divert(-1) # # Directory patterns (dir) # # Parameters: # 1. domain type # 2. container (directory) type # 3. directory type # # # Regular file patterns (file) # # Parameters: # 1. domain type # 2. container (directory) type # 3. file type # # # Symbolic link patterns (lnk_file) # # Parameters: # 1. domain type # 2. container (directory) type # 3. file type # # # (Un)named Pipes/FIFO patterns (fifo_file) # # Parameters: # 1. domain type # 2. container (directory) type # 3. file type # # # (Un)named sockets patterns (sock_file) # # Parameters: # 1. domain type # 2. container (directory) type # 3. file type # # # Block device node patterns (blk_file) # # Parameters: # 1. domain type # 2. container (directory) type # 3. file type # # # Character device node patterns (chr_file) # # Parameters: # 1. domain type # 2. container (directory) type # 3. file type # # # File type_transition patterns # # filetrans_add_pattern(domain,dirtype,newtype,class(es),[filename]) # # # filetrans_pattern(domain,dirtype,newtype,class(es),[filename]) # # # unix domain socket patterns # ######################################## # # Macros for switching between source policy # and loadable policy module support # ############################## # # For adding the module statement # ############################## # # For use in interfaces, to optionally insert a require block # # helper function, since m4 wont expand macros # if a line is a comment (#): ############################## # # In the future interfaces should be in loadable modules # # template(name,rules) # ############################## # # In the future interfaces should be in loadable modules # # interface(name,rules) # ############################## # # Optional policy handling # ############################## # # Determine if we should use the default # tunable value as specified by the policy # or if the override value should be used # ############################## # # Extract booleans out of an expression. 
# This needs to be reworked so expressions # with parentheses can work. ############################## # # Tunable declaration # ############################## # # Tunable policy handling # ######################################## # # Helper macros # # # shiftn(num,list...) # # shift the list num times # # # ifndef(expr,true_block,false_block) # # m4 does not have this. # # # __endline__ # # dummy macro to insert a newline. used for # errprint, so the close parentheses can be # indented correctly. # ######################################## # # refpolwarn(message) # # print a warning message # ######################################## # # refpolerr(message) # # print an error message. does not # make anything fail. # ######################################## # # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories]) # ######################################## # # gen_context(context,mls_sensitivity,[mcs_categories]) # ######################################## # # can_exec(domain,executable) # ######################################## # # gen_bool(name,default_value) # # # Specified domain transition patterns # # compatibility: # # Automatic domain transition patterns # # compatibility: # # Dynamic transition pattern # # # Other process permissions # ######################################## # # gen_cats(N) # # declares categories c0 to c(N-1) # ######################################## # # gen_sens(N) # # declares sensitivities s0 to s(N-1) with dominance # in increasing numeric order with s0 lowest, s(N-1) highest # ######################################## # # gen_levels(N,M) # # levels from s0 to s(N-1) with categories c0 to c(M-1) # ######################################## # # Basic level names for system low and high # ######################################## # # Support macros for sets of object classes and permissions # # This file should only have object class and permission set macros - they # can only reference object classes and/or 
permissions. # # All directory and file classes # # # All non-directory file classes. # # # Non-device file classes. # # # Device file classes. # # # All socket classes. # # # Datagram socket classes. # # # Stream socket classes. # # # Unprivileged socket classes (exclude rawip, netlink, packet). # ######################################## # # Macros for sets of permissions # # # Permissions to mount and unmount file systems. # # # Permissions for using sockets. # # # Permissions for creating and using sockets. # # # Permissions for using stream sockets. # # # Permissions for creating and using stream sockets. # # # Permissions for creating and using sockets. # # # Permissions for creating and using sockets. # # # Permissions for creating and using netlink sockets. # # # Permissions for using netlink sockets for operations that modify state. # # # Permissions for using netlink sockets for operations that observe state. # # # Permissions for sending all signals. # # # Permissions for sending and receiving network packets. # # # Permissions for using System V IPC # ######################################## # # New permission sets # # # Directory (dir) # # # Regular file (file) # # # Symbolic link (lnk_file) # # # (Un)named Pipes/FIFOs (fifo_file) # # # (Un)named Sockets (sock_file) # # # Block device nodes (blk_file) # # # Character device nodes (chr_file) # # # Anonymous inode files (anon_inode) # ######################################## # # Special permission sets # # # Use (read and write) terminals # # # Sockets # # # Keys # # # Service # # # perf_event # ## Policy for the kernel modules, kernel image, and bootloader. ######################################## ## ## Execute bootloader in the bootloader domain. ## ## ## ## Domain allowed to transition. 
##
##
#
define(`bootloader_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bootloader_domtrans'($*)) dnl
	gen_require(`
		type bootloader_t, bootloader_exec_t;
	')

	# The caller must be able to reach the binary through the bin
	# directories before the entrypoint transition can take place.
	corecmd_search_bin($1)
	domtrans_pattern($1, bootloader_exec_t, bootloader_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bootloader_domtrans'($*)) dnl
')

######################################
## Execute the bootloader in the caller domain (no domain transition).
##
## Param 1 (domain): Domain allowed access.
#
define(`bootloader_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bootloader_exec'($*)) dnl
	gen_require(`
		type bootloader_exec_t;
	')

	# Note: unlike consoletype_exec and dmesg_exec this does not add
	# corecmd_search_bin; presumably the caller already has it.
	can_exec($1, bootloader_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bootloader_exec'($*)) dnl
')

########################################
## Execute the bootloader interactively with a domain transition to
## the bootloader domain, and let the given role use that domain.
##
## Param 1 (domain): Domain allowed to transition.
## Param 2 (role): Role allowed access.
#
define(`bootloader_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bootloader_run'($*)) dnl
	gen_require(`
		type bootloader_t;
		attribute_role bootloader_roles;
	')

	# Role authorisation goes through the role attribute rather than a
	# direct "role ... types" rule.
	roleattribute $2 bootloader_roles;
	bootloader_domtrans($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bootloader_run'($*)) dnl
')

########################################
## Read the bootloader configuration file.
##
## Param 1 (domain): Domain allowed access.
##
##
#
define(`bootloader_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bootloader_read_config'($*)) dnl
	gen_require(`
		type bootloader_etc_t;
	')

	# File-level read only: no search permission on the containing
	# directory is added here, so the caller presumably has it already.
	allow $1 bootloader_etc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bootloader_read_config'($*)) dnl
')

########################################
## Read and write the bootloader configuration file.
##
## Param 1 (domain): Domain allowed access.
#
define(`bootloader_rw_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bootloader_rw_config'($*)) dnl
	gen_require(`
		type bootloader_etc_t;
	')

	# Write access to the boot configuration lets the caller change what
	# the machine boots next; grant this deliberately.
	allow $1 bootloader_etc_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bootloader_rw_config'($*)) dnl
')

########################################
## Create, delete, read and write the bootloader configuration file.
##
## Param 1 (domain): Domain allowed access.
#
define(`bootloader_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bootloader_manage_config'($*)) dnl
	gen_require(`
		type bootloader_etc_t;
	')

	# Full management of bootloader_etc_t files inside bootloader_etc_t
	# directories (create/unlink/rename as well as read/write).
	manage_files_pattern($1, bootloader_etc_t, bootloader_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bootloader_manage_config'($*)) dnl
')

########################################
## Read and write the bootloader
## temporary data in /tmp.
##
## Param 1 (domain): Domain allowed access.
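##
##
#
define(`bootloader_rw_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bootloader_rw_tmp_files'($*)) dnl
	gen_require(`
		type bootloader_tmp_t;
	')

	files_search_tmp($1)
	# Inherited perms only: presumably the caller is meant to use an
	# already-open descriptor handed to it, not open these files itself.
	# Verify against the rw_inherited_file_perms definition.
	allow $1 bootloader_tmp_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bootloader_rw_tmp_files'($*)) dnl
')

########################################
## Create, read and write bootloader runtime files (boot_runtime_t)
## in the boot directory, with a type transition on create.
## (The previous description, "temporary data in /tmp", was a
## copy-paste from bootloader_rw_tmp_files and did not match the
## rules.)
##
## Param 1 (domain): Domain allowed access.
#
define(`bootloader_create_runtime_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bootloader_create_runtime_file'($*)) dnl
	gen_require(`
		type boot_runtime_t;
	')

	allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
	# Files the caller creates in the boot directory are labeled
	# boot_runtime_t instead of inheriting the directory type.
	files_boot_filetrans($1, boot_runtime_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bootloader_create_runtime_file'($*)) dnl
')

########################################
## Label bootloader configuration files created in /etc as
## bootloader_etc_t.  Only the listed file names get the transition;
## a config written under any other name keeps the default label.
##
## Param 1 (domain): Domain allowed access.
#
define(`bootloader_filetrans_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bootloader_filetrans_config'($*)) dnl
	gen_require(`
		type bootloader_etc_t;
	')

	files_etc_filetrans($1,bootloader_etc_t,file, "grub")
	files_etc_filetrans($1,bootloader_etc_t,file, "lilo.conf")
	files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf")
	files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bootloader_filetrans_config'($*)) dnl
')

## Determine the type of console connected to the controlling terminal.
##

########################################
## Execute consoletype in the consoletype domain.
##
## Param 1 (domain): Domain allowed to transition.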
##
##
#
define(`consoletype_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `consoletype_domtrans'($*)) dnl
	gen_require(`
		type consoletype_t, consoletype_exec_t;
	')

	corecmd_search_bin($1)
	# Entrypoint transition: executing consoletype_exec_t lands in
	# consoletype_t.
	domtrans_pattern($1, consoletype_exec_t, consoletype_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `consoletype_domtrans'($*)) dnl
')

########################################
## Execute consoletype in the consoletype domain, and
## allow the specified role the consoletype domain.
##
## Param 1 (domain): Domain allowed to transition.
## Param 2 (role): Role allowed access.
#
define(`consoletype_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `consoletype_run'($*)) dnl
	gen_require(`
		type consoletype_t;
	')

	# Direct role authorisation here (the bootloader and usermanage
	# interfaces use role attributes instead).
	role $2 types consoletype_t;
	consoletype_domtrans($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `consoletype_run'($*)) dnl
')

########################################
## Execute consoletype in the caller domain (no domain transition).
##
## Param 1 (domain): Domain allowed access.
#
define(`consoletype_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `consoletype_exec'($*)) dnl
	gen_require(`
		type consoletype_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, consoletype_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `consoletype_exec'($*)) dnl
')

## Policy for dmesg.

########################################
## Execute dmesg in the dmesg domain.
##
## Param 1 (domain): Domain allowed to transition.
##
##
#
define(`dmesg_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dmesg_domtrans'($*)) dnl
	gen_require(`
		type dmesg_t, dmesg_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, dmesg_exec_t, dmesg_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dmesg_domtrans'($*)) dnl
')

########################################
## Execute dmesg in the caller domain (no domain transition).
##
## Param 1 (domain): Domain allowed access.
#
define(`dmesg_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dmesg_exec'($*)) dnl
	gen_require(`
		type dmesg_exec_t;
	')

	corecmd_search_bin($1)
	# The caller keeps its own domain, so it also needs whatever kernel
	# ring-buffer access dmesg requires; this interface does not add it.
	can_exec($1, dmesg_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dmesg_exec'($*)) dnl
')

## Network analysis utilities

########################################
## Execute network utilities in the netutils domain.
##
## Param 1 (domain): Domain allowed to transition.
#
define(`netutils_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_domtrans'($*)) dnl
	gen_require(`
		type netutils_t, netutils_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, netutils_exec_t, netutils_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_domtrans'($*)) dnl
')

########################################
## Execute network utilities in the netutils domain, and
## allow the specified role the netutils domain.
##
## Param 1 (domain): Domain allowed to transition.
## Param 2 (role): Role allowed access.
##
##
##
#
define(`netutils_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_run'($*)) dnl
	gen_require(`
		type netutils_t;
	')

	role $2 types netutils_t;
	netutils_domtrans($1)
	# The caller may interrupt or kill the tool it started.
	allow $1 netutils_t:process { signal sigkill };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_run'($*)) dnl
')

########################################
## Execute network utilities in the caller domain (no transition).
##
## Param 1 (domain): Domain allowed access.
#
define(`netutils_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_exec'($*)) dnl
	gen_require(`
		type netutils_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, netutils_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_exec'($*)) dnl
')

########################################
## Send generic signals to network utilities.
##
## Param 1 (domain): Domain allowed access.
#
define(`netutils_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_signal'($*)) dnl
	gen_require(`
		type netutils_t;
	')

	# signal only; sigkill is not included.
	allow $1 netutils_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_signal'($*)) dnl
')

########################################
## Execute ping in the ping domain.
##
## Param 1 (domain): Domain allowed to transition.
#
define(`netutils_domtrans_ping',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_domtrans_ping'($*)) dnl
	gen_require(`
		type ping_t, ping_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, ping_exec_t, ping_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_domtrans_ping'($*)) dnl
')

########################################
## Send a kill (SIGKILL) signal to ping.
##
## Param 1 (domain): Domain allowed access.
##
##
#
define(`netutils_kill_ping',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_kill_ping'($*)) dnl
	gen_require(`
		type ping_t;
	')

	allow $1 ping_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_kill_ping'($*)) dnl
')

########################################
## Send generic signals to ping.
##
## Param 1 (domain): Domain allowed access.
#
define(`netutils_signal_ping',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_signal_ping'($*)) dnl
	gen_require(`
		type ping_t;
	')

	allow $1 ping_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_signal_ping'($*)) dnl
')

########################################
## Execute ping in the ping domain, and
## allow the specified role the ping domain.
##
## Param 1 (domain): Domain allowed to transition.
## Param 2 (role): Role allowed access.
#
define(`netutils_run_ping',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_run_ping'($*)) dnl
	gen_require(`
		type ping_t;
	')

	role $2 types ping_t;
	# Unconditional variant: see netutils_run_ping_cond for the
	# boolean-gated one.
	netutils_domtrans_ping($1)
	allow $1 ping_t:process { signal sigkill };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_run_ping'($*)) dnl
')

########################################
## Conditionally execute ping in the ping domain, and
## allow the specified role the ping domain.
##
## Param 1 (domain): Domain allowed to transition.
## Param 2 (role): Role allowed access.
##
##
##
#
define(`netutils_run_ping_cond',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_run_ping_cond'($*)) dnl
	gen_require(`
		type ping_t;
		bool selinuxuser_ping;
	')

	# Role rules are not permitted inside a conditional block, so this
	# one is unconditional.  On its own it grants nothing usable: without
	# the gated domtrans below the caller cannot enter ping_t.
	role $2 types ping_t;

	if ( selinuxuser_ping ) {
		netutils_domtrans_ping($1)
		allow $1 ping_t:process { signal sigkill };
	}
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_run_ping_cond'($*)) dnl
')

########################################
## Execute ping in the caller domain (no domain transition).
##
## Param 1 (domain): Domain allowed access.
#
define(`netutils_exec_ping',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_exec_ping'($*)) dnl
	gen_require(`
		type ping_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, ping_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_exec_ping'($*)) dnl
')

########################################
## Execute traceroute in the traceroute domain.
##
## Param 1 (domain): Domain allowed to transition.
#
define(`netutils_domtrans_traceroute',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_domtrans_traceroute'($*)) dnl
	gen_require(`
		type traceroute_t, traceroute_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, traceroute_exec_t, traceroute_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_domtrans_traceroute'($*)) dnl
')

########################################
## Execute traceroute in the traceroute domain, and
## allow the specified role the traceroute domain.
##
## Param 1 (domain): Domain allowed to transition.
## Param 2 (role): Role allowed access.
##
##
##
#
define(`netutils_run_traceroute',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_run_traceroute'($*)) dnl
	gen_require(`
		type traceroute_t;
	')

	role $2 types traceroute_t;
	netutils_domtrans_traceroute($1)
	allow $1 traceroute_t:process { signal sigkill };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_run_traceroute'($*)) dnl
')

########################################
## Conditionally execute traceroute in the traceroute domain, and
## allow the specified role the traceroute domain.
##
## Param 1 (domain): Domain allowed to transition.
## Param 2 (role): Role allowed access.
#
define(`netutils_run_traceroute_cond',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_run_traceroute_cond'($*)) dnl
	gen_require(`
		type traceroute_t;
		bool selinuxuser_ping;
	')

	# Role rules cannot sit inside a conditional block; the role line is
	# therefore unconditional and is only useful once the domtrans below
	# is enabled.
	role $2 types traceroute_t;

	# Note: traceroute is gated by the ping boolean (selinuxuser_ping);
	# there is no traceroute-specific tunable here.
	if( selinuxuser_ping ) {
		netutils_domtrans_traceroute($1)
		allow $1 traceroute_t:process { signal sigkill };
	}
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_run_traceroute_cond'($*)) dnl
')

########################################
## Execute traceroute in the caller domain (no domain transition).
##
## Param 1 (domain): Domain allowed access.
#
define(`netutils_exec_traceroute',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netutils_exec_traceroute'($*)) dnl
	gen_require(`
		type traceroute_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, traceroute_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netutils_exec_traceroute'($*)) dnl
')

## Run shells with substitute user and group

#######################################
## Restricted su domain template.
##
##

## This template creates a derived domain which is allowed ## to change the linux user id, to run shells as a different ## user. ##

##
##
##
## Param 1 (userdomain_prefix): The prefix of the user domain (e.g. "user"
##   is the prefix for user_t).
## Param 2 (user_domain): The type of the user domain.
## Param 3 (user_role): The role associated with the user domain.
#
define(`su_restricted_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `su_restricted_domain_template'($*)) dnl
	gen_require(`
		type su_exec_t;
	')

	# Derived domain; su_exec_t is its only entrypoint.
	type $1_su_t;
	domain_entry_file($1_su_t, su_exec_t)
	domain_type($1_su_t)
	domain_interactive_fd($1_su_t)
	role $3 types $1_su_t;

	allow $2 $1_su_t:process signal;

	# Capabilities needed to switch uid/gid, fix up tty ownership and
	# talk to the audit subsystem.  dac_read_search bypasses DAC read
	# checks, so "restricted" here refers to the SELinux side (the shell
	# transition below), not to DAC.
	allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search fowner sys_nice sys_resource };
	dontaudit $1_su_t self:capability sys_tty_config;
	allow $1_su_t self:key { search write };
	# setexec: su sets the context for the process it spawns.
	allow $1_su_t self:process { setexec setsched setrlimit };
	allow $1_su_t self:fifo_file rw_fifo_file_perms;
	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
	allow $1_su_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_su_t self:netlink_selinux_socket create_socket_perms;

	# Transition from the user domain to this domain.
	domtrans_pattern($2, su_exec_t, $1_su_t)

	# By default, revert to the calling domain when a shell is executed.
	# The shell that su spawns runs in the user domain again, so su
	# changes the Linux uid but not the SELinux domain (except for the
	# distro_rhel4 block further down).
	corecmd_shell_domtrans($1_su_t,$2)
	allow $2 $1_su_t:fd use;
	allow $2 $1_su_t:fifo_file rw_file_perms;
	allow $2 $1_su_t:process sigchld;

	kernel_getattr_core_if($1_su_t)
	kernel_read_system_state($1_su_t)
	kernel_read_kernel_sysctls($1_su_t)
	kernel_search_key($1_su_t)
	kernel_link_key($1_su_t)

	# for SSP
	dev_read_urand($1_su_t)

	files_read_etc_files($1_su_t)
	files_read_etc_runtime_files($1_su_t)
	files_search_var_lib($1_su_t)
	files_dontaudit_getattr_tmp_dirs($1_su_t)

	# for the rootok check
	selinux_compute_access_vector($1_su_t)

	# Password verification is delegated to the chkpwd helper domain;
	# direct shadow reads by the su domain are silenced, not granted.
	auth_domtrans_chk_passwd($1_su_t)
	auth_dontaudit_read_shadow($1_su_t)
	auth_use_nsswitch($1_su_t)
	auth_rw_faillog($1_su_t)

	domain_use_interactive_fds($1_su_t)

	init_dontaudit_use_fds($1_su_t)
	init_dontaudit_use_script_ptys($1_su_t)
	# Write to utmp.
	init_rw_utmp($1_su_t)
	init_search_script_keys($1_su_t)
	init_getattr_initctl($1_su_t)

	logging_send_syslog_msg($1_su_t)

	ifdef(`distro_redhat',`
		# RHEL5 and possibly newer releases incl. Fedora
		auth_domtrans_upd_passwd($1_su_t)

		optional_policy(`
			locallogin_search_keys($1_su_t)
		')
	')

	ifdef(`distro_rhel4',`
		# Only on RHEL4 does the derived domain get role/identity change
		# exemptions and transitions into other user domains.
		domain_role_change_exemption($1_su_t)
		domain_subj_id_change_exemption($1_su_t)
		domain_obj_id_change_exemption($1_su_t)
		selinux_get_fs_mount($1_su_t)
		selinux_validate_context($1_su_t)
		# Repeats the unconditional rule above; harmless duplicate.
		selinux_compute_access_vector($1_su_t)
		selinux_compute_create_context($1_su_t)
		selinux_compute_relabel_context($1_su_t)
		selinux_compute_user_contexts($1_su_t)
		seutil_read_config($1_su_t)
		seutil_read_default_contexts($1_su_t)
		# Only allow transitions to unprivileged user domains.
		userdom_spec_domtrans_unpriv_users($1_su_t)
	')

	optional_policy(`
		cron_read_pipes($1_su_t)
	')

	optional_policy(`
		kerberos_use($1_su_t)
	')

	optional_policy(`
		# used when the password has expired
		usermanage_read_crack_db($1_su_t)
	')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `su_restricted_domain_template'($*)) dnl
')

#######################################
## The role template for the su module.
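##
##
## Param 1 (role_prefix): The prefix of the user role (e.g. "user" is the
##   prefix for user_r).
## Param 2 (user_role): The role associated with the user domain.
## Param 3 (user_domain): The type of the user domain.
#
define(`su_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `su_role_template'($*)) dnl
	gen_require(`
		attribute su_domain_type;
		type su_exec_t;
	')
	# The former "bool secure_mode" requirement was removed: nothing in
	# this template references the boolean, so requiring it only made
	# every caller depend on a tunable the template never consults.

	type $1_su_t, su_domain_type;
	userdom_user_application_domain($1_su_t, su_exec_t)
	domain_interactive_fd($1_su_t)
	role $2 types $1_su_t;

	allow $1_su_t self:netlink_selinux_socket create_socket_perms;

	allow $3 $1_su_t:process signal;
	allow $1_su_t $3:key search;

	# Transition from the user domain to this domain.
	domtrans_pattern($3, su_exec_t, $1_su_t)
	ps_process_pattern($3, $1_su_t)

	# By default, revert to the calling domain when a shell is executed:
	# the shell su spawns runs in the user domain again, so the SELinux
	# domain is unchanged even though the Linux uid changes.
	corecmd_shell_domtrans($1_su_t, $3)
	allow $3 $1_su_t:fd use;
	# rw_file_perms on a fifo_file; rw_fifo_file_perms is the conventional
	# set (as used in sudo_role_template).  Left as-is.
	allow $3 $1_su_t:fifo_file rw_file_perms;
	allow $3 $1_su_t:process sigchld;

	kernel_read_system_state($1_su_t)
	kernel_dontaudit_getattr_core_if($1_su_t)

	auth_use_pam($1_su_t)

	init_dontaudit_getattr_initctl($1_su_t)

	# MLS: the derived domain may write files at every level.
	# Presumably needed for su across sensitivity levels; review before
	# reusing this template on an MLS-enforcing system.
	mls_file_write_all_levels($1_su_t)

	logging_send_syslog_msg($1_su_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `su_role_template'($*)) dnl
')

#######################################
## Execute su in the caller domain (no domain transition).
##
## Param 1 (domain): Domain allowed access.
#
define(`su_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `su_exec'($*)) dnl
	gen_require(`
		type su_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, su_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `su_exec'($*)) dnl
')

## Execute a command with a substitute user

#######################################
## The role template for the sudo module.
##
##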

## This template creates a derived domain which is allowed ## to change the linux user id, to run commands as a different ## user. ##

##
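##
##
## Param 1 (role_prefix): The prefix of the user role (e.g. "user" is the
##   prefix for user_r).
## Param 2 (user_role): The user role.
## Param 3 (user_domain): The user domain associated with the role.
#
define(`sudo_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sudo_role_template'($*)) dnl
	gen_require(`
		type sudo_exec_t;
		attribute sudodomain;
	')
	# The former "type sudo_db_t" requirement was removed: the template
	# body never references it (sudo_manage_db is the interface that
	# does).

	##############################
	#
	# Declarations
	#

	type $1_sudo_t, sudodomain;
	userdom_user_application_domain($1_sudo_t, sudo_exec_t)
	domain_interactive_fd($1_sudo_t)
	# The sudo domain may change role on its outgoing transition.
	domain_role_change_exemption($1_sudo_t)
	role $2 types $1_sudo_t;

	# Full management of user home content from the sudo domain.
	userdom_home_manager($1_sudo_t)

	type $1_sudo_tmp_t;
	files_tmp_file($1_sudo_tmp_t)
	allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms;
	files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file)

	# Stray ";;" removed from the two rules below (an empty statement,
	# accepted by the compiler but a typo).
	allow $1_sudo_t $3:dir search_dir_perms;
	allow $1_sudo_t $3:file read_file_perms;
	allow $1_sudo_t $3:key search;

	# Enter this derived domain from the user domain
	domtrans_pattern($3, sudo_exec_t, $1_sudo_t)

	# By default, revert to the calling domain when a shell is executed.
	# Shells, bin programs and programs in the user home/tmp all land
	# back in the user domain.
	corecmd_shell_domtrans($1_sudo_t, $3)
	corecmd_bin_domtrans($1_sudo_t, $3)
	userdom_domtrans_user_home($1_sudo_t, $3)
	userdom_domtrans_user_tmp($1_sudo_t, $3)
	# Re-executing sudo from the sudo domain also returns to the user
	# domain, which requires sudo_exec_t to be an entrypoint of it.
	domain_entry_file($3, sudo_exec_t)
	domain_auto_transition_pattern($1_sudo_t, sudo_exec_t, $3)
	allow $3 $1_sudo_t:fd use;
	allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
	allow $3 $1_sudo_t:process signal_perms;

	kernel_read_system_state($1_sudo_t)

	seutil_libselinux_linked($1_sudo_t)

	# Password checks run in the chkpwd helper domain on behalf of $2.
	auth_run_chk_passwd($1_sudo_t, $2)
	auth_use_nsswitch($1_sudo_t)

	logging_send_syslog_msg($1_sudo_t)
	logging_read_syslog_pid($1_sudo_t)

	term_use_generic_ptys($1_sudo_t)
	term_setattr_generic_ptys($1_sudo_t)

	optional_policy(`
		mta_role($2, $1_sudo_t)
	')

	optional_policy(`
		# Lets the sudo domain run rpm in its own domain; this is a
		# package-management capability, not just file access.
		rpm_run($1_sudo_t, $2)
	')

	optional_policy(`
		kerberos_manage_host_rcache($1_sudo_t)
		kerberos_read_config($1_sudo_t)
	')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sudo_role_template'($*)) dnl
')

########################################
## Send a SIGCHLD signal to the sudo domain.
##
## Param 1 (domain): Domain allowed access.
#
define(`sudo_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sudo_sigchld'($*)) dnl
	gen_require(`
		attribute sudodomain;
	')

	# Covers every derived sudo domain via the attribute.
	allow $1 sudodomain:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sudo_sigchld'($*)) dnl
')

#######################################
## Execute sudo in the caller domain (no domain transition).
## This interface was added for the nova-stack policy.
##
## Param 1 (domain): Domain allowed access.
#
define(`sudo_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sudo_exec'($*)) dnl
	gen_require(`
		type sudo_exec_t;
	')

	# Unlike su_exec, no corecmd_search_bin is added here.
	can_exec($1, sudo_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sudo_exec'($*)) dnl
')

######################################
## Manage the sudo database in the caller domain.
##
## Param 1 (domain): Domain allowed access.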
##
##
#
define(`sudo_manage_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sudo_manage_db'($*)) dnl
	gen_require(`
		type sudo_db_t;
	')

	# Directories and files of the sudo database, full management.
	manage_dirs_pattern($1, sudo_db_t, sudo_db_t)
	manage_files_pattern($1, sudo_db_t, sudo_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sudo_manage_db'($*)) dnl
')

## Policy for managing user accounts.

########################################
## Execute chfn in the chfn domain.
##
## Param 1 (domain): Domain allowed to transition.
#
define(`usermanage_domtrans_chfn',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_domtrans_chfn'($*)) dnl
	gen_require(`
		type chfn_t, chfn_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, chfn_exec_t, chfn_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_domtrans_chfn'($*)) dnl
')

########################################
## Execute chfn in the chfn domain, and
## allow the specified role the chfn domain.
##
## Param 1 (domain): Domain allowed to transition.
## Param 2 (role): Role allowed access.
#
define(`usermanage_run_chfn',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_run_chfn'($*)) dnl
	gen_require(`
		attribute_role chfn_roles;
		type chfn_t;
	')

	# Role access via the role attribute.
	roleattribute $2 chfn_roles;
	usermanage_domtrans_chfn($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_run_chfn'($*)) dnl
')

########################################
## Execute groupadd in the groupadd domain.
##
## Param 1 (domain): Domain allowed to transition.
##
##
#
define(`usermanage_domtrans_groupadd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_domtrans_groupadd'($*)) dnl
	gen_require(`
		type groupadd_t, groupadd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, groupadd_exec_t, groupadd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_domtrans_groupadd'($*)) dnl
')

########################################
## Check access to the groupadd executable.
##
## Param 1 (domain): Domain allowed access.
#
define(`usermanage_access_check_groupadd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_access_check_groupadd'($*)) dnl
	gen_require(`
		type groupadd_exec_t;
	')

	corecmd_search_bin($1)
	# Grants execute but not execute_no_trans and no entrypoint, so this
	# satisfies an access(2) style check without letting the caller
	# actually run groupadd in its own domain.
	allow $1 groupadd_exec_t:file { getattr_file_perms execute };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_access_check_groupadd'($*)) dnl
')

########################################
## Execute groupadd in the groupadd domain, and
## allow the specified role the groupadd domain.
##
## Param 1 (domain): Domain allowed to transition.
## Param 2 (role): Role allowed access.
#
define(`usermanage_run_groupadd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_run_groupadd'($*)) dnl
	gen_require(`
		type groupadd_t;
		attribute_role groupadd_roles;
	')

	roleattribute $2 groupadd_roles;
	usermanage_domtrans_groupadd($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_run_groupadd'($*)) dnl
')

########################################
## Execute passwd in the passwd domain.
##
## Param 1 (domain): Domain allowed to transition.
##
##
#
define(`usermanage_domtrans_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_domtrans_passwd'($*)) dnl
	gen_require(`
		type passwd_t, passwd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, passwd_exec_t, passwd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_domtrans_passwd'($*)) dnl
')

########################################
##
## Send sigkills to passwd.
##
##
##
## Domain allowed access.
##
##
#
define(`usermanage_kill_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_kill_passwd'($*)) dnl
	gen_require(`
		type passwd_t;
	')

	# Only sigkill is granted, not the wider signal_perms set.
	allow $1 passwd_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_kill_passwd'($*)) dnl
')

########################################
##
## Check if the passwd binary is executable.
##
##
##
## Domain allowed access.
##
##
#
define(`usermanage_check_exec_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_check_exec_passwd'($*)) dnl
	gen_require(`
		type passwd_exec_t;
	')

	# Same file permissions as usermanage_access_check_passwd, but without
	# the search permission on bin directories.
	allow $1 passwd_exec_t:file { execute getattr_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_check_exec_passwd'($*)) dnl
')

########################################
##
## Execute passwd in the passwd domain, and
## allow the specified role the passwd domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`usermanage_run_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_run_passwd'($*)) dnl
	gen_require(`
		type passwd_t;
		attribute_role passwd_roles;
	')

	usermanage_domtrans_passwd($1)
	roleattribute $2 passwd_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_run_passwd'($*)) dnl
')

########################################
##
## Check access to the passwd executable.
##
##
##
## Domain allowed access.
##
##
#
define(`usermanage_access_check_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_access_check_passwd'($*)) dnl
	gen_require(`
		type passwd_exec_t;
	')

	# Near-duplicate of usermanage_check_exec_passwd; this variant also
	# lets the caller search bin directories to reach the binary.
	corecmd_search_bin($1)
	allow $1 passwd_exec_t:file { getattr_file_perms execute };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_access_check_passwd'($*)) dnl
')

########################################
##
## Execute password admin functions in
## the admin passwd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`usermanage_domtrans_admin_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_domtrans_admin_passwd'($*)) dnl
	gen_require(`
		type sysadm_passwd_t, admin_passwd_exec_t;
	')

	corecmd_search_bin($1)
	# The admin passwd domain is named sysadm_passwd_t, not
	# admin_passwd_t; only the executable type carries the admin_ prefix.
	domtrans_pattern($1, admin_passwd_exec_t, sysadm_passwd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_domtrans_admin_passwd'($*)) dnl
')

########################################
##
## Execute passwd admin functions in the admin
## passwd domain, and allow the specified role
## the admin passwd domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`usermanage_run_admin_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_run_admin_passwd'($*)) dnl
	gen_require(`
		type sysadm_passwd_t;
		attribute_role sysadm_passwd_roles;
	')

	usermanage_domtrans_admin_passwd($1)
	roleattribute $2 sysadm_passwd_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_run_admin_passwd'($*)) dnl
')

########################################
##
## Do not audit attempts to use useradd fds.
##
##
##
## Domain to not audit.
##
##
#
define(`usermanage_dontaudit_use_useradd_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_dontaudit_use_useradd_fds'($*)) dnl
	gen_require(`
		type useradd_t;
	')

	# Silences the denial only; no access to useradd fds is granted.
	dontaudit $1 useradd_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_dontaudit_use_useradd_fds'($*)) dnl
')

########################################
##
## Execute useradd in the useradd domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`usermanage_domtrans_useradd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_domtrans_useradd'($*)) dnl
	gen_require(`
		type useradd_t, useradd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, useradd_exec_t, useradd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_domtrans_useradd'($*)) dnl
')

########################################
##
## Check if the useradd binaries are executable.
##
##
##
## Domain allowed access.
##
##
#
define(`usermanage_check_exec_useradd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_check_exec_useradd'($*)) dnl
	gen_require(`
		type useradd_exec_t;
	')

	# Same file permissions as usermanage_access_check_useradd, but without
	# the search permission on bin directories.
	allow $1 useradd_exec_t:file { execute getattr_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_check_exec_useradd'($*)) dnl
')

########################################
##
## Execute useradd in the useradd domain, and
## allow the specified role the useradd domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`usermanage_run_useradd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_run_useradd'($*)) dnl
	gen_require(`
		attribute_role useradd_roles;
		type useradd_t;
	')

	usermanage_domtrans_useradd($1)
	roleattribute $2 useradd_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_run_useradd'($*)) dnl
')

########################################
##
## Check access to the useradd executable.
##
##
##
## Domain allowed access.
##
##
#
define(`usermanage_access_check_useradd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_access_check_useradd'($*)) dnl
	gen_require(`
		type useradd_exec_t;
	')

	corecmd_search_bin($1)
	allow $1 useradd_exec_t:file { getattr_file_perms execute };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_access_check_useradd'($*)) dnl
')

########################################
##
## Read the crack database.
##
##
##
## Domain allowed access.
##
##
#
define(`usermanage_read_crack_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usermanage_read_crack_db'($*)) dnl
	gen_require(`
		type crack_db_t;
	')

	files_search_var($1)
	read_files_pattern($1, crack_db_t, crack_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usermanage_read_crack_db'($*)) dnl
')

## Filesystem namespacing/polyinstantiation application.

########################################
##
## Execute a domain transition to run seunshare.
##
##
##
## Domain allowed to transition.
##
##
#
define(`seunshare_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seunshare_domtrans'($*)) dnl
	gen_require(`
		type seunshare_t, seunshare_exec_t;
	')

	# Unlike the usermanage domtrans interfaces, no search permission on
	# bin directories is granted here; callers must bring their own.
	domtrans_pattern($1, seunshare_exec_t, seunshare_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seunshare_domtrans'($*)) dnl
')

########################################
##
## Execute seunshare in the seunshare domain, and
## allow the specified role the seunshare domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`seunshare_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seunshare_run'($*)) dnl
	gen_require(`
		type seunshare_t;
	')

	seunshare_domtrans($1)
	# Direct role statement here, unlike the usermanage_run_* interfaces
	# which go through role attributes.
	role $2 types seunshare_t;
	allow $1 seunshare_t:process signal_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seunshare_run'($*)) dnl
')

########################################
##
## The role template for the seunshare module.
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
define(`seunshare_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seunshare_role_template'($*)) dnl
	gen_require(`
		attribute seunshare_domain;
		type seunshare_exec_t;
	')

	# Per-role seunshare domain, derived from the role prefix.
	type $1_seunshare_t, seunshare_domain;
	application_domain($1_seunshare_t, seunshare_exec_t)
	role $2 types $1_seunshare_t;

	kernel_read_system_state($1_seunshare_t)

	domain_dyntrans_type($1_seunshare_t)

	auth_use_nsswitch($1_seunshare_t)

	logging_send_syslog_msg($1_seunshare_t)

	mls_process_set_level($1_seunshare_t)

	# The user domain passed as the third parameter enters the derived
	# seunshare domain by executing seunshare_exec_t.
	domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)
	allow $1_seunshare_t $3:unix_stream_socket getattr;

	# part of sandboxX.pp
	optional_policy(`
		sandbox_x_transition($1_seunshare_t, $2)
	')

	# part of sandbox.pp
	optional_policy(`
		sandbox_transition($1_seunshare_t, $2)
	')

	ps_process_pattern($3, $1_seunshare_t)
	dontaudit $1_seunshare_t $3:file read;
	allow $3 $1_seunshare_t:process signal_perms;
	allow $3 $1_seunshare_t:fd use;
	# The seunshare domain is allowed to transition back into the user
	# domain; the inheritance-related denials are silenced, not allowed.
	allow $1_seunshare_t $3:process transition;
	dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh };

	# NOTE(review): the user domain is referenced as parameter 3 above but
	# assumed to be named prefix_t here - confirm callers always pass a
	# matching prefix and domain pair.
	corecmd_bin_domtrans($1_seunshare_t, $1_t)
	corecmd_shell_domtrans($1_seunshare_t, $1_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seunshare_role_template'($*)) dnl
')

## ABRT - automated bug-reporting tool

########################################
##
## abrt stub interface. No access allowed.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_stub'($*)) dnl
	gen_require(`
		type abrt_t;
	')

	# Intentionally empty: only pulls the abrt_t type into scope.
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_stub'($*)) dnl
')

######################################
##
## Creates types and rules for a basic
## ABRT daemon domain.
##
##
##
## Prefix for the domain.
##
##
#
define(`abrt_basic_types_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_basic_types_template'($*)) dnl
	gen_require(`
		attribute abrt_domain;
	')

	# Declares the prefix_t domain and its prefix_exec_t entrypoint type;
	# the caller is expected to add the remaining rules.
	type $1_t, abrt_domain;
	type $1_exec_t;

	kernel_read_system_state($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_basic_types_template'($*)) dnl
')

######################################
##
## Execute abrt in the abrt domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`abrt_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_domtrans'($*)) dnl
	gen_require(`
		type abrt_t, abrt_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, abrt_exec_t, abrt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_domtrans'($*)) dnl
')

######################################
##
## Execute abrt_dump_oops in the abrt_dump_oops_t domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`abrt_dump_oops_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_dump_oops_domtrans'($*)) dnl
	gen_require(`
		type abrt_dump_oops_t, abrt_dump_oops_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, abrt_dump_oops_exec_t, abrt_dump_oops_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_dump_oops_domtrans'($*)) dnl
')

######################################
##
## Execute abrt in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_exec'($*)) dnl
	gen_require(`
		type abrt_exec_t;
	')

	corecmd_search_bin($1)
	# No domain transition: the binary runs in the caller domain.
	can_exec($1, abrt_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_exec'($*)) dnl
')

########################################
##
## Send a null signal to abrt.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_signull'($*)) dnl
	gen_require(`
		type abrt_t;
	')

	allow $1 abrt_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_signull'($*)) dnl
')

########################################
##
## Allow the domain to read abrt state files in /proc.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_read_state'($*)) dnl
	gen_require(`
		type abrt_t;
	')

	kernel_search_proc($1)
	ps_process_pattern($1, abrt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_read_state'($*)) dnl
')

########################################
##
## Connect to abrt over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_stream_connect'($*)) dnl
	gen_require(`
		type abrt_t, abrt_var_run_t;
	')

	files_search_pids($1)
	# The socket file lives under the abrt pid directory, so abrt_var_run_t
	# serves as both the directory and the sock_file type.
	stream_connect_pattern($1, abrt_var_run_t, abrt_var_run_t, abrt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_stream_connect'($*)) dnl
')

########################################
##
## Send and receive messages from
## abrt over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_dbus_chat'($*)) dnl
	gen_require(`
		type abrt_t;
		class dbus send_msg;
	')

	# Bidirectional: both the caller and abrt_t may send to each other.
	allow $1 abrt_t:dbus send_msg;
	allow abrt_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_dbus_chat'($*)) dnl
')

#####################################
##
## Execute abrt-helper in the abrt-helper domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`abrt_domtrans_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_domtrans_helper'($*)) dnl
	gen_require(`
		type abrt_helper_t, abrt_helper_exec_t;
	')

	# No search permission on bin directories is granted here, unlike
	# abrt_domtrans.
	domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_domtrans_helper'($*)) dnl
')

########################################
##
## Execute abrt helper in the abrt_helper domain, and
## allow the specified role the abrt_helper domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`abrt_run_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_run_helper'($*)) dnl
	gen_require(`
		attribute_role abrt_helper_roles;
	')

	abrt_domtrans_helper($1)
	roleattribute $2 abrt_helper_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_run_helper'($*)) dnl
')

########################################
##
## Read abrt cache
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_read_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_read_cache'($*)) dnl
	gen_require(`
		type abrt_var_cache_t;
	')

	# NOTE(review): no search permission on the parent of the cache
	# directory is granted here, unlike abrt_read_log and
	# abrt_read_pid_files - callers may need to obtain it separately.
	read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
	read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_read_cache'($*)) dnl
')

########################################
##
## Append abrt cache
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_append_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_append_cache'($*)) dnl
	gen_require(`
		type abrt_var_cache_t;
	')

	# Inherited descriptors only; no permission to open cache files.
	allow $1 abrt_var_cache_t:file append_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_append_cache'($*)) dnl
')

########################################
##
## Read/Write inherited abrt cache
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_rw_inherited_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_rw_inherited_cache'($*)) dnl
	gen_require(`
		type abrt_var_cache_t;
	')

	# Inherited descriptors only; no permission to open cache files.
	allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_rw_inherited_cache'($*)) dnl
')

########################################
##
## Manage abrt cache
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_manage_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_manage_cache'($*)) dnl
	gen_require(`
		type abrt_var_cache_t;
	')

	manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
	manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
	manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_manage_cache'($*)) dnl
')

########################################
##
## Map abrt cache
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_map_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_map_cache'($*)) dnl
	gen_require(`
		type abrt_var_cache_t;
	')

	# map is granted on its own; combine with a read or rw interface
	# to actually open the files.
	allow $1 abrt_var_cache_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_map_cache'($*)) dnl
')

####################################
##
## Read abrt configuration file.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_read_config'($*)) dnl
	gen_require(`
		type abrt_etc_t;
	')

	files_search_etc($1)
	read_files_pattern($1, abrt_etc_t, abrt_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_read_config'($*)) dnl
')

####################################
##
## Dontaudit read abrt configuration file.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_dontaudit_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_dontaudit_read_config'($*)) dnl
	gen_require(`
		type abrt_etc_t;
	')

	# Note the asymmetry: searching etc directories is really allowed,
	# while the config reads below are only silenced.
	files_search_etc($1)
	dontaudit $1 abrt_etc_t:dir list_dir_perms;
	dontaudit $1 abrt_etc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_dontaudit_read_config'($*)) dnl
')

######################################
##
## Read abrt logs.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_read_log'($*)) dnl
	gen_require(`
		type abrt_var_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, abrt_var_log_t, abrt_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_read_log'($*)) dnl
')

######################################
##
## Read abrt PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_read_pid_files'($*)) dnl
	gen_require(`
		type abrt_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_read_pid_files'($*)) dnl
')

######################################
##
## Create, read, write, and delete abrt PID files.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_manage_pid_files'($*)) dnl
	gen_require(`
		type abrt_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_manage_pid_files'($*)) dnl
')

########################################
##
## Read and write abrt fifo files.
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_rw_fifo_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_rw_fifo_file'($*)) dnl
	gen_require(`
		type abrt_t;
	')

	# Inherited fifo descriptors only, despite the broader summary above.
	allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_rw_fifo_file'($*)) dnl
')

########################################
##
## Manage the abrt service via systemctl,
## including its unit file.
##
##
##
## Domain allowed to transition.
##
##
#
define(`abrt_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_systemctl'($*)) dnl
	gen_require(`
		type abrt_t;
		type abrt_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	# NOTE(review): manage_file_perms lets the caller rewrite the unit
	# file itself, not merely control the service; the accountsd_systemctl
	# counterpart grants only read_file_perms on its unit file. Confirm
	# write access to the unit is intended for every caller.
	allow $1 abrt_unit_file_t:file manage_file_perms;
	allow $1 abrt_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, abrt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_systemctl'($*)) dnl
')

#####################################
##
## All of the rules required to administrate
## an abrt environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the abrt domain.
##
##
##
#
define(`abrt_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_admin'($*)) dnl
	gen_require(`
		type abrt_t, abrt_etc_t;
		type abrt_var_cache_t, abrt_var_log_t;
		type abrt_var_run_t, abrt_tmp_t;
		type abrt_initrc_exec_t;
		type abrt_unit_file_t;
	')

	allow $1 abrt_t:process { signal_perms };
	ps_process_pattern($1, abrt_t)

	# ptrace of the daemon is granted only while the deny_ptrace
	# tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 abrt_t:process ptrace;
	')

	# Init script handling: the admin role may run the abrt init script
	# and is transitioned to system_r for it.
	init_labeled_script_domtrans($1, abrt_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 abrt_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, abrt_etc_t)

	logging_list_logs($1)
	admin_pattern($1, abrt_var_log_t)

	files_list_var($1)
	admin_pattern($1, abrt_var_cache_t)

	files_list_pids($1)
	admin_pattern($1, abrt_var_run_t)

	files_list_tmp($1)
	admin_pattern($1, abrt_tmp_t)

	abrt_systemctl($1)
	admin_pattern($1, abrt_unit_file_t)
	allow $1 abrt_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_admin'($*)) dnl
')

####################################
##
## Execute abrt-retrace in the abrt-retrace domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`abrt_domtrans_retrace_worker',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_domtrans_retrace_worker'($*)) dnl
	gen_require(`
		type abrt_retrace_worker_t, abrt_retrace_worker_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, abrt_retrace_worker_exec_t, abrt_retrace_worker_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_domtrans_retrace_worker'($*)) dnl
')

######################################
##
## Manage abrt retrace server spool
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_manage_spool_retrace',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_manage_spool_retrace'($*)) dnl
	gen_require(`
		type abrt_retrace_spool_t;
	')

	# Operates on the spool type, not on abrt_retrace_cache_t; see
	# abrt_read_cache_retrace for the cache.
	manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
	manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
	manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
	manage_sock_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_manage_spool_retrace'($*)) dnl
')

#####################################
##
## Read abrt retrace server spool
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_read_spool_retrace',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_read_spool_retrace'($*)) dnl
	gen_require(`
		type abrt_retrace_spool_t;
	')

	list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
	read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
	read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_read_spool_retrace'($*)) dnl
')

#####################################
##
## Read abrt retrace server cache
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_read_cache_retrace',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_read_cache_retrace'($*)) dnl
	gen_require(`
		type abrt_retrace_cache_t;
	')

	list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
	read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
	read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_read_cache_retrace'($*)) dnl
')

########################################
##
## Do not audit attempts to write abrt sock files
##
##
##
## Domain to not audit.
##
##
#
define(`abrt_dontaudit_write_sock_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_dontaudit_write_sock_file'($*)) dnl
	gen_require(`
		type abrt_t;
	')

	dontaudit $1 abrt_t:sock_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_dontaudit_write_sock_file'($*)) dnl
')

########################################
##
## Transition to abrt named content
##
##
##
## Domain allowed access.
##
##
#
define(`abrt_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `abrt_filetrans_named_content'($*)) dnl
	gen_require(`
		type abrt_tmp_t;
		type abrt_etc_t;
		type abrt_var_cache_t;
		type abrt_var_run_t;
	')

	# NOTE(review): abrt_tmp_t is required above but never used; the abrt
	# directory created under tmp is labeled abrt_var_cache_t instead.
	# Confirm this is intended before relying on the tmp label elsewhere.
	files_tmp_filetrans($1, abrt_var_cache_t, dir, "abrt")
	files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
	files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
	files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
	files_var_filetrans($1, abrt_var_cache_t, dir, "debug")
	files_pid_filetrans($1, abrt_var_run_t, dir, "abrt")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `abrt_filetrans_named_content'($*)) dnl
')

## AccountsService and daemon for manipulating user account information via D-Bus.
########################################
##
## Execute a domain transition to
## run accountsd.
##
##
##
## Domain allowed to transition.
##
##
#
define(`accountsd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `accountsd_domtrans'($*)) dnl
	gen_require(`
		type accountsd_t, accountsd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, accountsd_exec_t, accountsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `accountsd_domtrans'($*)) dnl
')

########################################
##
## Do not audit attempts to read and
## write Accounts Daemon fifo files.
##
##
##
## Domain to not audit.
##
##
#
define(`accountsd_dontaudit_rw_fifo_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `accountsd_dontaudit_rw_fifo_file'($*)) dnl
	gen_require(`
		type accountsd_t;
	')

	dontaudit $1 accountsd_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `accountsd_dontaudit_rw_fifo_file'($*)) dnl
')

########################################
##
## Send and receive messages from
## accountsd over dbus.
##
##
##
## Domain allowed access.
##
##
#
define(`accountsd_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `accountsd_dbus_chat'($*)) dnl
	gen_require(`
		type accountsd_t;
		class dbus send_msg;
	')

	# Bidirectional: both the caller and accountsd_t may send to each other.
	allow $1 accountsd_t:dbus send_msg;
	allow accountsd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `accountsd_dbus_chat'($*)) dnl
')

########################################
##
## Search accountsd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`accountsd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `accountsd_search_lib'($*)) dnl
	gen_require(`
		type accountsd_var_lib_t;
	')

	allow $1 accountsd_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `accountsd_search_lib'($*)) dnl
')

########################################
##
## Watch accountsd lib directories.
##
##
##
## Domain allowed access.
##
##
#
define(`accountsd_watch_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `accountsd_watch_lib'($*)) dnl
	gen_require(`
		type accountsd_var_lib_t;
	')

	files_search_var_lib($1)
	watch_dirs_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `accountsd_watch_lib'($*)) dnl
')

########################################
##
## Read accountsd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`accountsd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `accountsd_read_lib_files'($*)) dnl
	gen_require(`
		type accountsd_var_lib_t;
	')

	files_search_var_lib($1)
	# Listing the directory is granted explicitly in addition to the read
	# pattern on the files.
	allow $1 accountsd_var_lib_t:dir list_dir_perms;
	read_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `accountsd_read_lib_files'($*)) dnl
')

########################################
##
## Create, read, write, and delete
## accountsd lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`accountsd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `accountsd_manage_lib_files'($*)) dnl
	gen_require(`
		type accountsd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, accountsd_var_lib_t, accountsd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `accountsd_manage_lib_files'($*)) dnl
')

########################################
##
## Manage the accountsd service via systemctl;
## the unit file itself is read-only.
##
##
##
## Domain allowed to transition.
##
##
#
define(`accountsd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `accountsd_systemctl'($*)) dnl
	gen_require(`
		type accountsd_t;
		type accountsd_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	# The unit file is only readable here; the service itself may be
	# managed. Compare abrt_systemctl, which grants manage_file_perms.
	allow $1 accountsd_unit_file_t:file read_file_perms;
	allow $1 accountsd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, accountsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `accountsd_systemctl'($*)) dnl
')

########################################
##
## All of the rules required to administrate
## an accountsd environment
##
##
##
## Domain allowed access.
##
##
#
define(`accountsd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `accountsd_admin'($*)) dnl
	gen_require(`
		type accountsd_t;
		type accountsd_unit_file_t;
	')

	allow $1 accountsd_t:process signal_perms;
	ps_process_pattern($1, accountsd_t)

	# ptrace of the daemon is granted only while the deny_ptrace
	# tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 accountsd_t:process ptrace;
	')

	accountsd_manage_lib_files($1)

	# Unlike abrt_admin and acct_admin, this interface takes no role
	# parameter and sets up no init script transition.
	accountsd_systemctl($1)
	admin_pattern($1, accountsd_unit_file_t)
	allow $1 accountsd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `accountsd_admin'($*)) dnl
')

## Berkeley process accounting.
########################################
## <summary>
##	Transition to the accounting
##	management domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`acct_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `acct_domtrans'($*)) dnl
gen_require(`
	type acct_t, acct_exec_t;
')

	corecmd_search_bin($1)
	domtrans_pattern($1, acct_exec_t, acct_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `acct_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute accounting management tools
##	in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`acct_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `acct_exec'($*)) dnl
gen_require(`
	type acct_exec_t;
')

	corecmd_search_bin($1)
	# no domain transition: the tools run in the caller domain
	can_exec($1, acct_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `acct_exec'($*)) dnl
')

########################################
## <summary>
##	Execute accounting management data
##	in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`acct_exec_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `acct_exec_data'($*)) dnl
gen_require(`
	type acct_data_t;
')

	files_search_var($1)
	# NOTE(review): this makes accounting data files executable by $1
	can_exec($1, acct_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `acct_exec_data'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	process accounting data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`acct_manage_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `acct_manage_data'($*)) dnl
gen_require(`
	type acct_data_t;
')

	files_search_var($1)
	manage_files_pattern($1, acct_data_t, acct_data_t)
	manage_lnk_files_pattern($1, acct_data_t, acct_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `acct_manage_data'($*)) dnl
')

########################################
## <summary>
##	Dontaudit attempts to list acct_data directory
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`acct_dontaudit_list_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `acct_dontaudit_list_data'($*)) dnl
gen_require(`
	type acct_data_t;
')

	dontaudit $1 acct_data_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `acct_dontaudit_list_data'($*)) dnl
')

#######################################
## <summary>
##	All of the rules required to
##	administrate an acct environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`acct_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `acct_admin'($*)) dnl
gen_require(`
	type acct_t, acct_initrc_exec_t, acct_data_t;
')

	allow $1 acct_t:process { signal_perms };
	ps_process_pattern($1, acct_t)

	# ptrace of acct_t is granted only while the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 acct_t:process ptrace;
	')

	init_labeled_script_domtrans($1, acct_initrc_exec_t)
	domain_system_change_exemption($1)
	# the init script runs under system_r, so the admin role must be able to reach it
	role_transition $2 acct_initrc_exec_t system_r;
	allow $2 system_r;

	logging_search_logs($1)
	admin_pattern($1, acct_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `acct_admin'($*)) dnl
')

## <summary>Andrew Filesystem server.</summary>

########################################
## <summary>
##	Execute a domain transition to run the
##	afs client.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`afs_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `afs_domtrans'($*)) dnl
gen_require(`
	type afs_t, afs_exec_t;
')

	corecmd_search_bin($1)
	domtrans_pattern($1, afs_exec_t, afs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `afs_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read and write afs client UDP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`afs_rw_udp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `afs_rw_udp_sockets'($*)) dnl
gen_require(`
	type afs_t;
')

	allow $1 afs_t:udp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `afs_rw_udp_sockets'($*)) dnl
')

########################################
## <summary>
##	Read AFS config data
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`afs_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `afs_read_config'($*)) dnl
gen_require(`
	type afs_config_t;
')

	# NOTE(review): unlike the other read interfaces here, no search of the parent directory is granted
	read_files_pattern($1, afs_config_t, afs_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `afs_read_config'($*)) dnl
')

########################################
## <summary>
##	Read and write afs cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`afs_rw_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `afs_rw_cache'($*)) dnl
gen_require(`
	type afs_cache_t;
')

	files_search_var($1)
	allow $1 afs_cache_t:file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `afs_rw_cache'($*)) dnl
')

########################################
## <summary>
##	Execute afs server in the afs domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`afs_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `afs_initrc_domtrans'($*)) dnl
gen_require(`
	type afs_initrc_exec_t;
')

	init_labeled_script_domtrans($1, afs_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `afs_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an afs environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`afs_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `afs_admin'($*)) dnl
gen_require(`
	attribute afs_domain;
	type afs_t, afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
	type afs_ka_db_t, afs_vl_db_t, afs_config_t;
	type afs_logfile_t, afs_cache_t, afs_files_t;
')

	# NOTE(review): afs_domain is required above but no rule in this interface references it
	allow $1 afs_t:process signal_perms;
	ps_process_pattern($1, afs_t)

	# ptrace of afs_t is granted only while the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 afs_t:process ptrace;
	')

	afs_initrc_domtrans($1)
	domain_system_change_exemption($1)
	# the init script runs under system_r, so the admin role must be able to reach it
	role_transition $2 afs_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, afs_config_t)

	files_search_var($1)
	admin_pattern($1, afs_cache_t)

	files_search_var_lib($1)
	admin_pattern($1, { afs_dbdir_t afs_pt_db_t afs_ka_db_t })
	admin_pattern($1, afs_vl_db_t)

	logging_search_logs($1)
	admin_pattern($1, afs_logfile_t)

	admin_pattern($1, afs_files_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `afs_admin'($*)) dnl
')

## <summary>Automatic IPv6 Connectivity Client Utility.</summary>

########################################
## <summary>
##	Execute a domain transition to run aiccu.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`aiccu_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aiccu_domtrans'($*)) dnl
gen_require(`
	type aiccu_t, aiccu_exec_t;
')

	domtrans_pattern($1, aiccu_exec_t, aiccu_t)
	corecmd_search_bin($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aiccu_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute aiccu server in the aiccu domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`aiccu_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aiccu_initrc_domtrans'($*)) dnl
gen_require(`
	type aiccu_initrc_exec_t;
')

	init_labeled_script_domtrans($1, aiccu_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aiccu_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read aiccu PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`aiccu_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aiccu_read_pid_files'($*)) dnl
gen_require(`
	type aiccu_var_run_t;
')

	allow $1 aiccu_var_run_t:file read_file_perms;
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aiccu_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an aiccu environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`aiccu_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aiccu_admin'($*)) dnl
gen_require(`
	type aiccu_t, aiccu_initrc_exec_t, aiccu_etc_t;
	type aiccu_var_run_t;
')

	allow $1 aiccu_t:process signal_perms;
	ps_process_pattern($1, aiccu_t)

	# ptrace of aiccu_t is granted only while the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 aiccu_t:process ptrace;
	')

	aiccu_initrc_domtrans($1)
	domain_system_change_exemption($1)
	# the init script runs under system_r, so the admin role must be able to reach it
	role_transition $2 aiccu_initrc_exec_t system_r;
	allow $2 system_r;

	admin_pattern($1, aiccu_etc_t)
	files_list_etc($1)

	admin_pattern($1, aiccu_var_run_t)
	files_list_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aiccu_admin'($*)) dnl
')

## <summary>Aide filesystem integrity checker.</summary>

########################################
## <summary>
##	Execute aide in the aide domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`aide_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aide_domtrans'($*)) dnl
gen_require(`
	type aide_t, aide_exec_t;
')

	corecmd_search_bin($1)
	domtrans_pattern($1, aide_exec_t, aide_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aide_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute aide programs in the AIDE
##	domain and allow the specified role
##	the AIDE domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`aide_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aide_run'($*)) dnl
gen_require(`
	attribute_role aide_roles;
')

	aide_domtrans($1)
	# the role is added to the aide_roles attribute rather than granted aide_t directly
	roleattribute $2 aide_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aide_run'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an aide environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`aide_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aide_admin'($*)) dnl
gen_require(`
	type aide_t, aide_db_t, aide_log_t;
')

	allow $1 aide_t:process signal_perms;
	ps_process_pattern($1, aide_t)

	# ptrace of aide_t is granted only while the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 aide_t:process ptrace;
	')

	aide_run($1, $2)

	files_list_etc($1)
	admin_pattern($1, aide_db_t)

	logging_list_logs($1)
	admin_pattern($1, aide_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aide_admin'($*)) dnl
')

## <summary>Aisexec Cluster Engine.</summary>

########################################
## <summary>
##	Execute a domain transition to run aisexec.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`aisexec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aisexec_domtrans'($*)) dnl
gen_require(`
	type aisexec_t, aisexec_exec_t;
')

	corecmd_search_bin($1)
	domtrans_pattern($1, aisexec_exec_t, aisexec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aisexec_domtrans'($*)) dnl
')

#####################################
## <summary>
##	Connect to aisexec over a unix
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`aisexec_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aisexec_stream_connect'($*)) dnl
gen_require(`
	type aisexec_t, aisexec_var_run_t;
')

	files_search_pids($1)
	stream_connect_pattern($1, aisexec_var_run_t, aisexec_var_run_t, aisexec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aisexec_stream_connect'($*)) dnl
')

#######################################
## <summary>
##	Read aisexec log files content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`aisexec_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aisexec_read_log'($*)) dnl
gen_require(`
	type aisexec_var_log_t;
')

	logging_search_logs($1)
	list_dirs_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
	read_files_pattern($1, aisexec_var_log_t, aisexec_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aisexec_read_log'($*)) dnl
')

######################################
## <summary>
##	All of the rules required to
##	administrate an aisexec environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`aisexecd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `aisexecd_admin'($*)) dnl
gen_require(`
	type aisexec_t, aisexec_var_lib_t, aisexec_var_log_t;
	type aisexec_var_run_t, aisexec_tmp_t, aisexec_tmpfs_t;
	type aisexec_initrc_exec_t;
')

	# NOTE(review): named aisexecd_admin while every other interface of this module uses the aisexec_ prefix
	allow $1 aisexec_t:process signal_perms;
	ps_process_pattern($1, aisexec_t)

	# ptrace of aisexec_t is granted only while the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 aisexec_t:process ptrace;
	')

	init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
	domain_system_change_exemption($1)
	# the init script runs under system_r, so the admin role must be able to reach it
	role_transition $2 aisexec_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_var_lib($1)
	admin_pattern($1, aisexec_var_lib_t)

	logging_list_logs($1)
	admin_pattern($1, aisexec_var_log_t)

	files_list_pids($1)
	admin_pattern($1, aisexec_var_run_t)

	files_list_tmp($1)
	admin_pattern($1, aisexec_tmp_t)

	admin_pattern($1, aisexec_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `aisexecd_admin'($*)) dnl
')

## <summary>policy for ajaxterm</summary>

########################################
## <summary>
##	Execute a domain transition to run ajaxterm.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ajaxterm_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ajaxterm_domtrans'($*)) dnl
gen_require(`
	type ajaxterm_t, ajaxterm_exec_t;
')

	# NOTE(review): the other domtrans interfaces in this file also call corecmd_search_bin on $1
	domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ajaxterm_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute ajaxterm server in the ajaxterm domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ajaxterm_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ajaxterm_initrc_domtrans'($*)) dnl
gen_require(`
	type ajaxterm_initrc_exec_t;
')

	init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ajaxterm_initrc_domtrans'($*)) dnl
')

#######################################
## <summary>
##	Read and write the ajaxterm pty type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ajaxterm_rw_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ajaxterm_rw_ptys'($*)) dnl
gen_require(`
	type ajaxterm_devpts_t;
')

	# inherited-terminal permissions only: no open of the pty is granted here
	allow $1 ajaxterm_devpts_t:chr_file rw_inherited_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ajaxterm_rw_ptys'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	an ajaxterm environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`ajaxterm_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ajaxterm_admin'($*)) dnl
gen_require(`
	type ajaxterm_t, ajaxterm_initrc_exec_t;
')

	allow $1 ajaxterm_t:process signal_perms;
	ps_process_pattern($1, ajaxterm_t)

	# ptrace of ajaxterm_t is granted only while the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 ajaxterm_t:process ptrace;
	')

	ajaxterm_initrc_domtrans($1)
	domain_system_change_exemption($1)
	# the init script runs under system_r, so the admin role must be able to reach it
	role_transition $2 ajaxterm_initrc_exec_t system_r;
	allow $2 system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ajaxterm_admin'($*)) dnl
')

## <summary>Advanced Linux Sound Architecture utilities.</summary>

########################################
## <summary>
##	Role access for alsa.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
define(`alsa_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_role'($*)) dnl
	# deprecated stub: only prints a warning at expansion time and grants no access
	refpolicywarn(`$0($*) has been deprecated') dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_role'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run Alsa.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`alsa_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_domtrans'($*)) dnl
gen_require(`
	type alsa_t, alsa_exec_t;
')

	corecmd_search_bin($1)
	domtrans_pattern($1, alsa_exec_t, alsa_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run
##	Alsa, and allow the specified role
##	the Alsa domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`alsa_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_run'($*)) dnl
gen_require(`
	attribute_role alsa_roles;
')

	alsa_domtrans($1)
	# the role is added to the alsa_roles attribute rather than granted alsa_t directly
	roleattribute $2 alsa_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_run'($*)) dnl
')

########################################
## <summary>
##	Read and write Alsa semaphores.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`alsa_rw_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_rw_semaphores'($*)) dnl
gen_require(`
	type alsa_t;
')

	allow $1 alsa_t:sem rw_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_rw_semaphores'($*)) dnl
')

########################################
## <summary>
##	Read and write Alsa shared memory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`alsa_rw_shared_mem',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_rw_shared_mem'($*)) dnl
gen_require(`
	type alsa_t;
')

	allow $1 alsa_t:shm rw_shm_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_rw_shared_mem'($*)) dnl
')

########################################
## <summary>
##	Read writable Alsa configuration content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`alsa_read_rw_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_read_rw_config'($*)) dnl
gen_require(`
	type alsa_etc_rw_t;
')

	files_search_etc($1)
	allow $1 alsa_etc_rw_t:dir list_dir_perms;
	read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
	read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)

	# Debian keeps part of this content under /usr, so the search path differs there
	ifdef(`distro_debian',`
		files_search_usr($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_read_rw_config'($*)) dnl
')

########################################
## <summary>
##	Manage writable Alsa config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`alsa_manage_rw_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_manage_rw_config'($*)) dnl
gen_require(`
	type alsa_etc_rw_t;
')

	files_search_etc($1)
	allow $1 alsa_etc_rw_t:dir list_dir_perms;
	manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
	read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)

	# Debian keeps part of this content under /usr, so the search path differs there
	ifdef(`distro_debian',`
		files_search_usr($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_manage_rw_config'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	alsa home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`alsa_manage_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_manage_home_files'($*)) dnl
gen_require(`
	type alsa_home_t;
')

	userdom_search_user_home_dirs($1)
	allow $1 alsa_home_t:file manage_file_perms;
	# newly created home content gets the alsa_home_t label
	alsa_filetrans_home_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_manage_home_files'($*)) dnl
')

########################################
## <summary>
##	Read Alsa home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`alsa_read_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_read_home_files'($*)) dnl
gen_require(`
	type alsa_home_t;
')

	userdom_search_user_home_dirs($1)
	allow $1 alsa_home_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_read_home_files'($*)) dnl
')

########################################
## <summary>
##	Relabel alsa home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`alsa_relabel_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_relabel_home_files'($*)) dnl
gen_require(`
	type alsa_home_t;
')

	userdom_search_user_home_dirs($1)
	allow $1 alsa_home_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_relabel_home_files'($*)) dnl
')

########################################
## <summary>
##	Read Alsa lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`alsa_read_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_read_lib'($*)) dnl
gen_require(`
	type alsa_var_lib_t;
')

	files_search_var_lib($1)
	read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_read_lib'($*)) dnl
')

########################################
## <summary>
##	Transition to alsa named content
##	in user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`alsa_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_filetrans_home_content'($*)) dnl
gen_require(`
	type alsa_home_t;
')

	# only a file literally named .asoundrc gets the alsa_home_t label on creation
	userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_filetrans_home_content'($*)) dnl
')

########################################
## <summary>
##	Transition to alsa named content
##	in /etc, /usr and /var/lib.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`alsa_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_filetrans_named_content'($*)) dnl
gen_require(`
	type alsa_home_t;
	type alsa_etc_rw_t;
	type alsa_var_lib_t;
')

	# NOTE(review): alsa_home_t is required above but no rule in this interface references it
	files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
	files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
	files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
	files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf")
	files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")
	files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_filetrans_named_content'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage the alsa service.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`alsa_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_systemctl'($*)) dnl
gen_require(`
	type alsa_t;
	type alsa_unit_file_t;
')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 alsa_unit_file_t:file read_file_perms;
	allow $1 alsa_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, alsa_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_systemctl'($*)) dnl
')

#########################################
## <summary>
##	Write Alsa lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`alsa_write_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `alsa_write_lib'($*)) dnl
gen_require(`
	type alsa_var_lib_t;
')

	files_search_var_lib($1)
	write_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `alsa_write_lib'($*)) dnl
')

## <summary>Advanced Maryland Automatic Network Disk Archiver.</summary>

########################################
## <summary>
##	Execute a domain transition to run
##	Amanda recover.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`amanda_domtrans_recover',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amanda_domtrans_recover'($*)) dnl
gen_require(`
	type amanda_recover_t, amanda_recover_exec_t;
')

	corecmd_search_bin($1)
	domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amanda_domtrans_recover'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run
##	Amanda recover, and allow the specified
##	role the Amanda recover domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`amanda_run_recover',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amanda_run_recover'($*)) dnl
gen_require(`
	attribute_role amanda_recover_roles;
')

	amanda_domtrans_recover($1)
	# the role is added to the amanda_recover_roles attribute rather than granted the domain directly
	roleattribute $2 amanda_recover_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amanda_run_recover'($*)) dnl
')

########################################
## <summary>
##	Search Amanda library directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`amanda_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amanda_search_lib'($*)) dnl
gen_require(`
	type amanda_usr_lib_t;
')

	files_search_usr($1)
	allow $1 amanda_usr_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amanda_search_lib'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read /etc/dumpdates.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`amanda_dontaudit_read_dumpdates',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amanda_dontaudit_read_dumpdates'($*)) dnl
gen_require(`
	type amanda_dumpdates_t;
')

	dontaudit $1 amanda_dumpdates_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amanda_dontaudit_read_dumpdates'($*)) dnl
')

########################################
## <summary>
##	Read and write /etc/dumpdates.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`amanda_rw_dumpdates_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amanda_rw_dumpdates_files'($*)) dnl
gen_require(`
	type amanda_dumpdates_t;
')

	files_search_etc($1)
	allow $1 amanda_dumpdates_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amanda_rw_dumpdates_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	Amanda library directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`amanda_manage_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amanda_manage_lib'($*)) dnl
gen_require(`
	type amanda_usr_lib_t;
')

	files_search_usr($1)
	# directory management only; no file permissions on the lib content are granted here
	allow $1 amanda_usr_lib_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amanda_manage_lib'($*)) dnl
')

########################################
## <summary>
##	Read and append amanda log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`amanda_append_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amanda_append_log_files'($*)) dnl
gen_require(`
	type amanda_log_t;
')

	logging_search_logs($1)
	# append rather than write keeps existing log content from being overwritten
	allow $1 amanda_log_t:file { read_file_perms append_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amanda_append_log_files'($*)) dnl
')

#######################################
## <summary>
##	Search Amanda var library directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`amanda_search_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amanda_search_var_lib'($*)) dnl
gen_require(`
	type amanda_var_lib_t;
')

	files_search_var_lib($1)
	allow $1 amanda_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amanda_search_var_lib'($*)) dnl
')

## <summary>High-performance interface between an email server and content checkers.</summary>

########################################
## <summary>
##	Execute a domain transition to run amavis.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`amavis_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_domtrans'($*)) dnl
gen_require(`
	type amavis_t, amavis_exec_t;
')

	corecmd_search_bin($1)
	domtrans_pattern($1, amavis_exec_t, amavis_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute amavis server in the amavis domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`amavis_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_initrc_domtrans'($*)) dnl
gen_require(`
	type amavis_initrc_exec_t;
')

	init_labeled_script_domtrans($1, amavis_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read amavis spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`amavis_read_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_read_spool_files'($*)) dnl
gen_require(`
	type amavis_spool_t;
')

	files_search_spool($1)
	read_files_pattern($1, amavis_spool_t, amavis_spool_t)
	allow $1 amavis_spool_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_read_spool_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	amavis spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`amavis_manage_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_manage_spool_files'($*)) dnl
gen_require(`
	type amavis_spool_t;
')

	files_search_spool($1)
	manage_dirs_pattern($1, amavis_spool_t, amavis_spool_t)
	manage_files_pattern($1, amavis_spool_t, amavis_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_manage_spool_files'($*)) dnl
')

########################################
## <summary>
##	Create objects in the amavis spool directories
##	with a private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	Private file type.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Class of the object being created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`amavis_spool_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_spool_filetrans'($*)) dnl
gen_require(`
	type amavis_spool_t;
')

	files_search_spool($1)
	# $2 is the private type, $3 the object class, $4 the optional object name
	filetrans_pattern($1, amavis_spool_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_spool_filetrans'($*)) dnl
')

########################################
## <summary>
##	Search amavis lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`amavis_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_search_lib'($*)) dnl
gen_require(`
	type amavis_var_lib_t;
')

	allow $1 amavis_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read amavis lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`amavis_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_read_lib_files'($*)) dnl
gen_require(`
	type amavis_var_lib_t;
')

	read_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
	allow $1 amavis_var_lib_t:dir list_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Read and write amavis lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`amavis_rw_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_rw_lib_files'($*)) dnl
	gen_require(`
		type amavis_var_lib_t;
	')

	# Read/write on existing files only; creation and deletion are
	# reserved for amavis_manage_lib_files.
	rw_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
	allow $1 amavis_var_lib_t:dir list_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_rw_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	amavis lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`amavis_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_manage_lib_files'($*)) dnl
	gen_require(`
		type amavis_var_lib_t;
	')

	# Files only; amavis_var_lib_t directories themselves are not managed here.
	manage_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Set attributes of amavis pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`amavis_setattr_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_setattr_pid_files'($*)) dnl
	gen_require(`
		type amavis_var_run_t;
	')

	allow $1 amavis_var_run_t:file setattr_file_perms;
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_setattr_pid_files'($*)) dnl
')

########################################
## <summary>
##	Create amavis pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`amavis_create_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_create_pid_files'($*)) dnl
	gen_require(`
		type amavis_var_run_t;
	')

	# Creating a pid file needs both an entry in the pid directory and
	# create permission on the file itself.
	allow $1 amavis_var_run_t:dir add_entry_dir_perms;
	allow $1 amavis_var_run_t:file create_file_perms;
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_create_pid_files'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an amavis environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`amavis_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amavis_admin'($*)) dnl
	gen_require(`
		type amavis_t, amavis_tmp_t, amavis_var_log_t;
		type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
		type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t;
	')

	allow $1 amavis_t:process signal_perms;
	ps_process_pattern($1, amavis_t)

	# ptrace of the daemon is only granted while the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 amavis_t:process ptrace;
	')

	# Let the admin role start/stop the service through the init script.
	amavis_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 amavis_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, amavis_etc_t)
	admin_pattern($1, amavis_quarantine_t)

	files_list_spool($1)
	admin_pattern($1, amavis_spool_t)

	files_list_tmp($1)
	admin_pattern($1, amavis_tmp_t)

	files_list_var_lib($1)
	admin_pattern($1, amavis_var_lib_t)

	logging_list_logs($1)
	admin_pattern($1, amavis_var_log_t)

	files_list_pids($1)
	admin_pattern($1, amavis_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amavis_admin'($*)) dnl
')

## <summary>Abstract Machine Test Utility.</summary>

########################################
## <summary>
##	Execute a domain transition to run Amtu.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
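##	</summary>
## </param>
#
define(`amtu_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amtu_domtrans'($*)) dnl
	gen_require(`
		type amtu_t, amtu_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, amtu_exec_t, amtu_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amtu_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run
##	Amtu, and allow the specified role
##	the Amtu domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`amtu_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amtu_run'($*)) dnl
	gen_require(`
		attribute_role amtu_roles;
	')

	amtu_domtrans($1)
	# Role access is granted through the role attribute rather than
	# a direct "role $2 types amtu_t" statement.
	roleattribute $2 amtu_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amtu_run'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an amtu environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`amtu_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `amtu_admin'($*)) dnl
	gen_require(`
		type amtu_t, amtu_initrc_exec_t;
	')

	allow $1 amtu_t:process signal_perms;
	ps_process_pattern($1, amtu_t)

	# ptrace is gated on the deny_ptrace tunable, matching the other
	# *_admin interfaces (amavis_admin, antivirus_admin); previously it
	# was granted unconditionally here.
	tunable_policy(`deny_ptrace',`',`
		allow $1 amtu_t:process ptrace;
	')

	init_labeled_script_domtrans($1, amtu_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 amtu_initrc_exec_t system_r;
	allow $2 system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `amtu_admin'($*)) dnl
')

## <summary>Anaconda installer.</summary>

########################################
## <summary>
##	Execute a domain transition to run install.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.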
##	</summary>
## </param>
#
define(`anaconda_domtrans_install',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `anaconda_domtrans_install'($*)) dnl
	gen_require(`
		type install_t, install_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, install_exec_t, install_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `anaconda_domtrans_install'($*)) dnl
')

########################################
## <summary>
##	Execute install in the install
##	domain, and allow the specified
##	role the install domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`anaconda_run_install',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `anaconda_run_install'($*)) dnl
	gen_require(`
		type install_t;
		type install_exec_t;
		attribute_role install_roles;
	')

	anaconda_domtrans_install($1)
	roleattribute $2 install_roles;
	# Note: the role is switched to system_r on the transition; the
	# caller's role does not stay attached to install_t.
	role_transition $2 install_exec_t system_r;

	optional_policy(`
		rpm_transition_script(install_t, $2)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `anaconda_run_install'($*)) dnl
')

########################################
## <summary>
##	Execute preupgrade in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`anaconda_exec_preupgrade',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `anaconda_exec_preupgrade'($*)) dnl
	gen_require(`
		type preupgrade_exec_t;
	')

	corecmd_search_bin($1)
	# No domain transition: preupgrade runs with the caller's own label.
	can_exec($1, preupgrade_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `anaconda_exec_preupgrade'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run preupgrade.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`anaconda_domtrans_preupgrade',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `anaconda_domtrans_preupgrade'($*)) dnl
	gen_require(`
		type preupgrade_t, preupgrade_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, preupgrade_exec_t, preupgrade_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `anaconda_domtrans_preupgrade'($*)) dnl
')

########################################
## <summary>
##	Read preupgrade lib files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`anaconda_read_lib_files_preupgrade',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `anaconda_read_lib_files_preupgrade'($*)) dnl
	gen_require(`
		type preupgrade_data_t;
	')

	read_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
	read_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `anaconda_read_lib_files_preupgrade'($*)) dnl
')

########################################
## <summary>
##	Manage preupgrade lib files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`anaconda_manage_lib_files_preupgrade',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `anaconda_manage_lib_files_preupgrade'($*)) dnl
	gen_require(`
		type preupgrade_data_t;
	')

	manage_dirs_pattern($1, preupgrade_data_t, preupgrade_data_t)
	manage_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
	manage_lnk_files_pattern($1, preupgrade_data_t, preupgrade_data_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `anaconda_manage_lib_files_preupgrade'($*)) dnl
')

## <summary>SELinux policy for antivirus programs - amavis, clamd, freshclam and clamscan</summary>

######################################
## <summary>
##	Creates types and rules for a basic
##	antivirus domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
define(`antivirus_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_domain_template'($*)) dnl
	gen_require(`
		attribute antivirus_domain;
	')

	# NOTE(review): despite the parameter summary ("Prefix for the domain"),
	# $1 is used directly as an existing domain type here, not as a prefix
	# from which new types are derived.
	typeattribute $1 antivirus_domain;

	kernel_read_system_state($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_domain_template'($*)) dnl
')

#######################################
## <summary>
##	Execute a domain transition to run antivirus program.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`antivirus_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_domtrans'($*)) dnl
	gen_require(`
		type antivirus_t, antivirus_exec_t;
	')

	domtrans_pattern($1, antivirus_exec_t, antivirus_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_domtrans'($*)) dnl
')

#######################################
## <summary>
##	Execute antivirus program without a transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`antivirus_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_exec'($*)) dnl
	gen_require(`
		type antivirus_exec_t;
	')

	# The scanner binary runs in the caller's domain ($1), so any access
	# it needs must already be granted to $1.
	can_exec($1, antivirus_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_exec'($*)) dnl
')

#######################################
## <summary>
##	Connect to run antivirus program.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`antivirus_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_stream_connect'($*)) dnl
	gen_require(`
		type antivirus_t, antivirus_db_t, antivirus_var_run_t;
	')

	files_search_pids($1)
	# The daemon socket may live either under the pid directory or in the
	# db directory, so both locations are allowed for connecting to antivirus_t.
	stream_connect_pattern($1, antivirus_var_run_t, antivirus_var_run_t, antivirus_t)
	stream_connect_pattern($1, antivirus_db_t, antivirus_db_t, antivirus_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_stream_connect'($*)) dnl
')

#######################################
## <summary>
##	Allow the specified domain to append
##	to antivirus log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`antivirus_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_append_log'($*)) dnl
	gen_require(`
		type antivirus_log_t;
	')

	logging_search_logs($1)
	allow $1 antivirus_log_t:dir list_dir_perms;
	# Append only: existing log content cannot be read or rewritten through this interface.
	append_files_pattern($1, antivirus_log_t, antivirus_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_append_log'($*)) dnl
')

#######################################
## <summary>
##	Read antivirus configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`antivirus_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_read_config'($*)) dnl
	gen_require(`
		type antivirus_conf_t;
	')

	files_search_etc($1)
	# NOTE(review): only file access on antivirus_conf_t is granted; no
	# search/list permission on antivirus_conf_t directories is included,
	# so config files inside a directory of that type may be unreachable
	# through this interface alone — confirm against the file contexts.
	allow $1 antivirus_conf_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_read_config'($*)) dnl
')

#######################################
## <summary>
##	Search antivirus db content directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`antivirus_search_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_search_db'($*)) dnl
	gen_require(`
		type antivirus_db_t;
	')

	# db content may be located under either var_lib or spool.
	files_search_var_lib($1)
	files_search_spool($1)
	allow $1 antivirus_db_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_search_db'($*)) dnl
')

######################################
## <summary>
##	Read antivirus db content directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`antivirus_read_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_read_db'($*)) dnl
	gen_require(`
		type antivirus_db_t;
	')

	files_search_var_lib($1)
	files_search_spool($1)
	read_files_pattern($1, antivirus_db_t, antivirus_db_t)
	read_lnk_files_pattern($1, antivirus_db_t, antivirus_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_read_db'($*)) dnl
')

#####################################
## <summary>
##	Read and write antivirus db content directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`antivirus_rw_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_rw_db'($*)) dnl
	gen_require(`
		type antivirus_db_t;
	')

	files_search_var_lib($1)
	files_search_spool($1)
	# NOTE(review): the summary and the interface name say "read and write",
	# but only write_files_pattern is used (compare rw_files_pattern in
	# amavis_rw_lib_files). Callers that also need to read the db content
	# must combine this with antivirus_read_db, or the summary should be
	# corrected — confirm the intended contract before widening access.
	write_files_pattern($1, antivirus_db_t, antivirus_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_rw_db'($*)) dnl
')

####################################
## <summary>
##	Manage antivirus db content directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`antivirus_manage_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_manage_db'($*)) dnl
	gen_require(`
		type antivirus_db_t;
	')

	files_search_var_lib($1)
	files_search_spool($1)
	manage_files_pattern($1, antivirus_db_t, antivirus_db_t)
	manage_dirs_pattern($1, antivirus_db_t, antivirus_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_manage_db'($*)) dnl
')

#######################################
## <summary>
##	Manage antivirus pid content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`antivirus_manage_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_manage_pid'($*)) dnl
	gen_require(`
		type antivirus_var_run_t;
	')

	# Unlike the amavis pid interfaces, no files_search_pids($1) is
	# included here; the caller must already be able to reach the pid directory.
	manage_dirs_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
	manage_files_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_manage_pid'($*)) dnl
')

######################################
## <summary>
##	Read antivirus state files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`antivirus_read_state_clamd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_read_state_clamd'($*)) dnl
	gen_require(`
		type antivirus_t;
	')

	# Read the daemon's /proc entries (ps-style access).
	kernel_search_proc($1)
	ps_process_pattern($1, antivirus_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_read_state_clamd'($*)) dnl
')

######################################
## <summary>
##	Execute antivirus server in the antivirus domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
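##	</summary>
## </param>
#
define(`antivirus_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_systemctl'($*)) dnl
	gen_require(`
		type antivirus_t;
		type antivirus_unit_file_t;
	')

	# NOTE(review): despite the summary ("Execute antivirus server in the
	# antivirus domain"), this interface grants systemctl-style control of
	# the antivirus unit, not a domain transition into antivirus_t.
	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 antivirus_unit_file_t:file read_file_perms;
	allow $1 antivirus_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, antivirus_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_systemctl'($*)) dnl
')

#######################################
## <summary>
##	All of the rules required to administrate
##	an antivirus programs environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the clamav domain.
##	</summary>
## </param>
## <rolecap/>
#
define(`antivirus_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `antivirus_admin'($*)) dnl
	gen_require(`
		attribute antivirus_domain;
		type antivirus_t, antivirus_conf_t, antivirus_tmp_t;
		type antivirus_log_t, antivirus_db_t, antivirus_var_run_t;
		type antivirus_initrc_exec_t, antivirus_unit_file_t;
	')

	allow $1 antivirus_t:process signal_perms;
	ps_process_pattern($1, antivirus_t)

	# ptrace of the daemon is only granted while the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 antivirus_t:process ptrace;
	')

	init_labeled_script_domtrans($1, antivirus_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 antivirus_initrc_exec_t system_r;
	allow $2 system_r;

	antivirus_systemctl($1)
	admin_pattern($1, antivirus_unit_file_t)
	allow $1 antivirus_unit_file_t:service all_service_perms;

	files_list_etc($1)
	admin_pattern($1, antivirus_conf_t)

	files_list_var_lib($1)
	admin_pattern($1, antivirus_db_t)

	logging_list_logs($1)
	admin_pattern($1, antivirus_log_t)

	files_list_pids($1)
	admin_pattern($1, antivirus_var_run_t)

	files_list_tmp($1)
	admin_pattern($1, antivirus_tmp_t)

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `antivirus_admin'($*)) dnl
')

## <summary>Apache web server</summary>

########################################
## <summary>
##	Create a set of derived types for apache
##	web content.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix to be used for deriving type names.
##	</summary>
## </param>
#
define(`apache_user_content_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_user_content_template'($*)) dnl
	gen_require(`
		attribute httpd_exec_scripts, httpd_script_exec_type;
		type httpd_t, httpd_suexec_t;
		attribute httpd_script_type, httpd_user_content_type;
	')

	#This type is for webpages
	type $1_content_t; # customizable;
	typeattribute $1_content_t httpd_user_content_type;
	typealias $1_content_t alias { httpd_$1_content_t httpd_$1_script_ro_t };
	files_type($1_content_t)

	# This type is used for .htaccess files
	# NOTE(review): httpd_content_type is used below but is not listed in
	# this template's gen_require; it must be in scope at the call site.
	type $1_htaccess_t, httpd_content_type; # customizable;
	typeattribute $1_htaccess_t httpd_user_content_type;
	typealias $1_htaccess_t alias {httpd_$1_htaccess_t };
	files_type($1_htaccess_t)

	# Type that CGI scripts run as
	type $1_script_t, httpd_script_type;
	typealias $1_script_t alias { httpd_$1_script_t };
	domain_type($1_script_t)
	role system_r types $1_script_t;
	kernel_read_system_state($1_script_t)

	# This type is used for executable scripts files
	type $1_script_exec_t, httpd_script_exec_type; # customizable;
	typeattribute $1_script_exec_t httpd_user_content_type;
	typealias $1_script_exec_t alias { httpd_$1_script_exec_t };
	domain_entry_file($1_script_t, $1_script_exec_t)

	type $1_rw_content_t; # customizable
	typeattribute $1_rw_content_t httpd_user_content_type;
	typealias $1_rw_content_t alias { httpd_$1_rw_content_t $1_script_rw_t $1_content_rw_t };
	files_type($1_rw_content_t)

	type $1_ra_content_t, httpd_content_type; # customizable
	typeattribute $1_ra_content_t httpd_user_content_type;
	typealias $1_ra_content_t alias { httpd_$1_ra_content_t $1_script_ra_t $1_content_ra_t };
	files_type($1_ra_content_t)

	# Allow the script process to search the cgi directory, and users directory
	allow $1_script_t $1_content_t:dir search_dir_perms;

	can_exec($1_script_t, $1_script_exec_t)
	allow $1_script_t $1_script_exec_t:dir list_dir_perms;

	# "ra" content: the script may read, append and create, but not rewrite or delete.
	allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
	read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
	append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
	create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
	read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)

	allow $1_script_t $1_content_t:dir list_dir_perms;
	read_files_pattern($1_script_t, $1_content_t, $1_content_t)
	read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)

	# "rw" content: fully managed by the script domain, including pipes and sockets.
	manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
	manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
	manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
	manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
	manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
	# NOTE(review): the map permission and the absence of "shutdown" on the
	# stream socket below differ from apache_content_template; confirm whether
	# the two templates are meant to diverge here.
	allow $1_script_t $1_rw_content_t:file map;

	allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write };

	# Allow the web server to run scripts and serve pages
	tunable_policy(`httpd_builtin_scripting',`
		manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
		manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
		manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
		rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)

		allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
		read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
		append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
		create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
		read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
	')

	tunable_policy(`httpd_enable_cgi',`
		allow $1_script_t $1_script_exec_t:file entrypoint;
		domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)

		# privileged users run the script:
		domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
		allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;

		# apache runs the script:
		domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
		allow httpd_t $1_script_t:unix_dgram_socket sendto;
	') dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_user_content_template'($*)) dnl
')

########################################
## <summary>
##	Create a set of derived types for apache
##	web content.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix to be used for deriving type names.
##	</summary>
## </param>
#
define(`apache_content_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_content_template'($*)) dnl
	gen_require(`
		attribute httpd_exec_scripts, httpd_script_exec_type;
		type httpd_t, httpd_suexec_t;
		attribute httpd_script_type, httpd_content_type;
	')

	#This type is for webpages
	type $1_content_t; # customizable;
	typeattribute $1_content_t httpd_content_type;
	typealias $1_content_t alias httpd_$1_script_ro_t;
	files_type($1_content_t)

	# This type is used for .htaccess files
	type $1_htaccess_t, httpd_content_type; # customizable;
	typeattribute $1_htaccess_t httpd_content_type;
	files_type($1_htaccess_t)

	# Type that CGI scripts run as
	type $1_script_t, httpd_script_type;
	typealias $1_script_t alias { httpd_$1_script_t };
	domain_type($1_script_t)
	role system_r types $1_script_t;
	kernel_read_system_state($1_script_t)

	# This type is used for executable scripts files
	type $1_script_exec_t, httpd_script_exec_type; # customizable;
	typeattribute $1_script_exec_t httpd_content_type;
	domain_entry_file($1_script_t, $1_script_exec_t)

	type $1_rw_content_t; # customizable
	typeattribute $1_rw_content_t httpd_content_type;
	typealias $1_rw_content_t alias { $1_script_rw_t $1_content_rw_t };
	files_type($1_rw_content_t)

	type $1_ra_content_t, httpd_content_type; # customizable
	typeattribute $1_ra_content_t httpd_content_type;
	typealias $1_ra_content_t alias { $1_script_ra_t $1_content_ra_t };
	files_type($1_ra_content_t)

	# Allow the script process to search the cgi directory, and users directory
	allow $1_script_t $1_content_t:dir search_dir_perms;

	can_exec($1_script_t, $1_script_exec_t)
	allow $1_script_t $1_script_exec_t:dir list_dir_perms;

	# "ra" content: read, append and create only.
	allow $1_script_t $1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
	read_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
	append_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
	create_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)
	read_lnk_files_pattern($1_script_t, $1_ra_content_t, $1_ra_content_t)

	allow $1_script_t $1_content_t:dir list_dir_perms;
	read_files_pattern($1_script_t, $1_content_t, $1_content_t)
	read_lnk_files_pattern($1_script_t, $1_content_t, $1_content_t)

	# "rw" content: fully managed by the script domain.
	manage_dirs_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
	manage_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
	manage_lnk_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
	manage_fifo_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)
	manage_sock_files_pattern($1_script_t, $1_rw_content_t, $1_rw_content_t)

	allow $1_script_t httpd_t:unix_stream_socket { ioctl accept getattr read write shutdown };

	# Allow the web server to run scripts and serve pages
	tunable_policy(`httpd_builtin_scripting',`
		manage_dirs_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
		manage_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
		manage_lnk_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)
		rw_sock_files_pattern(httpd_t, $1_rw_content_t, $1_rw_content_t)

		allow httpd_t $1_ra_content_t:dir { add_entry_dir_perms };
		read_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
		append_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
		create_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
		read_lnk_files_pattern(httpd_t, $1_ra_content_t, $1_ra_content_t)
	')

	tunable_policy(`httpd_enable_cgi',`
		allow $1_script_t $1_script_exec_t:file entrypoint;
		domtrans_pattern(httpd_suexec_t, $1_script_exec_t, $1_script_t)

		# privileged users run the script:
		domtrans_pattern(httpd_exec_scripts, $1_script_exec_t, $1_script_t)
		allow httpd_exec_scripts $1_script_exec_t:file read_file_perms;

		# apache runs the script:
		domtrans_pattern(httpd_t, $1_script_exec_t, $1_script_t)
		allow httpd_t $1_script_t:unix_dgram_socket sendto;
	') dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_content_template'($*)) dnl
')

########################################
## <summary>
##	Create a set of derived types for apache
##	web content.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix to be used for deriving new type names.
##	</summary>
## </param>
## <param name="old_prefix">
##	<summary>
##	The prefix to be used for deriving old type names.
##	</summary>
## </param>
#
define(`apache_content_alias_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_content_alias_template'($*)) dnl
	# Compatibility aliases from the old httpd_<old_prefix>_* names to the
	# current <prefix>_* types. The script domain alias is intentionally
	# left disabled.
	typealias $1_htaccess_t alias httpd_$2_htaccess_t;
	#typealias $1_script_t alias httpd_$2_script_t;
	typealias $1_script_exec_t alias httpd_$2_script_exec_t;
	typealias $1_content_t alias httpd_$2_content_t;
	typealias $1_rw_content_t alias httpd_$2_script_rw_content_t;
	typealias $1_ra_content_t alias httpd_$2_script_ra_content_t; dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_content_alias_template'($*)) dnl
')

########################################
## <summary>
##	Role access for apache
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
define(`apache_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_role'($*)) dnl
	gen_require(`
		attribute httpdcontent;
		type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
		type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
	')

	role $1 types httpd_user_script_t;

	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };

	# The user domain manages and relabels every kind of user web content.
	# (The httpd_user_content_t block used to be listed twice; the duplicate
	# was removed, which does not change the resulting policy.)
	manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
	manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
	manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
	relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
	relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
	relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)

	manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
	relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)

	manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
	relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)

	manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
	relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)

	apache_exec_modules($2)
	apache_filetrans_home_content($2)

	tunable_policy(`httpd_enable_cgi',`
		# If a user starts a script by hand it gets the proper context
		domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
	')

	tunable_policy(`httpd_enable_cgi && httpd_unified',`
		domtrans_pattern($2, httpdcontent, httpd_user_script_t)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_role'($*)) dnl
')

########################################
## <summary>
##	Read httpd user scripts executables.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_read_user_scripts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_user_scripts'($*)) dnl
	gen_require(`
		type httpd_user_script_exec_t;
	')

	allow $1 httpd_user_script_exec_t:dir list_dir_perms;
	read_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
	read_lnk_files_pattern($1, httpd_user_script_exec_t, httpd_user_script_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_user_scripts'($*)) dnl
')

########################################
## <summary>
##	Read user web content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.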
##	</summary>
## </param>
#
define(`apache_read_user_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_user_content'($*)) dnl
	gen_require(`
		type httpd_user_content_t;
	')

	allow $1 httpd_user_content_t:dir list_dir_perms;
	read_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
	read_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_user_content'($*)) dnl
')

########################################
## <summary>
##	Manage user web content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_manage_user_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_user_content'($*)) dnl
	gen_require(`
		type httpd_user_content_t;
	')

	# Directory management is granted directly rather than via
	# manage_dirs_pattern; files and symlinks use the pattern macros.
	allow $1 httpd_user_content_t:dir manage_dir_perms;
	manage_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
	manage_lnk_files_pattern($1, httpd_user_content_t, httpd_user_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_user_content'($*)) dnl
')

########################################
## <summary>
##	Transition to apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`apache_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_domtrans'($*)) dnl
	gen_require(`
		type httpd_t, httpd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, httpd_exec_t, httpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_domtrans'($*)) dnl
')

######################################
## <summary>
##	Allow the specified domain to execute apache
##	in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`apache_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_exec'($*)) dnl
	gen_require(`
		type httpd_exec_t;
	')

	# No domain transition: httpd runs with the privileges of the calling
	# domain and is not confined by httpd_t. Prefer apache_domtrans unless
	# running the binary unconfined-in-caller is really intended.
	can_exec($1, httpd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_exec'($*)) dnl
')

######################################
## <summary>
##	Allow the specified domain to execute apache suexec
##	in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_exec_suexec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_exec_suexec'($*)) dnl
	gen_require(`
		type httpd_suexec_exec_t;
	')

	# suexec runs inside the calling domain rather than in its own domain,
	# so everything suexec does at runtime must already be allowed to the
	# caller by its own policy.
	can_exec($1, httpd_suexec_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_exec_suexec'($*)) dnl
')

#######################################
## <summary>
##	Send a generic signal to apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_signal'($*)) dnl
	gen_require(`
		type httpd_t;
	')

	# process:signal is the generic-signal permission; sigkill, sigstop,
	# sigchld and signull are separate SELinux permissions and are not
	# granted by this interface.
	allow $1 httpd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_signal'($*)) dnl
')

########################################
## <summary>
##	Send a null signal to apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_signull'($*)) dnl
	gen_require(`
		type httpd_t;
	')

	# Existence/liveness check only (kill -0); does not deliver a signal.
	allow $1 httpd_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_signull'($*)) dnl
')

########################################
## <summary>
##	Send a SIGCHLD signal to apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`apache_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_sigchld'($*)) dnl
	gen_require(`
		type httpd_t;
	')

	allow $1 httpd_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_sigchld'($*)) dnl
')

########################################
## <summary>
##	Allow the domain to read apache state files in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_state'($*)) dnl
	gen_require(`
		type httpd_t;
	')

	# Read the /proc/<pid> entries of httpd_t processes (whatever
	# ps_process_pattern grants); no control over the processes.
	kernel_search_proc($1)
	ps_process_pattern($1, httpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_state'($*)) dnl
')

########################################
## <summary>
##	Inherit and use file descriptors from Apache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_use_fds'($*)) dnl
	gen_require(`
		type httpd_t;
	')

	# fd:use only covers using a descriptor httpd_t created; the caller still
	# needs permissions on the object the descriptor refers to.
	allow $1 httpd_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_use_fds'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write Apache
##	unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`apache_dontaudit_rw_fifo_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_rw_fifo_file'($*)) dnl
	gen_require(`
		type httpd_t;
	')

	# Silences denials only; nothing is allowed.
	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_rw_fifo_file'($*)) dnl
')

########################################
## <summary>
##	Allow attempts to read and write Apache
##	unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`apache_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_rw_stream_sockets'($*)) dnl
	gen_require(`
		type httpd_t;
	')

	# Read/write on an httpd_t stream socket the caller already holds
	# (inherited or passed). connectto is not granted, so this does not let
	# the caller open new connections to httpd sockets.
	allow $1 httpd_t:unix_stream_socket { getattr read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_rw_stream_sockets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write Apache
##	unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`apache_dontaudit_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_rw_stream_sockets'($*)) dnl
	gen_require(`
		type httpd_t;
	')

	dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_rw_stream_sockets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write Apache
##	TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`apache_dontaudit_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_rw_tcp_sockets'($*)) dnl
	gen_require(`
		type httpd_t;
	')

	dontaudit $1 httpd_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_rw_tcp_sockets'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete all web content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
define(`apache_manage_all_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_all_content'($*)) dnl
	gen_require(`
		attribute httpdcontent, httpd_script_exec_type;
	')

	manage_dirs_pattern($1, httpdcontent, httpdcontent)
	manage_files_pattern($1, httpdcontent, httpdcontent)
	manage_lnk_files_pattern($1, httpdcontent, httpdcontent)

	# WARNING: httpd_script_exec_type presumably groups the script entry-point
	# types (httpd_sys_script_exec_t, httpd_user_script_exec_t, which other
	# interfaces in this file use as domtrans entry points). Write access to
	# them lets the caller create or replace the CGI executables httpd will
	# run, i.e. choose the code executed in the script domains. Grant only to
	# content-administration domains.
	manage_dirs_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
	manage_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
	manage_lnk_files_pattern($1, httpd_script_exec_type, httpd_script_exec_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_all_content'($*)) dnl
')

########################################
## <summary>
##	Allow domain to set the attributes
##	of the APACHE cache directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_setattr_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_setattr_cache_dirs'($*)) dnl
	gen_require(`
		type httpd_cache_t;
	')

	allow $1 httpd_cache_t:dir setattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_setattr_cache_dirs'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to list
##	Apache cache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_list_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_list_cache'($*)) dnl
	gen_require(`
		type httpd_cache_t;
	')

	# Directory listing only; cache file contents stay unreadable.
	list_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_list_cache'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to read
##	and write Apache cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`apache_rw_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_rw_cache_files'($*)) dnl
	gen_require(`
		type httpd_cache_t;
	')

	# File-level rw only: no directory search/list on httpd_cache_t is
	# granted here, so the caller must reach the files some other way
	# (e.g. apache_list_cache or an inherited descriptor).
	allow $1 httpd_cache_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_rw_cache_files'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to delete
##	Apache cache dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_delete_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_delete_cache_dirs'($*)) dnl
	gen_require(`
		type httpd_cache_t;
	')

	delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_delete_cache_dirs'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to delete
##	Apache cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_delete_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_delete_cache_files'($*)) dnl
	gen_require(`
		type httpd_cache_t;
	')

	delete_files_pattern($1, httpd_cache_t, httpd_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_delete_cache_files'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to search
##	apache configuration dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`apache_search_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_search_config'($*)) dnl
	gen_require(`
		type httpd_config_t;
	')

	files_search_etc($1)
	allow $1 httpd_config_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_search_config'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to read
##	apache configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`apache_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_config'($*)) dnl
	gen_require(`
		type httpd_config_t;
	')

	# Read-only. Note that httpd configuration may embed credentials
	# (proxy/backend passwords, TLS key paths); treat readers accordingly.
	files_search_etc($1)
	allow $1 httpd_config_t:dir list_dir_perms;
	read_files_pattern($1, httpd_config_t, httpd_config_t)
	read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_config'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to manage
##	apache configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_config'($*)) dnl
	gen_require(`
		type httpd_config_t;
	')

	# Write access to the configuration decides which modules, documents
	# and handlers httpd loads; treat this as equivalent to control over
	# httpd_t and grant it only to administrative domains.
	files_search_etc($1)
	manage_dirs_pattern($1, httpd_config_t, httpd_config_t)
	manage_files_pattern($1, httpd_config_t, httpd_config_t)
	read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_config'($*)) dnl
')

########################################
## <summary>
##	Execute the Apache helper program with
##	a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`apache_domtrans_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_domtrans_helper'($*)) dnl
	gen_require(`
		type httpd_helper_t, httpd_helper_exec_t;
	')

	# Transition only; the role must be authorized for httpd_helper_t
	# separately (apache_run_helper does both).
	corecmd_search_bin($1)
	domtrans_pattern($1, httpd_helper_exec_t, httpd_helper_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_domtrans_helper'($*)) dnl
')

########################################
## <summary>
##	Execute the Apache helper program with
##	a domain transition, and allow the
##	specified role the Apache helper domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`apache_run_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_run_helper'($*)) dnl
	gen_require(`
		type httpd_helper_t;
	')

	apache_domtrans_helper($1)
	role $2 types httpd_helper_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_run_helper'($*)) dnl
')

########################################
## <summary>
##	dontaudit attempts to read
##	apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <rolecap/>
#
define(`apache_dontaudit_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_read_log'($*)) dnl
	gen_require(`
		type httpd_log_t;
	')

	# Silences denials only; no access is allowed.
	dontaudit $1 httpd_log_t:file read_file_perms;
	dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_read_log'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to read
##	apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
define(`apache_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_log'($*)) dnl
	gen_require(`
		type httpd_log_t;
	')

	# Read-only. Access logs carry client IPs, URLs and user agents, so this
	# is personal data access; grant deliberately.
	logging_search_logs($1)
	allow $1 httpd_log_t:dir list_dir_perms;
	read_files_pattern($1, httpd_log_t, httpd_log_t)
	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_log'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to append
##	to apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_append_log'($*)) dnl
	gen_require(`
		type httpd_log_t;
	')

	# Append-only: the caller can add log records but cannot read, truncate
	# or rewrite existing ones. Preferred over apache_write_log for loggers.
	logging_search_logs($1)
	allow $1 httpd_log_t:dir list_dir_perms;
	append_files_pattern($1, httpd_log_t, httpd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_append_log'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to create
##	apache log directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_create_log_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_create_log_dirs'($*)) dnl
	gen_require(`
		type httpd_log_t;
	')

	# Create and setattr on the directories only; no file access.
	create_dirs_pattern($1, httpd_log_t, httpd_log_t)
	logging_search_logs($1)
	setattr_dirs_pattern($1, httpd_log_t, httpd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_create_log_dirs'($*)) dnl
')

#######################################
## <summary>
##	Allow the specified domain to write
##	to apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`apache_write_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_write_log'($*)) dnl
	gen_require(`
		type httpd_log_t;
	')

	# Bare file:write, not append: the caller may overwrite or truncate
	# existing log content, which defeats log integrity. Unlike
	# apache_append_log no open/getattr or directory search is granted, so
	# in practice this only works on a descriptor the caller already holds
	# (TODO confirm whether open is required by the policy capabilities in
	# use). Prefer apache_append_log unless in-place rewriting is intended.
	allow $1 httpd_log_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_write_log'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to append to the
##	Apache logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`apache_dontaudit_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_append_log'($*)) dnl
	gen_require(`
		type httpd_log_t;
	')

	dontaudit $1 httpd_log_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_append_log'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to manage
##	apache var lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_manage_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_lib'($*)) dnl
	gen_require(`
		type httpd_var_lib_t;
	')

	# Symlinks are read-only here (read_lnk_files_pattern), so the caller
	# cannot plant new links under /var/lib for httpd to follow.
	files_search_var_lib($1)
	manage_dirs_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
	manage_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
	read_lnk_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_lib'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to manage
##	apache log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`apache_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_log'($*)) dnl
	gen_require(`
		type httpd_log_t;
	')

	# Full control over httpd logs, including deletion and rewriting.
	# Intended for log rotation/administration, not for ordinary writers.
	logging_search_logs($1)
	manage_dirs_pattern($1, httpd_log_t, httpd_log_t)
	manage_files_pattern($1, httpd_log_t, httpd_log_t)
	read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_log'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to search Apache
##	module directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`apache_dontaudit_search_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_search_modules'($*)) dnl
	gen_require(`
		type httpd_modules_t;
	')

	dontaudit $1 httpd_modules_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_search_modules'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to read
##	the apache module directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_read_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_modules'($*)) dnl
	gen_require(`
		type httpd_modules_t;
	')

	# file:map allows mmap of the module objects; execute is not granted,
	# so the caller cannot run them as code (see apache_exec_modules).
	read_files_pattern($1, httpd_modules_t, httpd_modules_t)
	allow $1 httpd_modules_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_modules'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to list
##	the contents of the apache modules
##	directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`apache_list_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_list_modules'($*)) dnl
	gen_require(`
		type httpd_modules_t;
	')

	allow $1 httpd_modules_t:dir list_dir_perms;
	read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_list_modules'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to execute
##	apache modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_exec_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_exec_modules'($*)) dnl
	gen_require(`
		type httpd_modules_t;
	')

	# Executes code labeled httpd_modules_t inside the calling domain with no
	# transition. The caller therefore trusts everything under the modules
	# directory; whoever can write httpd_modules_t files can run code as
	# the caller.
	allow $1 httpd_modules_t:dir list_dir_perms;
	allow $1 httpd_modules_t:lnk_file read_lnk_file_perms;
	can_exec($1, httpd_modules_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_exec_modules'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run httpd_rotatelogs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`apache_domtrans_rotatelogs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_domtrans_rotatelogs'($*)) dnl
	gen_require(`
		type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
	')

	# Unlike apache_domtrans, no corecmd_search_bin is added; the caller
	# must already be able to reach the executable.
	domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_domtrans_rotatelogs'($*)) dnl
')

#######################################
## <summary>
##	Execute httpd_rotatelogs in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`apache_exec_rotatelogs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_exec_rotatelogs'($*)) dnl
	gen_require(`
		type httpd_rotatelogs_exec_t;
	')

	# No transition: rotatelogs runs with the privileges of the caller.
	can_exec($1, httpd_rotatelogs_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_exec_rotatelogs'($*)) dnl
')

#######################################
## <summary>
##	Execute httpd system scripts in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_exec_sys_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_exec_sys_script'($*)) dnl
	gen_require(`
		type httpd_sys_script_exec_t;
	')

	# The CGI scripts run inside the calling domain and are NOT confined as
	# httpd_sys_script_t. Anyone who can write httpd_sys_script_exec_t files
	# can then run code as the caller. For the confined transition use
	# apache_domtrans_sys_script instead.
	allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
	can_exec($1, httpd_sys_script_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_exec_sys_script'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to list
##	apache system content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_list_sys_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_list_sys_content'($*)) dnl
	gen_require(`
		type httpd_sys_content_t;
	')

	# Listing plus symlink reading only; file contents are not readable.
	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
	read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
	files_search_var($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_list_sys_content'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to manage
##	apache system content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
define(`apache_manage_sys_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_sys_content'($*)) dnl
	gen_require(`
		type httpd_sys_content_t;
	')

	# Only /var is searched here; content under /etc, /srv or /usr (see the
	# note above) is reachable only if the caller has those search rules
	# from elsewhere. TODO confirm this is intended rather than an omission.
	files_search_var($1)
	manage_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
	manage_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_sys_content'($*)) dnl
')

######################################
## <summary>
##	Allow the specified domain to read
##	apache system content rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`apache_read_sys_content_rw_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_sys_content_rw_files'($*)) dnl
	gen_require(`
		type httpd_sys_rw_content_t;
	')

	# Files only; use apache_read_sys_content_rw_dirs for directory listing.
	read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_sys_content_rw_files'($*)) dnl
')

######################################
## <summary>
##	Allow the specified domain to read
##	apache system content rw dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`apache_read_sys_content_rw_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_sys_content_rw_dirs'($*)) dnl
	gen_require(`
		type httpd_sys_rw_content_t;
	')

	list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_sys_content_rw_dirs'($*)) dnl
')

######################################
## <summary>
##	Allow the specified domain to manage
##	apache system content rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
define(`apache_manage_sys_content_rw',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_sys_content_rw'($*)) dnl
	gen_require(`
		type httpd_sys_rw_content_t;
	')

	files_search_var($1)
	manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_sys_content_rw'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to delete
##	apache system content rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`apache_delete_sys_content_rw',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_delete_sys_content_rw'($*)) dnl
	gen_require(`
		type httpd_sys_rw_content_t;
	')

	# Note this searches /tmp, not /var as the manage interface above does;
	# presumably rw content can also live under tmp. TODO confirm, and add
	# files_search_var if rw content under /var must be deletable too.
	files_search_tmp($1)
	delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
	delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_delete_sys_content_rw'($*)) dnl
')

########################################
## <summary>
##	Execute all web scripts in the system
##	script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
# cjp: this interface specifically added to allow
# sysadm_t to run scripts
define(`apache_domtrans_sys_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_domtrans_sys_script'($*)) dnl
	gen_require(`
		attribute httpdcontent;
		type httpd_sys_script_exec_t;
		type httpd_sys_script_t, httpd_sys_content_t;
	')

	# httpd_sys_content_t is required above but not used in this body.

	# Both transitions are gated on httpd_enable_cgi; with the boolean off
	# this interface grants nothing.
	tunable_policy(`httpd_enable_cgi',`
		domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
	')

	# With httpd_unified every httpdcontent-labeled file, not just
	# httpd_sys_script_exec_t, becomes an entry point into httpd_sys_script_t.
	# Any domain that can write web content can then supply the code that
	# runs in that domain when the caller executes it.
	tunable_policy(`httpd_enable_cgi && httpd_unified',`
		domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_domtrans_sys_script'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write Apache
##	system script unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`apache_dontaudit_rw_sys_script_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_dontaudit_rw_sys_script_stream_sockets'($*)) dnl
	gen_require(`
		type httpd_sys_script_t;
	')

	dontaudit $1 httpd_sys_script_t:unix_stream_socket { getattr read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_dontaudit_rw_sys_script_stream_sockets'($*)) dnl
')

########################################
## <summary>
##	Execute all user scripts in the user
##	script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`apache_domtrans_all_scripts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_domtrans_all_scripts'($*)) dnl
	gen_require(`
		attribute httpd_exec_scripts;
	')

	# The actual transition rules hang off the httpd_exec_scripts attribute
	# and are defined elsewhere (not visible here); this only tags the domain.
	typeattribute $1 httpd_exec_scripts;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_domtrans_all_scripts'($*)) dnl
')

########################################
## <summary>
##	Execute all user scripts in the user
##	script domain.
##	Add user script domains
##	to the specified role.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`apache_run_all_scripts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_run_all_scripts'($*)) dnl
	gen_require(`
		attribute httpd_exec_scripts, httpd_script_domains;
	')

	# Authorizes the role for every type carrying httpd_script_domains,
	# i.e. all httpd script domains, not only user script domains.
	role $2 types httpd_script_domains;
	apache_domtrans_all_scripts($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_run_all_scripts'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to read
##	apache squirrelmail data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_read_squirrelmail_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_squirrelmail_data'($*)) dnl
	gen_require(`
		type httpd_squirrelmail_t;
	')

	# Files only; no directory search on httpd_squirrelmail_t is granted.
	read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_squirrelmail_data'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to append
##	apache squirrelmail data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_append_squirrelmail_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_append_squirrelmail_data'($*)) dnl
	gen_require(`
		type httpd_squirrelmail_t;
	')

	allow $1 httpd_squirrelmail_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_append_squirrelmail_data'($*)) dnl
')

########################################
## <summary>
##	Search apache system content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`apache_search_sys_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_search_sys_content'($*)) dnl
	gen_require(`
		type httpd_sys_content_t;
	')

	allow $1 httpd_sys_content_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_search_sys_content'($*)) dnl
')

########################################
## <summary>
##	Read apache system content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_read_sys_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_sys_content'($*)) dnl
	gen_require(`
		type httpd_sys_content_t;
	')

	# Read-only; no parent directory search (files_search_var etc.) is
	# included, unlike apache_list_sys_content.
	allow $1 httpd_sys_content_t:dir list_dir_perms;
	read_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
	read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_sys_content'($*)) dnl
')

########################################
## <summary>
##	Search apache system CGI directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_search_sys_scripts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_search_sys_scripts'($*)) dnl
	gen_require(`
		type httpd_sys_content_t, httpd_sys_script_exec_t;
	')

	# Search through httpd_sys_content_t directories into
	# httpd_sys_script_exec_t directories; no file access.
	search_dirs_pattern($1, httpd_sys_content_t, httpd_sys_script_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_search_sys_scripts'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete all user web content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
define(`apache_manage_all_user_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_manage_all_user_content'($*)) dnl
	gen_require(`
		attribute httpd_user_content_type, httpd_user_script_exec_type;
	')

	manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
	manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
	manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)

	# WARNING: httpd_user_script_exec_type presumably groups the user script
	# entry-point types (httpd_user_script_exec_t is used as a domtrans entry
	# point into httpd_user_script_t elsewhere in this file). Write access
	# lets the caller plant or replace the CGI executables that run in the
	# user script domains; grant only to administrative domains.
	manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
	manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
	manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_manage_all_user_content'($*)) dnl
')

########################################
## <summary>
##	Search system script state directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_search_sys_script_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_search_sys_script_state'($*)) dnl
	gen_require(`
		type httpd_sys_script_t;
	')

	# httpd_sys_script_t is the script domain; here it is used as the label
	# of a directory, presumably its state directory (not visible here).
	allow $1 httpd_sys_script_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_search_sys_script_state'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to list
##	apache tmp directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`apache_read_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_tmp_dirs'($*)) dnl
	gen_require(`
		type httpd_tmp_t;
	')

	# Directory listing only; file contents need apache_read_tmp_files.
	files_search_tmp($1)
	list_dirs_pattern($1, httpd_tmp_t, httpd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_tmp_dirs'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to read
##	apache tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_tmp_files'($*)) dnl
	gen_require(`
		type httpd_tmp_t;
	')

	# Temporary files may hold uploads or session data in flight; this is
	# read access to whatever httpd has staged there.
	files_search_tmp($1)
	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to read
##	apache tmp lnk files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`apache_read_tmp_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `apache_read_tmp_symlinks'($*)) dnl
	gen_require(`
		type httpd_tmp_t;
	')

	files_search_tmp($1)
	read_lnk_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `apache_read_tmp_symlinks'($*)) dnl
')

######################################
## <summary>
##	Dontaudit attempts to read and write
##	apache tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
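##
#
define(`apache_dontaudit_rw_tmp_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apache_dontaudit_rw_tmp_files'($*)) dnl
	gen_require(`
		type httpd_tmp_t;
	')

	# dontaudit suppresses the AVC denial message only; it grants nothing
	dontaudit $1 httpd_tmp_t:file { read write };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apache_dontaudit_rw_tmp_files'($*)) dnl
')

########################################
##
## Dontaudit attempts to write
## apache tmp files.
##
## Parameters:
##   $1: Domain to not audit.
##
#
define(`apache_dontaudit_write_tmp_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apache_dontaudit_write_tmp_files'($*)) dnl
	gen_require(`
		type httpd_tmp_t;
	')

	dontaudit $1 httpd_tmp_t:file write;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apache_dontaudit_write_tmp_files'($*)) dnl
')

########################################
##
## Execute CGI in the specified domain.
##
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
## Parameters:
##   $1: Domain to run the cgi script in.
##   $2: Type of the executable to enter the cgi domain.
##
#
define(`apache_cgi_domain',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apache_cgi_domain'($*)) dnl
	gen_require(`
		type httpd_t;
	')

	# httpd_t (the network-facing server) transitions into $1 whenever it
	# executes a file of type $2, so $2 marks a trust boundary: anything
	# that can write $2-labelled files chooses what runs in $1.
	# httpd_sys_script_exec_t was previously listed in the require block
	# but is not referenced by any rule here, so it has been dropped.
	domtrans_pattern(httpd_t, $2, $1)
	apache_search_sys_scripts($1)
	# lets the server signal (not kill -9 / ptrace) its CGI children
	allow httpd_t $1:process signal;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apache_cgi_domain'($*)) dnl
')

########################################
##
## Execute httpd server in the httpd domain.
##
## Parameters:
##   $1: Domain allowed to transition.
##
#
define(`apache_systemctl',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apache_systemctl'($*)) dnl
	gen_require(`
		type httpd_t;
		type httpd_unit_file_t;
	')

	# $1 may run systemctl and start/stop/reload the httpd unit; it does
	# not gain access to httpd_t itself beyond reading its /proc entries
	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 httpd_unit_file_t:file read_file_perms;
	allow $1 httpd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, httpd_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apache_systemctl'($*)) dnl
')

########################################
##
## All of the rules required to administrate an apache environment
##
## Parameters:
##   $1: Domain allowed access.
##   $2: Role allowed access.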
##
#
define(`apache_admin',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apache_admin'($*)) dnl
	gen_require(`
		attribute httpdcontent, httpd_script_exec_type;
		type httpd_t, httpd_config_t, httpd_log_t;
		type httpd_modules_t, httpd_lock_t, httpd_bool_t;
		type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
		type httpd_suexec_tmp_t, httpd_tmp_t;
		type httpd_unit_file_t;
	')

	# NOTE(review): httpd_bool_t is required above but not referenced by
	# any rule below.
	allow $1 httpd_t:process signal_perms;
	ps_process_pattern($1, httpd_t)

	# ptrace of the server is granted only while the deny_ptrace
	# boolean is off; with it on, even the admin domain cannot attach
	tunable_policy(`deny_ptrace',`',`
		allow $1 httpd_t:process ptrace;
	')

	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
	domain_system_change_exemption($1)
	# running the init script moves the caller into system_r
	role_transition $2 httpd_initrc_exec_t system_r;
	allow $2 system_r;

	# full manage rights on every content, config, module, log, lock,
	# pid and tmp type of the service
	apache_manage_all_content($1)
	miscfiles_manage_public_files($1)

	files_list_etc($1)
	admin_pattern($1, httpd_config_t)

	logging_list_logs($1)
	admin_pattern($1, httpd_log_t)

	admin_pattern($1, httpd_modules_t)

	admin_pattern($1, httpd_lock_t)
	files_lock_filetrans($1, httpd_lock_t, file)

	admin_pattern($1, httpd_var_run_t)
	files_pid_filetrans($1, httpd_var_run_t, file)

	admin_pattern($1, httpdcontent)
	admin_pattern($1, httpd_script_exec_type)

	# relabelling content requires running setfiles in its own domain
	seutil_domtrans_setfiles($1)

	files_list_tmp($1)
	admin_pattern($1, httpd_tmp_t)
	admin_pattern($1, httpd_php_tmp_t)
	admin_pattern($1, httpd_suexec_tmp_t)

	apache_systemctl($1)
	admin_pattern($1, httpd_unit_file_t)
	allow $1 httpd_unit_file_t:service all_service_perms;

	apache_filetrans_named_content($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apache_admin'($*)) dnl
')

########################################
##
## dontaudit read and write of leaked file descriptors
##
## Parameters:
##   $1: Domain to not audit.
##
#
define(`apache_dontaudit_leaks',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apache_dontaudit_leaks'($*)) dnl
	gen_require(`
		type httpd_t;
		type httpd_tmp_t;
	')

	# silences denials on descriptors inherited across exec from httpd_t;
	# none of these rules allow anything
	dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
	dontaudit $1 httpd_t:tcp_socket { read write };
	dontaudit $1 httpd_t:unix_dgram_socket { read write };
	dontaudit $1 httpd_t:unix_stream_socket { getattr read write };
	dontaudit $1 httpd_tmp_t:file { read write };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apache_dontaudit_leaks'($*)) dnl
')

########################################
##
## Transition to apache named content
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apache_filetrans_named_content',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apache_filetrans_named_content'($*)) dnl
	gen_require(`
		type httpd_sys_content_t, httpd_sys_rw_content_t;
		type httpd_tmp_t;
	')

	apache_filetrans_home_content($1)

	# objects created by $1 with these exact names get a web-content
	# label automatically; the _rw_ variants are writable by httpd, so
	# each name here widens what the server may modify
	files_usr_filetrans($1, httpd_sys_content_t, dir, "gallery2")
	files_usr_filetrans($1, httpd_sys_content_t, dir, "z-push")
	files_etc_filetrans($1, httpd_sys_content_t, dir, "z-push")
	files_etc_filetrans($1, httpd_sys_content_t, dir, "web")
	files_etc_filetrans($1, httpd_sys_content_t, dir, "WebCalendar")
	files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig")
	files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde")
	files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud")
	files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "nextcloud")
	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty")
	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads")
	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "wp-content")
	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "upgrade")
	userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apache_filetrans_named_content'($*)) dnl
')

########################################
##
## Allow any httpd_exec_t to be an entrypoint of this domain
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apache_entrypoint',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apache_entrypoint'($*)) dnl
	gen_require(`
		type httpd_exec_t;
	')

	# entrypoint alone does not permit the transition; callers still need
	# the corresponding domtrans rule (see apache_exec_domtrans)
	allow $1 httpd_exec_t:file entrypoint;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apache_entrypoint'($*)) dnl
')

########################################
##
## Execute a httpd_exec_t in the specified domain.
##
## Parameters:
##   $1: Domain allowed to transition.
##   $2: The type of the new process.
##
#
define(`apache_exec_domtrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apache_exec_domtrans'($*)) dnl
	gen_require(`
		type httpd_exec_t;
	')

	domtrans_pattern($1, httpd_exec_t, $2)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apache_exec_domtrans'($*)) dnl
')

########################################
##
## Transition to apache home content
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apache_filetrans_home_content',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apache_filetrans_home_content'($*)) dnl
	gen_require(`
		type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
		type httpd_user_content_ra_t;
	')

	# home-directory names that become user web content when $1 creates them
	userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html")
	userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www")
	userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
	# a "cgi-bin" inside user content is labelled executable-for-httpd,
	# so this is the point where user-created files become runnable CGI
	filetrans_pattern($1, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
	filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apache_filetrans_home_content'($*)) dnl
')

########################################
##
## Read apache pid files.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apache_read_pid_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apache_read_pid_files'($*)) dnl
	gen_require(`
		type httpd_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apache_read_pid_files'($*)) dnl
')

########################################
##
## Manage apache pid objects.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apache_manage_pid_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apache_manage_pid_files'($*)) dnl
	gen_require(`
		type httpd_var_run_t;
	')

	# covers dirs, regular files and unix sockets under the pid type
	files_search_pids($1)
	manage_dirs_pattern($1, httpd_var_run_t, httpd_var_run_t)
	manage_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
	manage_sock_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apache_manage_pid_files'($*)) dnl
')

########################################
##
## Send and receive messages from
## httpd over dbus.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apache_dbus_chat',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apache_dbus_chat'($*)) dnl
	gen_require(`
		type httpd_t;
		class dbus send_msg;
	')

	# bidirectional: the server may also message $1 and read its /proc entries
	allow $1 httpd_t:dbus send_msg;
	allow httpd_t $1:dbus send_msg;
	ps_process_pattern(httpd_t, $1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apache_dbus_chat'($*)) dnl
')

########################################
##
## Delete the httpd tmp.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apache_delete_tmp',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apache_delete_tmp'($*)) dnl
	gen_require(`
		type httpd_tmp_t;
	')

	# unlink only on files; no directory search is added here, so callers
	# need their own path to the tmp directory
	allow $1 httpd_tmp_t:file unlink;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apache_delete_tmp'($*)) dnl
')

########################################
##
## Allow httpd noatsecure
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apache_noatsecure',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apache_noatsecure'($*)) dnl
	gen_require(`
		type httpd_t;
	')

	# noatsecure disables the libc "secure execution" hardening (e.g.
	# environment sanitising) on the transition from $1 into httpd_t;
	# only grant it to callers that already control httpd's environment
	allow $1 httpd_t:process { noatsecure };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apache_noatsecure'($*)) dnl
')

########################################
##
## Allow the specified domain to ioctl an
## httpd with a unix domain stream sockets.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apache_ioctl_stream_sockets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apache_ioctl_stream_sockets'($*)) dnl
	gen_require(`
		type httpd_t;
	')

	allow $1 httpd_t:unix_stream_socket ioctl;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apache_ioctl_stream_sockets'($*)) dnl
')

## APC UPS monitoring daemon.

########################################
##
## Execute a domain transition to
## run apcupsd.
##
## Parameters:
##   $1: Domain allowed to transition.
##
#
define(`apcupsd_domtrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apcupsd_domtrans'($*)) dnl
	gen_require(`
		type apcupsd_t, apcupsd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, apcupsd_exec_t, apcupsd_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apcupsd_domtrans'($*)) dnl
')

########################################
##
## Execute apcupsd server in the
## apcupsd domain.
##
## Parameters:
##   $1: Domain allowed to transition.
##
#
define(`apcupsd_initrc_domtrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apcupsd_initrc_domtrans'($*)) dnl
	gen_require(`
		type apcupsd_initrc_exec_t;
	')

	# single-parameter interface: only $1 is used
	init_labeled_script_domtrans($1, apcupsd_initrc_exec_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apcupsd_initrc_domtrans'($*)) dnl
')

########################################
##
## Read apcupsd PID files.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apcupsd_read_pid_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apcupsd_read_pid_files'($*)) dnl
	gen_require(`
		type apcupsd_var_run_t;
	')

	files_search_pids($1)
	allow $1 apcupsd_var_run_t:file read_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apcupsd_read_pid_files'($*)) dnl
')

########################################
##
## Read apcupsd power files.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apcupsd_read_power_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apcupsd_read_power_files'($*)) dnl
	gen_require(`
		type apcupsd_power_t;
	')

	# no directory search is added; the caller must already reach the file
	allow $1 apcupsd_power_t:file read_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apcupsd_read_power_files'($*)) dnl
')

########################################
##
## Read apcupsd log files.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apcupsd_read_log',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apcupsd_read_log'($*)) dnl
	gen_require(`
		type apcupsd_log_t;
	')

	logging_search_logs($1)
	allow $1 apcupsd_log_t:dir list_dir_perms;
	allow $1 apcupsd_log_t:file read_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apcupsd_read_log'($*)) dnl
')

########################################
##
## Append apcupsd log files.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apcupsd_append_log',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apcupsd_append_log'($*)) dnl
	gen_require(`
		type apcupsd_log_t;
	')

	# append-only: existing log content cannot be rewritten or truncated
	logging_search_logs($1)
	allow $1 apcupsd_log_t:dir list_dir_perms;
	allow $1 apcupsd_log_t:file append_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apcupsd_append_log'($*)) dnl
')

########################################
##
## Execute a domain transition to
## run apcupsd_cgi_script.
##
## Parameters:
##   $1: Domain allowed to transition.
##
#
define(`apcupsd_cgi_script_domtrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apcupsd_cgi_script_domtrans'($*)) dnl
	gen_require(`
		type apcupsd_cgi_script_t, apcupsd_cgi_script_exec_t;
	')

	files_search_var($1)
	domtrans_pattern($1, apcupsd_cgi_script_exec_t, apcupsd_cgi_script_t)

	# only meaningful when the apache module is loaded
	optional_policy(`
		apache_search_sys_content($1)
	')
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apcupsd_cgi_script_domtrans'($*)) dnl
')

########################################
##
## Execute apcupsd server in the apcupsd domain.
##
## Parameters:
##   $1: Domain allowed to transition.
##
#
define(`apcupsd_systemctl',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apcupsd_systemctl'($*)) dnl
	gen_require(`
		type apcupsd_t;
		type apcupsd_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 apcupsd_unit_file_t:file read_file_perms;
	allow $1 apcupsd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, apcupsd_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apcupsd_systemctl'($*)) dnl
')

########################################
##
## Create configuration files in /var/lock
## with a named file type transition.
##
## Parameters:
##   $1: Domain allowed access.
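##
#
define(`apcupsd_filetrans_named_content',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apcupsd_filetrans_named_content'($*)) dnl
	gen_require(`
		type apcupsd_lock_t;
	')

	files_lock_filetrans($1, apcupsd_lock_t, file, "apcupsd")
	files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..")
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apcupsd_filetrans_named_content'($*)) dnl
')

########################################
##
## All of the rules required to
## administrate an apcupsd environment.
##
## Parameters:
##   $1: Domain allowed access.
##   $2: Role allowed access.
##
#
define(`apcupsd_admin',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apcupsd_admin'($*)) dnl
	gen_require(`
		type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
		type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
		type apcupsd_unit_file_t;
		type apcupsd_power_t;
	')

	allow $1 apcupsd_t:process signal_perms;
	ps_process_pattern($1, apcupsd_t)

	# ptrace of the daemon is granted only while deny_ptrace is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 apcupsd_t:process ptrace;
	')

	# apcupsd_initrc_domtrans takes a single parameter (the extra
	# apcupsd_initrc_exec_t argument that used to be passed was ignored)
	apcupsd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 apcupsd_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_var($1)
	admin_pattern($1, apcupsd_lock_t)

	logging_list_logs($1)
	admin_pattern($1, apcupsd_log_t)

	files_list_tmp($1)
	admin_pattern($1, apcupsd_tmp_t)

	files_list_pids($1)
	admin_pattern($1, apcupsd_var_run_t)

	apcupsd_systemctl($1)
	admin_pattern($1, apcupsd_unit_file_t)
	allow $1 apcupsd_unit_file_t:service all_service_perms;

	manage_files_pattern($1, apcupsd_power_t, apcupsd_power_t)
	# NOTE(review): this rule is on apcupsd_t, not on the admin domain $1,
	# so it takes effect for the daemon whenever any module calls this
	# admin interface; it is kept as-is because moving it to the daemon's
	# own policy would change which modules carry the rule.
	files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apcupsd_admin'($*)) dnl
')

## Advanced power management.

########################################
##
## Execute apm in the apm domain.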
##
## Parameters:
##   $1: Domain allowed to transition.
##
#
define(`apm_domtrans_client',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apm_domtrans_client'($*)) dnl
	gen_require(`
		type apm_t, apm_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, apm_exec_t, apm_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apm_domtrans_client'($*)) dnl
')

########################################
##
## Execute apm in the apm domain
## and allow the specified role
## the apm domain.
##
## Parameters:
##   $1: Domain allowed to transition.
##   $2: Role allowed access.
##
#
define(`apm_run_client',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apm_run_client'($*)) dnl
	gen_require(`
		attribute_role apm_roles;
	')

	apm_domtrans_client($1)
	# the role is added to the apm_roles attribute rather than to apm_t
	# directly, so the role/domain pairing is maintained in one place
	roleattribute $2 apm_roles;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apm_run_client'($*)) dnl
')

########################################
##
## Use apmd file descriptors.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apm_use_fds',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apm_use_fds'($*)) dnl
	gen_require(`
		type apmd_t;
	')

	allow $1 apmd_t:fd use;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apm_use_fds'($*)) dnl
')

########################################
##
## Write apmd unnamed pipes.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apm_write_pipes',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apm_write_pipes'($*)) dnl
	gen_require(`
		type apmd_t;
	')

	allow $1 apmd_t:fifo_file write;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apm_write_pipes'($*)) dnl
')

########################################
##
## Read and write to apmd unix
## stream sockets.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apm_rw_stream_sockets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apm_rw_stream_sockets'($*)) dnl
	gen_require(`
		type apmd_t;
	')

	# read/write on an already-connected socket; connecting is apm_stream_connect
	allow $1 apmd_t:unix_stream_socket { read write };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apm_rw_stream_sockets'($*)) dnl
')

########################################
##
## Append apmd log files.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apm_append_log',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apm_append_log'($*)) dnl
	gen_require(`
		type apmd_log_t;
	')

	logging_search_logs($1)
	allow $1 apmd_log_t:file append_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apm_append_log'($*)) dnl
')

########################################
##
## Connect to apmd over an unix
## stream socket.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apm_stream_connect',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apm_stream_connect'($*)) dnl
	gen_require(`
		type apmd_t, apmd_var_run_t;
	')

	# the socket file lives under the pid directory, labelled apmd_var_run_t
	files_search_pids($1)
	stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apm_stream_connect'($*)) dnl
')

########################################
##
## Execute apmd server in the apmd domain.
##
## Parameters:
##   $1: Domain allowed to transition.
##
#
define(`apmd_systemctl',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apmd_systemctl'($*)) dnl
	gen_require(`
		type apmd_t;
		type apmd_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 apmd_unit_file_t:file read_file_perms;
	allow $1 apmd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, apmd_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apmd_systemctl'($*)) dnl
')

########################################
##
## All of the rules required to
## administrate an apm environment.
##
## Parameters:
##   $1: Domain allowed access.
##   $2: Role allowed access.
##
#
define(`apm_admin',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apm_admin'($*)) dnl
	gen_require(`
		type apmd_t, apmd_initrc_exec_t, apmd_log_t;
		type apmd_lock_t, apmd_var_run_t, apmd_var_lib_t;
		type apmd_tmp_t;
	')

	allow $1 apmd_t:process { signal_perms };
	ps_process_pattern($1, apmd_t)

	# ptrace of the daemon is granted only while deny_ptrace is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 apmd_t:process ptrace;
	')

	init_labeled_script_domtrans($1, apmd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 apmd_initrc_exec_t system_r;
	allow $2 system_r;

	# unlike the other *_admin interfaces on this page, parent directories
	# are only searched (files_search_*), not listed
	logging_search_logs($1)
	admin_pattern($1, apmd_log_t)

	files_search_locks($1)
	admin_pattern($1, apmd_lock_t)

	files_search_pids($1)
	admin_pattern($1, apmd_var_run_t)

	files_search_var_lib($1)
	admin_pattern($1, apmd_var_lib_t)

	files_search_tmp($1)
	admin_pattern($1, apmd_tmp_t)

	apm_run_client($1, $2)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apm_admin'($*)) dnl
')

## Advanced package tool.

########################################
##
## Execute apt programs in the apt domain.
##
## Parameters:
##   $1: Domain allowed to transition.
##
#
define(`apt_domtrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apt_domtrans'($*)) dnl
	gen_require(`
		type apt_t, apt_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, apt_exec_t, apt_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apt_domtrans'($*)) dnl
')

########################################
##
## Execute the apt in the caller domain.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apt_exec',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apt_exec'($*)) dnl
	gen_require(`
		type apt_exec_t;
	')

	# no domain change: apt runs with the caller's own label and privileges
	corecmd_search_bin($1)
	can_exec($1, apt_exec_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apt_exec'($*)) dnl
')

########################################
##
## Execute apt programs in the apt domain.
##
## Parameters:
##   $1: Domain allowed to transition.
##   $2: Role allowed access.
##
#
define(`apt_run',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apt_run'($*)) dnl
	gen_require(`
		attribute_role apt_roles;
	')

	apt_domtrans($1)
	roleattribute $2 apt_roles;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apt_run'($*)) dnl
')

########################################
##
## Use apt file descriptors.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apt_use_fds',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apt_use_fds'($*)) dnl
	gen_require(`
		type apt_t;
	')

	allow $1 apt_t:fd use;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apt_use_fds'($*)) dnl
')

########################################
##
## Do not audit attempts to use
## apt file descriptors.
##
## Parameters:
##   $1: Domain to not audit.
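##
#
define(`apt_dontaudit_use_fds',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apt_dontaudit_use_fds'($*)) dnl
	gen_require(`
		type apt_t;
	')

	dontaudit $1 apt_t:fd use;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apt_dontaudit_use_fds'($*)) dnl
')

########################################
##
## Read apt unnamed pipes.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apt_read_pipes',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apt_read_pipes'($*)) dnl
	gen_require(`
		type apt_t;
	')

	allow $1 apt_t:fifo_file read_fifo_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apt_read_pipes'($*)) dnl
')

########################################
##
## Read and write apt unnamed pipes.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apt_rw_pipes',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apt_rw_pipes'($*)) dnl
	gen_require(`
		type apt_t;
	')

	# use the fifo_file permission set, matching apt_read_pipes above;
	# this was previously the regular-file set (rw_file_perms) on a
	# fifo_file object
	allow $1 apt_t:fifo_file rw_fifo_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apt_rw_pipes'($*)) dnl
')

########################################
##
## Read and write apt ptys.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apt_use_ptys',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apt_use_ptys'($*)) dnl
	gen_require(`
		type apt_devpts_t;
	')

	allow $1 apt_devpts_t:chr_file rw_term_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apt_use_ptys'($*)) dnl
')

########################################
##
## Read apt package cache content.
##
## Parameters:
##   $1: Domain allowed access.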
##
#
define(`apt_read_cache',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apt_read_cache'($*)) dnl
	gen_require(`
		type apt_var_cache_t;
	')

	files_search_var($1)
	allow $1 apt_var_cache_t:dir list_dir_perms;
	# write attempts on the cache directory are silenced, not allowed
	dontaudit $1 apt_var_cache_t:dir rw_dir_perms;
	allow $1 apt_var_cache_t:file read_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apt_read_cache'($*)) dnl
')

########################################
##
## Read apt package database content.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apt_read_db',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apt_read_db'($*)) dnl
	gen_require(`
		type apt_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 apt_var_lib_t:dir list_dir_perms;
	read_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
	read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apt_read_db'($*)) dnl
')

########################################
##
## Create, read, write, and delete
## apt package database content.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`apt_manage_db',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apt_manage_db'($*)) dnl
	gen_require(`
		type apt_var_lib_t;
	')

	# write access to the package database lets $1 alter what the
	# package manager believes is installed; grant sparingly
	files_search_var_lib($1)
	manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
	manage_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apt_manage_db'($*)) dnl
')

########################################
##
## Do not audit attempts to create,
## read, write, and delete apt
## package database content.
##
## Parameters:
##   $1: Domain to not audit.
##
#
define(`apt_dontaudit_manage_db',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `apt_dontaudit_manage_db'($*)) dnl
	gen_require(`
		type apt_var_lib_t;
	')

	# suppresses denials only; no access is granted
	dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
	dontaudit $1 apt_var_lib_t:file manage_file_perms;
	dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `apt_dontaudit_manage_db'($*)) dnl
')

## Ethernet activity monitor.

########################################
##
## Execute arpwatch server in the
## arpwatch domain.
##
## Parameters:
##   $1: Domain allowed to transition.
##
#
define(`arpwatch_initrc_domtrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `arpwatch_initrc_domtrans'($*)) dnl
	gen_require(`
		type arpwatch_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, arpwatch_initrc_exec_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `arpwatch_initrc_domtrans'($*)) dnl
')

########################################
##
## Search arpwatch data file directories.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`arpwatch_search_data',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `arpwatch_search_data'($*)) dnl
	gen_require(`
		type arpwatch_data_t;
	')

	files_search_var_lib($1)
	allow $1 arpwatch_data_t:dir search_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `arpwatch_search_data'($*)) dnl
')

########################################
##
## Create, read, write, and delete
## arpwatch data files.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`arpwatch_manage_data_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `arpwatch_manage_data_files'($*)) dnl
	gen_require(`
		type arpwatch_data_t;
	')

	# files only; directory creation under arpwatch_data_t is not granted here
	files_search_var_lib($1)
	manage_files_pattern($1, arpwatch_data_t, arpwatch_data_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `arpwatch_manage_data_files'($*)) dnl
')

########################################
##
## Read and write arpwatch temporary
## files.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`arpwatch_rw_tmp_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `arpwatch_rw_tmp_files'($*)) dnl
	gen_require(`
		type arpwatch_tmp_t;
	')

	files_search_tmp($1)
	allow $1 arpwatch_tmp_t:file rw_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `arpwatch_rw_tmp_files'($*)) dnl
')

########################################
##
## Create, read, write, and delete
## arpwatch temporary files.
##
## Parameters:
##   $1: Domain allowed access.
##
#
define(`arpwatch_manage_tmp_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `arpwatch_manage_tmp_files'($*)) dnl
	gen_require(`
		type arpwatch_tmp_t;
	')

	files_search_tmp($1)
	allow $1 arpwatch_tmp_t:file manage_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `arpwatch_manage_tmp_files'($*)) dnl
')

########################################
##
## Do not audit attempts to read and
## write arpwatch packet sockets.
##
## Parameters:
##   $1: Domain to not audit.
##	</summary>
## </param>
#
define(`arpwatch_dontaudit_rw_packet_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `arpwatch_dontaudit_rw_packet_sockets'($*)) dnl
	gen_require(`
		type arpwatch_t;
	')

	# Suppresses the audit record only; access is still denied.
	dontaudit $1 arpwatch_t:packet_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `arpwatch_dontaudit_rw_packet_sockets'($*)) dnl
')

########################################
## <summary>
##	Manage the arpwatch service unit
##	with systemctl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`arpwatch_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `arpwatch_systemctl'($*)) dnl
	gen_require(`
		type arpwatch_t;
		type arpwatch_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 arpwatch_unit_file_t:file read_file_perms;
	# Start, stop, reload, etc. of the unit, plus reading arpwatch
	# process state so the status command works.
	allow $1 arpwatch_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, arpwatch_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `arpwatch_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an arpwatch environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`arpwatch_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `arpwatch_admin'($*)) dnl
	gen_require(`
		type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
		type arpwatch_data_t, arpwatch_var_run_t;
		type arpwatch_unit_file_t;
	')

	allow $1 arpwatch_t:process signal_perms;
	ps_process_pattern($1, arpwatch_t)

	# ptrace of the daemon is withheld when the deny_ptrace tunable is on.
	tunable_policy(`deny_ptrace',`',`
		allow $1 arpwatch_t:process ptrace;
	')

	# Lets the admin role run the init script as system_r.
	arpwatch_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 arpwatch_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_tmp($1)
	admin_pattern($1, arpwatch_tmp_t)

	files_list_var($1)
	admin_pattern($1, arpwatch_data_t)

	files_list_pids($1)
	admin_pattern($1, arpwatch_var_run_t)

	arpwatch_systemctl($1)
	admin_pattern($1, arpwatch_unit_file_t)
	allow $1 arpwatch_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `arpwatch_admin'($*)) dnl
')

########################################
## <summary>
##	Create objects in the arpwatch data directory
##	with an automatic type transition to a specified type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object being created.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object being created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`arpwatch_data_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `arpwatch_data_filetrans'($*)) dnl
	gen_require(`
		type arpwatch_data_t;
	')

	filetrans_pattern($1, arpwatch_data_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `arpwatch_data_filetrans'($*)) dnl
')

## <summary>Asterisk IP telephony server.</summary>

######################################
## <summary>
##	Execute asterisk in the asterisk domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`asterisk_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `asterisk_domtrans'($*)) dnl
	gen_require(`
		type asterisk_t, asterisk_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, asterisk_exec_t, asterisk_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `asterisk_domtrans'($*)) dnl
')

######################################
## <summary>
##	Execute asterisk in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`asterisk_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `asterisk_exec'($*)) dnl
	gen_require(`
		type asterisk_exec_t;
	')

	corecmd_search_bin($1)
	# No domain transition: the binary runs with the privileges of the caller.
	can_exec($1, asterisk_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `asterisk_exec'($*)) dnl
')

#####################################
## <summary>
##	Connect to asterisk over a unix
##	domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`asterisk_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `asterisk_stream_connect'($*)) dnl
	gen_require(`
		type asterisk_t, asterisk_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `asterisk_stream_connect'($*)) dnl
')

#######################################
## <summary>
##	Set attributes of asterisk log
##	files and directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`asterisk_setattr_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `asterisk_setattr_logs'($*)) dnl
	gen_require(`
		type asterisk_log_t;
	')

	setattr_files_pattern($1, asterisk_log_t, asterisk_log_t)
	setattr_dirs_pattern($1, asterisk_log_t, asterisk_log_t)
	logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `asterisk_setattr_logs'($*)) dnl
')

#######################################
## <summary>
##	Set attributes of the asterisk
##	PID content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`asterisk_setattr_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `asterisk_setattr_pid_files'($*)) dnl
	gen_require(`
		type asterisk_var_run_t;
	')

	setattr_files_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
	setattr_dirs_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `asterisk_setattr_pid_files'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an asterisk environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`asterisk_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `asterisk_admin'($*)) dnl
	gen_require(`
		type asterisk_t, asterisk_var_run_t, asterisk_spool_t;
		type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t;
		type asterisk_var_lib_t, asterisk_initrc_exec_t;
	')

	allow $1 asterisk_t:process signal_perms;
	ps_process_pattern($1, asterisk_t)

	# ptrace of the daemon is withheld when the deny_ptrace tunable is on.
	tunable_policy(`deny_ptrace',`',`
		allow $1 asterisk_t:process ptrace;
	')

	# Lets the admin role run the init script as system_r.
	init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 asterisk_initrc_exec_t system_r;
	allow $2 system_r;

	asterisk_exec($1)

	files_list_tmp($1)
	admin_pattern($1, asterisk_tmp_t)

	files_list_etc($1)
	admin_pattern($1, asterisk_etc_t)

	logging_list_logs($1)
	admin_pattern($1, asterisk_log_t)

	files_list_spool($1)
	admin_pattern($1, asterisk_spool_t)

	files_list_var_lib($1)
	admin_pattern($1, asterisk_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, asterisk_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `asterisk_admin'($*)) dnl
')

## <summary>policy for authconfig</summary>

########################################
## <summary>
##	Execute authconfig in the authconfig domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`authconfig_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `authconfig_domtrans'($*)) dnl
	gen_require(`
		type authconfig_t, authconfig_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, authconfig_exec_t, authconfig_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `authconfig_domtrans'($*)) dnl
')

########################################
## <summary>
##	Search authconfig lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`authconfig_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `authconfig_search_lib'($*)) dnl
	gen_require(`
		type authconfig_var_lib_t;
	')

	allow $1 authconfig_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `authconfig_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read authconfig lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`authconfig_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `authconfig_read_lib_files'($*)) dnl
	gen_require(`
		type authconfig_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `authconfig_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	authconfig lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`authconfig_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `authconfig_manage_lib_files'($*)) dnl
	gen_require(`
		type authconfig_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `authconfig_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	authconfig lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`authconfig_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `authconfig_manage_lib_dirs'($*)) dnl
	gen_require(`
		type authconfig_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `authconfig_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	an authconfig environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`authconfig_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `authconfig_admin'($*)) dnl
	gen_require(`
		type authconfig_t;
		type authconfig_var_lib_t;
	')

	# NOTE(review): ptrace is granted unconditionally here, while the
	# other *_admin interfaces in this file gate it behind the
	# deny_ptrace tunable. Consider the same tunable_policy wrapper.
	allow $1 authconfig_t:process { ptrace signal_perms };
	ps_process_pattern($1, authconfig_t)

	files_search_var_lib($1)
	admin_pattern($1, authconfig_var_lib_t)

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `authconfig_admin'($*)) dnl
')

## <summary>Filesystem automounter service.</summary>

########################################
## <summary>
##	Execute automount in the automount domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`automount_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_domtrans'($*)) dnl
	gen_require(`
		type automount_t, automount_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, automount_exec_t, automount_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_domtrans'($*)) dnl
')

########################################
## <summary>
##	Send generic signals to automount.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`automount_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_signal'($*)) dnl
	gen_require(`
		type automount_t;
	')

	allow $1 automount_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_signal'($*)) dnl
')

########################################
## <summary>
##	Execute automount configuration files in
##	the caller domain. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`automount_exec_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_exec_config'($*)) dnl
	# Deprecated alias: emits a build-time warning and delegates to
	# the generic etc-file exec interface.
	refpolicywarn(`$0(): has been deprecated, please use files_exec_etc_files() instead.')
	files_exec_etc_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_exec_config'($*)) dnl
')

########################################
## <summary>
##	Read automount process state.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`automount_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_read_state'($*)) dnl
	gen_require(`
		type automount_t;
	')

	# Read access to the automount entries under /proc.
	kernel_search_proc($1)
	allow $1 automount_t:dir list_dir_perms;
	read_files_pattern($1, automount_t, automount_t)
	read_lnk_files_pattern($1, automount_t, automount_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_read_state'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to use
##	automount file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`automount_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_dontaudit_use_fds'($*)) dnl
	gen_require(`
		type automount_t;
	')

	dontaudit $1 automount_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_dontaudit_use_fds'($*)) dnl
')

########################################
## <summary>
##	Write to an automount unnamed pipe.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`automount_write_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_write_pipes'($*)) dnl
	gen_require(`
		type automount_t;
	')

	# fd use is needed because the pipe is inherited from automount.
	allow $1 automount_t:fd use;
	allow $1 automount_t:fifo_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_write_pipes'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write
##	automount unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`automount_dontaudit_write_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_dontaudit_write_pipes'($*)) dnl
	gen_require(`
		type automount_t;
	')

	dontaudit $1 automount_t:fifo_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_dontaudit_write_pipes'($*)) dnl
')

########################################
## <summary>
##	Search automount temporary
##	directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`automount_search_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_search_tmp_dirs'($*)) dnl
	gen_require(`
		type automount_tmp_t;
	')

	search_dirs_pattern($1, automount_tmp_t, automount_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_search_tmp_dirs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get
##	attributes of automount temporary
##	directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`automount_dontaudit_getattr_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_dontaudit_getattr_tmp_dirs'($*)) dnl
	gen_require(`
		type automount_tmp_t;
	')

	dontaudit $1 automount_tmp_t:dir getattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_dontaudit_getattr_tmp_dirs'($*)) dnl
')

########################################
## <summary>
##	Manage the automount service unit
##	with systemctl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`automount_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_systemctl'($*)) dnl
	gen_require(`
		type automount_t;
		type automount_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 automount_unit_file_t:file read_file_perms;
	allow $1 automount_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, automount_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an automount environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`automount_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `automount_admin'($*)) dnl
	gen_require(`
		type automount_t, automount_lock_t, automount_tmp_t;
		type automount_var_run_t, automount_initrc_exec_t;
		type automount_unit_file_t, automount_keytab_t;
	')

	allow $1 automount_t:process signal_perms;
	ps_process_pattern($1, automount_t)

	# ptrace of the daemon is withheld when the deny_ptrace tunable is on.
	tunable_policy(`deny_ptrace',`',`
		allow $1 automount_t:process ptrace;
	')

	# Lets the admin role run the init script as system_r.
	init_labeled_script_domtrans($1, automount_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 automount_initrc_exec_t system_r;
	allow $2 system_r;

	# Includes the kerberos keytab, which holds credential material.
	files_list_etc($1)
	admin_pattern($1, automount_keytab_t)

	files_list_var($1)
	admin_pattern($1, automount_lock_t)

	files_list_tmp($1)
	admin_pattern($1, automount_tmp_t)

	files_list_pids($1)
	admin_pattern($1, automount_var_run_t)

	automount_systemctl($1)
	admin_pattern($1, automount_unit_file_t)
	allow $1 automount_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `automount_admin'($*)) dnl
')

## <summary>mDNS/DNS-SD daemon implementing Apple ZeroConf architecture.</summary>

########################################
## <summary>
##	Execute avahi server in the avahi domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`avahi_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_domtrans'($*)) dnl
	gen_require(`
		type avahi_exec_t, avahi_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, avahi_exec_t, avahi_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute avahi init scripts in the
##	init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`avahi_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_initrc_domtrans'($*)) dnl
	gen_require(`
		type avahi_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, avahi_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Send generic signals to avahi.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`avahi_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_signal'($*)) dnl
	gen_require(`
		type avahi_t;
	')

	allow $1 avahi_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_signal'($*)) dnl
')

########################################
## <summary>
##	Send kill signals to avahi.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`avahi_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_kill'($*)) dnl
	gen_require(`
		type avahi_t;
	')

	allow $1 avahi_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_kill'($*)) dnl
')

########################################
## <summary>
##	Send null signals to avahi.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`avahi_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_signull'($*)) dnl
	gen_require(`
		type avahi_t;
	')

	# signull is the existence check (kill -0), it delivers no signal.
	allow $1 avahi_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_signull'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	avahi over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`avahi_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_dbus_chat'($*)) dnl
	gen_require(`
		type avahi_t;
		class dbus send_msg;
	')

	# Bidirectional: the caller may message avahi and avahi may
	# message the caller.
	allow $1 avahi_t:dbus send_msg;
	allow avahi_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Connect to avahi using a unix
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`avahi_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_stream_connect'($*)) dnl
	gen_require(`
		type avahi_t, avahi_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, avahi_var_run_t, avahi_var_run_t, avahi_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Create avahi pid directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`avahi_create_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_create_pid_dirs'($*)) dnl
	gen_require(`
		type avahi_var_run_t;
	')

	files_search_pids($1)
	allow $1 avahi_var_run_t:dir create_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_create_pid_dirs'($*)) dnl
')

########################################
## <summary>
##	Set attributes of avahi pid directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`avahi_setattr_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_setattr_pid_dirs'($*)) dnl
	gen_require(`
		type avahi_var_run_t;
	')

	files_search_pids($1)
	allow $1 avahi_var_run_t:dir setattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_setattr_pid_dirs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	avahi pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`avahi_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_manage_pid_files'($*)) dnl
	gen_require(`
		type avahi_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, avahi_var_run_t, avahi_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_manage_pid_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to search
##	avahi pid directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`avahi_dontaudit_search_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_dontaudit_search_pid'($*)) dnl
	gen_require(`
		type avahi_var_run_t;
	')

	dontaudit $1 avahi_var_run_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_dontaudit_search_pid'($*)) dnl
')

########################################
## <summary>
##	Manage the avahi service unit
##	with systemctl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`avahi_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_systemctl'($*)) dnl
	gen_require(`
		type avahi_t;
		type avahi_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 avahi_unit_file_t:file read_file_perms;
	allow $1 avahi_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, avahi_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_systemctl'($*)) dnl
')

########################################
## <summary>
##	Create specified objects in generic
##	pid directories with the avahi pid file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Class of the object being created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`avahi_filetrans_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_filetrans_pid'($*)) dnl
	gen_require(`
		type avahi_var_run_t;
	')

	files_pid_filetrans($1, avahi_var_run_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_filetrans_pid'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an avahi environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`avahi_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `avahi_admin'($*)) dnl
	gen_require(`
		type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
		type avahi_unit_file_t;
		type avahi_var_lib_t;
	')

	allow $1 avahi_t:process signal_perms;
	ps_process_pattern($1, avahi_t)

	# ptrace of the daemon is withheld when the deny_ptrace tunable is on.
	tunable_policy(`deny_ptrace',`',`
		allow $1 avahi_t:process ptrace;
	')

	# Lets the admin role run the init script as system_r.
	avahi_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 avahi_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_pids($1)
	admin_pattern($1, avahi_var_run_t)

	files_search_var_lib($1)
	admin_pattern($1, avahi_var_lib_t)

	avahi_systemctl($1)
	admin_pattern($1, avahi_unit_file_t)
	allow $1 avahi_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `avahi_admin'($*)) dnl
')

## <summary>Log file analyzer for advanced statistics.</summary>

########################################
## <summary>
##	Execute the awstats program in
##	the awstats domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`awstats_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `awstats_domtrans'($*)) dnl
	gen_require(`
		type awstats_t, awstats_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, awstats_exec_t, awstats_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `awstats_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read and write awstats unnamed pipes. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`awstats_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `awstats_rw_pipes'($*)) dnl
	# Deprecated: expands to a build-time warning only, no rules.
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `awstats_rw_pipes'($*)) dnl
')

########################################
## <summary>
##	Execute awstats cgi scripts in the caller domain.
##	(Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`awstats_cgi_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `awstats_cgi_exec'($*)) dnl
	# Deprecated: expands to a build-time warning only, no rules.
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `awstats_cgi_exec'($*)) dnl
')

## <summary>System backup scripts.</summary>

########################################
## <summary>
##	Execute backup in the backup domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`backup_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `backup_domtrans'($*)) dnl
	gen_require(`
		type backup_t, backup_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, backup_exec_t, backup_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `backup_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute backup in the backup
##	domain, and allow the specified
##	role the backup domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`backup_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `backup_run'($*)) dnl
	gen_require(`
		attribute_role backup_roles;
	')

	backup_domtrans($1)
	# Membership in backup_roles is what authorizes the role for backup_t.
	roleattribute $2 backup_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `backup_run'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	backup store files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`backup_manage_store_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `backup_manage_store_files'($*)) dnl
	gen_require(`
		type backup_store_t;
	')

	files_search_var($1)
	manage_files_pattern($1, backup_store_t, backup_store_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `backup_manage_store_files'($*)) dnl
')

## <summary>Cross platform network backup.</summary>

########################################
## <summary>
##	Execute the bacula admin program
##	in the bacula admin domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`bacula_domtrans_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bacula_domtrans_admin'($*)) dnl
	gen_require(`
		type bacula_admin_t, bacula_admin_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, bacula_admin_exec_t, bacula_admin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bacula_domtrans_admin'($*)) dnl
')

########################################
## <summary>
##	Execute user interfaces in the
##	bacula admin domain, and allow the
##	specified role the bacula admin domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`bacula_run_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bacula_run_admin'($*)) dnl
	gen_require(`
		attribute_role bacula_admin_roles;
	')

	bacula_domtrans_admin($1)
	roleattribute $2 bacula_admin_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bacula_run_admin'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a bacula environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`bacula_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bacula_admin'($*)) dnl
	gen_require(`
		type bacula_t, bacula_etc_t, bacula_log_t;
		type bacula_spool_t, bacula_var_lib_t;
		type bacula_var_run_t, bacula_initrc_exec_t;
		attribute_role bacula_admin_roles;
	')

	# NOTE(review): ptrace is granted unconditionally here, while the
	# other *_admin interfaces in this file gate it behind the
	# deny_ptrace tunable. Consider the same tunable_policy wrapper.
	allow $1 bacula_t:process { ptrace signal_perms };
	ps_process_pattern($1, bacula_t)

	# Lets the admin role run the init script as system_r.
	init_labeled_script_domtrans($1, bacula_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 bacula_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, bacula_etc_t)

	logging_search_logs($1)
	admin_pattern($1, bacula_log_t)

	files_search_var($1)
	admin_pattern($1, bacula_spool_t)

	files_search_var_lib($1)
	admin_pattern($1, bacula_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, bacula_var_run_t)

	bacula_run_admin($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bacula_admin'($*)) dnl
')

## <summary>configuration management suite.</summary>

########################################
## <summary>
##	Execute bcfg2 in the bcfg2 domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`bcfg2_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bcfg2_domtrans'($*)) dnl
	gen_require(`
		type bcfg2_t, bcfg2_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, bcfg2_exec_t, bcfg2_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bcfg2_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute bcfg2 init scripts in the
##	init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`bcfg2_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bcfg2_initrc_domtrans'($*)) dnl
	gen_require(`
		type bcfg2_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, bcfg2_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bcfg2_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Search bcfg2 lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bcfg2_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bcfg2_search_lib'($*)) dnl
	gen_require(`
		type bcfg2_var_lib_t;
	')

	allow $1 bcfg2_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bcfg2_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read bcfg2 lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bcfg2_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bcfg2_read_lib_files'($*)) dnl
	gen_require(`
		type bcfg2_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bcfg2_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	bcfg2 lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bcfg2_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bcfg2_manage_lib_files'($*)) dnl
	gen_require(`
		type bcfg2_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bcfg2_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	bcfg2 lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bcfg2_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bcfg2_manage_lib_dirs'($*)) dnl
	gen_require(`
		type bcfg2_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bcfg2_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage the bcfg2 service
##	(read the unit file, reload services, get
##	the bcfg2 process state).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bcfg2_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bcfg2_systemctl'($*)) dnl
	gen_require(`
		type bcfg2_t;
		type bcfg2_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 bcfg2_unit_file_t:file read_file_perms;
	allow $1 bcfg2_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, bcfg2_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bcfg2_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an bcfg2 environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`bcfg2_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bcfg2_admin'($*)) dnl
	gen_require(`
		type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t;
		type bcfg2_var_run_t;
		type bcfg2_unit_file_t;
	')

	allow $1 bcfg2_t:process { signal_perms };
	ps_process_pattern($1, bcfg2_t)

	# ptrace of the daemon is only granted when the deny_ptrace
	# tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 bcfg2_t:process ptrace;
	')

	# Run the init script and let the admin role reach system_r.
	bcfg2_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 bcfg2_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_pids($1)
	admin_pattern($1, bcfg2_var_run_t)

	files_search_var_lib($1)
	admin_pattern($1, bcfg2_var_lib_t)

	bcfg2_systemctl($1)
	admin_pattern($1, bcfg2_unit_file_t)
	allow $1 bcfg2_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bcfg2_admin'($*)) dnl
')

## <summary>Berkeley Internet name domain DNS server.</summary>

########################################
## <summary>
##	Execute bind server in the bind domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`bind_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_initrc_domtrans'($*)) dnl
	gen_require(`
		type named_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, named_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage the bind (named)
##	service.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_systemctl'($*)) dnl
	gen_require(`
		type named_unit_file_t;
		type named_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 named_unit_file_t:file read_file_perms;
	allow $1 named_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, named_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_systemctl'($*)) dnl
')

########################################
## <summary>
##	Execute ndc in the ndc domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`bind_domtrans_ndc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_domtrans_ndc'($*)) dnl
	gen_require(`
		type ndc_t, ndc_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, ndc_exec_t, ndc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_domtrans_ndc'($*)) dnl
')

########################################
## <summary>
##	Send generic signals to bind.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_signal'($*)) dnl
	gen_require(`
		type named_t;
	')

	allow $1 named_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_signal'($*)) dnl
')

########################################
## <summary>
##	Send null signals to bind.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_signull'($*)) dnl
	gen_require(`
		type named_t;
	')

	allow $1 named_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_signull'($*)) dnl
')

########################################
## <summary>
##	Send kill signals to bind.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_kill'($*)) dnl
	gen_require(`
		type named_t;
	')

	allow $1 named_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_kill'($*)) dnl
')

########################################
## <summary>
##	Execute ndc in the ndc domain, and
##	allow the specified role the ndc domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`bind_run_ndc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_run_ndc'($*)) dnl
	gen_require(`
		attribute_role ndc_roles;
	')

	bind_domtrans_ndc($1)
	roleattribute $2 ndc_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_run_ndc'($*)) dnl
')

########################################
## <summary>
##	Execute bind in the named domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`bind_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_domtrans'($*)) dnl
	gen_require(`
		type named_t, named_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, named_exec_t, named_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read dnssec key files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_read_dnssec_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_read_dnssec_keys'($*)) dnl
	gen_require(`
		type named_conf_t, named_zone_t, dnssec_t;
	')

	# Key files may live under either the config or the zone directory.
	read_files_pattern($1, { named_conf_t named_zone_t }, dnssec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_read_dnssec_keys'($*)) dnl
')

########################################
## <summary>
##	Mmap dnssec key files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_map_dnssec_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_map_dnssec_keys'($*)) dnl
	gen_require(`
		type named_conf_t, named_zone_t, dnssec_t;
	')

	# NOTE(review): named_conf_t and named_zone_t are required but not
	# used by any rule here; only the map permission on dnssec_t is
	# granted, so callers presumably pair this with bind_read_dnssec_keys
	# for the read and directory access - confirm.
	allow $1 dnssec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_map_dnssec_keys'($*)) dnl
')

########################################
## <summary>
##	Read bind named configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_read_config'($*)) dnl
	gen_require(`
		type named_conf_t;
	')

	allow $1 named_conf_t:dir list_dir_perms;
	read_files_pattern($1, named_conf_t, named_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_read_config'($*)) dnl
')

########################################
## <summary>
##	Write bind named configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_write_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_write_config'($*)) dnl
	gen_require(`
		type named_conf_t;
	')

	write_files_pattern($1, named_conf_t, named_conf_t)
	allow $1 named_conf_t:file setattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_write_config'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	bind configuration directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_manage_config_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_manage_config_dirs'($*)) dnl
	gen_require(`
		type named_conf_t;
	')

	manage_dirs_pattern($1, named_conf_t, named_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_manage_config_dirs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	BIND configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_manage_config'($*)) dnl
	gen_require(`
		type named_conf_t;
	')

	manage_files_pattern($1, named_conf_t, named_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_manage_config'($*)) dnl
')

########################################
## <summary>
##	Search bind cache directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_search_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_search_cache'($*)) dnl
	gen_require(`
		type named_conf_t, named_cache_t, named_zone_t;
	')

	# Search is granted on the config and zone directories as well,
	# so the cache directory can be reached through either path.
	files_search_var($1)
	allow $1 named_conf_t:dir search_dir_perms;
	allow $1 named_zone_t:dir search_dir_perms;
	allow $1 named_cache_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_search_cache'($*)) dnl
')

########################################
## <summary>
##	Read bind cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_read_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_read_cache'($*)) dnl
	gen_require(`
		type named_cache_t;
	')

	files_search_var($1)
	allow $1 named_cache_t:dir list_dir_perms;
	read_files_pattern($1, named_cache_t, named_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_read_cache'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to read
##	and write Bind cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_rw_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_rw_cache'($*)) dnl
	gen_require(`
		type named_cache_t;
	')

	# Read/write only; no create or unlink (see bind_manage_cache), and
	# no search of the parent directories is granted here.
	allow $1 named_cache_t:dir list_dir_perms;
	allow $1 named_cache_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_rw_cache'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	bind cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_manage_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_manage_cache'($*)) dnl
	gen_require(`
		type named_cache_t, named_zone_t;
	')

	files_search_var($1)
	allow $1 named_zone_t:dir search_dir_perms;
	manage_files_pattern($1, named_cache_t, named_cache_t)
	manage_lnk_files_pattern($1, named_cache_t, named_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_manage_cache'($*)) dnl
')

########################################
## <summary>
##	Read bind pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_read_pid_files'($*)) dnl
	gen_require(`
		type named_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, named_var_run_t, named_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Set attributes of bind pid directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_setattr_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_setattr_pid_dirs'($*)) dnl
	gen_require(`
		type named_var_run_t;
	')

	allow $1 named_var_run_t:dir setattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_setattr_pid_dirs'($*)) dnl
')

########################################
## <summary>
##	Set attributes of bind zone directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_setattr_zone_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_setattr_zone_dirs'($*)) dnl
	gen_require(`
		type named_zone_t;
	')

	allow $1 named_zone_t:dir setattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_setattr_zone_dirs'($*)) dnl
')

########################################
## <summary>
##	Read bind zone files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_read_zone',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_read_zone'($*)) dnl
	gen_require(`
		type named_zone_t;
	')

	files_search_var($1)
	read_files_pattern($1, named_zone_t, named_zone_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_read_zone'($*)) dnl
')

########################################
## <summary>
##	Read bind log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_read_log'($*)) dnl
	gen_require(`
		type named_zone_t;
		type named_log_t;
	')

	# Search of the zone directory is granted because the log files
	# are reached through it.
	files_search_var($1)
	allow $1 named_zone_t:dir search_dir_perms;
	read_files_pattern($1, named_log_t, named_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_read_log'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	bind zone directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_manage_zone_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_manage_zone_dirs'($*)) dnl
	gen_require(`
		type named_zone_t;
	')

	files_search_var($1)
	allow $1 named_zone_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_manage_zone_dirs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	bind zone files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_manage_zone',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_manage_zone'($*)) dnl
	gen_require(`
		type named_zone_t;
	')

	files_search_var($1)
	manage_files_pattern($1, named_zone_t, named_zone_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_manage_zone'($*)) dnl
')

########################################
## <summary>
##	Send and receive datagrams to and from named. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
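##	</summary>
## </param>
#
define(`bind_udp_chat_named',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_udp_chat_named'($*)) dnl
	# Deprecated: emits a build-time warning and grants nothing.
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_udp_chat_named'($*)) dnl
')

########################################
## <summary>
##	Allow the domain to read bind state files in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_read_state'($*)) dnl
	gen_require(`
		type named_t;
	')

	kernel_search_proc($1)
	ps_process_pattern($1, named_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_read_state'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an bind environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`bind_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_admin'($*)) dnl
	gen_require(`
		type named_t, named_tmp_t, named_log_t;
		type named_cache_t, named_zone_t, named_initrc_exec_t;
		type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
		type named_keytab_t, named_unit_file_t;
	')

	allow $1 named_t:process signal_perms;
	ps_process_pattern($1, named_t)

	# ptrace of the daemon is only granted when the deny_ptrace
	# tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 named_t:process ptrace;
	')

	bind_run_ndc($1, $2)

	# Run the init script and let the admin role reach system_r.
	init_labeled_script_domtrans($1, named_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 named_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_tmp($1)
	admin_pattern($1, named_tmp_t)

	logging_list_logs($1)
	admin_pattern($1, named_log_t)

	# The keytab type is covered by this set; the former separate
	# admin_pattern on named_keytab_t alone was a duplicate.
	files_list_etc($1)
	admin_pattern($1, { named_keytab_t named_conf_t })

	files_list_var($1)
	admin_pattern($1, { dnssec_t named_cache_t named_zone_t })

	files_list_pids($1)
	admin_pattern($1, named_var_run_t)

	admin_pattern($1, named_unit_file_t)
	bind_systemctl($1)
	allow $1 named_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_admin'($*)) dnl
')

######################################
## <summary>
##	Execute bind in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bind_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bind_exec'($*)) dnl
	gen_require(`
		type named_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, named_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bind_exec'($*)) dnl
')

## <summary>BIRD Internet Routing Daemon.</summary>

########################################
## <summary>
##	All of the rules required to
##	administrate an bird environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`bird_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bird_admin'($*)) dnl
	gen_require(`
		type bird_t, bird_etc_t, bird_log_t;
		type bird_var_run_t, bird_initrc_exec_t;
	')

	allow $1 bird_t:process signal_perms;
	ps_process_pattern($1, bird_t)

	# Gate ptrace of the daemon on the deny_ptrace tunable, as the
	# other *_admin interfaces in this file do, instead of granting it
	# unconditionally.
	tunable_policy(`deny_ptrace',`',`
		allow $1 bird_t:process ptrace;
	')

	# Run the init script and let the admin role reach system_r.
	init_labeled_script_domtrans($1, bird_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 bird_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, bird_etc_t)

	logging_list_logs($1)
	admin_pattern($1, bird_log_t)

	files_list_pids($1)
	admin_pattern($1, bird_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bird_admin'($*)) dnl
')

## <summary>Tunnels instant messaging traffic to a virtual IRC channel.</summary>

########################################
## <summary>
##	Read bitlbee configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.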
##	</summary>
## </param>
#
define(`bitlbee_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bitlbee_read_config'($*)) dnl
	gen_require(`
		type bitlbee_conf_t;
	')

	files_search_etc($1)
	allow $1 bitlbee_conf_t:dir list_dir_perms;
	allow $1 bitlbee_conf_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bitlbee_read_config'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an bitlbee environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`bitlbee_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bitlbee_admin'($*)) dnl
	gen_require(`
		type bitlbee_t, bitlbee_conf_t, bitlbee_var_t;
		type bitlbee_initrc_exec_t, bitlbee_var_run_t;
		type bitlbee_log_t, bitlbee_tmp_t;
	')

	allow $1 bitlbee_t:process signal_perms;
	ps_process_pattern($1, bitlbee_t)

	# ptrace of the daemon is only granted when the deny_ptrace
	# tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 bitlbee_t:process ptrace;
	')

	# Run the init script and let the admin role reach system_r.
	init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 bitlbee_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, bitlbee_conf_t)

	logging_search_logs($1)
	admin_pattern($1, bitlbee_log_t)

	files_search_tmp($1)
	admin_pattern($1, bitlbee_tmp_t)

	files_search_pids($1)
	admin_pattern($1, bitlbee_var_run_t)

	files_search_var_lib($1)
	admin_pattern($1, bitlbee_var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bitlbee_admin'($*)) dnl
')

## <summary>The blkmapd daemon performs device discovery and mapping for pNFS block layout client.</summary>

########################################
## <summary>
##	Execute blkmapd_exec_t in the blkmapd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`blkmapd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `blkmapd_domtrans'($*)) dnl
	gen_require(`
		type blkmapd_t, blkmapd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, blkmapd_exec_t, blkmapd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `blkmapd_domtrans'($*)) dnl
')

######################################
## <summary>
##	Execute blkmapd in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`blkmapd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `blkmapd_exec'($*)) dnl
	gen_require(`
		type blkmapd_exec_t;
	')

	# No domain transition: the binary runs in the caller domain.
	corecmd_search_bin($1)
	can_exec($1, blkmapd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `blkmapd_exec'($*)) dnl
')

########################################
## <summary>
##	Execute blkmapd server in the blkmapd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`blkmapd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `blkmapd_initrc_domtrans'($*)) dnl
	gen_require(`
		type blkmapd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, blkmapd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `blkmapd_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read blkmapd PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`blkmapd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `blkmapd_read_pid_files'($*)) dnl
	gen_require(`
		type blkmapd_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, blkmapd_var_run_t, blkmapd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `blkmapd_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	an blkmapd environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`blkmapd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `blkmapd_admin'($*)) dnl
	gen_require(`
		type blkmapd_t;
		type blkmapd_initrc_exec_t;
		type blkmapd_var_run_t;
	')

	allow $1 blkmapd_t:process { signal_perms };
	ps_process_pattern($1, blkmapd_t)

	# ptrace of the daemon is only granted when the deny_ptrace
	# tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 blkmapd_t:process ptrace;
	')

	# Run the init script and let the admin role reach system_r.
	blkmapd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 blkmapd_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_pids($1)
	admin_pattern($1, blkmapd_var_run_t)

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `blkmapd_admin'($*)) dnl
')

## <summary>Tool to manage Bluetooth devices.</summary>

########################################
## <summary>
##	Execute blueman in the blueman domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`blueman_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `blueman_domtrans'($*)) dnl
	gen_require(`
		type blueman_t, blueman_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, blueman_exec_t, blueman_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `blueman_domtrans'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	blueman over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`blueman_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `blueman_dbus_chat'($*)) dnl
	gen_require(`
		type blueman_t;
		class dbus send_msg;
	')

	allow $1 blueman_t:dbus send_msg;
	allow blueman_t $1:dbus send_msg;

	# NOTE(review): the arguments are in the reverse order of every other
	# ps_process_pattern call in this file, so this presumably lets
	# blueman_t read the process state of the caller domain rather than
	# the other way round - confirm this is intended.
	ps_process_pattern(blueman_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `blueman_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Search blueman lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`blueman_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `blueman_search_lib'($*)) dnl
	gen_require(`
		type blueman_var_lib_t;
	')

	allow $1 blueman_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `blueman_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read blueman lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`blueman_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `blueman_read_lib_files'($*)) dnl
	gen_require(`
		type blueman_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, blueman_var_lib_t, blueman_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `blueman_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	blueman lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`blueman_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `blueman_manage_lib_files'($*)) dnl
	gen_require(`
		type blueman_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, blueman_var_lib_t, blueman_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `blueman_manage_lib_files'($*)) dnl
')

## <summary>Bluetooth tools and system services.</summary>

########################################
## <summary>
##	Role access for bluetooth.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
define(`bluetooth_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_role'($*)) dnl
	gen_require(`
		attribute_role bluetooth_helper_roles;
		type bluetooth_t, bluetooth_helper_t, bluetooth_helper_exec_t;
		type bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_var_run_t;
	')

	########################################
	#
	# Declarations
	#

	roleattribute $1 bluetooth_helper_roles;

	########################################
	#
	# Policy
	#

	# The user domain may run the helper and transition into it.
	domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)

	ps_process_pattern($2, bluetooth_helper_t)
	allow $2 bluetooth_helper_t:process signal_perms;

	# ptrace of the helper is only granted when the deny_ptrace
	# tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $2 bluetooth_helper_t:process ptrace;
	')

	allow $2 bluetooth_t:socket rw_socket_perms;

	# Full management plus relabel of the helper temp and tmpfs objects.
	allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
	allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms };
	allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };

	manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
	manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)

	bluetooth_stream_connect($2)
	stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_role'($*)) dnl
')

#####################################
## <summary>
##	Connect to bluetooth over a unix domain
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bluetooth_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_stream_connect'($*)) dnl
	gen_require(`
		type bluetooth_t, bluetooth_var_run_t;
		type bluetooth_tmp_t;
	')

	# The daemon socket may be in the pid or the tmp directory.
	files_search_pids($1)
	allow $1 bluetooth_t:socket rw_socket_perms;
	stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
	stream_connect_pattern($1, bluetooth_tmp_t, bluetooth_tmp_t, bluetooth_t)

	# Direct use of bluetooth sockets is withheld while deny_bluetooth is set.
	tunable_policy(`deny_bluetooth',`',`
		allow $1 bluetooth_t:bluetooth_socket rw_socket_perms;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Execute bluetooth in the bluetooth domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`bluetooth_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_domtrans'($*)) dnl
	gen_require(`
		type bluetooth_t, bluetooth_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, bluetooth_exec_t, bluetooth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read bluetooth configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bluetooth_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_read_config'($*)) dnl
	gen_require(`
		type bluetooth_conf_t;
	')

	# File read only; no directory search is granted here.
	allow $1 bluetooth_conf_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_read_config'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	bluetooth over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bluetooth_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_dbus_chat'($*)) dnl
	gen_require(`
		type bluetooth_t;
		class dbus send_msg;
	')

	allow $1 bluetooth_t:dbus send_msg;
	allow bluetooth_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	dontaudit Send and receive messages from
##	bluetooth over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`bluetooth_dontaudit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_dontaudit_dbus_chat'($*)) dnl
	gen_require(`
		type bluetooth_t;
		class dbus send_msg;
	')

	dontaudit $1 bluetooth_t:dbus send_msg;
	dontaudit bluetooth_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_dontaudit_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`bluetooth_domtrans_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_domtrans_helper'($*)) dnl
	# Deprecated: emits a build-time warning and grants nothing.
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_domtrans_helper'($*)) dnl
')

########################################
## <summary>
##	Execute bluetooth_helper in the bluetooth_helper domain, and
##	allow the specified role the bluetooth_helper domain. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the bluetooth_helper domain to use.
##	</summary>
## </param>
## <rolecap/>
#
define(`bluetooth_run_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_run_helper'($*)) dnl
	# no rules are emitted; callers only get a build-time warning
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_run_helper'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read
##	bluetooth helper process state files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`bluetooth_dontaudit_read_helper_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_dontaudit_read_helper_state'($*)) dnl
	gen_require(`
		type bluetooth_helper_t;
	')

	# NOTE(review): this still targets bluetooth_helper_t although the helper
	# domtrans/run interfaces above are deprecated - confirm the type is still declared
	dontaudit $1 bluetooth_helper_t:dir search_dir_perms;
	dontaudit $1 bluetooth_helper_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_dontaudit_read_helper_state'($*)) dnl
')

########################################
## <summary>
##	Manage the bluetooth systemd unit via systemctl
##	and view the bluetooth process.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bluetooth_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_systemctl'($*)) dnl
	gen_require(`
		type bluetooth_t, bluetooth_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)

	allow $1 bluetooth_unit_file_t:file read_file_perms;
	allow $1 bluetooth_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, bluetooth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a bluetooth environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`bluetooth_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bluetooth_admin'($*)) dnl
	gen_require(`
		type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
		type bluetooth_var_lib_t, bluetooth_var_run_t;
		type bluetooth_conf_t, bluetooth_conf_rw_t;
		type bluetooth_unit_file_t, bluetooth_initrc_exec_t;
	')

	allow $1 bluetooth_t:process signal_perms;
	ps_process_pattern($1, bluetooth_t)

	# ptrace is only granted while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 bluetooth_t:process ptrace;
	')

	init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 bluetooth_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_tmp($1)
	admin_pattern($1, bluetooth_tmp_t)

	files_list_var($1)
	admin_pattern($1, bluetooth_lock_t)

	files_list_etc($1)
	admin_pattern($1, { bluetooth_conf_t bluetooth_conf_rw_t })

	files_list_var_lib($1)
	admin_pattern($1, bluetooth_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, bluetooth_var_run_t)

	bluetooth_systemctl($1)
	admin_pattern($1, bluetooth_unit_file_t)
	allow $1 bluetooth_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bluetooth_admin'($*)) dnl
')

## <summary>policy for boinc</summary>

########################################
## <summary>
##	Execute a domain transition to run boinc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`boinc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boinc_domtrans'($*)) dnl
	gen_require(`
		type boinc_t, boinc_exec_t;
	')

	domtrans_pattern($1, boinc_exec_t, boinc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boinc_domtrans'($*)) dnl
')

#######################################
## <summary>
##	Execute the boinc init script in the init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`boinc_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boinc_initrc_domtrans'($*)) dnl
	gen_require(`
		type boinc_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, boinc_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boinc_initrc_domtrans'($*)) dnl
')

#######################################
## <summary>
##	Do not audit attempts to getattr boinc lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`boinc_dontaudit_getattr_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boinc_dontaudit_getattr_lib'($*)) dnl
	gen_require(`
		type boinc_var_lib_t;
	')

	dontaudit $1 boinc_var_lib_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boinc_dontaudit_getattr_lib'($*)) dnl
')

########################################
## <summary>
##	Search boinc lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`boinc_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boinc_search_lib'($*)) dnl
	gen_require(`
		type boinc_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 boinc_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boinc_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read boinc lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`boinc_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boinc_read_lib_files'($*)) dnl
	gen_require(`
		type boinc_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boinc_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	boinc lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`boinc_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boinc_manage_lib_files'($*)) dnl
	gen_require(`
		type boinc_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boinc_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Manage boinc var_lib directories,
##	files and symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`boinc_manage_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boinc_manage_var_lib'($*)) dnl
	gen_require(`
		type boinc_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
	manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
	manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boinc_manage_var_lib'($*)) dnl
')

#######################################
## <summary>
##	Manage the boinc systemd unit via systemctl
##	and view the boinc process.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`boinc_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boinc_systemctl'($*)) dnl
	gen_require(`
		type boinc_t, boinc_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)

	allow $1 boinc_unit_file_t:file read_file_perms;
	allow $1 boinc_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, boinc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boinc_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a boinc environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`boinc_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boinc_admin'($*)) dnl
	gen_require(`
		type boinc_t, boinc_initrc_exec_t;
		type boinc_var_lib_t, boinc_unit_file_t;
	')

	allow $1 boinc_t:process signal_perms;
	ps_process_pattern($1, boinc_t)

	# ptrace is only granted while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 boinc_t:process ptrace;
	')

	boinc_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 boinc_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_var_lib($1)
	admin_pattern($1, boinc_var_lib_t)

	boinc_systemctl($1)
	admin_pattern($1, boinc_unit_file_t)
	allow $1 boinc_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boinc_admin'($*)) dnl
')

## <summary>policy for boltd</summary>

########################################
## <summary>
##	Execute boltd_exec_t in the boltd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`boltd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_domtrans'($*)) dnl
	gen_require(`
		type boltd_t, boltd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, boltd_exec_t, boltd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_domtrans'($*)) dnl
')

######################################
## <summary>
##	Execute boltd in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`boltd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_exec'($*)) dnl
	gen_require(`
		type boltd_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, boltd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_exec'($*)) dnl
')

########################################
## <summary>
##	Search boltd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`boltd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_search_lib'($*)) dnl
	gen_require(`
		type boltd_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 boltd_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read boltd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`boltd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_read_lib_files'($*)) dnl
	gen_require(`
		type boltd_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, boltd_var_lib_t, boltd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete boltd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`boltd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_manage_lib_files'($*)) dnl
	gen_require(`
		type boltd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, boltd_var_lib_t, boltd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete boltd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`boltd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_manage_lib_dirs'($*)) dnl
	gen_require(`
		type boltd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, boltd_var_lib_t, boltd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a boltd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`boltd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_admin'($*)) dnl
	gen_require(`
		type boltd_t, boltd_var_lib_t;
	')

	# NOTE(review): the role argument ($2) is accepted but no rule below uses it;
	# there is also no unit file or systemctl access here, unlike the other admin interfaces
	allow $1 boltd_t:process signal_perms;
	ps_process_pattern($1, boltd_t)

	# ptrace is only granted while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 boltd_t:process ptrace;
	')

	files_search_var_lib($1)
	admin_pattern($1, boltd_var_lib_t)

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_admin'($*)) dnl
')

########################################
## <summary>
##	Mount on the boltd lib directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`boltd_mounton_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_mounton_var_lib'($*)) dnl
	gen_require(`
		type boltd_var_lib_t;
	')

	allow $1 boltd_var_lib_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_mounton_var_lib'($*)) dnl
')

########################################
## <summary>
##	Mount on the boltd var_run directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`boltd_mounton_var_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_mounton_var_run'($*)) dnl
	gen_require(`
		type boltd_var_run_t;
	')

	allow $1 boltd_var_run_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_mounton_var_run'($*)) dnl
')

######################################
## <summary>
##	Write to boltd named pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`boltd_write_var_run_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_write_var_run_pipes'($*)) dnl
	gen_require(`
		type boltd_var_run_t;
	')

	# NOTE(review): fd objects carry the label of the domain that created them,
	# so an fd rule against the boltd_var_run_t file type is not expected to
	# ever match; the intended target is presumably the boltd domain - confirm
	allow $1 boltd_var_run_t:fd use;
	allow $1 boltd_var_run_t:fifo_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_write_var_run_pipes'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from boltd over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`boltd_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `boltd_dbus_chat'($*)) dnl
	gen_require(`
		type boltd_t;
		class dbus send_msg;
	')

	# bidirectional: the caller and the daemon may each message the other
	allow $1 boltd_t:dbus send_msg;
	allow boltd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `boltd_dbus_chat'($*)) dnl
')

## <summary>Utilities for configuring the Linux ethernet bridge.</summary>

########################################
## <summary>
##	Execute a domain transition to run brctl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`brctl_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `brctl_domtrans'($*)) dnl
	gen_require(`
		type brctl_t, brctl_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, brctl_exec_t, brctl_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `brctl_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute brctl in the brctl domain, and
##	allow the specified role the brctl domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`brctl_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `brctl_run'($*)) dnl
	gen_require(`
		attribute_role brctl_roles;
	')

	brctl_domtrans($1)
	roleattribute $2 brctl_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `brctl_run'($*)) dnl
')

## <summary>brltty is a refreshable braille display driver for Linux/Unix</summary>

########################################
## <summary>
##	Execute brltty in the brltty domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`brltty_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `brltty_domtrans'($*)) dnl
	gen_require(`
		type brltty_t, brltty_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, brltty_exec_t, brltty_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `brltty_domtrans'($*)) dnl
')

########################################
## <summary>
##	Manage the brltty systemd unit via systemctl
##	and view the brltty process.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`brltty_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `brltty_systemctl'($*)) dnl
	gen_require(`
		type brltty_t, brltty_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)

	allow $1 brltty_unit_file_t:file read_file_perms;
	allow $1 brltty_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, brltty_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `brltty_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a brltty environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`brltty_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `brltty_admin'($*)) dnl
	gen_require(`
		type brltty_t, brltty_unit_file_t;
	')

	allow $1 brltty_t:process signal_perms;
	ps_process_pattern($1, brltty_t)

	# ptrace is only granted while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 brltty_t:process ptrace;
	')

	brltty_systemctl($1)
	admin_pattern($1, brltty_unit_file_t)
	allow $1 brltty_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `brltty_admin'($*)) dnl
')

## <summary>Bugtracker.</summary>

########################################
## <summary>
##	Search bugzilla directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bugzilla_search_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bugzilla_search_content'($*)) dnl
	gen_require(`
		type bugzilla_content_t;
	')

	allow $1 bugzilla_content_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bugzilla_search_content'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and
##	write bugzilla script unix domain
##	stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`bugzilla_dontaudit_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bugzilla_dontaudit_rw_stream_sockets'($*)) dnl
	gen_require(`
		type bugzilla_script_t;
	')

	dontaudit $1 bugzilla_script_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bugzilla_dontaudit_rw_stream_sockets'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a bugzilla environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
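##	</summary>
## </param>
#
define(`bugzilla_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bugzilla_admin'($*)) dnl
	gen_require(`
		type bugzilla_script_t, bugzilla_script_exec_t, bugzilla_tmp_t;
		type bugzilla_content_t, bugzilla_ra_content_t, bugzilla_rw_content_t;
		type bugzilla_htaccess_t;
	')

	allow $1 bugzilla_script_t:process signal_perms;
	ps_process_pattern($1, bugzilla_script_t)

	# ptrace is only granted while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 bugzilla_script_t:process ptrace;
	')

	files_list_tmp($1)
	admin_pattern($1, bugzilla_tmp_t)

	# Fixed: this used to read files_list_var_lib(bugzilla_script_t), which
	# granted the confined script domain instead of the admin domain; every
	# other rule in this interface targets $1.
	files_list_var_lib($1)
	admin_pattern($1, bugzilla_script_exec_t)
	# NOTE(review): bugzilla_script_t is used as a process domain above, so this
	# admin_pattern only reaches objects labeled with that domain type - confirm
	# it is wanted.
	admin_pattern($1, bugzilla_script_t)
	admin_pattern($1, bugzilla_content_t)
	admin_pattern($1, bugzilla_htaccess_t)
	admin_pattern($1, bugzilla_ra_content_t)

	files_search_tmp($1)
	files_search_var_lib($1)
	admin_pattern($1, bugzilla_rw_content_t)

	optional_policy(`
		apache_list_sys_content($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bugzilla_admin'($*)) dnl
')

## <summary>policy for bumblebee</summary>

########################################
## <summary>
##	Execute bumblebee in the bumblebee domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`bumblebee_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bumblebee_domtrans'($*)) dnl
	gen_require(`
		type bumblebee_t, bumblebee_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, bumblebee_exec_t, bumblebee_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bumblebee_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read bumblebee PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.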
##	</summary>
## </param>
#
define(`bumblebee_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bumblebee_read_pid_files'($*)) dnl
	gen_require(`
		type bumblebee_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bumblebee_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Manage the bumblebee systemd unit via systemctl
##	and view the bumblebee process.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`bumblebee_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bumblebee_systemctl'($*)) dnl
	gen_require(`
		type bumblebee_t, bumblebee_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)

	allow $1 bumblebee_unit_file_t:file read_file_perms;
	allow $1 bumblebee_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, bumblebee_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bumblebee_systemctl'($*)) dnl
')

########################################
## <summary>
##	Connect to bumblebee over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`bumblebee_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bumblebee_stream_connect'($*)) dnl
	gen_require(`
		type bumblebee_t, bumblebee_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t, bumblebee_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bumblebee_stream_connect'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a bumblebee environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`bumblebee_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `bumblebee_admin'($*)) dnl
	gen_require(`
		type bumblebee_t, bumblebee_var_run_t, bumblebee_unit_file_t;
	')

	allow $1 bumblebee_t:process signal_perms;
	ps_process_pattern($1, bumblebee_t)

	# ptrace is only granted while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 bumblebee_t:process ptrace;
	')

	files_search_pids($1)
	admin_pattern($1, bumblebee_var_run_t)

	bumblebee_systemctl($1)
	admin_pattern($1, bumblebee_unit_file_t)
	allow $1 bumblebee_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `bumblebee_admin'($*)) dnl
')

###############################################################################
#
# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
# Written by David Howells (dhowells@redhat.com)
#            Karl MacMillan (kmacmill@redhat.com)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version
# 2 of the License, or (at your option) any later version.
#
###############################################################################
#
# Define the policy interface for the CacheFiles userspace management daemon.
#
## <summary>policy for cachefilesd</summary>

########################################
## <summary>
##	Execute a domain transition to run cachefilesd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`cachefilesd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cachefilesd_domtrans'($*)) dnl
	gen_require(`
		type cachefilesd_t, cachefilesd_exec_t;
	')

	domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cachefilesd_domtrans'($*)) dnl
')

## <summary>Squid log analysis.</summary>

########################################
## <summary>
##	Execute the calamaris in
##	the calamaris domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`calamaris_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `calamaris_domtrans'($*)) dnl
	gen_require(`
		type calamaris_t, calamaris_exec_t;
	')

	files_search_etc($1)
	domtrans_pattern($1, calamaris_exec_t, calamaris_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `calamaris_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute calamaris in the
##	calamaris domain, and allow the
##	specified role the calamaris domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`calamaris_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `calamaris_run'($*)) dnl
	gen_require(`
		attribute_role calamaris_roles;
	')

	calamaris_domtrans($1)
	roleattribute $2 calamaris_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `calamaris_run'($*)) dnl
')

#######################################
## <summary>
##	Read calamaris www files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
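##	</summary>
## </param>
#
define(`calamaris_read_www_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `calamaris_read_www_files'($*)) dnl
	gen_require(`
		type calamaris_www_t;
	')

	allow $1 calamaris_www_t:dir list_dir_perms;
	read_files_pattern($1, calamaris_www_t, calamaris_www_t)
	read_lnk_files_pattern($1, calamaris_www_t, calamaris_www_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `calamaris_read_www_files'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a calamaris environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`calamaris_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `calamaris_admin'($*)) dnl
	gen_require(`
		type calamaris_t, calamaris_log_t, calamaris_www_t;
	')

	allow $1 calamaris_t:process signal_perms;
	ps_process_pattern($1, calamaris_t)

	# Fixed: ptrace was granted unconditionally here; it now honours the
	# deny_ptrace boolean like every other admin interface in this file.
	tunable_policy(`deny_ptrace',`',`
		allow $1 calamaris_t:process ptrace;
	')

	calamaris_run($1, $2)

	logging_list_logs($1)
	admin_pattern($1, calamaris_log_t)

	apache_list_sys_content($1)
	admin_pattern($1, calamaris_www_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `calamaris_admin'($*)) dnl
')

## <summary>PBX software.</summary>

########################################
## <summary>
##	Execute callweaver in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`callweaver_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `callweaver_exec'($*)) dnl
	gen_require(`
		type callweaver_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, callweaver_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `callweaver_exec'($*)) dnl
')

########################################
## <summary>
##	Connect to callweaver over a
##	unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.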
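##	</summary>
## </param>
#
define(`callweaver_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `callweaver_stream_connect'($*)) dnl
	gen_require(`
		type callweaver_t, callweaver_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, callweaver_var_run_t, callweaver_var_run_t, callweaver_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `callweaver_stream_connect'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a callweaver environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`callweaver_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `callweaver_admin'($*)) dnl
	gen_require(`
		type callweaver_t, callweaver_initrc_exec_t, callweaver_log_t;
		type callweaver_var_lib_t, callweaver_var_run_t, callweaver_spool_t;
	')

	allow $1 callweaver_t:process signal_perms;
	ps_process_pattern($1, callweaver_t)

	# Fixed: ptrace was granted unconditionally here; it now honours the
	# deny_ptrace boolean like every other admin interface in this file.
	tunable_policy(`deny_ptrace',`',`
		allow $1 callweaver_t:process ptrace;
	')

	init_labeled_script_domtrans($1, callweaver_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 callweaver_initrc_exec_t system_r;
	allow $2 system_r;

	logging_search_logs($1)
	admin_pattern($1, callweaver_log_t)

	files_search_pids($1)
	admin_pattern($1, callweaver_var_run_t)

	files_search_var_lib($1)
	admin_pattern($1, { callweaver_spool_t callweaver_var_lib_t })
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `callweaver_admin'($*)) dnl
')

## <summary>Kana-kanji conversion server.</summary>

########################################
## <summary>
##	Connect to Canna using a unix
##	domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.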
##	</summary>
## </param>
#
define(`canna_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `canna_stream_connect'($*)) dnl
	gen_require(`
		type canna_t, canna_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, canna_var_run_t, canna_var_run_t, canna_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `canna_stream_connect'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a canna environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`canna_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `canna_admin'($*)) dnl
	gen_require(`
		type canna_t, canna_initrc_exec_t;
		type canna_log_t, canna_var_lib_t, canna_var_run_t;
	')

	allow $1 canna_t:process signal_perms;
	ps_process_pattern($1, canna_t)

	# ptrace is only granted while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 canna_t:process ptrace;
	')

	init_labeled_script_domtrans($1, canna_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 canna_initrc_exec_t system_r;
	allow $2 system_r;

	logging_list_logs($1)
	admin_pattern($1, canna_log_t)

	files_list_var_lib($1)
	admin_pattern($1, canna_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, canna_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `canna_admin'($*)) dnl
')

## <summary>Cluster Configuration System.</summary>

########################################
## <summary>
##	Execute a domain transition to run ccs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ccs_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ccs_domtrans'($*)) dnl
	gen_require(`
		type ccs_t, ccs_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, ccs_exec_t, ccs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ccs_domtrans'($*)) dnl
')

########################################
## <summary>
##	Connect to ccs over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ccs_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ccs_stream_connect'($*)) dnl
	gen_require(`
		type ccs_t, ccs_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, ccs_var_run_t, ccs_var_run_t, ccs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ccs_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Read cluster configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ccs_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ccs_read_config'($*)) dnl
	gen_require(`
		type cluster_conf_t;
	')

	files_search_etc($1)
	read_files_pattern($1, cluster_conf_t, cluster_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ccs_read_config'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	cluster configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ccs_manage_config',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `ccs_manage_config'($*)) dnl
	gen_require(`
		type cluster_conf_t;
	')

	# full write access to cluster config: only intended for the
	# configuration tooling, not for ordinary consumers of the config
	files_search_etc($1)
	manage_dirs_pattern($1, cluster_conf_t, cluster_conf_t)
	manage_files_pattern($1, cluster_conf_t, cluster_conf_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `ccs_manage_config'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a ccs environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`ccs_admin',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `ccs_admin'($*)) dnl
	gen_require(`
		type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
		type ccs_var_lib_t, ccs_var_log_t;
		type ccs_var_run_t, ccs_tmp_t;
	')

	allow $1 ccs_t:process { signal_perms };
	ps_process_pattern($1, ccs_t)

	# ptrace of the daemon is withheld when the deny_ptrace tunable is set
	tunable_policy(`deny_ptrace',`',`
		allow $1 ccs_t:process ptrace;
	')

	init_labeled_script_domtrans($1, ccs_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 ccs_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, cluster_conf_t)

	files_search_var_lib($1)
	admin_pattern($1, ccs_var_lib_t)

	logging_search_logs($1)
	admin_pattern($1, ccs_var_log_t)

	files_search_pids($1)
	admin_pattern($1, ccs_var_run_t)

	files_search_tmp($1)
	admin_pattern($1, ccs_tmp_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `ccs_admin'($*)) dnl
')

## <summary>Record audio or data Compact Discs from a master.</summary>

########################################
## <summary>
##	Role access for cdrecord.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
define(`cdrecord_role',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `cdrecord_role'($*)) dnl
	gen_require(`
		attribute_role cdrecord_roles;
		type cdrecord_t, cdrecord_exec_t;
	')

	# $1 is the role, $2 the user domain (note the reversed argument
	# order compared with the *_run interfaces in this file)
	roleattribute $1 cdrecord_roles;

	domtrans_pattern($2, cdrecord_exec_t, cdrecord_t)

	allow cdrecord_t $2:unix_stream_socket rw_socket_perms;

	allow $2 cdrecord_t:process signal_perms;

	tunable_policy(`deny_ptrace',`',`
		allow $2 cdrecord_t:process ptrace;
	')

	ps_process_pattern($2, cdrecord_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `cdrecord_role'($*)) dnl
')

## <summary>Remote certificate distribution framework.</summary>

########################################
## <summary>
##	Execute a domain transition to run certmaster.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`certmaster_domtrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `certmaster_domtrans'($*)) dnl
	gen_require(`
		type certmaster_t, certmaster_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, certmaster_exec_t, certmaster_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `certmaster_domtrans'($*)) dnl
')

####################################
## <summary>
##	Execute certmaster in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`certmaster_exec',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `certmaster_exec'($*)) dnl
	gen_require(`
		type certmaster_exec_t;
	')

	# no domain transition: the binary runs with the caller's full access
	can_exec($1, certmaster_exec_t)
	corecmd_search_bin($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `certmaster_exec'($*)) dnl
')

#######################################
## <summary>
##	Read certmaster logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`certmaster_read_log',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `certmaster_read_log'($*)) dnl
	gen_require(`
		type certmaster_var_log_t;
	')

	read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
	logging_search_logs($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `certmaster_read_log'($*)) dnl
')

#######################################
## <summary>
##	Append certmaster log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`certmaster_append_log',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `certmaster_append_log'($*)) dnl
	gen_require(`
		type certmaster_var_log_t;
	')

	# append-only keeps log history tamper-resistant for the caller
	append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
	logging_search_logs($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `certmaster_append_log'($*)) dnl
')

#######################################
## <summary>
##	Create, read, write, and delete
##	certmaster log content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`certmaster_manage_log',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `certmaster_manage_log'($*)) dnl
	gen_require(`
		type certmaster_var_log_t;
	')

	manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
	manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
	logging_search_logs($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `certmaster_manage_log'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a certmaster environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`certmaster_admin',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `certmaster_admin'($*)) dnl
	gen_require(`
		type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
		type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
	')

	allow $1 certmaster_t:process signal_perms;
	ps_process_pattern($1, certmaster_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 certmaster_t:process ptrace;
	')

	init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 certmaster_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	# NOTE(review): these two grant management of the generic system
	# certificate dirs/files, which is wider than certmaster's own types;
	# confirm that scope is intended for this admin interface
	miscfiles_manage_generic_cert_dirs($1)
	miscfiles_manage_generic_cert_files($1)
	admin_pattern($1, certmaster_etc_rw_t)

	files_list_pids($1)
	admin_pattern($1, certmaster_var_run_t)

	logging_list_logs($1)
	admin_pattern($1, certmaster_var_log_t)

	files_list_var_lib($1)
	admin_pattern($1, certmaster_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `certmaster_admin'($*)) dnl
')

## <summary>Certificate status monitor and PKI enrollment client.</summary>

########################################
## <summary>
##	Execute a domain transition to run certmonger.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`certmonger_domtrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `certmonger_domtrans'($*)) dnl
	gen_require(`
		type certmonger_t, certmonger_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, certmonger_exec_t, certmonger_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `certmonger_domtrans'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	certmonger over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`certmonger_dbus_chat',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `certmonger_dbus_chat'($*)) dnl
	gen_require(`
		type certmonger_t;
		class dbus send_msg;
	')

	# bidirectional: both sides may send dbus messages to the other
	allow $1 certmonger_t:dbus send_msg;
	allow certmonger_t $1:dbus send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `certmonger_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Execute certmonger server in
##	the certmonger domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`certmonger_initrc_domtrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `certmonger_initrc_domtrans'($*)) dnl
	gen_require(`
		type certmonger_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, certmonger_initrc_exec_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `certmonger_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read certmonger PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`certmonger_read_pid_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `certmonger_read_pid_files'($*)) dnl
	gen_require(`
		type certmonger_var_run_t;
	')

	files_search_pids($1)
	allow $1 certmonger_var_run_t:file read_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `certmonger_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Search certmonger lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`certmonger_search_lib',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `certmonger_search_lib'($*)) dnl
	gen_require(`
		type certmonger_var_lib_t;
	')

	allow $1 certmonger_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `certmonger_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read certmonger lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`certmonger_read_lib_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `certmonger_read_lib_files'($*)) dnl
	gen_require(`
		type certmonger_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `certmonger_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	certmonger lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`certmonger_manage_lib_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `certmonger_manage_lib_files'($*)) dnl
	gen_require(`
		type certmonger_var_lib_t;
	')

	# files only: directory creation/removal under the lib tree is not granted
	files_search_var_lib($1)
	manage_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `certmonger_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a certmonger environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`certmonger_admin',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `certmonger_admin'($*)) dnl
	gen_require(`
		type certmonger_t, certmonger_initrc_exec_t;
		type certmonger_var_lib_t, certmonger_var_run_t;
	')

	ps_process_pattern($1, certmonger_t)
	allow $1 certmonger_t:process signal_perms;

	tunable_policy(`deny_ptrace',`',`
		allow $1 certmonger_t:process ptrace;
	')

	# reuses the init script interface defined earlier in this module
	certmonger_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 certmonger_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_var_lib($1)
	admin_pattern($1, certmonger_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, certmonger_var_run_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `certmonger_admin'($*)) dnl
')

## <summary>Digital Certificate Tracking.</summary>

########################################
## <summary>
##	Domain transition to certwatch.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`certwatch_domtrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `certwatch_domtrans'($*)) dnl
	gen_require(`
		type certwatch_exec_t, certwatch_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, certwatch_exec_t, certwatch_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `certwatch_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute certwatch in the certwatch
##	domain, and allow the specified role
##	the certwatch domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`certwatch_run',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `certwatch_run'($*)) dnl
	gen_require(`
		attribute_role certwatch_roles;
	')

	certwatch_domtrans($1)
	roleattribute $2 certwatch_roles;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `certwatch_run'($*)) dnl
')

########################################
## <summary>
##	Execute certwatch in the certwatch domain, and
##	allow the specified role the certwatch domain,
##	and use the caller's terminal. Has a sigchld
##	backchannel. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal allow the certwatch domain to use.
##	</summary>
## </param>
## <rolecap/>
#
# The misspelled name is kept on purpose so existing callers keep building;
# the terminal argument ($3) is accepted but not used by certwatch_run.
define(`certwatach_run',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `certwatach_run'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, please use certwatch_run() instead.')
	certwatch_run($*)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `certwatach_run'($*)) dnl
')

## <summary>System administration tool for networks.</summary>

#######################################
## <summary>
##	The template to define a cfengine domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Domain prefix to be used.
##	</summary>
## </param>
#
define(`cfengine_domain_template',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `cfengine_domain_template'($*)) dnl
	gen_require(`
		attribute cfengine_domain;
	')

	########################################
	#
	# Declarations
	#

	# each instance gets its own domain and entrypoint type, both
	# grouped under the shared cfengine_domain attribute
	type cfengine_$1_t, cfengine_domain;
	type cfengine_$1_exec_t;
	init_daemon_domain(cfengine_$1_t, cfengine_$1_exec_t)

	########################################
	#
	# Policy
	#

	kernel_read_system_state(cfengine_$1_t)

	auth_use_nsswitch(cfengine_$1_t)

	logging_send_syslog_msg(cfengine_$1_t) dnl
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `cfengine_domain_template'($*)) dnl
')

######################################
## <summary>
##	Search cfengine lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cfengine_search_lib_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `cfengine_search_lib_files'($*)) dnl
	gen_require(`
		type cfengine_var_lib_t;
	')

	allow $1 cfengine_var_lib_t:dir search_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `cfengine_search_lib_files'($*)) dnl
')

########################################
## <summary>
##	Read cfengine lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cfengine_read_lib_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `cfengine_read_lib_files'($*)) dnl
	gen_require(`
		type cfengine_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, cfengine_var_lib_t, cfengine_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `cfengine_read_lib_files'($*)) dnl
')

####################################
## <summary>
##	Do not audit attempts to write
##	cfengine log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`cfengine_dontaudit_write_log_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `cfengine_dontaudit_write_log_files'($*)) dnl
	gen_require(`
		type cfengine_var_log_t;
	')

	# silences the full write_file_perms set; the narrower
	# cfengine_dontaudit_write_log below silences only `write'
	dontaudit $1 cfengine_var_log_t:file write_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `cfengine_dontaudit_write_log_files'($*)) dnl
')

#####################################
## <summary>
##	Allow the specified domain to append cfengine's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cfengine_append_inherited_log',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `cfengine_append_inherited_log'($*)) dnl
	gen_require(`
		type cfengine_var_log_t;
	')

	# NOTE(review): this searches the lib directory, but the object granted
	# below is the log type; for an inherited descriptor no directory search
	# is needed, and a caller opening the log itself would need the log
	# directory instead - confirm which is intended
	cfengine_search_lib_files($1)
	allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `cfengine_append_inherited_log'($*)) dnl
')

####################################
## <summary>
##	Do not audit attempts by the specified domain to write cfengine's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`cfengine_dontaudit_write_log',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `cfengine_dontaudit_write_log'($*)) dnl
	gen_require(`
		type cfengine_var_log_t;
	')

	dontaudit $1 cfengine_var_log_t:file write;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `cfengine_dontaudit_write_log'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a cfengine environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`cfengine_admin',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `cfengine_admin'($*)) dnl
	gen_require(`
		attribute cfengine_domain;
		# NOTE(review): the other cfengine interfaces in this file name the
		# log type cfengine_var_log_t; cfengine_log_t is required here -
		# confirm both types exist, otherwise this interface fails to build
		type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t;
	')

	# signal/ps access is granted across every cfengine_* domain via the attribute
	allow $1 cfengine_domain:process { signal_perms };
	ps_process_pattern($1, cfengine_domain)

	init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 cfengine_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_var_lib($1)
	admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `cfengine_admin'($*)) dnl
')

## <summary>libcg is a library that abstracts the control group file system in Linux.</summary>

########################################
## <summary>
##	Execute a domain transition to run
##	CG Clear.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`cgroup_domtrans_cgclear',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `cgroup_domtrans_cgclear'($*)) dnl
	gen_require(`
		type cgclear_t, cgclear_exec_t;
	')

	domtrans_pattern($1, cgclear_exec_t, cgclear_t)
	corecmd_search_bin($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `cgroup_domtrans_cgclear'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run
##	CG config parser.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`cgroup_domtrans_cgconfig',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `cgroup_domtrans_cgconfig'($*)) dnl
	gen_require(`
		type cgconfig_t, cgconfig_exec_t;
	')

	domtrans_pattern($1, cgconfig_exec_t, cgconfig_t)
	corecmd_search_bin($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `cgroup_domtrans_cgconfig'($*)) dnl
')

########################################
## <summary>
##	Execute the CG config parser init
##	script in the init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`cgroup_initrc_domtrans_cgconfig',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `cgroup_initrc_domtrans_cgconfig'($*)) dnl
	gen_require(`
		type cgconfig_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, cgconfig_initrc_exec_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `cgroup_initrc_domtrans_cgconfig'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run
##	CG rules engine daemon.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`cgroup_domtrans_cgred',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `cgroup_domtrans_cgred'($*)) dnl
	gen_require(`
		type cgred_t, cgred_exec_t;
	')

	domtrans_pattern($1, cgred_exec_t, cgred_t)
	corecmd_search_bin($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `cgroup_domtrans_cgred'($*)) dnl
')

########################################
## <summary>
##	Execute the CG rules engine daemon init
##	script in the init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`cgroup_initrc_domtrans_cgred',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `cgroup_initrc_domtrans_cgred'($*)) dnl
	gen_require(`
		type cgred_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, cgred_initrc_exec_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `cgroup_initrc_domtrans_cgred'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to
##	run CG Clear and allow the
##	specified role the CG Clear
##	domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`cgroup_run_cgclear',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `cgroup_run_cgclear'($*)) dnl
	gen_require(`
		type cgclear_t;
	')

	cgroup_domtrans_cgclear($1)
	# direct role/type authorization rather than a role attribute
	role $2 types cgclear_t;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `cgroup_run_cgclear'($*)) dnl
')

########################################
## <summary>
##	Connect to CG rules engine daemon
##	over unix stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cgroup_stream_connect_cgred',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `cgroup_stream_connect_cgred'($*)) dnl
	gen_require(`
		type cgred_var_run_t, cgred_t;
	')

	stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t)
	files_search_pids($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `cgroup_stream_connect_cgred'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a cgroup environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`cgroup_admin',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `cgroup_admin'($*)) dnl
	gen_require(`
		type cgred_t, cgconfig_t, cgred_var_run_t;
		type cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t;
		type cgrules_etc_t, cgclear_t;
	')

	# process control over all three cgroup daemons; ptrace on each is
	# withheld when the deny_ptrace tunable is set
	allow $1 cgclear_t:process signal_perms;
	ps_process_pattern($1, cgclear_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 cgclear_t:process ptrace;
	')

	allow $1 cgconfig_t:process signal_perms;
	ps_process_pattern($1, cgconfig_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 cgconfig_t:process ptrace;
	')

	allow $1 cgred_t:process signal_perms;
	ps_process_pattern($1, cgred_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 cgred_t:process ptrace;
	')

	admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
	files_list_etc($1)

	admin_pattern($1, cgred_var_run_t)
	files_list_pids($1)

	cgroup_initrc_domtrans_cgconfig($1)
	cgroup_initrc_domtrans_cgred($1)
	domain_system_change_exemption($1)
	role_transition $2 { cgconfig_initrc_exec_t cgred_initrc_exec_t } system_r;
	allow $2 system_r;

	cgroup_run_cgclear($1, $2)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `cgroup_admin'($*)) dnl
')

## <summary>policy for chrome</summary>

########################################
## <summary>
##	Execute a domain transition to run chrome_sandbox.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`chrome_domtrans_sandbox',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `chrome_domtrans_sandbox'($*)) dnl
	gen_require(`
		type chrome_sandbox_t, chrome_sandbox_exec_t;
	')

	domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
	# the sandbox may inspect the caller's process state (reverse direction
	# from the usual pattern) and the caller may use sandbox descriptors
	ps_process_pattern(chrome_sandbox_t, $1)
	allow $1 chrome_sandbox_t:fd use;
	dontaudit chrome_sandbox_t $1:socket_class_set getattr;
	allow chrome_sandbox_t $1:unix_stream_socket rw_socket_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `chrome_domtrans_sandbox'($*)) dnl
')

########################################
## <summary>
##	Execute chrome_sandbox in the chrome_sandbox domain, and
##	allow the specified role the chrome_sandbox domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the chrome_sandbox domain.
##	</summary>
## </param>
#
define(`chrome_run_sandbox',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `chrome_run_sandbox'($*)) dnl
	gen_require(`
		type chrome_sandbox_t;
		type chrome_sandbox_nacl_t;
	')

	chrome_domtrans_sandbox($1)
	role $2 types chrome_sandbox_t;
	role $2 types chrome_sandbox_nacl_t;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `chrome_run_sandbox'($*)) dnl
')

########################################
## <summary>
##	Role access for chrome sandbox
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
define(`chrome_role_notrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `chrome_role_notrans'($*)) dnl
	gen_require(`
		type chrome_sandbox_t;
		type chrome_sandbox_tmpfs_t;
		type chrome_sandbox_nacl_t;
	')

	# $1 is the role, $2 the user domain; no domain transition is set up
	# here - see chrome_role for the variant that adds it
	role $1 types chrome_sandbox_t;
	role $1 types chrome_sandbox_nacl_t;

	ps_process_pattern($2, chrome_sandbox_t)
	allow $2 chrome_sandbox_t:process signal_perms;

	# shared IPC channels between the user domain and the sandbox
	allow chrome_sandbox_t $2:unix_dgram_socket { read write };
	allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
	allow chrome_sandbox_t $2:unix_stream_socket rw_socket_perms;
	# NOTE(review): doubled semicolon on the next line looks like a typo -
	# confirm the policy compiler accepts an empty statement here
	allow chrome_sandbox_t $2:udp_socket rw_socket_perms;;
	allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_socket_perms;
	allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
	allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
	allow $2 chrome_sandbox_t:shm rw_shm_perms;
	allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `chrome_role_notrans'($*)) dnl
')

########################################
## <summary>
##	Role access for chrome sandbox
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
define(`chrome_role',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `chrome_role'($*)) dnl
	# role access plus the domain transition from the user domain
	chrome_role_notrans($1, $2)
	chrome_domtrans_sandbox($2)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `chrome_role'($*)) dnl
')

########################################
## <summary>
##	Do not audit read/write attempts on leaked chrome_sandbox descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`chrome_dontaudit_sandbox_leaks',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `chrome_dontaudit_sandbox_leaks'($*)) dnl
	gen_require(`
		type chrome_sandbox_t;
	')

	dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `chrome_dontaudit_sandbox_leaks'($*)) dnl
')

## <summary>Chrony NTP background daemon.</summary>

#####################################
## <summary>
##	Execute chronyd in the chronyd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`chronyd_domtrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `chronyd_domtrans'($*)) dnl
	gen_require(`
		type chronyd_t, chronyd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, chronyd_exec_t, chronyd_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `chronyd_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute chronyd server in the
##	chronyd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`chronyd_initrc_domtrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `chronyd_initrc_domtrans'($*)) dnl
	gen_require(`
		type chronyd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `chronyd_initrc_domtrans'($*)) dnl
')

####################################
## <summary>
##	Execute chronyd in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`chronyd_exec',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `chronyd_exec'($*)) dnl
	gen_require(`
		type chronyd_exec_t;
	')

	# no transition: the binary inherits the caller's access
	corecmd_search_bin($1)
	can_exec($1, chronyd_exec_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `chronyd_exec'($*)) dnl
')

########################################
## <summary>
##	Send generic signals to chronyd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`chronyd_signal',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `chronyd_signal'($*)) dnl
	gen_require(`
		type chronyd_t;
	')

	# only the generic `signal' permission, not the full signal_perms set
	allow $1 chronyd_t:process signal;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `chronyd_signal'($*)) dnl
')

#####################################
## <summary>
##	Read chronyd log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`chronyd_read_log',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `chronyd_read_log'($*)) dnl
	gen_require(`
		type chronyd_var_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `chronyd_read_log'($*)) dnl
')

########################################
## <summary>
##	Read and write chronyd shared memory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`chronyd_rw_shm',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `chronyd_rw_shm'($*)) dnl
	gen_require(`
		type chronyd_t, chronyd_tmpfs_t;
	')

	# covers both SysV shm and the tmpfs-backed shared memory files
	allow $1 chronyd_t:shm rw_shm_perms;
	allow $1 chronyd_tmpfs_t:dir list_dir_perms;
	rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
	read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
	fs_search_tmpfs($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `chronyd_rw_shm'($*)) dnl
')

########################################
## <summary>
##	Read chronyd keys files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`chronyd_read_keys',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `chronyd_read_keys'($*)) dnl
	gen_require(`
		type chronyd_keys_t;
	')

	# keys are authentication secrets; grant to as few domains as possible.
	# No directory search is granted here, so callers need their own
	# path to the keys directory
	read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `chronyd_read_keys'($*)) dnl
')

########################################
## <summary>
##	Append chronyd keys files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`chronyd_append_keys',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `chronyd_append_keys'($*)) dnl
	gen_require(`
		type chronyd_keys_t;
	')

	# append only: existing key material cannot be rewritten or truncated
	append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `chronyd_append_keys'($*)) dnl
')

########################################
## <summary>
##	Manage the chronyd service through systemctl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`chronyd_systemctl',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `chronyd_systemctl'($*)) dnl
	gen_require(`
		type chronyd_t;
		type chronyd_unit_file_t;
	')

	systemd_exec_systemctl($1)
	# init_reload_services is not scoped to chronyd; together with
	# manage_service_perms this lets the caller start/stop the service
	init_reload_services($1)
	allow $1 chronyd_unit_file_t:file read_file_perms;
	allow $1 chronyd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, chronyd_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `chronyd_systemctl'($*)) dnl
')

#######################################
## <summary>
##	Connect to chronyd using a unix
##	domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`chronyd_stream_connect',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `chronyd_stream_connect'($*)) dnl
	gen_require(`
		type chronyd_t, chronyd_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `chronyd_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Send to chronyd using a unix domain
##	datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`chronyd_dgram_send',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_dgram_send'($*)) dnl
	gen_require(`
		type chronyd_t, chronyd_var_run_t;
	')

	files_search_pids($1)
	dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_dgram_send'($*)) dnl
')

########################################
## <summary>
##	Manage pid files used by chronyd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`chronyd_manage_pid',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_manage_pid'($*)) dnl
	gen_require(`
		type chronyd_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, chronyd_var_run_t, chronyd_var_run_t)
	manage_dirs_pattern($1, chronyd_var_run_t, chronyd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_manage_pid'($*)) dnl
')

########################################
## <summary>
##	Create objects in /var/run
##	with the chronyd runtime private file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`chronyd_pid_filetrans',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_pid_filetrans'($*)) dnl
	gen_require(`
		type chronyd_var_run_t;
	')

	# only the named directory transitions, not arbitrary pid content
	files_pid_filetrans($1, chronyd_var_run_t, dir, "chrony-dhcp")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_pid_filetrans'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a chronyd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
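##	</summary>
## </param>
## <rolecap/>
#
define(`chronyd_admin',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_admin'($*)) dnl
	gen_require(`
		type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
		type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
		type chronyd_keys_t, chronyd_unit_file_t;
	')

	allow $1 chronyd_t:process signal_perms;
	ps_process_pattern($1, chronyd_t)

	# ptrace stays subject to the deny_ptrace tunable
	tunable_policy(`deny_ptrace',`',`
		allow $1 chronyd_t:process ptrace;
	')

	init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 chronyd_initrc_exec_t system_r;
	allow $2 system_r;

	# admin_pattern on the keys type includes write access to key material
	files_list_etc($1)
	admin_pattern($1, chronyd_keys_t)

	logging_list_logs($1)
	admin_pattern($1, chronyd_var_log_t)

	files_list_var_lib($1)
	admin_pattern($1, chronyd_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, chronyd_var_run_t)

	admin_pattern($1, chronyd_tmpfs_t)

	admin_pattern($1, chronyd_unit_file_t)
	chronyd_systemctl($1)
	allow $1 chronyd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_admin'($*)) dnl
')

########################################
## <summary>
##	Get chronyd service status.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`chronyd_service_status',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_service_status'($*)) dnl
	gen_require(`
		type chronyd_unit_file_t;
	')

	allow $1 chronyd_unit_file_t:service status;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_service_status'($*)) dnl
')

########################################
## <summary>
##	Execute chronyc in the chronyc domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.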
##	</summary>
## </param>
#
define(`chronyd_domtrans_chronyc',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_domtrans_chronyc'($*)) dnl
	gen_require(`
		type chronyc_t, chronyc_exec_t;
	')

	domtrans_pattern($1, chronyc_exec_t, chronyc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_domtrans_chronyc'($*)) dnl
')

########################################
## <summary>
##	Execute chronyc in the chronyc domain,
##	and allow the specified role the chronyc domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`chronyd_run_chronyc',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `chronyd_run_chronyc'($*)) dnl
	gen_require(`
		type chronyc_t;
		attribute_role chronyc_roles;
	')

	chronyd_domtrans_chronyc($1)
	roleattribute $2 chronyc_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `chronyd_run_chronyc'($*)) dnl
')

## <summary>openstack-cinder</summary>

########################################
## <summary>
##	Manage cinder lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cinder_manage_lib_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cinder_manage_lib_files'($*)) dnl
	gen_require(`
		type cinder_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, cinder_var_lib_t, cinder_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cinder_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Creates types and rules for a basic
##	openstack-cinder systemd daemon domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
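##	</summary>
## </param>
#
define(`cinder_domain_template',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cinder_domain_template'($*)) dnl
	gen_require(`
		attribute cinder_domain;
	')

	type cinder_$1_t, cinder_domain;
	type cinder_$1_exec_t;
	init_daemon_domain(cinder_$1_t, cinder_$1_exec_t)

	type cinder_$1_unit_file_t;
	systemd_unit_file(cinder_$1_unit_file_t)

	type cinder_$1_tmp_t;
	files_tmp_file(cinder_$1_tmp_t)

	manage_dirs_pattern(cinder_$1_t, cinder_$1_tmp_t, cinder_$1_tmp_t)
	manage_files_pattern(cinder_$1_t, cinder_$1_tmp_t, cinder_$1_tmp_t)
	files_tmp_filetrans(cinder_$1_t, cinder_$1_tmp_t, { file dir })
	# NOTE(review): the daemon may execute files it can itself write under
	# its tmp type; confirm this exec-of-writable content is required.
	can_exec(cinder_$1_t, cinder_$1_tmp_t)

	kernel_read_system_state(cinder_$1_t)

	logging_send_syslog_msg(cinder_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cinder_domain_template'($*)) dnl
')

## <summary>Encrypted tunnel daemon.</summary>

########################################
## <summary>
##	All of the rules required to
##	administrate a cipe environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`cipe_admin',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cipe_admin'($*)) dnl
	gen_require(`
		type ciped_t, ciped_initrc_exec_t;
	')

	allow $1 ciped_t:process signal_perms;
	ps_process_pattern($1, ciped_t)

	# ptrace is gated on deny_ptrace, consistent with the other admin
	# interfaces in this file (chronyd_admin, clamav_admin, cmirrord_admin)
	tunable_policy(`deny_ptrace',`',`
		allow $1 ciped_t:process ptrace;
	')

	init_labeled_script_domtrans($1, ciped_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 ciped_initrc_exec_t system_r;
	allow $2 system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cipe_admin'($*)) dnl
')

## <summary>ClamAV Virus Scanner</summary>

########################################
## <summary>
##	Execute a domain transition to run clamd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.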
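##	</summary>
## </param>
#
define(`clamav_domtrans',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamav_domtrans'($*)) dnl
	gen_require(`
		type clamd_t, clamd_exec_t;
	')

	domtrans_pattern($1, clamd_exec_t, clamd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamav_domtrans'($*)) dnl
')

########################################
## <summary>
##	Connect to clamd over a unix domain
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`clamav_stream_connect',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamav_stream_connect'($*)) dnl
	gen_require(`
		type clamd_t, clamd_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamav_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to append
##	to clamav log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`clamav_append_log',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamav_append_log'($*)) dnl
	gen_require(`
		type clamd_var_log_t;
	')

	logging_search_logs($1)
	allow $1 clamd_var_log_t:dir list_dir_perms;
	# append only: existing log content cannot be rewritten by the caller
	append_files_pattern($1, clamd_var_log_t, clamd_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamav_append_log'($*)) dnl
')

########################################
## <summary>
##	Read clamav configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.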
##	</summary>
## </param>
#
define(`clamav_read_config',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamav_read_config'($*)) dnl
	gen_require(`
		type clamd_etc_t;
	')

	files_search_etc($1)
	allow $1 clamd_etc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamav_read_config'($*)) dnl
')

########################################
## <summary>
##	Search clamav library directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`clamav_search_lib',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamav_search_lib'($*)) dnl
	gen_require(`
		type clamd_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 clamd_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamav_search_lib'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run clamscan.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`clamav_domtrans_clamscan',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamav_domtrans_clamscan'($*)) dnl
	gen_require(`
		type clamscan_t, clamscan_exec_t;
	')

	domtrans_pattern($1, clamscan_exec_t, clamscan_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamav_domtrans_clamscan'($*)) dnl
')

########################################
## <summary>
##	Execute clamscan without a transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`clamav_exec_clamscan',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamav_exec_clamscan'($*)) dnl
	gen_require(`
		type clamscan_exec_t;
	')

	# clamscan then runs in the caller domain, with the caller privileges
	can_exec($1, clamscan_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamav_exec_clamscan'($*)) dnl
')

########################################
## <summary>
##	Manage clamd pid content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
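##	</summary>
## </param>
#
define(`clamav_manage_clamd_pid',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamav_manage_clamd_pid'($*)) dnl
	gen_require(`
		type clamd_var_run_t;
	')

	# NOTE(review): unlike chronyd_manage_pid this does not call
	# files_search_pids, so callers must obtain that search access themselves.
	manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
	manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamav_manage_clamd_pid'($*)) dnl
')

########################################
## <summary>
##	Read clamd process state files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`clamav_read_state_clamd',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamav_read_state_clamd'($*)) dnl
	gen_require(`
		type clamd_t;
	')

	kernel_search_proc($1)
	ps_process_pattern($1, clamd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamav_read_state_clamd'($*)) dnl
')

########################################
## <summary>
##	Manage the clamd service with systemctl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`clamd_systemctl',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamd_systemctl'($*)) dnl
	gen_require(`
		type clamd_t;
		type clamd_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 clamd_unit_file_t:file read_file_perms;
	# manage_service_perms is control of the unit, well beyond status
	allow $1 clamd_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, clamd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamd_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a clamav environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the clamav domain.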
##	</summary>
## </param>
## <rolecap/>
#
define(`clamav_admin',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clamav_admin'($*)) dnl
	gen_require(`
		type clamd_t, clamd_etc_t, clamd_tmp_t;
		type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
		type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
		type freshclam_t, freshclam_var_log_t;
		type clamd_unit_file_t;
	')

	allow $1 clamd_t:process signal_perms;
	ps_process_pattern($1, clamd_t)

	# ptrace of all three clamav domains stays subject to deny_ptrace
	tunable_policy(`deny_ptrace',`',`
		allow $1 clamd_t:process ptrace;
		allow $1 clamscan_t:process ptrace;
		allow $1 freshclam_t:process ptrace;
	')

	allow $1 clamscan_t:process signal_perms;
	ps_process_pattern($1, clamscan_t)

	allow $1 freshclam_t:process signal_perms;
	ps_process_pattern($1, freshclam_t)

	init_labeled_script_domtrans($1, clamd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 clamd_initrc_exec_t system_r;
	allow $2 system_r;

	clamd_systemctl($1)
	admin_pattern($1, clamd_unit_file_t)
	allow $1 clamd_unit_file_t:service all_service_perms;

	files_list_etc($1)
	admin_pattern($1, clamd_etc_t)

	files_list_var_lib($1)
	admin_pattern($1, clamd_var_lib_t)

	logging_list_logs($1)
	admin_pattern($1, clamd_var_log_t)

	files_list_pids($1)
	admin_pattern($1, clamd_var_run_t)

	files_list_tmp($1)
	admin_pattern($1, clamd_tmp_t)

	admin_pattern($1, clamscan_tmp_t)

	admin_pattern($1, freshclam_var_log_t)

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clamav_admin'($*)) dnl
')

## <summary>Clock speed measurement and manipulation.</summary>

########################################
## <summary>
##	Execute clockspeed utilities in
##	the clockspeed_cli domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`clockspeed_domtrans_cli',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clockspeed_domtrans_cli'($*)) dnl
	gen_require(`
		type clockspeed_cli_t, clockspeed_cli_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, clockspeed_cli_exec_t, clockspeed_cli_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clockspeed_domtrans_cli'($*)) dnl
')

########################################
## <summary>
##	Execute clockspeed utilities in the
##	clockspeed cli domain, and allow the
##	specified role the clockspeed cli domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`clockspeed_run_cli',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clockspeed_run_cli'($*)) dnl
	gen_require(`
		attribute_role clockspeed_cli_roles;
	')

	clockspeed_domtrans_cli($1)
	roleattribute $2 clockspeed_cli_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clockspeed_run_cli'($*)) dnl
')

## <summary>Clustered Mirror Log Server.</summary>

########################################
## <summary>
##	Execute a domain transition to run clogd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`clogd_domtrans',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clogd_domtrans'($*)) dnl
	gen_require(`
		type clogd_t, clogd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, clogd_exec_t, clogd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clogd_domtrans'($*)) dnl
')

########################################
## <summary>
##	Connect to clogd over a unix domain
##	stream socket. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`clogd_stream_connect',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clogd_stream_connect'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clogd_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Read and write clogd semaphores.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`clogd_rw_semaphores',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clogd_rw_semaphores'($*)) dnl
	gen_require(`
		type clogd_t;
	')

	allow $1 clogd_t:sem rw_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clogd_rw_semaphores'($*)) dnl
')

########################################
## <summary>
##	Read and write clogd shared memory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`clogd_rw_shm',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clogd_rw_shm'($*)) dnl
	gen_require(`
		type clogd_t, clogd_tmpfs_t;
	')

	# read-write on the daemon shm segment and its tmpfs-backed files
	allow $1 clogd_t:shm rw_shm_perms;
	allow $1 clogd_tmpfs_t:dir list_dir_perms;
	rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
	fs_search_tmpfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clogd_rw_shm'($*)) dnl
')

## <summary>cloudform policy</summary>

########################################
## <summary>
##	Creates types and rules for a basic
##	cloudform daemon domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
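##	</summary>
## </param>
#
define(`cloudform_domain_template',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cloudform_domain_template'($*)) dnl
	gen_require(`
		attribute cloudform_domain;
	')

	# NOTE(review): the new types are named from the bare prefix with no
	# cloudform_ namespace, unlike cinder_domain_template; a prefix that
	# collides with an existing type name would fail at policy build.
	type $1_t, cloudform_domain;
	type $1_exec_t;
	init_daemon_domain($1_t, $1_exec_t)

	kernel_read_system_state($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cloudform_domain_template'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run cloud_init.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`cloudform_init_domtrans',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cloudform_init_domtrans'($*)) dnl
	gen_require(`
		type cloud_init_t, cloud_init_exec_t;
	')

	domtrans_pattern($1, cloud_init_exec_t, cloud_init_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cloudform_init_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute mongod in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cloudform_exec_mongod',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cloudform_exec_mongod'($*)) dnl
	gen_require(`
		type mongod_exec_t;
	')

	# no transition: mongod runs with the privileges of the caller domain
	can_exec($1, mongod_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cloudform_exec_mongod'($*)) dnl
')

########################################
## <summary>
##	Allow read to cloud lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.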
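##	</summary>
## </param>
#
define(`cloudform_read_lib_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cloudform_read_lib_files'($*)) dnl
	gen_require(`
		type cloud_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cloudform_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Allow read to cloud lib symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cloudform_read_lib_lnk_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cloudform_read_lib_lnk_files'($*)) dnl
	gen_require(`
		type cloud_var_lib_t;
	')

	files_search_var_lib($1)
	read_lnk_files_pattern($1, cloud_var_lib_t, cloud_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cloudform_read_lib_lnk_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write
##	inherited cloud log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`cloudform_dontaudit_write_cloud_log',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cloudform_dontaudit_write_cloud_log'($*)) dnl
	gen_require(`
		type cloud_log_t;
	')

	# silences the denial only; no write access is granted
	dontaudit $1 cloud_log_t:file write_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cloudform_dontaudit_write_cloud_log'($*)) dnl
')

## <summary>Cluster mirror log daemon.</summary>

########################################
## <summary>
##	Execute a domain transition to
##	run cmirrord.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.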
##	</summary>
## </param>
#
define(`cmirrord_domtrans',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cmirrord_domtrans'($*)) dnl
	gen_require(`
		type cmirrord_t, cmirrord_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, cmirrord_exec_t, cmirrord_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cmirrord_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute cmirrord init scripts in
##	the init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`cmirrord_initrc_domtrans',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cmirrord_initrc_domtrans'($*)) dnl
	gen_require(`
		type cmirrord_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, cmirrord_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cmirrord_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read cmirrord PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cmirrord_read_pid_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cmirrord_read_pid_files'($*)) dnl
	gen_require(`
		type cmirrord_var_run_t;
	')

	files_search_pids($1)
	allow $1 cmirrord_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cmirrord_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Read and write cmirrord shared memory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cmirrord_rw_shm',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cmirrord_rw_shm'($*)) dnl
	gen_require(`
		type cmirrord_t, cmirrord_tmpfs_t;
	')

	# NOTE(review): destroy and delete go beyond plain read-write; the
	# caller can remove the shm segment and the tmpfs files outright.
	allow $1 cmirrord_t:shm { rw_shm_perms destroy };
	allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
	rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
	delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
	read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
	fs_search_tmpfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cmirrord_rw_shm'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a cmirrord environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`cmirrord_admin',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cmirrord_admin'($*)) dnl
	gen_require(`
		type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
	')

	allow $1 cmirrord_t:process signal_perms;
	ps_process_pattern($1, cmirrord_t)

	# ptrace stays subject to the deny_ptrace tunable
	tunable_policy(`deny_ptrace',`',`
		allow $1 cmirrord_t:process ptrace;
	')

	cmirrord_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 cmirrord_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_pids($1)
	admin_pattern($1, cmirrord_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cmirrord_admin'($*)) dnl
')

## <summary>Cobbler installation server.</summary>

########################################
## <summary>
##	Execute a domain transition to run cobblerd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`cobblerd_domtrans',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cobblerd_domtrans'($*)) dnl
	gen_require(`
		type cobblerd_t, cobblerd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, cobblerd_exec_t, cobblerd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cobblerd_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute cobblerd init scripts in
##	the init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`cobblerd_initrc_domtrans',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cobblerd_initrc_domtrans'($*)) dnl
	gen_require(`
		type cobblerd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cobblerd_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	List cobbler configuration directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cobbler_list_config',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cobbler_list_config'($*)) dnl
	gen_require(`
		type cobbler_etc_t;
	')

	list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
	files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cobbler_list_config'($*)) dnl
')

########################################
## <summary>
##	Read cobbler configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cobbler_read_config',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cobbler_read_config'($*)) dnl
	gen_require(`
		type cobbler_etc_t;
	')

	read_files_pattern($1, cobbler_etc_t, cobbler_etc_t)
	files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cobbler_read_config'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	cobbler log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`cobbler_dontaudit_rw_log',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cobbler_dontaudit_rw_log'($*)) dnl
	gen_require(`
		type cobbler_var_log_t;
	')

	# silences the denial only; no access is granted
	dontaudit $1 cobbler_var_log_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cobbler_dontaudit_rw_log'($*)) dnl
')

########################################
## <summary>
##	Search cobbler lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cobbler_search_lib',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cobbler_search_lib'($*)) dnl
	gen_require(`
		type cobbler_var_lib_t;
	')

	files_search_var_lib($1)
	search_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cobbler_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read cobbler lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cobbler_read_lib_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cobbler_read_lib_files'($*)) dnl
	gen_require(`
		type cobbler_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
	read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cobbler_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	cobbler lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cobbler_manage_lib_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cobbler_manage_lib_files'($*)) dnl
	gen_require(`
		type cobbler_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
	manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
	manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cobbler_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a cobbler environment.
##	(Deprecated, use cobbler_admin.)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`cobblerd_admin',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cobblerd_admin'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use cobbler_admin() instead.')
	cobbler_admin($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cobblerd_admin'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a cobbler environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
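##	</summary>
## </param>
## <rolecap/>
#
define(`cobbler_admin',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cobbler_admin'($*)) dnl
	gen_require(`
		type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
		type cobbler_etc_t, cobblerd_initrc_exec_t;
		type cobbler_tmp_t;
	')

	allow $1 cobblerd_t:process signal_perms;
	ps_process_pattern($1, cobblerd_t)

	# ptrace is gated on deny_ptrace, consistent with the other admin
	# interfaces in this file (chronyd_admin, clamav_admin, cmirrord_admin)
	tunable_policy(`deny_ptrace',`',`
		allow $1 cobblerd_t:process ptrace;
	')

	cobblerd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 cobblerd_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, cobbler_etc_t)

	files_search_tmp($1)
	admin_pattern($1, cobbler_tmp_t)

	files_search_var_lib($1)
	admin_pattern($1, cobbler_var_lib_t)

	logging_search_logs($1)
	admin_pattern($1, cobbler_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cobbler_admin'($*)) dnl
')

## <summary>policy for cockpit</summary>

########################################
## <summary>
##	Execute a domain transition to run
##	cockpit-ws in the cockpit_ws domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`cockpit_ws_domtrans',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_ws_domtrans'($*)) dnl
	gen_require(`
		type cockpit_ws_t, cockpit_ws_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, cockpit_ws_exec_t, cockpit_ws_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_ws_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run
##	cockpit-session in the cockpit_session domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.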
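##	</summary>
## </param>
#
define(`cockpit_session_domtrans',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_session_domtrans'($*)) dnl
	gen_require(`
		type cockpit_session_t, cockpit_session_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, cockpit_session_exec_t, cockpit_session_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_session_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read and write cockpit_session_t unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cockpit_rw_pipes',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_rw_pipes'($*)) dnl
	gen_require(`
		type cockpit_session_t;
	')

	allow $1 cockpit_session_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_rw_pipes'($*)) dnl
')

########################################
## <summary>
##	Create, and connect to, cockpit_ws
##	unix stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cockpit_manage_unix_stream_sockets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_manage_unix_stream_sockets'($*)) dnl
	gen_require(`
		type cockpit_ws_t;
	')

	# connectto is included, so this is client access as well as creation
	allow $1 cockpit_ws_t:unix_stream_socket { create_stream_socket_perms connectto };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_manage_unix_stream_sockets'($*)) dnl
')

########################################
## <summary>
##	Search cockpit lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.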
##	</summary>
## </param>
#
define(`cockpit_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_search_lib'($*)) dnl
	gen_require(`
		type cockpit_var_lib_t;
	')

	allow $1 cockpit_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read cockpit lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cockpit_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_read_lib_files'($*)) dnl
	gen_require(`
		type cockpit_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete cockpit lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cockpit_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_manage_lib_files'($*)) dnl
	gen_require(`
		type cockpit_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete cockpit lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cockpit_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_manage_lib_dirs'($*)) dnl
	gen_require(`
		type cockpit_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, cockpit_var_lib_t, cockpit_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Read cockpit pid files and symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cockpit_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_read_pid_files'($*)) dnl
	gen_require(`
		type cockpit_var_run_t;
	')

	# No files_search_pids() here: the caller must already be able
	# to reach the pid directory.
	read_files_pattern($1, cockpit_var_run_t, cockpit_var_run_t)
	read_lnk_files_pattern($1, cockpit_var_run_t, cockpit_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete cockpit pid directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cockpit_manage_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_manage_pid_dirs'($*)) dnl
	gen_require(`
		type cockpit_var_run_t;
	')

	manage_dirs_pattern($1, cockpit_var_run_t, cockpit_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_manage_pid_dirs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete cockpit pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cockpit_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_manage_pid_files'($*)) dnl
	gen_require(`
		type cockpit_var_run_t;
	')

	manage_files_pattern($1, cockpit_var_run_t, cockpit_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_manage_pid_files'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage the cockpit service.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cockpit_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_systemctl'($*)) dnl
	gen_require(`
		type cockpit_ws_t;
		type cockpit_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	# Also grants reading of the systemd password-agent fifo, which
	# the collectd/colord systemctl interfaces in this file do not.
	systemd_read_fifo_file_passwd_run($1)
	allow $1 cockpit_unit_file_t:file read_file_perms;
	allow $1 cockpit_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, cockpit_ws_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a cockpit environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`cockpit_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cockpit_admin'($*)) dnl
	gen_require(`
		type cockpit_ws_t;
		type cockpit_session_t;
		type cockpit_var_lib_t;
		type cockpit_var_run_t;
		type cockpit_unit_file_t;
	')

	allow $1 cockpit_ws_t:process { signal_perms };
	ps_process_pattern($1, cockpit_ws_t)

	allow $1 cockpit_session_t:process { signal_perms };
	ps_process_pattern($1, cockpit_session_t)

	# ptrace of the cockpit daemons is only granted when the
	# deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 cockpit_ws_t:process ptrace;
		allow $1 cockpit_session_t:process ptrace;
	')

	files_search_var_lib($1)
	admin_pattern($1, cockpit_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, cockpit_var_run_t)

	cockpit_systemctl($1)
	admin_pattern($1, cockpit_unit_file_t)
	allow $1 cockpit_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cockpit_admin'($*)) dnl
')

## Statistics collection daemon for filling RRD files.

########################################
## <summary>
##	Execute a collectd_exec_t file, transitioning
##	to the collectd_t domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`collectd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `collectd_domtrans'($*)) dnl
	gen_require(`
		type collectd_t, collectd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, collectd_exec_t, collectd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `collectd_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute the collectd init script in the
##	init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`collectd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `collectd_initrc_domtrans'($*)) dnl
	gen_require(`
		type collectd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, collectd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `collectd_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Search collectd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`collectd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `collectd_search_lib'($*)) dnl
	gen_require(`
		type collectd_var_lib_t;
	')

	allow $1 collectd_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `collectd_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read collectd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`collectd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `collectd_read_lib_files'($*)) dnl
	gen_require(`
		type collectd_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `collectd_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete collectd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`collectd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `collectd_manage_lib_files'($*)) dnl
	gen_require(`
		type collectd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `collectd_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete collectd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`collectd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `collectd_manage_lib_dirs'($*)) dnl
	gen_require(`
		type collectd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `collectd_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete collectd httpd
##	read/write content (dirs, files and symlinks).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`collectd_manage_rw_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `collectd_manage_rw_content'($*)) dnl
	gen_require(`
		type collectd_rw_content_t;
	')

	# No parent-directory search is granted here; the caller must
	# already be able to reach the content.
	manage_dirs_pattern($1, collectd_rw_content_t, collectd_rw_content_t)
	manage_files_pattern($1, collectd_rw_content_t, collectd_rw_content_t)
	manage_lnk_files_pattern($1, collectd_rw_content_t, collectd_rw_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `collectd_manage_rw_content'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage the collectd service.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`collectd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `collectd_systemctl'($*)) dnl
	gen_require(`
		type collectd_t;
		type collectd_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 collectd_unit_file_t:file read_file_perms;
	allow $1 collectd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, collectd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `collectd_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a collectd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`collectd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `collectd_admin'($*)) dnl
	gen_require(`
		type collectd_t, collectd_initrc_exec_t, collectd_var_run_t;
		type collectd_var_lib_t, collectd_unit_file_t;
	')

	allow $1 collectd_t:process signal_perms;
	ps_process_pattern($1, collectd_t)

	# ptrace of the daemon only when deny_ptrace is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 collectd_t:process ptrace;
	')

	# Start/stop through the init script; the admin role needs
	# system_r for the script domain.
	collectd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 collectd_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_pids($1)
	admin_pattern($1, collectd_var_run_t)

	files_search_var_lib($1)
	admin_pattern($1, collectd_var_lib_t)

	collectd_systemctl($1)
	admin_pattern($1, collectd_unit_file_t)
	allow $1 collectd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `collectd_admin'($*)) dnl
')

## GNOME color manager

########################################
## <summary>
##	Execute a domain transition to run colord.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`colord_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `colord_domtrans'($*)) dnl
	gen_require(`
		type colord_t, colord_exec_t;
	')

	# Unlike the other *_domtrans interfaces in this file, no
	# corecmd_search_bin() is granted here.
	domtrans_pattern($1, colord_exec_t, colord_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `colord_domtrans'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	colord over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`colord_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `colord_dbus_chat'($*)) dnl
	gen_require(`
		type colord_t;
		class dbus send_msg;
	')

	allow $1 colord_t:dbus send_msg;
	allow colord_t $1:dbus send_msg;

	# Beyond dbus messaging, this also lets colord_t read the
	# process state (/proc entries) of the caller domain.
	ps_process_pattern(colord_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `colord_dbus_chat'($*)) dnl
')

######################################
## <summary>
##	Read colord lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`colord_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `colord_read_lib_files'($*)) dnl
	gen_require(`
		type colord_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `colord_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage the colord service.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`colord_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `colord_systemctl'($*)) dnl
	gen_require(`
		type colord_t;
		type colord_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 colord_unit_file_t:file read_file_perms;
	allow $1 colord_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, colord_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `colord_systemctl'($*)) dnl
')

## Comsat, a biff server.

## policy for condor

#####################################
## <summary>
##	Creates types and rules for a basic
##	condor init daemon domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
define(`condor_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_domain_template'($*)) dnl
	gen_require(`
		type condor_master_t;
		attribute condor_domain;
	')

	#############################
	#
	# Declarations
	#

	type condor_$1_t, condor_domain;
	type condor_$1_exec_t;
	init_daemon_domain(condor_$1_t, condor_$1_exec_t)
	role system_r types condor_$1_t;

	# The master daemon spawns this daemon with a domain transition.
	domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
	allow condor_master_t condor_$1_exec_t:file ioctl;

	kernel_read_system_state(condor_$1_t)

	# Accept packets from any peer, labeled via netlabel or unlabeled.
	corenet_all_recvfrom_netlabel(condor_$1_t)
	corenet_all_recvfrom_unlabeled(condor_$1_t)

	auth_use_nsswitch(condor_$1_t)

	logging_send_syslog_msg(condor_$1_t) dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_domain_template'($*)) dnl
')

########################################
## <summary>
##	Execute a condor_master_exec_t file, transitioning
##	to the condor_master_t domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
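##	</summary>
## </param>
#
define(`condor_domtrans_master',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_domtrans_master'($*)) dnl
	gen_require(`
		type condor_master_t, condor_master_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, condor_master_exec_t, condor_master_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_domtrans_master'($*)) dnl
')

#######################################
## <summary>
##	Allow condor_startd to start userland processes
##	by transitioning to the specified domain,
##	with a range transition.
## </summary>
## <param name="domain">
##	<summary>
##	The process type entered by condor_startd.
##	</summary>
## </param>
## <param name="entrypoint">
##	<summary>
##	The executable type for the entrypoint.
##	</summary>
## </param>
## <param name="range">
##	<summary>
##	Range for the domain.
##	</summary>
## </param>
#
define(`condor_startd_ranged_domtrans_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_startd_ranged_domtrans_to'($*)) dnl
	gen_require(`
		type condor_startd_t;
	')

	condor_startd_domtrans_to($1, $2)

	# The range_transition below names condor_startd_t directly, so
	# that type is what this interface must require.  The previous
	# require of sshd_t was unused by this body.
	ifdef(`enable_mcs',`
		range_transition condor_startd_t $2:process $3;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_startd_ranged_domtrans_to'($*)) dnl
')

#######################################
## <summary>
##	Allow condor_startd to start userland processes
##	by transitioning to the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	The process type entered by condor_startd.
##	</summary>
## </param>
## <param name="entrypoint">
##	<summary>
##	The executable type for the entrypoint.
##	</summary>
## </param>
#
define(`condor_startd_domtrans_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_startd_domtrans_to'($*)) dnl
	gen_require(`
		type condor_startd_t;
	')

	# Note the argument order: $1 is the target domain, $2 the entrypoint.
	domtrans_pattern(condor_startd_t, $2, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_startd_domtrans_to'($*)) dnl
')

########################################
## <summary>
##	Read condor log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.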
##	</summary>
## </param>
## <rolecap/>
#
define(`condor_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_read_log'($*)) dnl
	gen_require(`
		type condor_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, condor_log_t, condor_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_read_log'($*)) dnl
')

########################################
## <summary>
##	Append to condor log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`condor_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_append_log'($*)) dnl
	gen_require(`
		type condor_log_t;
	')

	logging_search_logs($1)
	append_files_pattern($1, condor_log_t, condor_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_append_log'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete condor log
##	directories, files and symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`condor_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_manage_log'($*)) dnl
	gen_require(`
		type condor_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, condor_log_t, condor_log_t)
	manage_files_pattern($1, condor_log_t, condor_log_t)
	manage_lnk_files_pattern($1, condor_log_t, condor_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_manage_log'($*)) dnl
')

########################################
## <summary>
##	Search condor lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`condor_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_search_lib'($*)) dnl
	gen_require(`
		type condor_var_lib_t;
	')

	allow $1 condor_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read condor lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`condor_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_read_lib_files'($*)) dnl
	gen_require(`
		type condor_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_read_lib_files'($*)) dnl
')

######################################
## <summary>
##	Read and write condor lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`condor_rw_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_rw_lib_files'($*)) dnl
	gen_require(`
		type condor_var_lib_t;
	')

	files_search_var_lib($1)
	rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_rw_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete condor lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`condor_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_manage_lib_files'($*)) dnl
	gen_require(`
		type condor_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete condor lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`condor_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_manage_lib_dirs'($*)) dnl
	gen_require(`
		type condor_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Read condor PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`condor_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_read_pid_files'($*)) dnl
	gen_require(`
		type condor_var_run_t;
	')

	# Only the file class is granted; no search on a
	# condor_var_run_t directory itself.
	files_search_pids($1)
	allow $1 condor_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage the condor services.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`condor_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_systemctl'($*)) dnl
	gen_require(`
		attribute condor_domain;
		type condor_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 condor_unit_file_t:file read_file_perms;
	allow $1 condor_unit_file_t:service manage_service_perms;

	# Covers every condor daemon domain via the attribute.
	ps_process_pattern($1, condor_domain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_systemctl'($*)) dnl
')

#######################################
## <summary>
##	Read and write condor_startd server TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`condor_rw_tcp_sockets_startd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_rw_tcp_sockets_startd'($*)) dnl
	gen_require(`
		type condor_startd_t;
	')

	allow $1 condor_startd_t:tcp_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_rw_tcp_sockets_startd'($*)) dnl
')

######################################
## <summary>
##	Read and write condor_schedd server TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`condor_rw_tcp_sockets_schedd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_rw_tcp_sockets_schedd'($*)) dnl
	gen_require(`
		type condor_schedd_t;
	')

	allow $1 condor_schedd_t:tcp_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_rw_tcp_sockets_schedd'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a condor environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access (it receives the role_transition
##	to system_r for the init script).
##	</summary>
## </param>
#
define(`condor_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `condor_admin'($*)) dnl
	gen_require(`
		attribute condor_domain;
		type condor_initrc_exec_t, condor_log_t, condor_conf_t;
		type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
		type condor_var_run_t, condor_startd_tmp_t;
		type condor_unit_file_t;
	')

	# Signals only; no ptrace is granted by this interface.
	allow $1 condor_domain:process { signal_perms };
	ps_process_pattern($1, condor_domain)

	# Start/stop through the init script; the admin role needs
	# system_r for the script domain.
	init_labeled_script_domtrans($1, condor_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 condor_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, condor_conf_t)

	logging_search_logs($1)
	admin_pattern($1, condor_log_t)

	files_search_locks($1)
	admin_pattern($1, condor_var_lock_t)

	files_search_var_lib($1)
	admin_pattern($1, condor_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, condor_var_run_t)

	files_search_tmp($1)
	admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })

	condor_systemctl($1)
	admin_pattern($1, condor_unit_file_t)
	allow $1 condor_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `condor_admin'($*)) dnl
')

## Conman is a program for connecting to remote consoles being managed by conmand

########################################
## <summary>
##	Execute a conman_exec_t file, transitioning
##	to the conman_t domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`conman_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `conman_domtrans'($*)) dnl
	gen_require(`
		type conman_t, conman_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, conman_exec_t, conman_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `conman_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read conman log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`conman_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `conman_read_log'($*)) dnl
	gen_require(`
		type conman_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, conman_log_t, conman_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `conman_read_log'($*)) dnl
')

########################################
## <summary>
##	Append to conman log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`conman_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `conman_append_log'($*)) dnl
	gen_require(`
		type conman_log_t;
	')

	logging_search_logs($1)
	append_files_pattern($1, conman_log_t, conman_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `conman_append_log'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete conman log
##	directories and files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`conman_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `conman_manage_log'($*)) dnl
	gen_require(`
		type conman_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, conman_log_t, conman_log_t)
	manage_files_pattern($1, conman_log_t, conman_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `conman_manage_log'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage the conman service.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`conman_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `conman_systemctl'($*)) dnl
	gen_require(`
		type conman_t;
		type conman_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 conman_unit_file_t:file read_file_perms;
	allow $1 conman_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, conman_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `conman_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a conman environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`conman_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `conman_admin'($*)) dnl
	gen_require(`
		type conman_t;
		type conman_log_t;
		type conman_unit_file_t;
	')

	allow $1 conman_t:process { signal_perms };
	ps_process_pattern($1, conman_t)

	# ptrace of the daemon only when deny_ptrace is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 conman_t:process ptrace;
	')

	logging_search_logs($1)
	admin_pattern($1, conman_log_t)

	conman_systemctl($1)
	admin_pattern($1, conman_unit_file_t)
	allow $1 conman_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `conman_admin'($*)) dnl
')

## Conntrackd connection tracking service

########################################
## <summary>
##	Read the configuration files for conntrackd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`conntrackd_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `conntrackd_read_config'($*)) dnl
	gen_require(`
		type conntrackd_conf_t;
	')

	files_search_etc($1)
	allow $1 conntrackd_conf_t:dir list_dir_perms;
	read_files_pattern($1, conntrackd_conf_t, conntrackd_conf_t)
	read_lnk_files_pattern($1, conntrackd_conf_t, conntrackd_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `conntrackd_read_config'($*)) dnl
')

########################################
## <summary>
##	Connect to conntrackd over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`conntrackd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `conntrackd_stream_connect'($*)) dnl
	gen_require(`
		type conntrackd_t, conntrackd_var_run_t;
	')

	# The socket file lives under the pid directory.
	files_search_pids($1)
	stream_connect_pattern($1, conntrackd_var_run_t, conntrackd_var_run_t, conntrackd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `conntrackd_stream_connect'($*)) dnl
')

#######################################
## <summary>
##	Execute systemctl to manage the conntrackd service.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`conntrackd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `conntrackd_systemctl'($*)) dnl
	gen_require(`
		type conntrackd_t;
		type conntrackd_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 conntrackd_unit_file_t:file read_file_perms;
	allow $1 conntrackd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, conntrackd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `conntrackd_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a conntrackd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
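##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the conntrackd domain.
##	</summary>
## </param>
## <rolecap/>
#
define(`conntrackd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `conntrackd_admin'($*)) dnl
	gen_require(`
		type conntrackd_t, conntrackd_tmp_t, conntrackd_log_t;
		type conntrackd_conf_t, conntrackd_var_run_t, conntrackd_initrc_exec_t;
		# Used directly below (admin_pattern and the service rule);
		# previously only pulled in transitively through
		# conntrackd_systemctl().
		type conntrackd_unit_file_t;
	')

	allow $1 conntrackd_t:process signal_perms;
	ps_process_pattern($1, conntrackd_t)

	# ptrace of the daemon only when deny_ptrace is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 conntrackd_t:process ptrace;
	')

	# Start/stop through the init script; the admin role needs
	# system_r for the script domain.
	init_labeled_script_domtrans($1, conntrackd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 conntrackd_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, conntrackd_conf_t)

	logging_list_logs($1)
	admin_pattern($1, conntrackd_log_t)

	files_list_tmp($1)
	admin_pattern($1, conntrackd_tmp_t)

	files_list_pids($1)
	admin_pattern($1, conntrackd_var_run_t)

	conntrackd_systemctl($1)
	admin_pattern($1, conntrackd_unit_file_t)
	allow $1 conntrackd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `conntrackd_admin'($*)) dnl
')

## Framework for facilitating multiple user sessions on desktops.

########################################
## <summary>
##	Execute a domain transition to run consolekit.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`consolekit_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `consolekit_domtrans'($*)) dnl
	gen_require(`
		type consolekit_t, consolekit_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, consolekit_exec_t, consolekit_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `consolekit_domtrans'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	messages from consolekit over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.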
##	</summary>
## </param>
#
define(`consolekit_dontaudit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `consolekit_dontaudit_dbus_chat'($*)) dnl
	gen_require(`
		type consolekit_t;
		class dbus send_msg;
	')

	dontaudit $1 consolekit_t:dbus send_msg;
	dontaudit consolekit_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `consolekit_dontaudit_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	consolekit over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`consolekit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `consolekit_dbus_chat'($*)) dnl
	gen_require(`
		type consolekit_t;
		class dbus send_msg;
	')

	allow $1 consolekit_t:dbus send_msg;
	allow consolekit_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `consolekit_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read consolekit log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`consolekit_dontaudit_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `consolekit_dontaudit_read_log'($*)) dnl
	gen_require(`
		type consolekit_log_t;
	')

	dontaudit $1 consolekit_log_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `consolekit_dontaudit_read_log'($*)) dnl
')

########################################
## <summary>
##	Read consolekit log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
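##	</summary>
## </param>
#
define(`consolekit_read_log',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `consolekit_read_log'($*))dnl
	gen_require(`
		type consolekit_log_t;
	')

	read_files_pattern($1, consolekit_log_t, consolekit_log_t)
	# search permission on the log directories is needed to reach the files
	logging_search_logs($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `consolekit_read_log'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	consolekit log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`consolekit_manage_log',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `consolekit_manage_log'($*))dnl
	gen_require(`
		type consolekit_log_t;
	')

	manage_files_pattern($1, consolekit_log_t, consolekit_log_t)
	# the log type is reached through the log directories, exactly as
	# consolekit_read_log does; the previous files_search_pids granted
	# search on the pid directories instead, which does not lead here
	logging_search_logs($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `consolekit_manage_log'($*))dnl
')

########################################
## <summary>
##	Read consolekit PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`consolekit_read_pid_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `consolekit_read_pid_files'($*))dnl
	gen_require(`
		type consolekit_var_run_t;
	')

	files_search_pids($1)
	allow $1 consolekit_var_run_t:dir list_dir_perms;
	read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `consolekit_read_pid_files'($*))dnl
')

########################################
## <summary>
##	List consolekit PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.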
##	</summary>
## </param>
#
define(`consolekit_list_pid_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `consolekit_list_pid_files'($*))dnl
	gen_require(`
		type consolekit_var_run_t;
	')

	files_search_pids($1)
	list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `consolekit_list_pid_files'($*))dnl
')

########################################
## <summary>
##	Allow the domain to read consolekit state files in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`consolekit_read_state',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `consolekit_read_state'($*))dnl
	gen_require(`
		type consolekit_t;
	')

	kernel_search_proc($1)
	ps_process_pattern($1, consolekit_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `consolekit_read_state'($*))dnl
')

########################################
## <summary>
##	Manage the consolekit service with systemctl
##	and read the consolekit process state.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`consolekit_systemctl',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `consolekit_systemctl'($*))dnl
	gen_require(`
		type consolekit_t;
		type consolekit_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	# unit file may be read and the service started/stopped/etc.
	allow $1 consolekit_unit_file_t:file read_file_perms;
	allow $1 consolekit_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, consolekit_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `consolekit_systemctl'($*))dnl
')

## <summary>The open-source application container engine.</summary>

########################################
## <summary>
##	Execute container in the container domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`container_runtime_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_runtime_domtrans'($*))dnl
	gen_require(`
		type container_runtime_t, container_runtime_exec_t;
		type container_runtime_tmpfs_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, container_runtime_exec_t, container_runtime_t)
	# the runtime may change attributes of fifos owned by the caller domain
	allow container_runtime_t $1:fifo_file setattr;
	# NOTE(review): container_runtime_tmpfs_t is required but unused here
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_runtime_domtrans'($*))dnl
')

########################################
## <summary>
##	Execute container runtime in the container runtime domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`container_runtime_run',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_runtime_run'($*))dnl
	gen_require(`
		type container_runtime_t;
	')

	container_runtime_domtrans($1)
	role $2 types container_runtime_t;
	# one direction only: the caller may send dbus messages to the runtime
	allow $1 container_runtime_t:dbus send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_runtime_run'($*))dnl
')

########################################
## <summary>
##	Execute container in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`container_runtime_exec',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_runtime_exec'($*))dnl
	gen_require(`
		type container_runtime_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, container_runtime_exec_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_runtime_exec'($*))dnl
')

########################################
## <summary>
##	Read the process state of container runtime
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_read_state',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_read_state'($*))dnl
	gen_require(`
		type container_runtime_t;
	')

	ps_process_pattern($1, container_runtime_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_read_state'($*))dnl
')

########################################
## <summary>
##	Search container lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_search_lib',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_search_lib'($*))dnl
	gen_require(`
		type container_var_lib_t;
	')

	allow $1 container_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_search_lib'($*))dnl
')

########################################
## <summary>
##	Execute files in the container lib directories
##	in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_exec_lib',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_exec_lib'($*))dnl
	gen_require(`
		type container_var_lib_t;
	')

	allow $1 container_var_lib_t:dir search_dir_perms;
	can_exec($1, container_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_exec_lib'($*))dnl
')

########################################
## <summary>
##	Read container lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_read_lib_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_read_lib_files'($*))dnl
	gen_require(`
		type container_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, container_var_lib_t, container_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_read_lib_files'($*))dnl
')

########################################
## <summary>
##	Read container share files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_read_share_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_read_share_files'($*))dnl
	gen_require(`
		type container_ro_file_t;
	')

	files_search_var_lib($1)
	list_dirs_pattern($1, container_ro_file_t, container_ro_file_t)
	read_files_pattern($1, container_ro_file_t, container_ro_file_t)
	read_lnk_files_pattern($1, container_ro_file_t, container_ro_file_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_read_share_files'($*))dnl
')

########################################
## <summary>
##	Read container runtime tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_runtime_read_tmpfs_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_runtime_read_tmpfs_files'($*))dnl
	gen_require(`
		type container_runtime_tmpfs_t;
	')

	# NOTE(review): grants search on var lib for a tmpfs type; confirm the
	# tmpfs content is actually reached through that path
	files_search_var_lib($1)
	list_dirs_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
	read_files_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
	read_lnk_files_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_runtime_read_tmpfs_files'($*))dnl
')

########################################
## <summary>
##	Manage container share files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_manage_share_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_manage_share_files'($*))dnl
	gen_require(`
		type container_ro_file_t;
	')

	files_search_var_lib($1)
	list_dirs_pattern($1, container_ro_file_t, container_ro_file_t)
	manage_files_pattern($1, container_ro_file_t, container_ro_file_t)
	manage_lnk_files_pattern($1, container_ro_file_t, container_ro_file_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_manage_share_files'($*))dnl
')

########################################
## <summary>
##	Manage container share dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_manage_share_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_manage_share_dirs'($*))dnl
	gen_require(`
		type container_ro_file_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, container_ro_file_t, container_ro_file_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_manage_share_dirs'($*))dnl
')

########################################
## <summary>
##	Allow the specified domain to execute container shared files
##	in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_exec_share_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_exec_share_files'($*))dnl
	gen_require(`
		type container_ro_file_t;
	')

	# no directory search is granted here; callers need it separately
	can_exec($1, container_ro_file_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_exec_share_files'($*))dnl
')

########################################
## <summary>
##	Manage container config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_manage_config_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_manage_config_files'($*))dnl
	gen_require(`
		type container_config_t;
		type kubernetes_file_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, container_config_t, container_config_t)
	# kubernetes configuration is managed alongside the container config
	manage_dirs_pattern($1, kubernetes_file_t, kubernetes_file_t)
	manage_files_pattern($1, kubernetes_file_t, kubernetes_file_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_manage_config_files'($*))dnl
')

########################################
## <summary>
##	Manage container lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_manage_lib_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_manage_lib_files'($*))dnl
	gen_require(`
		type container_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, container_var_lib_t, container_var_lib_t)
	manage_lnk_files_pattern($1, container_var_lib_t, container_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_manage_lib_files'($*))dnl
')

########################################
## <summary>
##	Manage container files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_manage_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_manage_files'($*))dnl
	gen_require(`
		type container_files_t;
	')

	# NOTE(review): this uses container_files_t while container_append_file
	# and container_admin use container_file_t; confirm both types exist
	manage_files_pattern($1, container_files_t, container_files_t)
	manage_lnk_files_pattern($1, container_files_t, container_files_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_manage_files'($*))dnl
')

########################################
## <summary>
##	Manage container directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_manage_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_manage_dirs'($*))dnl
	gen_require(`
		type container_files_t;
	')

	manage_dirs_pattern($1, container_files_t, container_files_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_manage_dirs'($*))dnl
')

########################################
## <summary>
##	Manage container lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_manage_lib_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_manage_lib_dirs'($*))dnl
	gen_require(`
		type container_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, container_var_lib_t, container_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_manage_lib_dirs'($*))dnl
')

########################################
## <summary>
##	Create objects in a container var lib directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`container_lib_filetrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_lib_filetrans'($*))dnl
	gen_require(`
		type container_var_lib_t;
	')

	# $4 is the optional object name passed through to the filetrans pattern
	filetrans_pattern($1, container_var_lib_t, $2, $3, $4)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_lib_filetrans'($*))dnl
')

########################################
## <summary>
##	Read container PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_read_pid_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_read_pid_files'($*))dnl
	gen_require(`
		type container_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, container_var_run_t, container_var_run_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_read_pid_files'($*))dnl
')

########################################
## <summary>
##	Manage the container service with systemctl
##	and read the container runtime process state.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_systemctl',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_systemctl'($*))dnl
	gen_require(`
		type container_runtime_t;
		type container_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	# NOTE(review): unconditional here, while container_admin wraps the
	# same call in optional_policy - confirm which is intended
	systemd_read_fifo_file_passwd_run($1)
	allow $1 container_unit_file_t:file read_file_perms;
	allow $1 container_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, container_runtime_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_systemctl'($*))dnl
')

########################################
## <summary>
##	Read and write container runtime semaphores.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_rw_sem',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_rw_sem'($*))dnl
	gen_require(`
		type container_runtime_t;
	')

	# sem class only; no shm permissions are granted by this interface
	allow $1 container_runtime_t:sem rw_sem_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_rw_sem'($*))dnl
')

########################################
## <summary>
##	Allow the specified domain to append
##	to container files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_append_file',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_append_file'($*))dnl
	gen_require(`
		type container_file_t;
	')

	append_files_pattern($1, container_file_t, container_file_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_append_file'($*))dnl
')

########################################
## <summary>
##	Read and write the container pty type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_use_ptys',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_use_ptys'($*))dnl
	gen_require(`
		type container_devpts_t;
	')

	allow $1 container_devpts_t:chr_file rw_term_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_use_ptys'($*))dnl
')

########################################
## <summary>
##	Allow domain to create container content
##	with the named file type transitions below.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_filetrans_named_content',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_filetrans_named_content'($*))dnl
	gen_require(`
		type container_var_lib_t;
		type container_file_t;
		type container_ro_file_t;
		type container_log_t;
		type container_var_run_t;
		type container_home_t;
		type kubernetes_file_t;
		type container_runtime_tmpfs_t;
		type container_kvm_var_run_t;
		type data_home_t;
	')

	# runtime pid directory content
	files_pid_filetrans($1, container_var_run_t, file, "container.pid")
	files_pid_filetrans($1, container_var_run_t, file, "docker.pid")
	files_pid_filetrans($1, container_var_run_t, sock_file, "container.sock")
	files_pid_filetrans($1, container_var_run_t, dir, "container-client")
	files_pid_filetrans($1, container_var_run_t, dir, "docker")
	files_pid_filetrans($1, container_var_run_t, dir, "containerd")
	files_pid_filetrans($1, container_var_run_t, dir, "ocid")
	files_pid_filetrans($1, container_var_run_t, dir, "containers")
	files_pid_filetrans($1, container_kvm_var_run_t, dir, "kata-containers")
	logging_log_filetrans($1, container_log_t, dir, "lxc")

	# top-level var lib directories of the various runtimes
	files_var_lib_filetrans($1, container_var_lib_t, dir, "containers")
	files_var_lib_filetrans($1, container_file_t, dir, "origin")
	files_var_lib_filetrans($1, container_var_lib_t, dir, "ocid")
	files_var_lib_filetrans($1, container_var_lib_t, dir, "docker")
	files_var_lib_filetrans($1, container_var_lib_t, dir, "docker-latest")
	files_var_filetrans($1, container_ro_file_t, dir, "kata-containers")
	files_var_lib_filetrans($1, container_ro_file_t, dir, "kata-containers")

	# content created inside the container var lib directory; everything
	# except the "_data" volume directory is labeled read-only
	filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "_data")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "config.env")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "hosts")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "hostname")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, file, "resolv.conf")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "sandboxes")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "snapshots")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "init")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-images")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay-layers")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2-images")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "overlay2-layers")

	# the same overlay layout under the user data home directory
	filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay")
	filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-images")
	filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay-layers")
	filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2")
	filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2-images")
	filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "overlay2-layers")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "atomic")
	userdom_admin_home_dir_filetrans($1, container_home_t, dir, ".container")
	filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "kata-containers")
	filetrans_pattern($1, data_home_t, container_ro_file_t, dir, "kata-containers")
	filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm")
	files_pid_filetrans($1, kubernetes_file_t, dir, "kubernetes")
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_filetrans_named_content'($*))dnl
')

########################################
## <summary>
##	Connect to container over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_stream_connect',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_stream_connect'($*))dnl
	gen_require(`
		type container_runtime_t, container_var_run_t, container_runtime_tmpfs_t;
	')

	files_search_pids($1)
	# sockets may live either in the pid directory or in the runtime tmpfs
	stream_connect_pattern($1, container_var_run_t, container_var_run_t, container_runtime_t)
	stream_connect_pattern($1, container_runtime_tmpfs_t, container_runtime_tmpfs_t, container_runtime_t)
	allow $1 container_runtime_tmpfs_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_stream_connect'($*))dnl
')

########################################
## <summary>
##	Connect to SPC containers over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
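##	</summary>
## </param>
#
define(`container_spc_stream_connect',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_spc_stream_connect'($*))dnl
	gen_require(`
		type spc_t, spc_var_run_t;
	')

	# NOTE(review): spc_var_run_t is required but no sock_file access or
	# stream_connect_pattern on it is granted; only the raw connectto is
	files_search_pids($1)
	allow $1 spc_t:unix_stream_socket connectto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_spc_stream_connect'($*))dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a container environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_admin'($*))dnl
	gen_require(`
		type container_runtime_t;
		type container_var_lib_t, container_var_run_t;
		type container_unit_file_t;
		type container_lock_t;
		type container_log_t;
		type container_config_t;
		type container_file_t;
	')

	allow $1 container_runtime_t:process signal_perms;
	ps_process_pattern($1, container_runtime_t)

	# ptrace of the runtime honours the deny_ptrace boolean, the same way
	# conntrackd_admin does, instead of being granted unconditionally
	tunable_policy(`deny_ptrace',`',`
		allow $1 container_runtime_t:process ptrace;
	')

	admin_pattern($1, container_config_t)

	files_search_var_lib($1)
	admin_pattern($1, container_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, container_var_run_t)

	files_search_locks($1)
	admin_pattern($1, container_lock_t)

	logging_search_logs($1)
	admin_pattern($1, container_log_t)

	container_systemctl($1)
	admin_pattern($1, container_unit_file_t)
	allow $1 container_unit_file_t:service all_service_perms;

	admin_pattern($1, container_file_t)

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_admin'($*))dnl
')

########################################
## <summary>
##	Execute container_auth_exec_t in the container_auth domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.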
##	</summary>
## </param>
#
define(`container_auth_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_auth_domtrans'($*))dnl
	gen_require(`
		type container_auth_t, container_auth_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, container_auth_exec_t, container_auth_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_auth_domtrans'($*))dnl
')

########################################
## <summary>
##	Execute container_auth in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_auth_exec',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_auth_exec'($*))dnl
	gen_require(`
		type container_auth_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, container_auth_exec_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_auth_exec'($*))dnl
')

########################################
## <summary>
##	Connect to container_auth over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_auth_stream_connect',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_auth_stream_connect'($*))dnl
	gen_require(`
		type container_auth_t, container_plugin_var_run_t;
	')

	files_search_pids($1)
	# the socket is looked up under the plugin pid directory type
	stream_connect_pattern($1, container_plugin_var_run_t, container_plugin_var_run_t, container_auth_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_auth_stream_connect'($*))dnl
')

########################################
## <summary>
##	container domain typebounds calling domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to be typebound.
##	</summary>
## </param>
#
define(`container_runtime_typebounds',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_runtime_typebounds'($*))dnl
	gen_require(`
		type container_runtime_t;
	')

	# NOTE(review): despite the name there is no typebounds statement here;
	# the only rule lets the runtime transition into the given domain with
	# no_new_privs set
	allow container_runtime_t $1:process2 nnp_transition;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_runtime_typebounds'($*))dnl
')

########################################
## <summary>
##	Allow any container_runtime_exec_t to be an entrypoint of this domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_runtime_entrypoint',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_runtime_entrypoint'($*))dnl
	gen_require(`
		type container_runtime_exec_t;
	')

	allow $1 container_runtime_exec_t:file entrypoint;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_runtime_entrypoint'($*))dnl
')

# compatibility wrapper: forwards to container_exec_lib()
define(`docker_exec_lib',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `docker_exec_lib'($*))dnl
	container_exec_lib($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `docker_exec_lib'($*))dnl
')

# compatibility wrapper: forwards to container_read_share_files()
define(`docker_read_share_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `docker_read_share_files'($*))dnl
	container_read_share_files($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `docker_read_share_files'($*))dnl
')

# compatibility wrapper: forwards to container_exec_share_files()
define(`docker_exec_share_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `docker_exec_share_files'($*))dnl
	container_exec_share_files($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `docker_exec_share_files'($*))dnl
')

# compatibility wrapper: forwards to container_manage_lib_files()
define(`docker_manage_lib_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `docker_manage_lib_files'($*))dnl
	container_manage_lib_files($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `docker_manage_lib_files'($*))dnl
')

# compatibility wrapper: forwards to container_manage_lib_dirs()
define(`docker_manage_lib_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `docker_manage_lib_dirs'($*))dnl
	container_manage_lib_dirs($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `docker_manage_lib_dirs'($*))dnl
')

# compatibility wrapper: forwards all four arguments to container_lib_filetrans()
define(`docker_lib_filetrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `docker_lib_filetrans'($*))dnl
	container_lib_filetrans($1, $2, $3, $4)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `docker_lib_filetrans'($*))dnl
')

# compatibility wrapper: forwards to container_read_pid_files()
define(`docker_read_pid_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `docker_read_pid_files'($*))dnl
	container_read_pid_files($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `docker_read_pid_files'($*))dnl
')

# compatibility wrapper: forwards to container_systemctl()
define(`docker_systemctl',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `docker_systemctl'($*))dnl
	container_systemctl($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `docker_systemctl'($*))dnl
')

# compatibility wrapper: forwards to container_use_ptys()
define(`docker_use_ptys',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `docker_use_ptys'($*))dnl
	container_use_ptys($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `docker_use_ptys'($*))dnl
')

# compatibility wrapper: forwards to container_stream_connect()
define(`docker_stream_connect',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `docker_stream_connect'($*))dnl
	container_stream_connect($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `docker_stream_connect'($*))dnl
')

# compatibility wrapper: forwards to container_spc_stream_connect()
define(`docker_spc_stream_connect',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `docker_spc_stream_connect'($*))dnl
	container_spc_stream_connect($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `docker_spc_stream_connect'($*))dnl
')

########################################
## <summary>
##	Read the process state of spc containers
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_spc_read_state',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_spc_read_state'($*))dnl
	gen_require(`
		type spc_t;
	')

	ps_process_pattern($1, spc_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_spc_read_state'($*))dnl
')

########################################
## <summary>
##	Creates types and rules for a basic
##	container runtime process domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
define(`container_runtime_domain_template',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_runtime_domain_template'($*))dnl
	gen_require(`
		attribute container_runtime_domain;
		type container_runtime_t;
		type container_var_lib_t;
		type container_ro_file_t;
		role system_r, sysadm_r;
	')

	# NOTE(review): container_runtime_t, container_var_lib_t and
	# container_ro_file_t are required but not used in this template
	type $1_t, container_runtime_domain;
	role system_r types $1_t;
	role sysadm_r types $1_t;
	domain_type($1_t)
	domain_subj_id_change_exemption($1_t)
	domain_role_change_exemption($1_t)

	kernel_read_system_state($1_t)
	kernel_read_all_proc($1_t)

	mls_file_read_to_clearance($1_t)
	mls_file_write_to_clearance($1_t)

	# every runtime domain created by this template gets raw read/write
	# access to fixed disks - a broad grant worth keeping in mind when
	# instantiating it
	storage_raw_rw_fixed_disk($1_t)

	auth_use_nsswitch($1_t)

	logging_send_syslog_msg($1_t)
dnl
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_runtime_domain_template'($*))dnl
')

########################################
## <summary>
##	Creates types and rules for a basic
##	container process domain.
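## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
define(`container_domain_template',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_domain_template'($*))dnl
	gen_require(`
		attribute container_domain;
		type container_runtime_t;
		type container_var_lib_t;
		type container_ro_file_t;
		role system_r;
	')

	# NOTE(review): container_runtime_t, container_var_lib_t and
	# container_ro_file_t are required but not used in this template
	type $1_t, container_domain;
	domain_type($1_t)
	domain_user_exemption_target($1_t)
	mls_rangetrans_target($1_t)
	mcs_constrained($1_t)
	# system_r is now listed in the gen_require above, as the sibling
	# container_runtime_domain_template already does, so that a module
	# using this template outside the container module builds
	role system_r types $1_t;

	kernel_read_all_proc($1_t)
dnl
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_domain_template'($*))dnl
')

########################################
## <summary>
##	Read and write a spc_t unnamed pipe.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`container_spc_rw_pipes',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `container_spc_rw_pipes'($*))dnl
	gen_require(`
		type spc_t;
	')

	# inherited pipes only; no permission to open spc_t fifos by name
	allow $1 spc_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `container_spc_rw_pipes'($*))dnl
')

## <summary>Corosync Cluster Engine.</summary>

########################################
## <summary>
##	Execute a domain transition to run corosync.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`corosync_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corosync_domtrans'($*))dnl
	gen_require(`
		type corosync_t, corosync_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, corosync_exec_t, corosync_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corosync_domtrans'($*))dnl
')

########################################
## <summary>
##	Execute corosync init scripts in
##	the init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.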
## ## # define(`corosync_initrc_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corosync_initrc_domtrans'($*)) dnl gen_require(` type corosync_initrc_exec_t; ') init_labeled_script_domtrans($1, corosync_initrc_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corosync_initrc_domtrans'($*)) dnl ') ###################################### ## ## Execute corosync in the caller domain. ## ## ## ## Domain allowed access. ## ## # define(`corosync_exec',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corosync_exec'($*)) dnl gen_require(` type corosync_exec_t; ') corecmd_search_bin($1) can_exec($1, corosync_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corosync_exec'($*)) dnl ') ####################################### ## ## Read corosync log files. ## ## ## ## Domain allowed access. ## ## # define(`corosync_read_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corosync_read_log'($*)) dnl gen_require(` type corosync_var_log_t; ') logging_search_logs($1) list_dirs_pattern($1, corosync_var_log_t, corosync_var_log_t) read_files_pattern($1, corosync_var_log_t, corosync_var_log_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corosync_read_log'($*)) dnl ') ####################################### ## ## Setattr corosync log files. ## ## ## ## Domain allowed access. 
## ## # define(`corosync_setattr_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corosync_setattr_log'($*)) dnl gen_require(` type corosync_var_log_t; ') setattr_files_pattern($1, corosync_var_log_t, corosync_var_log_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corosync_setattr_log'($*)) dnl ') ##################################### ## ## Connect to corosync over a unix ## domain stream socket. ## ## ## ## Domain allowed access. ## ## # define(`corosync_stream_connect',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corosync_stream_connect'($*)) dnl gen_require(` type corosync_t, corosync_var_run_t; type corosync_var_lib_t; ') files_search_pids($1) stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t) stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corosync_stream_connect'($*)) dnl ') ###################################### ## ## Allow the specified domain to read/write corosync's tmpfs files. ## ## ## ## Domain allowed access. ## ## # define(`corosync_rw_tmpfs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corosync_rw_tmpfs'($*)) dnl gen_require(` type corosync_tmpfs_t; ') rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corosync_rw_tmpfs'($*)) dnl ') ######################################## ## ## Execute corosync server in the corosync domain. ## ## ## ## Domain allowed to transition. 
## ## # define(`corosync_systemctl',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corosync_systemctl'($*)) dnl gen_require(` type corosync_t; type corosync_unit_file_t; ') systemd_exec_systemctl($1) init_reload_services($1) allow $1 corosync_unit_file_t:file read_file_perms; allow $1 corosync_unit_file_t:service manage_service_perms; ps_process_pattern($1, corosync_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corosync_systemctl'($*)) dnl ') ###################################### ## ## All of the rules required to ## administrate an corosync environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # define(`corosyncd_admin',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corosyncd_admin'($*)) dnl refpolicywarn(`$0($*) has been deprecated, use corosync_admin() instead.') corosync_admin($1, $2) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corosyncd_admin'($*)) dnl ') ###################################### ## ## All of the rules required to ## administrate an corosync environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. 
## ## ## # define(`corosync_admin',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corosync_admin'($*)) dnl gen_require(` type corosync_t, corosync_var_lib_t, corosync_var_log_t; type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t; type corosync_initrc_exec_t; type corosync_unit_file_t; ') allow $1 corosync_t:process signal_perms; ps_process_pattern($1, corosync_t) tunable_policy(`deny_ptrace',`',` allow $1 corosync_t:process ptrace; ') init_labeled_script_domtrans($1, corosync_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 corosync_initrc_exec_t system_r; allow $2 system_r; files_list_tmp($1) admin_pattern($1, corosync_tmp_t) admin_pattern($1, corosync_tmpfs_t) files_list_var_lib($1) admin_pattern($1, corosync_var_lib_t) logging_list_logs($1) admin_pattern($1, corosync_var_log_t) files_list_pids($1) admin_pattern($1, corosync_var_run_t) corosync_systemctl($1) admin_pattern($1, corosync_unit_file_t) allow $1 corosync_unit_file_t:service all_service_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corosync_admin'($*)) dnl ') ## Document database server. ######################################## ## ## Allow to read couchdb log files. ## ## ## ## Domain allowed access. ## ## # define(`couchdb_read_log_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `couchdb_read_log_files'($*)) dnl gen_require(` type couchdb_log_t; ') files_search_var_lib($1) read_files_pattern($1, couchdb_log_t, couchdb_log_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `couchdb_read_log_files'($*)) dnl ') ######################################## ## ## Allow to read couchdb lib files. ## ## ## ## Domain allowed access. 
## ## # define(`couchdb_read_lib_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `couchdb_read_lib_files'($*)) dnl gen_require(` type couchdb_var_lib_t; ') files_search_var_lib($1) read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `couchdb_read_lib_files'($*)) dnl ') ######################################## ## ## All of the rules required to ## administrate an couchdb environment. ## ## ## ## Domain allowed access. ## ## # define(`couchdb_manage_lib_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `couchdb_manage_lib_files'($*)) dnl gen_require(` type couchdb_var_lib_t; ') files_search_var_lib($1) manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `couchdb_manage_lib_files'($*)) dnl ') ######################################## ## ## Manage couchdb lib directories. ## ## ## ## Domain allowed access. ## ## # define(`couchdb_manage_lib_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `couchdb_manage_lib_dirs'($*)) dnl gen_require(` type couchdb_var_lib_t; ') files_search_var_lib($1) manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `couchdb_manage_lib_dirs'($*)) dnl ') ######################################## ## ## Allow to read couchdb conf files. ## ## ## ## Domain allowed access. 
## ## # define(`couchdb_read_conf_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `couchdb_read_conf_files'($*)) dnl gen_require(` type couchdb_conf_t; ') files_search_var_lib($1) read_files_pattern($1, couchdb_conf_t, couchdb_conf_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `couchdb_read_conf_files'($*)) dnl ') ######################################## ## ## Read couchdb PID files. ## ## ## ## Domain allowed access. ## ## # define(`couchdb_read_pid_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `couchdb_read_pid_files'($*)) dnl gen_require(` type couchdb_var_run_t; ') files_search_pids($1) allow $1 couchdb_var_run_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `couchdb_read_pid_files'($*)) dnl ') ####################################### ## ## Search couchdb PID dirs. ## ## ## ## Domain allowed access. ## ## # define(`couchdb_search_pid_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `couchdb_search_pid_dirs'($*)) dnl gen_require(` type couchdb_var_run_t; ') files_search_pids($1) allow $1 couchdb_var_run_t:dir search_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `couchdb_search_pid_dirs'($*)) dnl ') ####################################### ## ## Allow domain to manage couchdb content. ## ## ## ## Domain allowed access. 
## ## # define(`couchdb_manage_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `couchdb_manage_files'($*)) dnl gen_require(` type couchdb_var_run_t; type couchdb_log_t; type couchdb_var_lib_t; type couchdb_conf_t; ') manage_files_pattern($1, couchdb_log_t, couchdb_log_t) manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t) manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `couchdb_manage_files'($*)) dnl ') ######################################## ## ## Execute couchdb server in the couchdb domain. ## ## ## ## Domain allowed to transition. ## ## # define(`couchdb_systemctl',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `couchdb_systemctl'($*)) dnl gen_require(` type couchdb_t; type couchdb_unit_file_t; ') systemd_exec_systemctl($1) init_reload_services($1) systemd_read_fifo_file_passwd_run($1) allow $1 couchdb_unit_file_t:file read_file_perms; allow $1 couchdb_unit_file_t:service manage_service_perms; ps_process_pattern($1, couchdb_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `couchdb_systemctl'($*)) dnl ') ######################################## ## ## All of the rules required to administrate ## an couchdb environment ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. 
## ## ## # define(`couchdb_admin',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `couchdb_admin'($*)) dnl gen_require(` type couchdb_unit_file_t; type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t; type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t; type couchdb_tmp_t; ') allow $1 couchdb_t:process { signal_perms }; ps_process_pattern($1, couchdb_t) tunable_policy(`deny_ptrace',`',` allow $1 couchdb_t:process ptrace; ') init_labeled_script_domtrans($1, couchdb_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 couchdb_initrc_exec_t system_r; allow $2 system_r; files_search_etc($1) admin_pattern($1, couchdb_conf_t) logging_search_logs($1) admin_pattern($1, couchdb_log_t) files_search_tmp($1) admin_pattern($1, couchdb_tmp_t) files_search_var_lib($1) admin_pattern($1, couchdb_var_lib_t) files_search_pids($1) admin_pattern($1, couchdb_var_run_t) admin_pattern($1, couchdb_unit_file_t) couchdb_systemctl($1) allow $1 couchdb_unit_file_t:service all_service_perms; optional_policy(` systemd_passwd_agent_exec($1) systemd_read_fifo_file_passwd_run($1) ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `couchdb_admin'($*)) dnl ') ## Courier IMAP and POP3 email servers ######################################## ## ## Template for creating courier server processes. ## ## ## ## Prefix name of the server process. 
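##	</summary>
## </param>
#
define(`courier_domain_template',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `courier_domain_template'($*))dnl
	gen_require(`
		attribute courier_domain;
	')

	##############################
	#
	# Declarations
	#

	type courier_$1_t, courier_domain;
	type courier_$1_exec_t;
	init_daemon_domain(courier_$1_t, courier_$1_exec_t)

	##############################
	#
	# Local policy
	#

	can_exec(courier_$1_t, courier_$1_exec_t)

	kernel_read_system_state(courier_$1_t)

	corenet_all_recvfrom_netlabel(courier_$1_t)
	corenet_tcp_sendrecv_generic_if(courier_$1_t)
	corenet_udp_sendrecv_generic_if(courier_$1_t)
	corenet_tcp_sendrecv_generic_node(courier_$1_t)
	corenet_udp_sendrecv_generic_node(courier_$1_t)
	# NOTE(review): every derived courier domain gets send/receive on all
	# TCP and UDP ports; narrowing to the ports the server uses would
	# reduce the blast radius of a compromised server process.
	corenet_tcp_sendrecv_all_ports(courier_$1_t)
	corenet_udp_sendrecv_all_ports(courier_$1_t)

	logging_send_syslog_msg(courier_$1_t)
dnl
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `courier_domain_template'($*))dnl
')

########################################
## <summary>
##	Execute the courier authentication daemon with
##	a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`courier_domtrans_authdaemon',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `courier_domtrans_authdaemon'($*))dnl
	gen_require(`
		type courier_authdaemon_t, courier_authdaemon_exec_t;
	')

	domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `courier_domtrans_authdaemon'($*))dnl
')

#######################################
## <summary>
##	Connect to courier-authdaemon over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.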
## ## # define(`courier_stream_connect_authdaemon',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `courier_stream_connect_authdaemon'($*)) dnl gen_require(` type courier_authdaemon_t, courier_spool_t; ') files_search_spool($1) stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `courier_stream_connect_authdaemon'($*)) dnl ') ######################################## ## ## Execute the courier POP3 and IMAP server with ## a domain transition. ## ## ## ## Domain allowed to transition. ## ## # define(`courier_domtrans_pop',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `courier_domtrans_pop'($*)) dnl gen_require(` type courier_pop_t, courier_pop_exec_t; ') domtrans_pattern($1, courier_pop_exec_t, courier_pop_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `courier_domtrans_pop'($*)) dnl ') ######################################## ## ## Read courier config files ## ## ## ## Domain allowed access. ## ## # define(`courier_read_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `courier_read_config'($*)) dnl gen_require(` type courier_etc_t; ') files_search_etc($1) read_files_pattern($1, courier_etc_t, courier_etc_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `courier_read_config'($*)) dnl ') ######################################## ## ## Create, read, write, and delete courier ## spool directories. ## ## ## ## Domain allowed access. 
## ## # define(`courier_manage_spool_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `courier_manage_spool_dirs'($*)) dnl gen_require(` type courier_spool_t; ') files_search_spool($1) manage_dirs_pattern($1, courier_spool_t, courier_spool_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `courier_manage_spool_dirs'($*)) dnl ') ######################################## ## ## Create, read, write, and delete courier ## spool files. ## ## ## ## Domain allowed access. ## ## # define(`courier_manage_spool_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `courier_manage_spool_files'($*)) dnl gen_require(` type courier_spool_t; ') files_search_spool($1) manage_files_pattern($1, courier_spool_t, courier_spool_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `courier_manage_spool_files'($*)) dnl ') ######################################## ## ## Manage named socket in a courier spool directory. ## ## ## ## Domain allowed access. ## ## # define(`courier_manage_spool_sockets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `courier_manage_spool_sockets'($*)) dnl gen_require(` type courier_spool_t; ') files_search_spool($1) manage_sock_files_pattern($1, courier_spool_t, courier_spool_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `courier_manage_spool_sockets'($*)) dnl ') ######################################## ## ## Read courier spool files. ## ## ## ## Domain allowed access. 
## ## # define(`courier_read_spool',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `courier_read_spool'($*)) dnl gen_require(` type courier_spool_t; ') files_search_spool($1) read_files_pattern($1, courier_spool_t, courier_spool_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `courier_read_spool'($*)) dnl ') ######################################## ## ## Read and write to courier spool pipes. ## ## ## ## Domain allowed access. ## ## # define(`courier_rw_spool_pipes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `courier_rw_spool_pipes'($*)) dnl gen_require(` type courier_spool_t; ') allow $1 courier_spool_t:fifo_file rw_fifo_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `courier_rw_spool_pipes'($*)) dnl ') ## Services for loading CPU microcode and CPU frequency scaling. ######################################## ## ## CPUcontrol stub interface. No access allowed. ## ## ## ## Domain allowed access. ## ## # define(`cpucontrol_stub',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cpucontrol_stub'($*)) dnl gen_require(` type cpucontrol_t; ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cpucontrol_stub'($*)) dnl ') ## Command-line CPU frequency settings. ######################################## ## ## Send and receive messages from ## cpufreq-selector over dbus. ## ## ## ## Domain allowed access. 
## ## # define(`cpufreqselector_dbus_chat',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cpufreqselector_dbus_chat'($*)) dnl gen_require(` type cpufreqselector_t; class dbus send_msg; ') allow $1 cpufreqselector_t:dbus send_msg; allow cpufreqselector_t $1:dbus send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cpufreqselector_dbus_chat'($*)) dnl ') ## cpuplugd - Linux on System z CPU and memory hotplug daemon ######################################## ## ## Execute cpuplug in the cpuplug domin. ## ## ## ## Domain allowed to transition. ## ## # define(`cpuplug_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cpuplug_domtrans'($*)) dnl gen_require(` type cpuplug_t, cpuplug_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, cpuplug_exec_t, cpuplug_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cpuplug_domtrans'($*)) dnl ') ## Periodic execution of scheduled commands. ####################################### ## ## The common rules for a crontab domain. ## ## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). 
##	</summary>
## </param>
#
define(`cron_common_crontab_template',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `cron_common_crontab_template'($*))dnl
	gen_require(`
		type crontab_exec_t;
	')

	##############################
	#
	# Declarations
	#

	userdom_user_application_domain($1_t, crontab_exec_t)

	##############################
	#
	# Local policy
	#

	kernel_read_system_state($1_t)

	auth_domtrans_chk_passwd($1_t)
	auth_use_nsswitch($1_t)

	logging_send_syslog_msg($1_t)

	userdom_home_reader($1_t)
dnl
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `cron_common_crontab_template'($*))dnl
')

########################################
## <summary>
##	Role access for cron
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <rolecap/>
#
define(`cron_role',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `cron_role'($*))dnl
	gen_require(`
		type cronjob_t, crontab_t, crontab_exec_t;
		type user_cron_spool_t, crond_t;
		bool cron_userdomain_transition;
	')

	##############################
	#
	# Declarations
	#

	role $1 types { cronjob_t crontab_t };

	##############################
	#
	# Local policy
	#

	# Transition from the user domain to the derived domain.
	domtrans_pattern($2_t, crontab_exec_t, crontab_t)

	dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
	allow $2_t crond_t:process sigchld;

	# Granted regardless of cron_userdomain_transition. No open permission
	# is included, so this covers descriptors the domain already holds.
	allow $2_t user_cron_spool_t:file { getattr read write ioctl };

	# crontab shows up in user ps
	allow $2_t crontab_t:process signal_perms;
	ps_process_pattern($2_t, crontab_t)

	cron_common_crontab_template($2)

	tunable_policy(`deny_ptrace',`',`
		allow $2_t crontab_t:process ptrace;
	')

	# Run helper programs as the user domain
	#corecmd_bin_domtrans(crontab_t, $2)
	#corecmd_shell_domtrans(crontab_t, $2)
	# The transitions above appear to be intentionally disabled, so helper
	# programs run in crontab_t itself.
	corecmd_exec_bin(crontab_t)
	corecmd_exec_shell(crontab_t)

	tunable_policy(`cron_userdomain_transition',`
		allow crond_t $2_t:process transition;
		allow crond_t $2_t:fd use;
		allow crond_t $2_t:key manage_key_perms;

		# needs to be authorized SELinux context for cron
		allow $2_t user_cron_spool_t:file entrypoint;
		allow $2_t crond_t:fifo_file rw_fifo_file_perms;
		allow $2_t cronjob_t:process { signal_perms };
		ps_process_pattern($2_t, cronjob_t)
	',`
		dontaudit crond_t $2_t:process transition;
		dontaudit crond_t $2_t:fd use;
		dontaudit crond_t $2_t:key manage_key_perms;

		dontaudit $2_t user_cron_spool_t:file entrypoint;
		dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
		dontaudit $2_t cronjob_t:process { signal_perms };
	')

	optional_policy(`
		gen_require(`
			class dbus send_msg;
		')

		dbus_stub(cronjob_t)

		allow cronjob_t $2_t:dbus send_msg;
	')
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `cron_role'($*))dnl
')

########################################
## <summary>
##	Role access for unconfined cronjobs
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <rolecap/>
#
define(`cron_unconfined_role',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `cron_unconfined_role'($*))dnl
	gen_require(`
		attribute crontab_domain;
		type unconfined_cronjob_t, crontab_t, crontab_exec_t;
		type crond_t, user_cron_spool_t;
		bool cron_userdomain_transition;
	')

	##############################
	#
	# Declarations
	#

	role $1 types unconfined_cronjob_t;

	##############################
	#
	# Local policy
	#

	# NOTE(review): crontab_t and crontab_exec_t are required but never used
	# in this body, and unlike cron_role there is no domtrans to crontab_t
	# here; confirm whether that is intended.
	dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
	allow $2_t crond_t:process sigchld;
	allow $2_t user_cron_spool_t:file { getattr read write ioctl };

	# cronjob shows up in user ps
	ps_process_pattern($2_t, unconfined_cronjob_t)
	allow $2_t unconfined_cronjob_t:process signal_perms;

	cron_common_crontab_template($2)
	typeattribute $2_t crontab_domain;

	tunable_policy(`deny_ptrace',`',`
		allow $2_t unconfined_cronjob_t:process ptrace;
	')

	tunable_policy(`cron_userdomain_transition',`
		allow crond_t $2_t:process transition;
		allow crond_t $2_t:fd use;
		allow crond_t $2_t:key manage_key_perms;

		allow $2_t user_cron_spool_t:file entrypoint;
		allow $2_t crond_t:fifo_file rw_fifo_file_perms;
	',`
		dontaudit crond_t $2_t:process transition;
		dontaudit crond_t $2_t:fd use;
		dontaudit crond_t $2_t:key manage_key_perms;

		dontaudit $2_t user_cron_spool_t:file entrypoint;
		dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
	')

	optional_policy(`
		gen_require(`
			class dbus send_msg;
		')

		dbus_stub(unconfined_cronjob_t)

		allow unconfined_cronjob_t $2_t:dbus send_msg;
	')
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `cron_unconfined_role'($*))dnl
')

########################################
## <summary>
##	Role access for cron
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
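##	</summary>
## </param>
## <rolecap/>
#
define(`cron_admin_role',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `cron_admin_role'($*))dnl
	gen_require(`
		attribute crontab_domain;
		type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
		type user_cron_spool_t, crond_t;
		class passwd crontab;
		bool cron_userdomain_transition;
	')

	##############################
	#
	# Declarations
	#

	# NOTE(review): admin_crontab_tmp_t is named like a file type; listing
	# it in a role types statement is unusual and likely has no effect.
	# Confirm whether it belongs here.
	role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };

	##############################
	#
	# Local policy
	#

	# Transition from the user domain to the derived domain.
	domtrans_pattern($2_t, crontab_exec_t, admin_crontab_t)

	dontaudit crond_t $2_t:process { noatsecure siginh rlimitinh };
	allow $2_t crond_t:process sigchld;

	# crontab shows up in user ps
	ps_process_pattern($2_t, admin_crontab_t)
	allow $2_t admin_crontab_t:process signal_perms;

	cron_common_crontab_template($2)
	typeattribute $2_t crontab_domain;

	tunable_policy(`deny_ptrace',`',`
		allow $2_t admin_crontab_t:process ptrace;
	')

	# Manipulate other users crontab.
	# This is an administrative privilege: the passwd class is presumably
	# checked by the crontab program itself when editing the crontab of
	# another account.
	allow $2_t self:passwd crontab;

	corecmd_exec_bin(admin_crontab_t)
	corecmd_exec_shell(admin_crontab_t)

	tunable_policy(`cron_userdomain_transition',`
		allow crond_t $2_t:process transition;
		allow crond_t $2_t:fd use;
		allow crond_t $2_t:key manage_key_perms;

		allow $2_t user_cron_spool_t:file entrypoint;
		allow $2_t crond_t:fifo_file rw_fifo_file_perms;
		allow $2_t cronjob_t:process { signal_perms };
		ps_process_pattern($2_t, cronjob_t)
	',`
		dontaudit crond_t $2_t:process transition;
		dontaudit crond_t $2_t:fd use;
		dontaudit crond_t $2_t:key manage_key_perms;

		dontaudit $2_t user_cron_spool_t:file entrypoint;
		dontaudit $2_t crond_t:fifo_file rw_fifo_file_perms;
		dontaudit $2_t cronjob_t:process { signal_perms };
	')

	optional_policy(`
		gen_require(`
			class dbus send_msg;
		')

		# NOTE(review): admin_cronjob_t is not declared in the require block
		# above, while the allow rule below uses cronjob_t. One of the two
		# names looks wrong; confirm which job domain is intended.
		dbus_stub(admin_cronjob_t)

		allow cronjob_t $2_t:dbus send_msg;
	')
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `cron_admin_role'($*))dnl
')

########################################
## <summary>
##	Make the specified program domain accessible
##	from the system cron jobs.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process to transition to.
##	</summary>
## </param>
## <param name="entrypoint">
##	<summary>
##	The type of the file used as an entrypoint to this domain.
##	</summary>
## </param>
#
define(`cron_system_entry',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `cron_system_entry'($*))dnl
	gen_require(`
		type crond_t, system_cronjob_t;
	')

	# Both the daemon and the system job domain may enter the target
	# domain through the given entrypoint type.
	domtrans_pattern(system_cronjob_t, $2, $1)
	domtrans_pattern(crond_t, $2, $1)

	role system_r types $1;

	allow $1 crond_t:fifo_file rw_fifo_file_perms;
	allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `cron_system_entry'($*))dnl
')

########################################
## <summary>
##	Execute cron in the cron system domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.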
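##	</summary>
## </param>
#
define(`cron_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `cron_domtrans'($*))dnl
	gen_require(`
		type system_cronjob_t, crond_exec_t;
	')

	# Note the target is system_cronjob_t, not crond_t.
	domtrans_pattern($1, crond_exec_t, system_cronjob_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `cron_domtrans'($*))dnl
')

########################################
## <summary>
##	Execute crond in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cron_exec',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `cron_exec'($*))dnl
	gen_require(`
		type crond_exec_t;
	')

	# No domain transition: the caller keeps its own label.
	can_exec($1, crond_exec_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `cron_exec'($*))dnl
')

########################################
## <summary>
##	Execute crond init scripts in
##	the init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`cron_initrc_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `cron_initrc_domtrans'($*))dnl
	gen_require(`
		type crond_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, crond_initrc_exec_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `cron_initrc_domtrans'($*))dnl
')

########################################
## <summary>
##	Execute crond server in the crond domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.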
##	</summary>
## </param>
#
define(`cron_systemctl',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `cron_systemctl'($*))dnl
	gen_require(`
		type crond_unit_file_t;
		type crond_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 crond_unit_file_t:file read_file_perms;
	allow $1 crond_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, crond_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `cron_systemctl'($*))dnl
')

########################################
## <summary>
##	Inherit and use a file descriptor
##	from the cron daemon.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cron_use_fds',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `cron_use_fds'($*))dnl
	gen_require(`
		type crond_t;
	')

	allow $1 crond_t:fd use;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `cron_use_fds'($*))dnl
')

########################################
## <summary>
##	Send a SIGCHLD signal to the cron daemon.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cron_sigchld',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `cron_sigchld'($*))dnl
	gen_require(`
		type crond_t;
	')

	allow $1 crond_t:process sigchld;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `cron_sigchld'($*))dnl
')

########################################
## <summary>
##	Send a generic signal to cron daemon.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cron_signal',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `cron_signal'($*))dnl
	gen_require(`
		type crond_t;
	')

	# Only the generic signal permission, not the full signal_perms set.
	allow $1 crond_t:process signal;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `cron_signal'($*))dnl
')

########################################
## <summary>
##	Read a cron daemon unnamed pipe.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## # define(`cron_read_pipes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cron_read_pipes'($*)) dnl gen_require(` type crond_t; ') allow $1 crond_t:fifo_file read_fifo_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cron_read_pipes'($*)) dnl ') ######################################## ## ## Read crond state files. ## ## ## ## Domain allowed access. ## ## # define(`cron_read_state_crond',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cron_read_state_crond'($*)) dnl gen_require(` type crond_t; ') kernel_search_proc($1) ps_process_pattern($1, crond_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cron_read_state_crond'($*)) dnl ') ######################################## ## ## Send and receive messages from ## crond over dbus. ## ## ## ## Domain allowed access. ## ## # define(`cron_dbus_chat_crond',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cron_dbus_chat_crond'($*)) dnl gen_require(` type crond_t; class dbus send_msg; ') allow $1 crond_t:dbus send_msg; allow crond_t $1:dbus send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cron_dbus_chat_crond'($*)) dnl ') ######################################## ## ## Send and receive messages from ## the cron system domain over dbus. ## ## ## ## Domain allowed access. 
## ## # define(`cron_dbus_chat_system_job',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cron_dbus_chat_system_job'($*)) dnl gen_require(` type system_cronjob_t; class dbus send_msg; ') allow $1 system_cronjob_t:dbus send_msg; allow system_cronjob_t $1:dbus send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cron_dbus_chat_system_job'($*)) dnl ') ######################################## ## ## Do not audit attempts to write cron daemon unnamed pipes. ## ## ## ## Domain to not audit. ## ## # define(`cron_dontaudit_write_pipes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cron_dontaudit_write_pipes'($*)) dnl gen_require(` type crond_t; ') dontaudit $1 crond_t:fifo_file write; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cron_dontaudit_write_pipes'($*)) dnl ') ######################################## ## ## Read and write a cron daemon unnamed pipe. ## ## ## ## Domain allowed access. ## ## # define(`cron_rw_pipes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cron_rw_pipes'($*)) dnl gen_require(` type crond_t; ') allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cron_rw_pipes'($*)) dnl ') ######################################## ## ## Do not audit attempts to setattr cron daemon unnamed pipes. ## ## ## ## Domain to not audit. 
## ## # define(`cron_dontaudit_setattr_pipes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cron_dontaudit_setattr_pipes'($*)) dnl gen_require(` type crond_t; ') dontaudit $1 crond_t:fifo_file setattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cron_dontaudit_setattr_pipes'($*)) dnl ') ######################################## ## ## Read and write inherited user spool files. ## ## ## ## Domain allowed access. ## ## # define(`cron_rw_inherited_user_spool_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cron_rw_inherited_user_spool_files'($*)) dnl gen_require(` type user_cron_spool_t; ') allow $1 user_cron_spool_t:file rw_inherited_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cron_rw_inherited_user_spool_files'($*)) dnl ') ######################################## ## ## Read and write inherited spool files. ## ## ## ## Domain allowed access. ## ## # define(`cron_rw_inherited_spool_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cron_rw_inherited_spool_files'($*)) dnl gen_require(` type cron_spool_t; ') allow $1 cron_spool_t:file rw_inherited_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cron_rw_inherited_spool_files'($*)) dnl ') ######################################## ## ## Read, and write cron daemon TCP sockets. ## ## ## ## Domain allowed access. 
## </summary>
## </param>
#
define(`cron_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_rw_tcp_sockets'($*)) dnl
	gen_require(`
		type crond_t;
	')

	# Read/write only, on a crond_t TCP socket the caller already holds a
	# descriptor for.  No connect, bind or listen is granted, so $1 cannot
	# open new cron TCP sockets through this interface.
	allow $1 crond_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_rw_tcp_sockets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	cron daemon TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`cron_dontaudit_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_dontaudit_rw_tcp_sockets'($*)) dnl
	gen_require(`
		type crond_t;
	')

	# Silences the AVC denial only; no access is granted.
	dontaudit $1 crond_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_dontaudit_rw_tcp_sockets'($*)) dnl
')

########################################
## <summary>
##	Search the directory containing user cron tables.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cron_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_search_spool'($*)) dnl
	gen_require(`
		type cron_spool_t;
	')

	# Path walk to the spool parent plus search on the cron spool
	# directory itself.  Listing the directory or reading the crontabs
	# in it is not granted here.
	files_search_spool($1)
	allow $1 cron_spool_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_search_spool'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete files in the
##	system cron spool (cron_system_spool_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## # define(`cron_manage_system_spool',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cron_manage_system_spool'($*)) dnl gen_require(` type cron_system_spool_t; ') files_search_spool($1) manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cron_manage_system_spool'($*)) dnl ') ######################################## ## ## Manage pid files used by cron ## ## ## ## Domain allowed access. ## ## # define(`cron_manage_pid_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cron_manage_pid_files'($*)) dnl gen_require(` type crond_var_run_t; ') files_search_pids($1) manage_files_pattern($1, crond_var_run_t, crond_var_run_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cron_manage_pid_files'($*)) dnl ') ######################################## ## ## Read pid files used by cron ## ## ## ## Domain allowed access. ## ## # define(`cron_read_pid_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cron_read_pid_files'($*)) dnl gen_require(` type crond_var_run_t; ') files_search_pids($1) read_files_pattern($1, crond_var_run_t, crond_var_run_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cron_read_pid_files'($*)) dnl ') ######################################## ## ## Execute anacron in the cron system domain. ## ## ## ## Domain allowed to transition. 
## ## # define(`cron_anacron_domtrans_system_job',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cron_anacron_domtrans_system_job'($*)) dnl gen_require(` type system_cronjob_t, anacron_exec_t; ') domtrans_pattern($1, anacron_exec_t, system_cronjob_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cron_anacron_domtrans_system_job'($*)) dnl ') ######################################## ## ## Inherit and use a file descriptor ## from system cron jobs. ## ## ## ## Domain allowed access. ## ## # define(`cron_use_system_job_fds',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cron_use_system_job_fds'($*)) dnl gen_require(` type system_cronjob_t; ') allow $1 system_cronjob_t:fd use; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cron_use_system_job_fds'($*)) dnl ') ######################################## ## ## Write a system cron job unnamed pipe. ## ## ## ## Domain allowed access. ## ## # define(`cron_write_system_job_pipes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cron_write_system_job_pipes'($*)) dnl gen_require(` type system_cronjob_t; ') allow $1 system_cronjob_t:fifo_file write; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cron_write_system_job_pipes'($*)) dnl ') ######################################## ## ## Read and write a system cron job unnamed pipe. ## ## ## ## Domain allowed access. 
## ## # define(`cron_rw_system_job_pipes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cron_rw_system_job_pipes'($*)) dnl gen_require(` type system_cronjob_t; ') allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cron_rw_system_job_pipes'($*)) dnl ') ######################################## ## ## Allow read/write unix stream sockets from the system cron jobs. ## ## ## ## Domain allowed access. ## ## # define(`cron_rw_system_job_stream_sockets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cron_rw_system_job_stream_sockets'($*)) dnl gen_require(` type system_cronjob_t; ') allow $1 system_cronjob_t:unix_stream_socket { read write }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cron_rw_system_job_stream_sockets'($*)) dnl ') ######################################## ## ## Read temporary files from the system cron jobs. ## ## ## ## Domain allowed access. ## ## # define(`cron_read_system_job_tmp_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cron_read_system_job_tmp_files'($*)) dnl gen_require(` type system_cronjob_tmp_t, cron_var_run_t; ') files_search_tmp($1) allow $1 system_cronjob_tmp_t:file read_file_perms; files_search_pids($1) allow $1 cron_var_run_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cron_read_system_job_tmp_files'($*)) dnl ') ######################################## ## ## Do not audit attempts to append temporary ## files from the system cron jobs. ## ## ## ## Domain to not audit. 
## </summary>
## </param>
#
define(`cron_dontaudit_append_system_job_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_dontaudit_append_system_job_tmp_files'($*)) dnl
	gen_require(`
		type system_cronjob_tmp_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_dontaudit_append_system_job_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write temporary
##	files from the system cron jobs, or cron
##	runtime files (cron_var_run_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`cron_dontaudit_write_system_job_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_dontaudit_write_system_job_tmp_files'($*)) dnl
	gen_require(`
		type system_cronjob_tmp_t;
		type cron_var_run_t;
	')

	dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
	# Despite the interface name this also covers cron runtime files.
	dontaudit $1 cron_var_run_t:file write_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_dontaudit_write_system_job_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Send to system_cronjob over a unix domain
##	datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cron_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_dgram_send'($*)) dnl
	gen_require(`
		type system_cronjob_t;
	')

	# sendto only: one-way from $1 to the job; no reply path is granted.
	allow $1 system_cronjob_t:unix_dgram_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_dgram_send'($*)) dnl
')

########################################
## <summary>
##	Read files in the system cron job var lib
##	directory (system_cronjob_var_lib_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## # define(`cron_read_system_job_lib_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cron_read_system_job_lib_files'($*)) dnl gen_require(` type system_cronjob_var_lib_t; ') files_search_var_lib($1) read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cron_read_system_job_lib_files'($*)) dnl ') ######################################## ## ## Manage files from the system cron jobs. ## ## ## ## Domain allowed access. ## ## # define(`cron_manage_system_job_lib_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cron_manage_system_job_lib_files'($*)) dnl gen_require(` type system_cronjob_var_lib_t; ') files_search_var_lib($1) manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cron_manage_system_job_lib_files'($*)) dnl ') ####################################### ## ## Create, read, write and delete ## cron log files. ## ## ## ## Domain allowed access. ## ## # define(`cron_manage_log_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cron_manage_log_files'($*)) dnl gen_require(` type cron_log_t; ') manage_files_pattern($1, cron_log_t, cron_log_t) logging_search_logs($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cron_manage_log_files'($*)) dnl ') ####################################### ## ## Create specified objects in generic ## log directories with the cron log file type. ## ## ## ## Domain allowed access. ## ## ## ## ## Class of the object being created. ## ## ## ## ## The name of the object being created. 
## </summary>
## </param>
#
define(`cron_generic_log_filetrans_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_generic_log_filetrans_log'($*)) dnl
	gen_require(`
		type cron_log_t;
	')

	# Objects of class $2 named $3 that $1 creates in a generic log
	# directory get the cron_log_t label.
	logging_log_filetrans($1, cron_log_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_generic_log_filetrans_log'($*)) dnl
')

#######################################
## <summary>
##	Create the redhat-access-insights.log file in
##	generic log directories with the generic log
##	file type (var_log_t).  Only the domain argument
##	is used; the object class and name are fixed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cron_generic_log_filetrans_log_insights',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_generic_log_filetrans_log_insights'($*)) dnl
	gen_require(`
		type var_log_t;
	')

	# NOTE(review): the target type is var_log_t, not cron_log_t, so unlike
	# cron_generic_log_filetrans_log above this does not give the file a
	# cron-specific label.  Any $2/$3 a caller passes are ignored.
	logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_generic_log_filetrans_log_insights'($*)) dnl
')

########################################
## <summary>
##	Allow system_cron_spool_t to be an entrypoint of this domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`cron_system_spool_entrypoint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cron_system_spool_entrypoint'($*)) dnl
	gen_require(`
		attribute system_cron_spool_t;
	')

	# Security-relevant: every file labeled system_cron_spool_t becomes a
	# valid execution entry point into $1.  Combined with a domain
	# transition rule, whoever can write such a file can start code
	# running as $1, so grant this only to domains that are meant to be
	# entered from system cron spool content.
	# NOTE(review): system_cron_spool_t is required here as an attribute;
	# confirm this matches its declaration in the cron module.
	allow $1 system_cron_spool_t:file entrypoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cron_system_spool_entrypoint'($*)) dnl
')

## <summary>policy for ctdbd</summary>

########################################
## <summary>
##	Transition to ctdbd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
define(`ctdbd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_domtrans'($*)) dnl
	gen_require(`
		type ctdbd_t, ctdbd_exec_t;
	')

	# Direct transition: executing a ctdbd_exec_t file from $1 lands in
	# ctdbd_t.
	corecmd_search_bin($1)
	domtrans_pattern($1, ctdbd_exec_t, ctdbd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute ctdbd init scripts in the
##	init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ctdbd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_initrc_domtrans'($*)) dnl
	gen_require(`
		type ctdbd_initrc_exec_t;
	')

	# Transitions through the labeled init script, not into ctdbd_t
	# directly; use ctdbd_domtrans for a direct transition into the daemon.
	init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_initrc_domtrans'($*)) dnl
')

#######################################
## <summary>
##	Allow domain to signal ctdbd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ctdbd_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_signal'($*)) dnl
	gen_require(`
		type ctdbd_t;
	')

	# Generic signal only (no sigkill/sigstop).
	allow $1 ctdbd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_signal'($*)) dnl
')

#######################################
## <summary>
##	Allow domain to sigchld ctdbd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ctdbd_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_sigchld'($*)) dnl
	gen_require(`
		type ctdbd_t;
	')

	allow $1 ctdbd_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_sigchld'($*)) dnl
')

########################################
## <summary>
##	Read ctdbd log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
##
#
define(`ctdbd_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_read_log'($*)) dnl
	gen_require(`
		type ctdbd_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_read_log'($*)) dnl
')

########################################
## <summary>
##	Append to ctdbd log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ctdbd_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_append_log'($*)) dnl
	gen_require(`
		type ctdbd_log_t;
	')

	# Append only: no read, write or unlink of existing log content.
	logging_search_logs($1)
	append_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_append_log'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete ctdbd log
##	directories, files and symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ctdbd_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_manage_log'($*)) dnl
	gen_require(`
		type ctdbd_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t)
	manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
	manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_manage_log'($*)) dnl
')

########################################
## <summary>
##	Search ctdbd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## # define(`ctdbd_search_lib',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ctdbd_search_lib'($*)) dnl gen_require(` type ctdbd_var_lib_t; ') allow $1 ctdbd_var_lib_t:dir search_dir_perms; files_search_var_lib($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ctdbd_search_lib'($*)) dnl ') ######################################## ## ## Read ctdbd lib files. ## ## ## ## Domain allowed access. ## ## # define(`ctdbd_read_lib_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ctdbd_read_lib_files'($*)) dnl gen_require(` type ctdbd_var_lib_t; ') files_search_var_lib($1) read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ctdbd_read_lib_files'($*)) dnl ') ######################################## ## ## Manage ctdbd lib files. ## ## ## ## Domain allowed access. ## ## # define(`ctdbd_manage_lib_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ctdbd_manage_lib_files'($*)) dnl gen_require(` type ctdbd_var_lib_t; ') files_search_var_lib($1) manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) allow $1 ctdbd_var_lib_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ctdbd_manage_lib_files'($*)) dnl ') ######################################## ## ## Manage ctdbd lib directories. ## ## ## ## Domain allowed access. 
## ## # define(`ctdbd_manage_lib_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ctdbd_manage_lib_dirs'($*)) dnl gen_require(` type ctdbd_var_lib_t; ') files_search_var_lib($1) manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ctdbd_manage_lib_dirs'($*)) dnl ') ######################################## ## ## Read ctdbd PID files. ## ## ## ## Domain allowed access. ## ## # define(`ctdbd_read_pid_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ctdbd_read_pid_files'($*)) dnl gen_require(` type ctdbd_var_run_t; ') files_search_pids($1) allow $1 ctdbd_var_run_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ctdbd_read_pid_files'($*)) dnl ') ####################################### ## ## Connect to ctdbd over a unix stream socket. ## ## ## ## Domain allowed access. ## ## # define(`ctdbd_stream_connect',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ctdbd_stream_connect'($*)) dnl gen_require(` type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t; ') files_search_pids($1) stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t) stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ctdbd_stream_connect'($*)) dnl ') ######################################## ## ## All of the rules required to administrate ## an ctdbd environment ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. 
## </summary>
## </param>
##
#
define(`ctdbd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ctdbd_admin'($*)) dnl
	gen_require(`
		type ctdbd_t, ctdbd_initrc_exec_t;
		type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
	')

	allow $1 ctdbd_t:process signal_perms;
	ps_process_pattern($1, ctdbd_t)

	# ptrace of the daemon is granted only while the deny_ptrace boolean
	# is off; it allows full inspection and control of the ctdbd process.
	tunable_policy(`deny_ptrace',`',`
		allow $1 ctdbd_t:process ptrace;
	')

	ctdbd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	# The admin role $2 is granted system_r so the init script can run
	# in system_r.
	role_transition $2 ctdbd_initrc_exec_t system_r;
	allow $2 system_r;

	# admin_pattern presumably gives $1 administrative (manage-level)
	# access to each content type; each is preceded by the search
	# access needed to reach it.
	logging_search_logs($1)
	admin_pattern($1, ctdbd_log_t)

	files_search_var_lib($1)
	admin_pattern($1, ctdbd_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, ctdbd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ctdbd_admin'($*)) dnl
')

## <summary>Common UNIX printing system.</summary>

########################################
## <summary>
##	Create a domain which can be
##	started by cupsd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="entry_point">
##	<summary>
##	Type of the program to be used as an entry point to this domain.
##	</summary>
## </param>
#
define(`cups_backend',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_backend'($*)) dnl
	gen_require(`
		type cupsd_t;
	')

	# Declares $1 as a domain with $2 as its entry point and places it in
	# system_r.  Every file labeled $2 becomes an entry point into $1, so
	# $2 should label only the intended backend binaries.
	domain_type($1)
	domain_entry_file($1, $2)
	role system_r types $1;

	# cupsd automatically transitions into $1 when it executes $2 and may
	# send it a generic signal.
	domtrans_pattern(cupsd_t, $2, $1)
	allow cupsd_t $1:process signal;

	# The backend talks to cupsd over an inherited stream socket and gets
	# read-only cups config plus append-only cups log access.
	allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms;
	cups_read_config($1)
	cups_append_log($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_backend'($*)) dnl
')

########################################
## <summary>
##	Execute cups in the cups domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
## ## # define(`cups_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cups_domtrans'($*)) dnl gen_require(` type cupsd_t, cupsd_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, cupsd_exec_t, cupsd_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cups_domtrans'($*)) dnl ') ######################################## ## ## Connect to cupsd over an unix ## domain stream socket. ## ## ## ## Domain allowed access. ## ## # define(`cups_stream_connect',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cups_stream_connect'($*)) dnl gen_require(` type cupsd_t, cupsd_var_run_t; ') files_search_pids($1) stream_connect_pattern($1, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) allow $1 cupsd_var_run_t:sock_file read_sock_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cups_stream_connect'($*)) dnl ') ######################################## ## ## Connect to cups over TCP. (Deprecated) ## ## ## ## Domain allowed access. ## ## # define(`cups_tcp_connect',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cups_tcp_connect'($*)) dnl refpolicywarn(`$0($*) has been deprecated.') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cups_tcp_connect'($*)) dnl ') ######################################## ## ## Send and receive messages from ## cups over dbus. ## ## ## ## Domain allowed access. 
## ## # define(`cups_dbus_chat',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cups_dbus_chat'($*)) dnl gen_require(` type cupsd_t; class dbus send_msg; ') allow $1 cupsd_t:dbus send_msg; allow cupsd_t $1:dbus send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cups_dbus_chat'($*)) dnl ') ######################################## ## ## Read cups PID files. ## ## ## ## Domain allowed access. ## ## # define(`cups_read_pid_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cups_read_pid_files'($*)) dnl gen_require(` type cupsd_var_run_t; ') files_search_pids($1) allow $1 cupsd_var_run_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cups_read_pid_files'($*)) dnl ') ######################################## ## ## Execute cups_config in the ## cups config domain. ## ## ## ## Domain allowed to transition. ## ## # define(`cups_domtrans_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cups_domtrans_config'($*)) dnl gen_require(` type cupsd_config_t, cupsd_config_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, cupsd_config_exec_t, cupsd_config_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cups_domtrans_config'($*)) dnl ') ######################################## ## ## Send generic signals to the cups ## configuration daemon. ## ## ## ## Domain allowed access. 
## ## # define(`cups_signal_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cups_signal_config'($*)) dnl gen_require(` type cupsd_config_t; ') allow $1 cupsd_config_t:process signal; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cups_signal_config'($*)) dnl ') ######################################## ## ## Send and receive messages from ## cupsd_config over dbus. ## ## ## ## Domain allowed access. ## ## # define(`cups_dbus_chat_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cups_dbus_chat_config'($*)) dnl gen_require(` type cupsd_config_t; class dbus send_msg; ') allow $1 cupsd_config_t:dbus send_msg; allow cupsd_config_t $1:dbus send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cups_dbus_chat_config'($*)) dnl ') ######################################## ## ## Read cups configuration files. ## ## ## ## Domain allowed access. ## ## ## # define(`cups_read_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cups_read_config'($*)) dnl gen_require(` type cupsd_etc_t, cupsd_rw_etc_t; type hplip_etc_t; ') files_search_etc($1) read_files_pattern($1, cupsd_etc_t, cupsd_etc_t) read_files_pattern($1, hplip_etc_t, hplip_etc_t) read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cups_read_config'($*)) dnl ') ######################################## ## ## Read cups-writable configuration files. ## ## ## ## Domain allowed access. 
## ## ## # define(`cups_read_rw_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cups_read_rw_config'($*)) dnl gen_require(` type cupsd_etc_t, cupsd_rw_etc_t; ') files_search_etc($1) read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cups_read_rw_config'($*)) dnl ') ######################################## ## ## Read cups log files. ## ## ## ## Domain allowed access. ## ## ## # define(`cups_read_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cups_read_log'($*)) dnl gen_require(` type cupsd_log_t; ') logging_search_logs($1) allow $1 cupsd_log_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cups_read_log'($*)) dnl ') ######################################## ## ## Append cups log files. ## ## ## ## Domain allowed access. ## ## # define(`cups_append_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cups_append_log'($*)) dnl gen_require(` type cupsd_log_t; ') logging_search_logs($1) append_files_pattern($1, cupsd_log_t, cupsd_log_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cups_append_log'($*)) dnl ') ######################################## ## ## Write cups log files. ## ## ## ## Domain allowed access. ## ## # define(`cups_write_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `cups_write_log'($*)) dnl gen_require(` type cupsd_log_t; ') logging_search_logs($1) allow $1 cupsd_log_t:file write_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `cups_write_log'($*)) dnl ') ######################################## ## ## Connect to ptal over an unix ## domain stream socket. ## ## ## ## Domain allowed access. 
## </summary>
## </param>
#
define(`cups_stream_connect_ptal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_stream_connect_ptal'($*)) dnl
	gen_require(`
		type ptal_t, ptal_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_stream_connect_ptal'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage the cupsd service,
##	read its unit file, and read cupsd process state.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cupsd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cupsd_systemctl'($*)) dnl
	gen_require(`
		type cupsd_t;
		type cupsd_unit_file_t;
	')

	# Same shape as cron_systemctl: $1 may run systemctl, ask init to
	# reload services, and gets manage_service_perms on the cupsd unit,
	# i.e. service control rather than status only.
	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 cupsd_unit_file_t:file read_file_perms;
	allow $1 cupsd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, cupsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cupsd_systemctl'($*)) dnl
')

########################################
## <summary>
##	Read the process state (/proc/pid) of cupsd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cups_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_read_state'($*)) dnl
	gen_require(`
		type cupsd_t;
	')

	allow $1 cupsd_t:dir search_dir_perms;
	allow $1 cupsd_t:file read_file_perms;
	allow $1 cupsd_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_read_state'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an cups environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
## </summary>
## </param>
##
#
define(`cups_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_admin'($*)) dnl
	gen_require(`
		type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
		type cupsd_etc_t, cupsd_log_t;
		type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
		type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t;
		type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;
		type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
		type ptal_t;
		type cupsd_unit_file_t;
	')

	allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { signal_perms };
	allow $1 { cups_pdf_t ptal_t }:process { signal_perms };
	ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
	ps_process_pattern($1, { cups_pdf_t ptal_t })

	# ptrace is granted only while the deny_ptrace boolean is off, and
	# only for the three cupsd domains; cups_pdf_t and ptal_t get signals
	# and process-state reads but no ptrace.
	tunable_policy(`deny_ptrace',`',`
		allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process ptrace;
	')

	init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
	domain_system_change_exemption($1)
	# The admin role $2 is granted system_r so the init script can run
	# in system_r.
	role_transition $2 cupsd_initrc_exec_t system_r;
	allow $2 system_r;

	# admin_pattern presumably gives $1 administrative (manage-level)
	# access to each content type.
	files_list_etc($1)
	admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t })

	logging_list_logs($1)
	admin_pattern($1, cupsd_log_t)

	files_list_tmp($1)
	admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t })

	# NOTE(review): unlike the etc, log and tmp groups above (and
	# ctdbd_admin, which calls files_search_pids), no pid-directory
	# search/list call precedes these; the caller presumably already has
	# it - confirm.
	admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t })
	admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t })

	# Service control plus manage-level access to the unit file itself.
	# Being able to rewrite the unit file effectively lets $1 decide what
	# is launched as cupsd, so this is a high-privilege grant.
	cupsd_systemctl($1)
	admin_pattern($1, cupsd_unit_file_t)
	allow $1 cupsd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_admin'($*)) dnl
')

########################################
## <summary>
##	Transition to cups named content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##
##
#
define(`cups_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cups_filetrans_named_content'($*)) dnl
	gen_require(`
		type cupsd_rw_etc_t;
		type cupsd_etc_t;
	')

	# Objects that $1 creates under cupsd_etc_t with exactly these names
	# are labelled cupsd_rw_etc_t instead of inheriting cupsd_etc_t.
	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf")
	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf")
	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O")
	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf")
	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default")
	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions")
	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf")
	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O")
	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N")
	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, dir, "ppd")

	# Named transitions in the generic etc, usr, bin and var directories.
	# "ppd" is listed as both a file and a dir under etc so either object
	# class receives the cups label.
	files_etc_filetrans($1, cupsd_rw_etc_t, file, "printcap")
	files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat")
	files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppd")
	files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
	files_etc_filetrans($1, cupsd_rw_etc_t, dir, "ppd")
	files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
	corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
	files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cups_filetrans_named_content'($*)) dnl
')

## Concurrent versions system.

######################################
##
## Dontaudit attempts to list the CVS data and metadata.
##
##
##
## Domain to not audit.
##
##
#
define(`cvs_dontaudit_list_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cvs_dontaudit_list_data'($*)) dnl
	gen_require(`
		type cvs_data_t;
	')

	# Suppresses the audit record only; listing is still denied.
	dontaudit $1 cvs_data_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cvs_dontaudit_list_data'($*)) dnl
')

########################################
##
## Read CVS data and metadata content.
##
##
##
## Domain allowed access.
##
##
#
define(`cvs_read_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cvs_read_data'($*)) dnl
	gen_require(`
		type cvs_data_t;
	')

	# Read-only access to directories, files and symlinks of the data tree.
	list_dirs_pattern($1, cvs_data_t, cvs_data_t)
	read_files_pattern($1, cvs_data_t, cvs_data_t)
	read_lnk_files_pattern($1, cvs_data_t, cvs_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cvs_read_data'($*)) dnl
')

########################################
##
## Execute cvs in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`cvs_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cvs_exec'($*)) dnl
	gen_require(`
		type cvs_exec_t;
	')

	# can_exec: the cvs binary runs in $1 itself, with no domain transition.
	corecmd_search_bin($1)
	can_exec($1, cvs_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cvs_exec'($*)) dnl
')

########################################
##
## Transition to cvs named content
##
##
##
## Domain allowed access.
##
##
#
define(`cvs_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cvs_filetrans_home_content'($*)) dnl
	gen_require(`
		type cvs_home_t;
	')

	# A file named ".cvsignore" created by $1 in a user home directory
	# is labelled cvs_home_t.
	userdom_user_home_dir_filetrans($1, cvs_home_t, file, ".cvsignore")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cvs_filetrans_home_content'($*)) dnl
')

########################################
##
## All of the rules required to
## administrate a cvs environment
##
##
##
## Domain allowed access.
##
##
##
##
##
## Role allowed access.
##
##
##
#
define(`cvs_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cvs_admin'($*)) dnl
	gen_require(`
		type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
		type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
		type cvs_home_t;
	')

	allow $1 cvs_t:process signal_perms;
	ps_process_pattern($1, cvs_t)

	# ptrace only while the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 cvs_t:process ptrace;
	')

	# Allow $1 to run the cvs init script; role $2 transitions to system_r.
	init_labeled_script_domtrans($1, cvs_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 cvs_initrc_exec_t system_r;
	allow $2 system_r;

	# cvs_keytab_t is presumably the service's Kerberos keytab; admin_pattern
	# grants full manage access to it, so restrict callers accordingly.
	files_search_etc($1)
	admin_pattern($1, cvs_keytab_t)

	files_list_tmp($1)
	admin_pattern($1, cvs_tmp_t)

	files_search_usr($1)
	admin_pattern($1, cvs_data_t)

	files_list_pids($1)
	admin_pattern($1, cvs_var_run_t)

	userdom_search_user_home_dirs($1)
	admin_pattern($1, cvs_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cvs_admin'($*)) dnl
')

## Cyphesis WorldForge game server.

########################################
##
## Execute a domain transition to run cyphesis.
##
##
##
## Domain allowed to transition.
##
##
#
define(`cyphesis_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cyphesis_domtrans'($*)) dnl
	gen_require(`
		type cyphesis_t, cyphesis_exec_t;
	')

	# Executing cyphesis_exec_t moves $1 into cyphesis_t.
	corecmd_search_bin($1)
	domtrans_pattern($1, cyphesis_exec_t, cyphesis_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cyphesis_domtrans'($*)) dnl
')

########################################
##
## All of the rules required to
## administrate a cyphesis environment.
##
##
##
## Domain allowed access.
##
##
##
##
##
## Role allowed access.
##
##
##
#
define(`cyphesis_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cyphesis_admin'($*)) dnl
	gen_require(`
		type cyphesis_t, cyphesis_initrc_exec_t, cyphesis_log_t;
		type cyphesis_var_run_t, cyphesis_tmp_t;
	')

	# NOTE(review): ptrace is granted unconditionally here, whereas the
	# cups, cvs and cyrus admin interfaces gate it behind deny_ptrace.
	allow $1 cyphesis_t:process { ptrace signal_perms };
	ps_process_pattern($1, cyphesis_t)

	# Run the cyphesis init script; role $2 transitions to system_r.
	init_labeled_script_domtrans($1, cyphesis_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 cyphesis_initrc_exec_t system_r;
	allow $2 system_r;

	logging_search_logs($1)
	admin_pattern($1, cyphesis_log_t)

	files_search_pids($1)
	admin_pattern($1, cyphesis_var_run_t)

	files_search_tmp($1)
	admin_pattern($1, cyphesis_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cyphesis_admin'($*)) dnl
')

## Cyrus is an IMAP service intended to be run on sealed servers.

########################################
##
## Create, read, write, and delete
## cyrus data files.
##
##
##
## Domain allowed access.
##
##
#
define(`cyrus_manage_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cyrus_manage_data'($*)) dnl
	gen_require(`
		type cyrus_var_lib_t;
	')

	# Full file management (create/read/write/delete) of cyrus_var_lib_t files.
	files_search_var_lib($1)
	manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cyrus_manage_data'($*)) dnl
')

#######################################
##
## Write cyrus data files.
##
##
##
## Domain allowed access.
##
##
#
define(`cyrus_write_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cyrus_write_data'($*)) dnl
	gen_require(`
		type cyrus_var_lib_t;
	')

	# Write-only variant of cyrus_manage_data(): no create or delete.
	files_search_var_lib($1)
	write_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cyrus_write_data'($*)) dnl
')

########################################
##
## Connect to Cyrus using a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`cyrus_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cyrus_stream_connect'($*)) dnl
	gen_require(`
		type cyrus_t, cyrus_var_lib_t;
	')

	# Socket files live under cyrus_var_lib_t; the peer domain is cyrus_t.
	files_search_var_lib($1)
	stream_connect_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t, cyrus_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cyrus_stream_connect'($*)) dnl
')

########################################
##
## Connect to Cyrus using a unix
## domain stream socket in the runtime filesystem.
##
##
##
## Domain allowed access.
##
##
#
define(`cyrus_runtime_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cyrus_runtime_stream_connect'($*)) dnl
	gen_require(`
		type cyrus_t, cyrus_var_run_t;
	')

	# Same as cyrus_stream_connect() but for sockets labelled cyrus_var_run_t
	# in the pid directory.
	files_search_pids($1)
	stream_connect_pattern($1, cyrus_var_run_t, cyrus_var_run_t, cyrus_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cyrus_runtime_stream_connect'($*)) dnl
')

########################################
##
## All of the rules required to
## administrate a cyrus environment.
##
##
##
## Domain allowed access.
##
##
##
##
##
## Role allowed access.
##
##
##
#
define(`cyrus_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cyrus_admin'($*)) dnl
	gen_require(`
		type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
		type cyrus_var_run_t, cyrus_initrc_exec_t;
		type cyrus_keytab_t;
	')

	allow $1 cyrus_t:process signal_perms;
	ps_process_pattern($1, cyrus_t)

	# ptrace only while the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 cyrus_t:process ptrace;
	')

	# Run the cyrus init script; role $2 transitions to system_r.
	init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 cyrus_initrc_exec_t system_r;
	allow $2 system_r;

	# cyrus_keytab_t is presumably the service's Kerberos keytab; the
	# admin domain gets full manage access to it.
	files_list_etc($1)
	admin_pattern($1, cyrus_keytab_t)

	files_list_tmp($1)
	admin_pattern($1, cyrus_tmp_t)

	files_list_var_lib($1)
	admin_pattern($1, cyrus_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, cyrus_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cyrus_admin'($*)) dnl
')

## Collection of tools for managing UNIX services.

########################################
##
## An ipc channel between the
## supervised domain and svc_start_t.
##
##
##
## Domain allowed access.
##
##
#
define(`daemontools_ipc_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `daemontools_ipc_domain'($*)) dnl
	gen_require(`
		type svc_start_t;
	')

	# Two-way channel: $1 reports child exit and shares fds/fifos with
	# svc_start_t; svc_start_t may send signals to $1.
	allow $1 svc_start_t:process sigchld;
	allow $1 svc_start_t:fd use;
	allow $1 svc_start_t:fifo_file rw_fifo_file_perms;
	allow svc_start_t $1:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `daemontools_ipc_domain'($*)) dnl
')

########################################
##
## Create a domain which can be
## started by daemontools.
##
##
##
## Type to be used as a domain.
##
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
#
define(`daemontools_service_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `daemontools_service_domain'($*)) dnl
	gen_require(`
		type svc_run_t;
	')

	# svc_run_t executing $2 transitions into $1.
	# NOTE(review): unlike dbus_system_domain(), this does not declare $1
	# as a domain or $2 as its entry file; the caller is assumed to do that.
	domain_auto_trans(svc_run_t, $2, $1)
	daemontools_ipc_domain($1)

	allow svc_run_t $1:process signal;
	allow $1 svc_run_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `daemontools_service_domain'($*)) dnl
')

########################################
##
## Execute svc start in the svc
## start domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`daemontools_domtrans_start',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `daemontools_domtrans_start'($*)) dnl
	gen_require(`
		type svc_start_t, svc_start_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, svc_start_exec_t, svc_start_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `daemontools_domtrans_start'($*)) dnl
')

######################################
##
## Execute svc start in the svc
## start domain, and allow the
## specified role the svc start domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
##
## Role allowed access.
##
##
##
#
# NOTE(review): the interface name is spelled "daemonstools" (sic); callers
# must use this exact spelling until a renamed alias is provided.
define(`daemonstools_run_start',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `daemonstools_run_start'($*)) dnl
	gen_require(`
		attribute_role svc_start_roles;
	')

	# Domain transition plus adding role $2 to the svc_start role attribute.
	daemontools_domtrans_start($1)
	roleattribute $2 svc_start_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `daemonstools_run_start'($*)) dnl
')

########################################
##
## Execute svc run in the svc run domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`daemontools_domtrans_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `daemontools_domtrans_run'($*)) dnl
	gen_require(`
		type svc_run_t, svc_run_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, svc_run_exec_t, svc_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `daemontools_domtrans_run'($*)) dnl
')

######################################
##
## Send child terminated signals
## to svc run.
##
##
##
## Domain allowed access.
##
##
#
define(`daemontools_sigchld_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `daemontools_sigchld_run'($*)) dnl
	gen_require(`
		type svc_run_t;
	')

	# Only SIGCHLD; no other signal is granted.
	allow $1 svc_run_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `daemontools_sigchld_run'($*)) dnl
')

########################################
##
## Execute svc multilog in the svc
## multilog domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`daemontools_domtrans_multilog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `daemontools_domtrans_multilog'($*)) dnl
	gen_require(`
		type svc_multilog_t, svc_multilog_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, svc_multilog_exec_t, svc_multilog_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `daemontools_domtrans_multilog'($*)) dnl
')

######################################
##
## Search svc svc directories.
##
##
##
## Domain allowed access.
##
##
#
define(`daemontools_search_svc_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `daemontools_search_svc_dir'($*)) dnl
	gen_require(`
		type svc_svc_t;
	')

	# Search only (path traversal); directory listing is in daemontools_read_svc().
	files_search_var($1)
	allow $1 svc_svc_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `daemontools_search_svc_dir'($*)) dnl
')

########################################
##
## Read svc svc files.
##
##
##
## Domain allowed access.
##
##
##
#
define(`daemontools_read_svc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `daemontools_read_svc'($*)) dnl
	gen_require(`
		type svc_svc_t;
	')

	files_search_var($1)
	allow $1 svc_svc_t:dir list_dir_perms;
	allow $1 svc_svc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `daemontools_read_svc'($*)) dnl
')

########################################
##
## Create, read, write and delete
## svc svc content.
##
##
##
## Domain allowed access.
##
##
##
#
define(`daemontools_manage_svc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `daemontools_manage_svc'($*)) dnl
	gen_require(`
		type svc_svc_t;
	')

	# Manage dirs, fifos, regular files and symlinks labelled svc_svc_t.
	files_search_var($1)
	allow $1 svc_svc_t:dir manage_dir_perms;
	allow $1 svc_svc_t:fifo_file manage_fifo_file_perms;
	allow $1 svc_svc_t:file manage_file_perms;
	allow $1 svc_svc_t:lnk_file manage_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `daemontools_manage_svc'($*)) dnl
')

## Dante msproxy and socks4/5 proxy server.

########################################
##
## All of the rules required to
## administrate a dante environment.
##
##
##
## Domain allowed access.
##
##
##
##
##
## Role allowed access.
##
##
##
#
define(`dante_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dante_admin'($*)) dnl
	gen_require(`
		type dante_t, dante_conf_t, dante_var_run_t;
		type dante_initrc_exec_t;
	')

	# NOTE(review): ptrace is granted unconditionally here, whereas the
	# cups, cvs and cyrus admin interfaces gate it behind deny_ptrace.
	allow $1 dante_t:process { ptrace signal_perms };
	ps_process_pattern($1, dante_t)

	# Run the dante init script; role $2 transitions to system_r.
	init_labeled_script_domtrans($1, dante_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 dante_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, dante_conf_t)

	files_search_pids($1)
	admin_pattern($1, dante_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dante_admin'($*)) dnl
')

## Database administrator role.

########################################
##
## Change to the database administrator role.
##
##
##
## Role allowed access.
##
##
##
#
define(`dbadm_role_change',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbadm_role_change'($*)) dnl
	gen_require(`
		role dbadm_r;
	')

	# Role allow: $1 may change into dbadm_r (the reverse direction is
	# dbadm_role_change_to()).
	allow $1 dbadm_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbadm_role_change'($*)) dnl
')

########################################
##
## Change from the database administrator role.
##
##
##

## Change from the database administrator role to ## the specified role. ##

##

## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. ##

##
##
##
##
##
## Role allowed access.
##
##
##
#
define(`dbadm_role_change_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbadm_role_change_to'($*)) dnl
	gen_require(`
		role dbadm_r;
	')

	# Role allow: dbadm_r may change into $1.
	allow dbadm_r $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbadm_role_change_to'($*)) dnl
')

## Dictionary server for the SKK Japanese input method system.

## Desktop messaging bus

########################################
##
## DBUS stub interface. No access allowed.
##
##
##
## Domain allowed access
##
##
#
define(`dbus_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_stub'($*)) dnl
	gen_require(`
		type system_dbusd_t;
		class dbus all_dbus_perms;
	')

	# Intentionally empty: only the require block, so a module can
	# reference the dbus types and class without being granted any access.
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_stub'($*)) dnl
')

########################################
##
## Execute dbus-daemon in the caller domain.
##
##
##
## Domain allowed access
##
##
#
define(`dbus_exec_dbusd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_exec_dbusd'($*)) dnl
	gen_require(`
		type dbusd_exec_t;
	')

	# No domain transition: dbus-daemon runs in $1 itself.
	can_exec($1, dbusd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_exec_dbusd'($*)) dnl
')

########################################
##
## Role access for dbus
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
##
##
## Role allowed access
##
##
##
##
##
## User domain for the role
##
##
#
define(`dbus_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_role_template'($*)) dnl
	gen_require(`
		class dbus { send_msg acquire_svc };
		attribute dbusd_unconfined, session_bus_type;
		type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
		type $1_t;
	')

	##############################
	#
	# Declarations
	#

	# Per-prefix session bus daemon domain, confined by ubac and tied to role $2.
	type $1_dbusd_t, session_bus_type;
	application_domain($1_dbusd_t, dbusd_exec_t)
	ubac_constrained($1_dbusd_t)
	role $2 types $1_dbusd_t;

	kernel_read_system_state($1_dbusd_t)
	selinux_get_fs_mount($1_dbusd_t)
	userdom_home_manager($1_dbusd_t)

	##############################
	#
	# Local policy
	#

	# For connecting to the bus
	allow $3 $1_dbusd_t:unix_stream_socket { accept connectto listen rw_socket_perms create };
	allow $1_dbusd_t $3:unix_stream_socket { accept getattr getopt read write };
	allow $1_dbusd_t $3:unix_dgram_socket sendto;

	# SE-DBus specific permissions
	allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };

	# Permissions for dbus-broker running with systemd user sessions
	allow $3 $1_dbusd_t:process { noatsecure rlimitinh siginh };
	allow $1_dbusd_t $3:dbus send_msg;
	allow $3 $1_dbusd_t:dbus send_msg;
	allow $1_dbusd_t $3:system { start reload };
	allow $1_dbusd_t session_dbusd_tmp_t:service { start stop };
	allow $3 session_dbusd_tmp_t:dir manage_dir_perms;
	allow $3 session_dbusd_tmp_t:file manage_file_perms;

	# The user domain $3 starts the bus daemon via a domain transition.
	can_exec($1_dbusd_t, dbusd_exec_t)
	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)

	ps_process_pattern($3, $1_dbusd_t)
	allow $3 $1_dbusd_t:process signal_perms;

	# ptrace of the bus daemon only while the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $3 $1_dbusd_t:process ptrace;
	')

	# cjp: this seems very broken
	# NOTE(review): these two rules let the bus daemon transition into $1_t
	# by executing any bin or shell entry point, widening its reach well
	# beyond message brokering.
	corecmd_bin_domtrans($1_dbusd_t, $1_t)
	corecmd_shell_domtrans($1_dbusd_t, $1_t)
	allow $1_dbusd_t $3:process sigkill;
	allow $3 $1_dbusd_t:fd use;
	allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;

	auth_use_nsswitch($1_dbusd_t)
	files_config_all_files($1_dbusd_t)
	logging_send_syslog_msg($1_dbusd_t)

	# Quietly drop net_admin attempts rather than granting the capability.
	dontaudit $1_dbusd_t self:capability net_admin;

	optional_policy(`
		mozilla_domtrans_spec($1_dbusd_t, $1_t)
	')

	optional_policy(`
		systemd_start_systemd_services($1_dbusd_t)
	') dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_role_template'($*)) dnl
')

#######################################
##
## Template for creating connections to
## the system DBUS.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_system_bus_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_system_bus_client'($*)) dnl
	gen_require(`
		# NOTE(review): system_dbusd_t is listed twice here; harmless but redundant.
		type system_dbusd_t, system_dbusd_t;
		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
		class dbus send_msg;
		attribute dbusd_unconfined;
	')

	# SE-DBus specific permissions
	# Messages flow both ways between $1 and the system bus daemon (and
	# any dbusd_unconfined domain); $1 may also message itself.
	allow $1 { system_dbusd_t self }:dbus send_msg;
	allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;

	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
	read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
	files_search_var_lib($1)

	dev_read_urand($1)

	# For connecting to the bus
	files_search_pids($1)
	stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
	dbus_read_config($1)

	optional_policy(`
		unconfined_server_dbus_chat($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_system_bus_client'($*)) dnl
')

#######################################
##
## Creating connections to specified
## DBUS sessions.
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_session_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_session_client'($*)) dnl
	gen_require(`
		class dbus send_msg;
		type $1_dbusd_t;
	')

	# $2 may use the $1 session bus daemon's fds, send messages to it
	# (and to itself) and connect to its unix stream socket.
	allow $2 $1_dbusd_t:fd use;
	allow $2 { $1_dbusd_t self }:dbus send_msg;
	allow $2 $1_dbusd_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_session_client'($*)) dnl
')

#######################################
##
## Template for creating connections to
## a user DBUS.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_session_bus_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_session_bus_client'($*)) dnl
	gen_require(`
		attribute session_bus_type;
		class dbus send_msg;
	')

	# SE-DBus specific permissions
	allow $1 { session_bus_type self }:dbus send_msg;

	# For connecting to the bus
	allow $1 session_bus_type:unix_stream_socket connectto;
	# Any session bus daemon may SIGKILL the client domain.
	allow session_bus_type $1:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_session_bus_client'($*)) dnl
')

########################################
##
## Send a message on the session DBUS.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_send_session_bus',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_send_session_bus'($*)) dnl
	gen_require(`
		attribute session_bus_type;
		class dbus send_msg;
	')

	# One-way: $1 -> session bus only; see dbus_chat_session_bus() for both ways.
	allow $1 session_bus_type:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_send_session_bus'($*)) dnl
')

########################################
##
## Read dbus configuration.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_read_config'($*)) dnl
	gen_require(`
		type dbusd_etc_t;
	')

	allow $1 dbusd_etc_t:dir list_dir_perms;
	allow $1 dbusd_etc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_read_config'($*)) dnl
')

########################################
##
## Watch dbus configuration.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_watch_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_watch_config'($*)) dnl
	gen_require(`
		type dbusd_etc_t;
	')

	# Directory watch only (e.g. inotify); reading is dbus_read_config().
	allow $1 dbusd_etc_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_watch_config'($*)) dnl
')

########################################
##
## Read system dbus lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_read_lib_files'($*)) dnl
	gen_require(`
		type system_dbusd_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
	read_lnk_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_read_lib_files'($*)) dnl
')

########################################
##
## Create, read, write, and delete
## system dbus lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_manage_lib_files'($*)) dnl
	gen_require(`
		type system_dbusd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_manage_lib_files'($*)) dnl
')

########################################
##
## Connect to the session DBUS
## for service (acquire_svc).
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_connect_session_bus',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_connect_session_bus'($*)) dnl
	gen_require(`
		attribute session_bus_type;
		class dbus acquire_svc;
	')

	# acquire_svc lets $1 own a well-known name on any session bus.
	allow $1 session_bus_type:dbus acquire_svc;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_connect_session_bus'($*)) dnl
')

########################################
##
## Allow an application domain to be started
## by the session dbus.
##
##
##
## User domain prefix to be used.
##
##
##
##
##
## Type to be used as a domain.
##
##
##
##
##
## Type of the program to be used as an
## entry point to this domain.
##
##
#
define(`dbus_session_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_session_domain'($*)) dnl
	gen_require(`
		type $1_dbusd_t;
	')

	# The $1 session bus daemon executing $2 transitions into $3; $3 is
	# then made a session bus client that may acquire service names.
	domtrans_pattern($1_dbusd_t, $2, $3)

	dbus_session_bus_client($3)
	dbus_connect_session_bus($3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_session_domain'($*)) dnl
')

########################################
##
## Connect to the system DBUS
## for service (acquire_svc).
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_connect_system_bus',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_connect_system_bus'($*)) dnl
	gen_require(`
		type system_dbusd_t;
		class dbus acquire_svc;
	')

	# acquire_svc lets $1 own a well-known name on the system bus.
	allow $1 system_dbusd_t:dbus acquire_svc;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_connect_system_bus'($*)) dnl
')

########################################
##
## Send a message on the system DBUS.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_send_system_bus',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_send_system_bus'($*)) dnl
	gen_require(`
		type system_dbusd_t;
		class dbus send_msg;
	')

	# One-way: $1 -> system bus daemon only.
	allow $1 system_dbusd_t:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_send_system_bus'($*)) dnl
')

########################################
##
## Allow unconfined access to the system DBUS.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_system_bus_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_system_bus_unconfined'($*)) dnl
	gen_require(`
		type system_dbusd_t;
		class dbus all_dbus_perms;
	')

	# "*" grants every permission in the dbus class towards the system
	# bus daemon; reserve this for domains that are unconfined by design.
	allow $1 system_dbusd_t:dbus *;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_system_bus_unconfined'($*)) dnl
')

########################################
##
## Create a domain for processes
## which can be started by the system dbus
##
##
##
## Type to be used as a domain.
##
##
##
##
##
## Type of the program to be used as an entry point to this domain.
##
##
#
define(`dbus_system_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_system_domain'($*)) dnl
	gen_require(`
		attribute system_bus_type;
		type system_dbusd_t;
		role system_r;
	')

	# Declare $1 as a domain with $2 as its entry point, then let the
	# system bus daemon transition into it and inspect it.
	typeattribute $1 system_bus_type;

	domain_type($1)
	domain_entry_file($1, $2)

	domtrans_pattern(system_dbusd_t, $2, $1)
	init_system_domain($1, $2)

	ps_process_pattern($1, system_dbusd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_system_domain'($*)) dnl
')

########################################
##
## Use and inherit system DBUS file descriptors.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_use_system_bus_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_use_system_bus_fds'($*)) dnl
	gen_require(`
		type system_dbusd_t;
	')

	allow $1 system_dbusd_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_use_system_bus_fds'($*)) dnl
')

########################################
##
## Allow unconfined access to the system DBUS.
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_unconfined'($*)) dnl
	gen_require(`
		attribute dbusd_unconfined;
	')

	# Adds $1 to the dbusd_unconfined attribute, which other interfaces
	# in this file grant send_msg/acquire_svc towards bus clients.
	typeattribute $1 dbusd_unconfined;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_unconfined'($*)) dnl
')

########################################
##
## Delete all dbus pid files
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_delete_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_delete_pid_files'($*)) dnl
	gen_require(`
		type system_dbusd_var_run_t;
	')

	files_search_pids($1)
	delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_delete_pid_files'($*)) dnl
')

########################################
##
## Read all dbus pid files
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_read_pid_files'($*)) dnl
	gen_require(`
		type system_dbusd_var_run_t;
	')

	files_search_pids($1)
	list_dirs_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
	read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_read_pid_files'($*)) dnl
')

########################################
##
## Read all dbus pid socket files
##
##
##
## Domain allowed access.
##
##
#
define(`dbus_read_pid_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_read_pid_sock_files'($*)) dnl
	gen_require(`
		type system_dbusd_var_run_t;
	')

	# Like dbus_read_pid_files() but for the sock_file class.
	files_search_pids($1)
	list_dirs_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
	read_sock_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_read_pid_sock_files'($*)) dnl
')

########################################
##
## Watch system dbus pid socket files
##
##
##
## Domain allowed access.
##	</summary>
## </param>
#
define(`dbus_watch_pid_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_watch_pid_sock_files'($*)) dnl
	gen_require(`
		type system_dbusd_var_run_t;
	')

	files_search_pids($1)
	allow $1 system_dbusd_var_run_t:sock_file watch_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_watch_pid_sock_files'($*)) dnl
')

########################################
## <summary>
##	Watch the system dbus pid directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dbus_watch_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_watch_pid_dirs'($*)) dnl
	gen_require(`
		type system_dbusd_var_run_t;
	')

	files_search_pids($1)
	allow $1 system_dbusd_var_run_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_watch_pid_dirs'($*)) dnl
')

########################################
## <summary>
##	Read and write system dbus tmp socket files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dbus_rw_tmp_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_rw_tmp_sock_files'($*)) dnl
	gen_require(`
		type system_dbusd_tmp_t;
	')

	rw_sock_files_pattern($1, system_dbusd_tmp_t, system_dbusd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_rw_tmp_sock_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to connect to
##	session bus types with a unix
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dbus_dontaudit_stream_connect_session_bus',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_dontaudit_stream_connect_session_bus'($*)) dnl
	gen_require(`
		attribute session_bus_type;
	')

	dontaudit $1 session_bus_type:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_dontaudit_stream_connect_session_bus'($*)) dnl
')

########################################
## <summary>
##	Allow attempts to connect to
##	session bus types with a unix
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dbus_stream_connect_session_bus',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_stream_connect_session_bus'($*)) dnl
	gen_require(`
		attribute session_bus_type;
	')

	allow $1 session_bus_type:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_stream_connect_session_bus'($*)) dnl
')

########################################
## <summary>
##	Send and receive dbus messages
##	to and from session bus types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dbus_chat_session_bus',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_chat_session_bus'($*)) dnl
	gen_require(`
		attribute session_bus_type;
		class dbus send_msg;
	')

	# bidirectional: the bus types may also message $1
	allow $1 session_bus_type:dbus send_msg;
	allow session_bus_type $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_chat_session_bus'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send dbus
##	messages to session bus types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dbus_dontaudit_chat_session_bus',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_dontaudit_chat_session_bus'($*)) dnl
	gen_require(`
		attribute session_bus_type;
		class dbus send_msg;
	')

	dontaudit $1 session_bus_type:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_dontaudit_chat_session_bus'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send dbus
##	messages to or from system bus types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dbus_dontaudit_chat_system_bus',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_dontaudit_chat_system_bus'($*)) dnl
	gen_require(`
		attribute system_bus_type;
		class dbus send_msg;
	')

	dontaudit $1 system_bus_type:dbus send_msg;
	dontaudit system_bus_type $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_dontaudit_chat_system_bus'($*)) dnl
')

########################################
## <summary>
##	Allow attempts to connect to the
##	system dbusd with a unix
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dbus_stream_connect_system_dbusd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_stream_connect_system_dbusd'($*)) dnl
	gen_require(`
		type system_dbusd_t;
	')

	allow $1 system_dbusd_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_stream_connect_system_dbusd'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to connect to the
##	system dbusd with a unix stream socket,
##	or to write its socket files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dbus_dontaudit_stream_connect_system_dbusd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_dontaudit_stream_connect_system_dbusd'($*)) dnl
	gen_require(`
		type system_dbusd_t;
		type system_dbusd_var_run_t;
	')

	dontaudit $1 system_dbusd_t:unix_stream_socket connectto;
	dontaudit $1 system_dbusd_t:sock_file write;
	dontaudit $1 system_dbusd_var_run_t:sock_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_dontaudit_stream_connect_system_dbusd'($*)) dnl
')

########################################
## <summary>
##	Send and receive dbus messages
##	to and from system bus types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dbus_chat_system_bus',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_chat_system_bus'($*)) dnl
	gen_require(`
		attribute system_bus_type;
		class dbus send_msg;
	')

	# bidirectional: the bus types may also message $1
	allow $1 system_bus_type:dbus send_msg;
	allow system_bus_type $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_chat_system_bus'($*)) dnl
')

########################################
## <summary>
##	Transition to dbus named content
##	(the "ibus" directory created in var).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dbus_filetrans_named_content_system',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_filetrans_named_content_system'($*)) dnl
	gen_require(`
		type system_dbusd_var_lib_t;
	')

	files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_filetrans_named_content_system'($*)) dnl
')

########################################
## <summary>
##	Acquire a service name on the
##	system dbusd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dbus_acquire_svc_system_dbusd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_acquire_svc_system_dbusd'($*)) dnl
	gen_require(`
		type system_dbusd_t;
		class dbus acquire_svc;
	')

	allow $1 system_dbusd_t:dbus acquire_svc;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_acquire_svc_system_dbusd'($*)) dnl
')

########################################
## <summary>
##	Send a generic signal to the system dbusd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dbus_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_signal'($*)) dnl
	gen_require(`
		type system_dbusd_t;
	')

	allow $1 system_dbusd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_signal'($*)) dnl
')

########################################
## <summary>
##	Manage session_dbusd tmp dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dbus_manage_session_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_manage_session_tmp_dirs'($*)) dnl
	gen_require(`
		type session_dbusd_tmp_t;
	')

	manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_manage_session_tmp_dirs'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage dbus services.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dbus_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dbus_systemctl'($*)) dnl
	gen_require(`
		type dbusd_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 dbusd_unit_file_t:file read_file_perms;
	allow $1 dbusd_unit_file_t:service manage_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dbus_systemctl'($*)) dnl
')

## <summary>Distributed checksum clearinghouse spam filtering.</summary>

########################################
## <summary>
##	Execute cdcc in the cdcc domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`dcc_domtrans_cdcc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dcc_domtrans_cdcc'($*)) dnl
	gen_require(`
		type cdcc_t, cdcc_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, cdcc_exec_t, cdcc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dcc_domtrans_cdcc'($*)) dnl
')

########################################
## <summary>
##	Execute cdcc in the cdcc domain, and
##	allow the specified role the
##	cdcc domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`dcc_run_cdcc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dcc_run_cdcc'($*)) dnl
	gen_require(`
		attribute_role cdcc_roles;
	')

	dcc_domtrans_cdcc($1)
	roleattribute $2 cdcc_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dcc_run_cdcc'($*)) dnl
')

########################################
## <summary>
##	Execute dcc client in the dcc
##	client domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`dcc_domtrans_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dcc_domtrans_client'($*)) dnl
	gen_require(`
		type dcc_client_t, dcc_client_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, dcc_client_exec_t, dcc_client_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dcc_domtrans_client'($*)) dnl
')

########################################
## <summary>
##	Send generic signals to dcc client.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dcc_signal_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dcc_signal_client'($*)) dnl
	gen_require(`
		type dcc_client_t;
	')

	allow $1 dcc_client_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dcc_signal_client'($*)) dnl
')

########################################
## <summary>
##	Execute dcc client in the dcc
##	client domain, and allow the
##	specified role the dcc client domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`dcc_run_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dcc_run_client'($*)) dnl
	gen_require(`
		attribute_role dcc_client_roles;
	')

	dcc_domtrans_client($1)
	roleattribute $2 dcc_client_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dcc_run_client'($*)) dnl
')

########################################
## <summary>
##	Execute dbclean in the dcc dbclean domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`dcc_domtrans_dbclean',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dcc_domtrans_dbclean'($*)) dnl
	gen_require(`
		type dcc_dbclean_t, dcc_dbclean_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, dcc_dbclean_exec_t, dcc_dbclean_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dcc_domtrans_dbclean'($*)) dnl
')

########################################
## <summary>
##	Execute dbclean in the dcc dbclean
##	domain, and allow the specified
##	role the dcc dbclean domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`dcc_run_dbclean',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dcc_run_dbclean'($*)) dnl
	gen_require(`
		attribute_role dcc_dbclean_roles;
	')

	dcc_domtrans_dbclean($1)
	roleattribute $2 dcc_dbclean_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dcc_run_dbclean'($*)) dnl
')

########################################
## <summary>
##	Connect to dccifd over a unix
##	domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dcc_stream_connect_dccifd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dcc_stream_connect_dccifd'($*)) dnl
	gen_require(`
		type dcc_var_t, dccifd_var_run_t, dccifd_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dcc_stream_connect_dccifd'($*)) dnl
')

## <summary>Update dynamic IP address at DynDNS.org.</summary>

########################################
## <summary>
##	Execute ddclient in the ddclient domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ddclient_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ddclient_domtrans'($*)) dnl
	gen_require(`
		type ddclient_t, ddclient_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, ddclient_exec_t, ddclient_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ddclient_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute ddclient in the ddclient
##	domain, and allow the specified
##	role the ddclient domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`ddclient_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ddclient_run'($*)) dnl
	gen_require(`
		attribute_role ddclient_roles;
	')

	ddclient_domtrans($1)
	roleattribute $2 ddclient_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ddclient_run'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a ddclient environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`ddclient_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ddclient_admin'($*)) dnl
	gen_require(`
		type ddclient_t, ddclient_etc_t, ddclient_log_t;
		type ddclient_var_t, ddclient_var_lib_t, ddclient_tmp_t;
		type ddclient_var_run_t, ddclient_initrc_exec_t;
	')

	allow $1 ddclient_t:process signal_perms;
	ps_process_pattern($1, ddclient_t)

	# ptrace is granted only while the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 ddclient_t:process ptrace;
	')

	init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 ddclient_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, ddclient_etc_t)

	logging_list_logs($1)
	admin_pattern($1, ddclient_log_t)

	files_list_var($1)
	admin_pattern($1, ddclient_var_t)

	files_list_var_lib($1)
	admin_pattern($1, ddclient_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, ddclient_var_run_t)

	files_list_tmp($1)
	admin_pattern($1, ddclient_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ddclient_admin'($*)) dnl
')

## <summary>ddcprobe retrieves monitor and graphics card information.</summary>

########################################
## <summary>
##	Execute ddcprobe in the ddcprobe domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ddcprobe_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ddcprobe_domtrans'($*)) dnl
	gen_require(`
		type ddcprobe_t, ddcprobe_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, ddcprobe_exec_t, ddcprobe_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ddcprobe_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute ddcprobe in the ddcprobe
##	domain, and allow the specified
##	role the ddcprobe domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`ddcprobe_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ddcprobe_run'($*)) dnl
	gen_require(`
		attribute_role ddcprobe_roles;
	')

	ddcprobe_domtrans($1)
	roleattribute $2 ddcprobe_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ddcprobe_run'($*)) dnl
')

## <summary>SSH dictionary attack mitigation.</summary>

########################################
## <summary>
##	Execute a domain transition to run denyhosts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`denyhosts_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `denyhosts_domtrans'($*)) dnl
	gen_require(`
		type denyhosts_t, denyhosts_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, denyhosts_exec_t, denyhosts_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `denyhosts_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute the denyhosts init script in
##	the init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`denyhosts_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `denyhosts_initrc_domtrans'($*)) dnl
	gen_require(`
		type denyhosts_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, denyhosts_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `denyhosts_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a denyhosts environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`denyhosts_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `denyhosts_admin'($*)) dnl
	gen_require(`
		type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
		type denyhosts_var_log_t, denyhosts_initrc_exec_t;
	')

	allow $1 denyhosts_t:process signal_perms;
	ps_process_pattern($1, denyhosts_t)

	# ptrace is granted only while the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 denyhosts_t:process ptrace;
	')

	denyhosts_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 denyhosts_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_var_lib($1)
	admin_pattern($1, denyhosts_var_lib_t)

	logging_list_logs($1)
	admin_pattern($1, denyhosts_var_log_t)

	files_list_locks($1)
	admin_pattern($1, denyhosts_var_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `denyhosts_admin'($*)) dnl
')

## <summary>Devicekit modular hardware abstraction layer</summary>

########################################
## <summary>
##	Execute a domain transition to run devicekit.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`devicekit_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_domtrans'($*)) dnl
	gen_require(`
		type devicekit_t, devicekit_exec_t;
	')

	domtrans_pattern($1, devicekit_exec_t, devicekit_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run devicekit_disk.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`devicekit_domtrans_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_domtrans_disk'($*)) dnl
	gen_require(`
		type devicekit_disk_t, devicekit_disk_exec_t;
	')

	domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_domtrans_disk'($*)) dnl
')

########################################
## <summary>
##	Send to devicekit over a unix domain
##	datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`devicekit_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_dgram_send'($*)) dnl
	gen_require(`
		type devicekit_t;
	')

	allow $1 devicekit_t:unix_dgram_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_dgram_send'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	devicekit over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`devicekit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_dbus_chat'($*)) dnl
	gen_require(`
		type devicekit_t;
		class dbus send_msg;
	')

	allow $1 devicekit_t:dbus send_msg;
	allow devicekit_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	devicekit disk over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`devicekit_dbus_chat_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_dbus_chat_disk'($*)) dnl
	gen_require(`
		type devicekit_disk_t;
		class dbus send_msg;
	')

	allow $1 devicekit_disk_t:dbus send_msg;
	allow devicekit_disk_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_dbus_chat_disk'($*)) dnl
')

########################################
## <summary>
##	Use file descriptors for devicekit_disk.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`devicekit_use_fds_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_use_fds_disk'($*)) dnl
	gen_require(`
		type devicekit_disk_t;
	')

	allow $1 devicekit_disk_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_use_fds_disk'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	messages from devicekit disk over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`devicekit_dontaudit_dbus_chat_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_dontaudit_dbus_chat_disk'($*)) dnl
	gen_require(`
		type devicekit_disk_t;
		class dbus send_msg;
	')

	dontaudit $1 devicekit_disk_t:dbus send_msg;
	dontaudit devicekit_disk_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_dontaudit_dbus_chat_disk'($*)) dnl
')

########################################
## <summary>
##	Send a generic signal to devicekit power.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`devicekit_signal_power',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_signal_power'($*)) dnl
	gen_require(`
		type devicekit_power_t;
	')

	allow $1 devicekit_power_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_signal_power'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	devicekit power over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`devicekit_dbus_chat_power',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_dbus_chat_power'($*)) dnl
	gen_require(`
		type devicekit_power_t;
		class dbus send_msg;
	')

	allow $1 devicekit_power_t:dbus send_msg;
	allow devicekit_power_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_dbus_chat_power'($*)) dnl
')

########################################
## <summary>
##	Use and inherit devicekit power
##	file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`devicekit_use_fds_power',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_use_fds_power'($*)) dnl
	gen_require(`
		type devicekit_power_t;
	')

	allow $1 devicekit_power_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_use_fds_power'($*)) dnl
')

########################################
## <summary>
##	Append inherited devicekit log files,
##	using devicekit power file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`devicekit_append_inherited_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_append_inherited_log_files'($*)) dnl
	gen_require(`
		type devicekit_var_log_t;
	')

	logging_search_logs($1)
	allow $1 devicekit_var_log_t:file append_inherited_file_perms;

	# the inherited descriptors come from devicekit power
	devicekit_use_fds_power($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_append_inherited_log_files'($*)) dnl
')

########################################
## <summary>
##	Read devicekit log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`devicekit_read_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_read_log_files'($*)) dnl
	gen_require(`
		type devicekit_var_log_t;
	')

	logging_search_logs($1)
	allow $1 devicekit_var_log_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_read_log_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	the devicekit log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`devicekit_dontaudit_rw_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_dontaudit_rw_log'($*)) dnl
	gen_require(`
		type devicekit_var_log_t;
	')

	dontaudit $1 devicekit_var_log_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_dontaudit_rw_log'($*)) dnl
')

########################################
## <summary>
##	Allow the domain to read devicekit_power state files in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`devicekit_read_state_power',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_read_state_power'($*)) dnl
	gen_require(`
		type devicekit_power_t;
	')

	kernel_search_proc($1)
	ps_process_pattern($1, devicekit_power_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_read_state_power'($*)) dnl
')

########################################
## <summary>
##	Read devicekit PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`devicekit_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_read_pid_files'($*)) dnl
	gen_require(`
		type devicekit_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read
##	inherited devicekit PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`devicekit_dontaudit_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_dontaudit_read_pid_files'($*)) dnl
	gen_require(`
		type devicekit_var_run_t;
	')

	dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_dontaudit_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Manage devicekit PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`devicekit_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_manage_pid_files'($*)) dnl
	gen_require(`
		type devicekit_var_run_t;
	')

	files_search_pids($1)
	manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
	manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
	files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_manage_pid_files'($*)) dnl
')

########################################
## <summary>
##	Relabel devicekit log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`devicekit_relabel_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_relabel_log_files'($*)) dnl
	gen_require(`
		type devicekit_var_log_t;
	')

	logging_search_logs($1)
	relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_relabel_log_files'($*)) dnl
')

########################################
## <summary>
##	Manage devicekit log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`devicekit_manage_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_manage_log_files'($*)) dnl
	gen_require(`
		type devicekit_var_log_t;
	')

	logging_search_logs($1)
	manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
	# no named file transitions here; callers that need
	# pm-powersave.log / pm-suspend.log labeled on creation
	# use devicekit_filetrans_named_content() instead
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_manage_log_files'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a devicekit environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`devicekit_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_admin'($*)) dnl
	gen_require(`
		type devicekit_t, devicekit_disk_t, devicekit_power_t;
		type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
	')

	allow $1 devicekit_t:process signal_perms;
	ps_process_pattern($1, devicekit_t)

	# ptrace of all three daemons is granted only while
	# the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 devicekit_t:process ptrace;
		allow $1 devicekit_disk_t:process ptrace;
		allow $1 devicekit_power_t:process ptrace;
	')

	allow $1 devicekit_disk_t:process signal_perms;
	ps_process_pattern($1, devicekit_disk_t)

	allow $1 devicekit_power_t:process signal_perms;
	ps_process_pattern($1, devicekit_power_t)

	admin_pattern($1, devicekit_tmp_t)
	files_list_tmp($1)

	admin_pattern($1, devicekit_var_lib_t)
	files_list_var_lib($1)

	admin_pattern($1, devicekit_var_run_t)
	files_list_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_admin'($*)) dnl
')

########################################
## <summary>
##	Transition to devicekit named content
##	(the pm-utils pid directory and the
##	pm-powersave.log / pm-suspend.log files).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`devicekit_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_filetrans_named_content'($*)) dnl
	gen_require(`
		type devicekit_var_run_t, devicekit_var_log_t;
	')

	files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
	logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_filetrans_named_content'($*)) dnl
')

########################################
## <summary>
##	Mount on the devicekit lib directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`devicekit_mounton_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `devicekit_mounton_var_lib'($*)) dnl
	gen_require(`
		type devicekit_var_lib_t;
	')

	allow $1 devicekit_var_lib_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `devicekit_mounton_var_lib'($*)) dnl
')

## <summary>Dynamic host configuration protocol server.</summary>

########################################
## <summary>
##	Execute a domain transition to run dhcpd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`dhcpd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dhcpd_domtrans'($*)) dnl
	gen_require(`
		type dhcpd_t, dhcpd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, dhcpd_exec_t, dhcpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dhcpd_domtrans'($*)) dnl
')

########################################
## <summary>
##	Set attributes of dhcpd server
##	state files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dhcpd_setattr_state_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dhcpd_setattr_state_files'($*)) dnl
	gen_require(`
		type dhcpd_state_t;
	')

	sysnet_search_dhcp_state($1)
	allow $1 dhcpd_state_t:file setattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dhcpd_setattr_state_files'($*)) dnl
')

########################################
## <summary>
##	Execute the dhcpd init script in
##	the init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##
##
#
#
define(`dhcpd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dhcpd_initrc_domtrans'($*)) dnl
	gen_require(`
		type dhcpd_initrc_exec_t;
	')

	# Transition into the init script domain via the labeled script.
	init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dhcpd_initrc_domtrans'($*)) dnl
')

########################################
##
## Manage the dhcpd service with systemctl.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dhcpd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dhcpd_systemctl'($*)) dnl
	gen_require(`
		type dhcpd_t;
		type dhcpd_unit_file_t;
	')

	# Read the unit file and control the service it describes.
	allow $1 dhcpd_unit_file_t:file read_file_perms;
	allow $1 dhcpd_unit_file_t:service manage_service_perms;

	systemd_exec_systemctl($1)
	systemd_search_unit_dirs($1)
	init_reload_services($1)

	# Let the caller inspect the running dhcpd process.
	ps_process_pattern($1, dhcpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dhcpd_systemctl'($*)) dnl
')

########################################
##
## All of the rules required to
## administrate a dhcpd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`dhcpd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dhcpd_admin'($*)) dnl
	gen_require(`
		type dhcpd_t;
		type dhcpd_tmp_t;
		type dhcpd_state_t;
		type dhcpd_var_run_t;
		type dhcpd_initrc_exec_t;
		type dhcpd_unit_file_t;
	')

	allow $1 dhcpd_t:process signal_perms;
	ps_process_pattern($1, dhcpd_t)

	# ptrace is granted only while the deny_ptrace boolean is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 dhcpd_t:process ptrace;
	')

	# Run the init script with a transition into the system role.
	init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 dhcpd_initrc_exec_t system_r;
	allow $2 system_r;

	admin_pattern($1, dhcpd_tmp_t)
	files_list_tmp($1)

	admin_pattern($1, dhcpd_state_t)
	files_list_var_lib($1)

	admin_pattern($1, dhcpd_var_run_t)
	files_list_pids($1)

	# systemd unit: read/manage plus every service permission.
	dhcpd_systemctl($1)
	admin_pattern($1, dhcpd_unit_file_t)
	allow $1 dhcpd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dhcpd_admin'($*)) dnl
')

## Dictionary daemon.

########################################
##
## Use dictionary services by connecting
## over TCP. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`dictd_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dictd_tcp_connect'($*)) dnl
	# Deprecated: emits a build-time warning and grants no access.
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dictd_tcp_connect'($*)) dnl
')

########################################
##
## All of the rules required to
## administrate a dictd environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`dictd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dictd_admin'($*)) dnl
	gen_require(`
		type dictd_t;
		type dictd_etc_t;
		type dictd_var_lib_t;
		type dictd_var_run_t;
		type dictd_initrc_exec_t;
	')

	allow $1 dictd_t:process signal_perms;
	ps_process_pattern($1, dictd_t)

	# ptrace is granted only while the deny_ptrace boolean is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 dictd_t:process ptrace;
	')

	# Run the init script with a transition into the system role.
	init_labeled_script_domtrans($1, dictd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 dictd_initrc_exec_t system_r;
	allow $2 system_r;

	admin_pattern($1, dictd_etc_t)
	files_list_etc($1)

	admin_pattern($1, dictd_var_lib_t)
	files_list_var_lib($1)

	admin_pattern($1, dictd_var_run_t)
	files_list_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dictd_admin'($*)) dnl
')

## Server for managing and downloading certificate revocation lists.

########################################
##
## All of the rules required to
## administrate a dirmngr environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`dirmngr_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirmngr_admin'($*)) dnl
	gen_require(`
		type dirmngr_t;
		type dirmngr_initrc_exec_t;
		type dirmngr_conf_t;
		type dirmngr_log_t;
		type dirmngr_var_lib_t;
		type dirmngr_var_run_t;
	')

	# ptrace is unconditional here, unlike the admin interfaces in this
	# file that gate it on the deny_ptrace boolean.
	allow $1 dirmngr_t:process signal_perms;
	allow $1 dirmngr_t:process ptrace;
	ps_process_pattern($1, dirmngr_t)

	# Run the init script with a transition into the system role.
	init_labeled_script_domtrans($1, dirmngr_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 dirmngr_initrc_exec_t system_r;
	allow $2 system_r;

	admin_pattern($1, dirmngr_conf_t)
	files_search_etc($1)

	admin_pattern($1, dirmngr_log_t)
	logging_search_logs($1)

	admin_pattern($1, dirmngr_var_run_t)
	files_search_pids($1)

	admin_pattern($1, dirmngr_var_lib_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirmngr_admin'($*)) dnl
')

## Administration Server for Directory Server, dirsrv-admin.

########################################
##
## Exec dirsrv-admin programs.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrvadmin_run_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrvadmin_run_exec'($*)) dnl
	gen_require(`
		type dirsrvadmin_exec_t;
	')

	# Execute in the caller domain: no domain transition takes place.
	can_exec($1, dirsrvadmin_exec_t)
	allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrvadmin_run_exec'($*)) dnl
')

########################################
##
## Exec cgi programs.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrvadmin_run_script_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrvadmin_run_script_exec'($*)) dnl
	gen_require(`
		type dirsrvadmin_script_exec_t;
	')

	# Execute in the caller domain: no domain transition takes place.
	can_exec($1, dirsrvadmin_script_exec_t)
	allow $1 dirsrvadmin_script_exec_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrvadmin_run_script_exec'($*)) dnl
')

########################################
##
## Read dirsrv-adminserver configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrvadmin_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrvadmin_read_config'($*)) dnl
	gen_require(`
		type dirsrvadmin_config_t;
	')

	# Read-only; see dirsrvadmin_manage_config for write access.
	read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrvadmin_read_config'($*)) dnl
')

########################################
##
## Manage dirsrv-adminserver configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrvadmin_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrvadmin_manage_config'($*)) dnl
	gen_require(`
		type dirsrvadmin_config_t;
	')

	# Create, read, write and delete the config directory and files.
	allow $1 dirsrvadmin_config_t:file manage_file_perms;
	allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrvadmin_manage_config'($*)) dnl
')

#######################################
##
## Read dirsrv-adminserver tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrvadmin_read_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrvadmin_read_tmp'($*)) dnl
	gen_require(`
		type dirsrvadmin_tmp_t;
	')

	# Read-only; see dirsrvadmin_manage_tmp for write access.
	read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrvadmin_read_tmp'($*)) dnl
')

########################################
##
## Manage dirsrv-adminserver tmp files.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrvadmin_manage_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrvadmin_manage_tmp'($*)) dnl
	gen_require(`
		type dirsrvadmin_tmp_t;
	')

	# Directories and files under the tmp type.
	manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
	manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrvadmin_manage_tmp'($*)) dnl
')

########################################
##
## Manage the dirsrv-admin service with systemctl.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dirsrvadmin_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrvadmin_systemctl'($*)) dnl
	gen_require(`
		type dirsrvadmin_t;
		type dirsrvadmin_unit_file_t;
	')

	# Read the unit file and control the service it describes.
	allow $1 dirsrvadmin_unit_file_t:file read_file_perms;
	allow $1 dirsrvadmin_unit_file_t:service manage_service_perms;

	systemd_exec_systemctl($1)
	init_reload_services($1)

	# Let the caller inspect the running dirsrv-admin process.
	ps_process_pattern($1, dirsrvadmin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrvadmin_systemctl'($*)) dnl
')

#######################################
##
## Execute admin cgi programs in the
## dirsrvadmin unconfined script domain.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrvadmin_domtrans_unconfined_script_t',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrvadmin_domtrans_unconfined_script_t'($*)) dnl
	gen_require(`
		type dirsrvadmin_unconfined_script_t;
		type dirsrvadmin_unconfined_script_exec_t;
	')

	# The target domain is named unconfined; confirm its actual
	# confinement before handing this interface to a broad set of
	# callers.
	domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t)
	allow $1 dirsrvadmin_unconfined_script_t:process signal_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrvadmin_domtrans_unconfined_script_t'($*)) dnl
')

## policy for dirsrv

########################################
##
## Execute a domain transition to run dirsrv.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dirsrv_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_domtrans'($*)) dnl
	gen_require(`
		type dirsrv_t;
		type dirsrv_exec_t;
	')

	domtrans_pattern($1, dirsrv_exec_t, dirsrv_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_domtrans'($*)) dnl
')

########################################
##
## Execute dirsrv in the dirsrv domain, and
## allow the specified role the dirsrv domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
define(`dirsrv_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_run'($*)) dnl
	gen_require(`
		type dirsrv_t;
	')

	# Transition plus role authorization for the target domain.
	role $2 types dirsrv_t;
	dirsrv_domtrans($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_run'($*)) dnl
')

########################################
##
## Allow caller to signal dirsrv.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_signal'($*)) dnl
	gen_require(`
		type dirsrv_t;
	')

	# Generic signals only (not sigkill, sigstop or sigchld).
	allow $1 dirsrv_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_signal'($*)) dnl
')

########################################
##
## Send a null signal to dirsrv.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_signull'($*)) dnl
	gen_require(`
		type dirsrv_t;
	')

	# Existence check via signal 0.
	allow $1 dirsrv_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_signull'($*)) dnl
')

########################################
##
## Manage the dirsrv service with systemctl.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dirsrv_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_systemctl'($*)) dnl
	gen_require(`
		type dirsrv_t;
		type dirsrv_unit_file_t;
	')

	# Read the unit file and control the service it describes.
	allow $1 dirsrv_unit_file_t:file read_file_perms;
	allow $1 dirsrv_unit_file_t:service manage_service_perms;

	systemd_exec_systemctl($1)
	init_reload_services($1)

	# Let the caller inspect the running dirsrv process.
	ps_process_pattern($1, dirsrv_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_systemctl'($*)) dnl
')

#######################################
##
## Allow a domain to manage dirsrv logs.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_manage_log'($*)) dnl
	gen_require(`
		type dirsrv_var_log_t;
	')

	# Log directory, log files and the fifos living there.
	allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms;
	allow $1 dirsrv_var_log_t:file manage_file_perms;
	allow $1 dirsrv_var_log_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_manage_log'($*)) dnl
')

#######################################
##
## Allow a domain to manage dirsrv /var/lib files.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_manage_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_manage_var_lib'($*)) dnl
	gen_require(`
		type dirsrv_var_lib_t;
	')

	allow $1 dirsrv_var_lib_t:file manage_file_perms;
	allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_manage_var_lib'($*)) dnl
')

########################################
##
## Connect to dirsrv over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_stream_connect'($*)) dnl
	gen_require(`
		type dirsrv_t;
		type dirsrv_var_run_t;
	')

	# The socket file lives under the pid directory.
	stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_stream_connect'($*)) dnl
')

#######################################
##
## Allow a domain to manage dirsrv /var/run files.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_manage_var_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_manage_var_run'($*)) dnl
	gen_require(`
		type dirsrv_var_run_t;
	')

	allow $1 dirsrv_var_run_t:dir manage_dir_perms;
	allow $1 dirsrv_var_run_t:file manage_file_perms;
	# NOTE(review): the sock_file rule uses the file permission set
	# rather than manage_sock_file_perms; kept as-is, confirm intended.
	allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_manage_var_run'($*)) dnl
')

######################################
##
## Allow a domain to create dirsrv pid directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_pid_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_pid_filetrans'($*)) dnl
	gen_require(`
		type dirsrv_var_run_t;
	')

	# Allow creating a dir in /var/run with this type
	files_pid_filetrans($1, dirsrv_var_run_t, dir)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_pid_filetrans'($*)) dnl
')

#######################################
##
## Allow a domain to read dirsrv /var/run files.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_read_var_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_read_var_run'($*)) dnl
	gen_require(`
		type dirsrv_var_run_t;
	')

	# List the directory and read the files; no write access.
	allow $1 dirsrv_var_run_t:file read_file_perms;
	allow $1 dirsrv_var_run_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_read_var_run'($*)) dnl
')

########################################
##
## Manage dirsrv configuration files.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_manage_config'($*)) dnl
	gen_require(`
		type dirsrv_config_t;
	')

	allow $1 dirsrv_config_t:file manage_file_perms;
	allow $1 dirsrv_config_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_manage_config'($*)) dnl
')

########################################
##
## Read dirsrv share files.
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_read_share',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_read_share'($*)) dnl
	gen_require(`
		type dirsrv_share_t;
	')

	# Files may also be mmapped (map), e.g. for shared libraries or data.
	allow $1 dirsrv_share_t:lnk_file read;
	allow $1 dirsrv_share_t:file { map read_file_perms };
	allow $1 dirsrv_share_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_read_share'($*)) dnl
')

########################################
##
## Allow dirsrv noatsecure
##
##
##
## Domain allowed access.
##
##
#
define(`dirsrv_noatsecure',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dirsrv_noatsecure'($*)) dnl
	gen_require(`
		type dirsrv_t;
	')

	# Lets the dynamic loader skip secure-exec handling on transition.
	allow $1 dirsrv_t:process noatsecure;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dirsrv_noatsecure'($*)) dnl
')

## Distributed compiler daemon.

########################################
##
## All of the rules required to
## administrate a distcc environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.
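##
##
##
#
define(`distcc_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `distcc_admin'($*)) dnl
	gen_require(`
		type distccd_t, distccd_log_t, distccd_var_run_t;
		type distccd_tmp_t, distccd_initrc_exec_t;
	')

	# ptrace is unconditional here, unlike the admin interfaces in this
	# file that gate it on the deny_ptrace boolean.
	allow $1 distccd_t:process { ptrace signal_perms };
	ps_process_pattern($1, distccd_t)

	# Run the init script with a transition into the system role.
	init_labeled_script_domtrans($1, distccd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 distccd_initrc_exec_t system_r;
	allow $2 system_r;

	logging_search_logs($1)
	admin_pattern($1, distccd_log_t)

	files_search_tmp($1)
	admin_pattern($1, distccd_tmp_t)

	files_search_pids($1)
	admin_pattern($1, distccd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `distcc_admin'($*)) dnl
')

## Small and secure DNS daemon.

#######################################
##
## The template to define a djbdns domain.
##
##
##
## Domain prefix to be used.
##
##
#
define(`djbdns_daemontools_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `djbdns_daemontools_domain_template'($*)) dnl
	gen_require(`
		attribute djbdns_domain;
	')

	########################################
	#
	# Declarations
	#

	# djbdns_<prefix>_t runs under daemontools with an entry point of
	# djbdns_<prefix>_exec_t and reads a read-only config type.
	type djbdns_$1_t, djbdns_domain;
	type djbdns_$1_exec_t;
	domain_type(djbdns_$1_t)
	domain_entry_file(djbdns_$1_t, djbdns_$1_exec_t)
	role system_r types djbdns_$1_t;

	type djbdns_$1_conf_t;
	files_config_file(djbdns_$1_conf_t)

	########################################
	#
	# Local policy
	#

	daemontools_service_domain(djbdns_$1_t, djbdns_$1_exec_t)
	daemontools_read_svc(djbdns_$1_t)

	allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
	allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;

	# Network: the domain may send/receive on all ports and bind the
	# DNS port as well as any generic UDP port.
	corenet_all_recvfrom_netlabel(djbdns_$1_t)
	corenet_tcp_sendrecv_generic_if(djbdns_$1_t)
	corenet_udp_sendrecv_generic_if(djbdns_$1_t)
	corenet_tcp_sendrecv_generic_node(djbdns_$1_t)
	corenet_udp_sendrecv_generic_node(djbdns_$1_t)
	corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
	corenet_udp_sendrecv_all_ports(djbdns_$1_t)
	corenet_tcp_bind_generic_node(djbdns_$1_t)
	corenet_udp_bind_generic_node(djbdns_$1_t)
	corenet_tcp_bind_dns_port(djbdns_$1_t)
	corenet_udp_bind_dns_port(djbdns_$1_t)
	corenet_udp_bind_generic_port(djbdns_$1_t)
	corenet_sendrecv_dns_server_packets(djbdns_$1_t)
	corenet_sendrecv_generic_server_packets(djbdns_$1_t)

	files_search_var(djbdns_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `djbdns_daemontools_domain_template'($*)) dnl
')

#####################################
##
## Search djbdns-tinydns key ring.
##
##
##
## Domain allowed access.
##
##
#
define(`djbdns_search_tinydns_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `djbdns_search_tinydns_keys'($*)) dnl
	gen_require(`
		type djbdns_tinydns_t;
	')

	allow $1 djbdns_tinydns_t:key search;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `djbdns_search_tinydns_keys'($*)) dnl
')

#####################################
##
## Link djbdns-tinydns key ring.
##
##
##
## Domain allowed access.
##
##
#
define(`djbdns_link_tinydns_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `djbdns_link_tinydns_keys'($*)) dnl
	gen_require(`
		type djbdns_tinydns_t;
	')

	# Same key ring type as djbdns_search_tinydns_keys.
	allow $1 djbdns_tinydns_t:key link;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `djbdns_link_tinydns_keys'($*)) dnl
')

## DomainKeys Identified Mail milter.

########################################
##
## All of the rules required to
## administrate a dkim environment.
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.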
##
##
##
#
define(`dkim_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dkim_admin'($*)) dnl
	gen_require(`
		type dkim_milter_t;
		type dkim_milter_initrc_exec_t;
		type dkim_milter_data_t;
		type dkim_milter_private_key_t;
	')

	# ptrace is unconditional here, unlike the admin interfaces in this
	# file that gate it on the deny_ptrace boolean.
	allow $1 dkim_milter_t:process signal_perms;
	allow $1 dkim_milter_t:process ptrace;
	ps_process_pattern($1, dkim_milter_t)

	# Run the init script with a transition into the system role.
	init_labeled_script_domtrans($1, dkim_milter_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 dkim_milter_initrc_exec_t system_r;
	allow $2 system_r;

	# Full access to the signing key type: limit which domains get
	# this interface.
	admin_pattern($1, dkim_milter_private_key_t)
	files_search_etc($1)

	admin_pattern($1, dkim_milter_data_t)
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dkim_admin'($*)) dnl
')

## Decode DMI data for x86/ia64 bioses.

########################################
##
## Execute dmidecode in the dmidecode domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dmidecode_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dmidecode_domtrans'($*)) dnl
	gen_require(`
		type dmidecode_t;
		type dmidecode_exec_t;
	')

	domtrans_pattern($1, dmidecode_exec_t, dmidecode_t)
	corecmd_search_bin($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dmidecode_domtrans'($*)) dnl
')

######################################
##
## Execute dmidecode in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`dmidecode_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dmidecode_exec'($*)) dnl
	gen_require(`
		type dmidecode_exec_t;
	')

	# No transition: dmidecode runs with the privileges of the caller.
	can_exec($1, dmidecode_exec_t)
	corecmd_search_bin($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dmidecode_exec'($*)) dnl
')

########################################
##
## Execute dmidecode in the dmidecode
## domain, and allow the specified
## role the dmidecode domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
##
#
define(`dmidecode_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dmidecode_run'($*)) dnl
	gen_require(`
		attribute_role dmidecode_roles;
	')

	# The role is added to the dmidecode role attribute rather than
	# authorized for the type directly.
	roleattribute $2 dmidecode_roles;
	dmidecode_domtrans($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dmidecode_run'($*)) dnl
')

## DNS forwarder and DHCP server.

########################################
##
## Execute dnsmasq server in the dnsmasq domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dnsmasq_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_domtrans'($*)) dnl
	gen_require(`
		type dnsmasq_t;
		type dnsmasq_exec_t;
	')

	domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
	corecmd_search_bin($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_domtrans'($*)) dnl
')

#######################################
##
## Execute dnsmasq server in the caller domain.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dnsmasq_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_exec'($*)) dnl
	gen_require(`
		type dnsmasq_exec_t;
	')

	# No transition: dnsmasq runs with the privileges of the caller.
	can_exec($1, dnsmasq_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_exec'($*)) dnl
')

########################################
##
## Allow read/write dnsmasq pipes
##
##
##
## Domain allowed access.
##
##
#
define(`dnsmasq_rw_inherited_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_rw_inherited_pipes'($*)) dnl
	gen_require(`
		type dnsmasq_t;
	')

	# Inherited descriptors only: no open permission is granted.
	allow $1 dnsmasq_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_rw_inherited_pipes'($*)) dnl
')

########################################
##
## Execute the dnsmasq init script in
## the init script domain.
##
##
##
## Domain allowed to transition.
##
##
#
#
define(`dnsmasq_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_initrc_domtrans'($*)) dnl
	gen_require(`
		type dnsmasq_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_initrc_domtrans'($*)) dnl
')

########################################
##
## Manage the dnsmasq service with systemctl.
##
##
##
## Domain allowed to transition.
##
##
#
define(`dnsmasq_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_systemctl'($*)) dnl
	gen_require(`
		type dnsmasq_t;
		type dnsmasq_unit_file_t;
	')

	# Read the unit file and control the service it describes.
	allow $1 dnsmasq_unit_file_t:file read_file_perms;
	allow $1 dnsmasq_unit_file_t:service manage_service_perms;

	systemd_exec_systemctl($1)
	init_reload_services($1)

	# Let the caller inspect the running dnsmasq process.
	ps_process_pattern($1, dnsmasq_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_systemctl'($*)) dnl
')

########################################
##
## Send sigchld to dnsmasq.
##
##
##
## Domain allowed access.
##
##
#
#
define(`dnsmasq_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_sigchld'($*)) dnl
	gen_require(`
		type dnsmasq_t;
	')

	allow $1 dnsmasq_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_sigchld'($*)) dnl
')

########################################
##
## Send generic signals to dnsmasq.
##
##
##
## Domain allowed access.
##
##
#
#
define(`dnsmasq_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_signal'($*)) dnl
	gen_require(`
		type dnsmasq_t;
	')

	# Generic signals only (not sigkill, sigstop or sigchld).
	allow $1 dnsmasq_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_signal'($*)) dnl
')

########################################
##
## Send null signals to dnsmasq.
##
##
##
## Domain allowed access.
##
##
#
#
define(`dnsmasq_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_signull'($*)) dnl
	gen_require(`
		type dnsmasq_t;
	')

	# Existence check via signal 0.
	allow $1 dnsmasq_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_signull'($*)) dnl
')

########################################
##
## Send kill signals to dnsmasq.
##
##
##
## Domain allowed access.
##
##
#
#
define(`dnsmasq_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_kill'($*)) dnl
	gen_require(`
		type dnsmasq_t;
	')

	allow $1 dnsmasq_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_kill'($*)) dnl
')

########################################
##
## Read dnsmasq config files.
##
##
##
## Domain allowed access.
##
##
#
define(`dnsmasq_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_read_config'($*)) dnl
	gen_require(`
		type dnsmasq_etc_t;
	')

	# Read-only; see dnsmasq_write_config for write access.
	files_search_etc($1)
	read_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_read_config'($*)) dnl
')

########################################
##
## Write dnsmasq config files.
##
##
##
## Domain allowed access.
##
##
#
define(`dnsmasq_write_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_write_config'($*)) dnl
	gen_require(`
		type dnsmasq_etc_t;
	')

	# Write to existing config files; this does not grant create or
	# unlink on them.
	files_search_etc($1)
	write_files_pattern($1, dnsmasq_etc_t, dnsmasq_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_write_config'($*)) dnl
')

########################################
##
## Delete dnsmasq pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`dnsmasq_delete_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_delete_pid_files'($*)) dnl
	gen_require(`
		type dnsmasq_var_run_t;
	')

	delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_delete_pid_files'($*)) dnl
')

########################################
##
## Create, read, write, and delete
## dnsmasq pid files
##
##
##
## Domain allowed access.
##
##
#
define(`dnsmasq_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_manage_pid_files'($*)) dnl
	gen_require(`
		type dnsmasq_var_run_t;
	')

	manage_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_manage_pid_files'($*)) dnl
')

########################################
##
## Read dnsmasq pid files
##
##
##
## Domain allowed access.
##
##
#
define(`dnsmasq_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_read_pid_files'($*)) dnl
	gen_require(`
		type dnsmasq_var_run_t;
	')

	# Read-only; see dnsmasq_manage_pid_files for write access.
	read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_read_pid_files'($*)) dnl
')

########################################
##
## Create dnsmasq pid directories.
##
##
##
## Domain allowed access.
##
##
#
define(`dnsmasq_create_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_create_pid_dirs'($*)) dnl
	gen_require(`
		type dnsmasq_var_run_t;
	')

	# Directory creation only; files inside need a separate interface.
	allow $1 dnsmasq_var_run_t:dir create_dir_perms;
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_create_pid_dirs'($*)) dnl
')

########################################
##
## Read dnsmasq process state.
##
##
##
## Domain allowed access.
##
##
#
define(`dnsmasq_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_read_state'($*)) dnl
	gen_require(`
		type dnsmasq_t;
	')

	# Read the /proc entries of the running dnsmasq process.
	ps_process_pattern($1, dnsmasq_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_read_state'($*)) dnl
')

########################################
##
## Transition to dnsmasq named content
##
##
##
## Domain allowed access.
##
##
##
##
## The type of the directory for the object to be created.
##
##
#
define(`dnsmasq_filetrans_named_content_fromdir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_filetrans_named_content_fromdir'($*)) dnl
	gen_require(`
		type dnsmasq_var_run_t;
	')

	# Objects with these names created inside a directory of type $2
	# are labeled dnsmasq_var_run_t.
	filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid")
	filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_filetrans_named_content_fromdir'($*)) dnl
')

#######################################
##
## Transition to dnsmasq named content
##
##
##
## Domain allowed access.
##
##
#
define(`dnsmasq_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_filetrans_named_content'($*)) dnl
	gen_require(`
		type dnsmasq_etc_t;
		type dnsmasq_var_run_t;
	')

	# Config under the generic etc directory.
	files_etc_filetrans($1, dnsmasq_etc_t, file, "dnsmasq.conf")
	files_etc_filetrans($1, dnsmasq_etc_t, dir, "dnsmasq.d")

	# Runtime state under the generic pid directory.
	files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
	files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")

	# NOTE(review): "network" is a dir above but a file under the virt
	# pid directory here; confirm the intended object class.
	virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_filetrans_named_content'($*)) dnl
')

########################################
##
## All of the rules required to
## administrate a dnsmasq environment.
##
##
##
## Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`dnsmasq_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_admin'($*)) dnl
	gen_require(`
		type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
		type dnsmasq_var_log_t;
		type dnsmasq_initrc_exec_t;
		type dnsmasq_unit_file_t;
	')

	allow $1 dnsmasq_t:process signal_perms;
	ps_process_pattern($1, dnsmasq_t)

	# ptrace is granted only while the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 dnsmasq_t:process ptrace;
	')

	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 dnsmasq_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_var_lib($1)
	admin_pattern($1, dnsmasq_lease_t)

	logging_search_logs($1)
	admin_pattern($1, dnsmasq_var_log_t)

	files_list_pids($1)
	admin_pattern($1, dnsmasq_var_run_t)

	dnsmasq_systemctl($1)
	admin_pattern($1, dnsmasq_unit_file_t)
	allow $1 dnsmasq_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_admin'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	dnsmasq over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dnsmasq_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnsmasq_dbus_chat'($*)) dnl
	gen_require(`
		type dnsmasq_t;
		class dbus send_msg;
	')

	# bidirectional: both the caller and dnsmasq may send to the other
	allow $1 dnsmasq_t:dbus send_msg;
	allow dnsmasq_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnsmasq_dbus_chat'($*)) dnl
')

## <summary>policy for dnssec_trigger</summary>

########################################
## <summary>
##	Transition to dnssec_trigger.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`dnssec_trigger_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnssec_trigger_domtrans'($*)) dnl
	gen_require(`
		type dnssec_trigger_t, dnssec_trigger_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, dnssec_trigger_exec_t, dnssec_trigger_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnssec_trigger_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read dnssec_trigger PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dnssec_trigger_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnssec_trigger_read_pid_files'($*)) dnl
	gen_require(`
		type dnssec_trigger_var_run_t;
	')

	files_search_pids($1)
	allow $1 dnssec_trigger_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnssec_trigger_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Manage dnssec_trigger PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dnssec_trigger_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnssec_trigger_manage_pid_files'($*)) dnl
	gen_require(`
		type dnssec_trigger_var_run_t;
	')

	files_search_pids($1)
	manage_dirs_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
	manage_files_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
	manage_lnk_files_pattern($1, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnssec_trigger_manage_pid_files'($*)) dnl
')

########################################
## <summary>
##	Send signull to dnssec_trigger.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
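##	</summary>
## </param>
#
#
define(`dnssec_trigger_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnssec_trigger_signull'($*)) dnl
	gen_require(`
		type dnssec_trigger_t;
	')

	allow $1 dnssec_trigger_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnssec_trigger_signull'($*)) dnl
')

########################################
## <summary>
##	Send sigkill to dnssec_trigger.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
#
define(`dnssec_trigger_sigkill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnssec_trigger_sigkill'($*)) dnl
	gen_require(`
		type dnssec_trigger_t;
	')

	allow $1 dnssec_trigger_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnssec_trigger_sigkill'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a dnssec_trigger environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dnssec_trigger_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dnssec_trigger_admin'($*)) dnl
	gen_require(`
		type dnssec_trigger_t;
		type dnssec_trigger_var_run_t;
	')

	allow $1 dnssec_trigger_t:process signal_perms;
	ps_process_pattern($1, dnssec_trigger_t)

	# Gate ptrace behind the deny_ptrace tunable, as the other *_admin
	# interfaces in this file do, instead of granting it unconditionally.
	tunable_policy(`deny_ptrace',`',`
		allow $1 dnssec_trigger_t:process ptrace;
	')

	files_search_pids($1)
	admin_pattern($1, dnssec_trigger_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dnssec_trigger_admin'($*)) dnl
')

## <summary>Dovecot POP and IMAP mail server</summary>

########################################
## <summary>
##	Creates types and rules for a basic
##	dovecot daemon domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.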
##	</summary>
## </param>
#
define(`dovecot_basic_types_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dovecot_basic_types_template'($*)) dnl
	gen_require(`
		attribute dovecot_domain;
	')

	# $1 is a prefix: the template declares $1_t (a dovecot_domain member)
	# and its entrypoint type $1_exec_t.
	type $1_t, dovecot_domain;
	type $1_exec_t;

	kernel_read_system_state($1_t) dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dovecot_basic_types_template'($*)) dnl
')

########################################
## <summary>
##	Connect to dovecot unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dovecot_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dovecot_stream_connect'($*)) dnl
	gen_require(`
		type dovecot_t, dovecot_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dovecot_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Connect to dovecot auth unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dovecot_stream_connect_auth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dovecot_stream_connect_auth'($*)) dnl
	gen_require(`
		type dovecot_auth_t, dovecot_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_auth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dovecot_stream_connect_auth'($*)) dnl
')

########################################
## <summary>
##	Execute dovecot_deliver in the dovecot_deliver domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`dovecot_domtrans_deliver',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dovecot_domtrans_deliver'($*)) dnl
	gen_require(`
		type dovecot_deliver_t, dovecot_deliver_exec_t;
	')

	domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dovecot_domtrans_deliver'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete the dovecot spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dovecot_manage_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dovecot_manage_spool'($*)) dnl
	gen_require(`
		type dovecot_spool_t;
	')

	files_search_spool($1)
	manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
	manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dovecot_manage_spool'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to delete dovecot lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dovecot_dontaudit_unlink_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dovecot_dontaudit_unlink_lib_files'($*)) dnl
	gen_require(`
		type dovecot_var_lib_t;
	')

	# silences the denial only; unlink is still refused
	dontaudit $1 dovecot_var_lib_t:file unlink;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dovecot_dontaudit_unlink_lib_files'($*)) dnl
')

########################################
## <summary>
##	Allow attempts to write inherited
##	dovecot tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dovecot_write_inherited_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dovecot_write_inherited_tmp_files'($*)) dnl
	gen_require(`
		type dovecot_tmp_t;
	')

	# write only: no open permission, so this applies to already-open
	# (inherited) descriptors rather than to opening the files anew
	allow $1 dovecot_tmp_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dovecot_write_inherited_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Read dovecot configuration file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dovecot_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dovecot_read_config'($*)) dnl
	gen_require(`
		type dovecot_etc_t;
	')

	files_search_etc($1)
	list_dirs_pattern($1, dovecot_etc_t, dovecot_etc_t)
	read_files_pattern($1, dovecot_etc_t, dovecot_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dovecot_read_config'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a dovecot environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the dovecot domain.
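##	</summary>
## </param>
## <rolecap/>
#
define(`dovecot_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dovecot_admin'($*)) dnl
	gen_require(`
		type dovecot_t, dovecot_etc_t, dovecot_var_log_t;
		type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t;
		type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t;
		type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t;
		type dovecot_keytab_t;
	')

	allow $1 dovecot_t:process signal_perms;
	ps_process_pattern($1, dovecot_t)

	# ptrace is granted only while the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 dovecot_t:process ptrace;
	')

	init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 dovecot_initrc_exec_t system_r;
	allow $2 system_r;

	# keytab is administered together with the config under /etc;
	# the former second admin_pattern on dovecot_keytab_t was a duplicate.
	files_list_etc($1)
	admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })

	files_list_tmp($1)
	admin_pattern($1, dovecot_auth_tmp_t)
	admin_pattern($1, dovecot_tmp_t)

	files_list_spool($1)
	admin_pattern($1, dovecot_spool_t)

	files_list_var_lib($1)
	admin_pattern($1, dovecot_var_lib_t)

	logging_search_logs($1)
	admin_pattern($1, dovecot_var_log_t)

	files_list_pids($1)
	admin_pattern($1, dovecot_var_run_t)

	admin_pattern($1, dovecot_cert_t)
	admin_pattern($1, dovecot_passwd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dovecot_admin'($*)) dnl
')

## <summary>Debian package manager.</summary>

########################################
## <summary>
##	Execute dpkg programs in the dpkg domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`dpkg_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_domtrans'($*)) dnl
	gen_require(`
		type dpkg_t, dpkg_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, dpkg_exec_t, dpkg_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute dpkg in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.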
##	</summary>
## </param>
#
define(`dpkg_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_exec'($*)) dnl
	gen_require(`
		type dpkg_exec_t;
	')

	corecmd_search_bin($1)
	# no domain transition: dpkg runs with the caller's own label
	can_exec($1, dpkg_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_exec'($*)) dnl
')

########################################
## <summary>
##	Execute dpkg_script programs in
##	the dpkg_script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`dpkg_domtrans_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_domtrans_script'($*)) dnl
	gen_require(`
		type dpkg_script_t;
	')

	corecmd_shell_domtrans($1, dpkg_script_t)
	# the script domain may use the caller's inherited fds and pipes and
	# signal completion back to it
	allow dpkg_script_t $1:fd use;
	allow dpkg_script_t $1:fifo_file rw_file_perms;
	allow dpkg_script_t $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_domtrans_script'($*)) dnl
')

########################################
## <summary>
##	Execute dpkg programs in the dpkg domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`dpkg_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_run'($*)) dnl
	gen_require(`
		attribute_role dpkg_roles;
	')

	dpkg_domtrans($1)
	roleattribute $2 dpkg_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_run'($*)) dnl
')

########################################
## <summary>
##	Inherit and use file descriptors from dpkg.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dpkg_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_use_fds'($*)) dnl
	gen_require(`
		type dpkg_t;
	')

	allow $1 dpkg_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_use_fds'($*)) dnl
')

########################################
## <summary>
##	Read from unnamed dpkg pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dpkg_read_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_read_pipes'($*)) dnl
	gen_require(`
		type dpkg_t;
	')

	allow $1 dpkg_t:fifo_file read_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_read_pipes'($*)) dnl
')

########################################
## <summary>
##	Read and write unnamed dpkg pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dpkg_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_rw_pipes'($*)) dnl
	gen_require(`
		type dpkg_t;
	')

	allow $1 dpkg_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_rw_pipes'($*)) dnl
')

########################################
## <summary>
##	Inherit and use file descriptors
##	from dpkg scripts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dpkg_use_script_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_use_script_fds'($*)) dnl
	gen_require(`
		type dpkg_script_t;
	')

	allow $1 dpkg_script_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_use_script_fds'($*)) dnl
')

########################################
## <summary>
##	Read dpkg package database content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dpkg_read_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_read_db'($*)) dnl
	gen_require(`
		type dpkg_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 dpkg_var_lib_t:dir list_dir_perms;
	read_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
	read_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_read_db'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	dpkg package database content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dpkg_manage_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_manage_db'($*)) dnl
	gen_require(`
		type dpkg_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
	manage_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_manage_db'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to create,
##	read, write, and delete dpkg
##	package database content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dpkg_dontaudit_manage_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_dontaudit_manage_db'($*)) dnl
	gen_require(`
		type dpkg_var_lib_t;
	')

	# audit suppression only; nothing here grants access
	dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms;
	dontaudit $1 dpkg_var_lib_t:file manage_file_perms;
	dontaudit $1 dpkg_var_lib_t:lnk_file manage_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_dontaudit_manage_db'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	dpkg lock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dpkg_lock_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dpkg_lock_db'($*)) dnl
	gen_require(`
		type dpkg_lock_t, dpkg_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 dpkg_var_lib_t:dir list_dir_perms;
	allow $1 dpkg_lock_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dpkg_lock_db'($*)) dnl
')

## <summary>Mirrors a block device over the network to another machine.</summary>

########################################
## <summary>
##	Execute a domain transition to run drbd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`drbd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `drbd_domtrans'($*)) dnl
	gen_require(`
		type drbd_t, drbd_exec_t;
	')

	domtrans_pattern($1, drbd_exec_t, drbd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `drbd_domtrans'($*)) dnl
')

########################################
## <summary>
##	Search drbd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`drbd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `drbd_search_lib'($*)) dnl
	gen_require(`
		type drbd_var_lib_t;
	')

	allow $1 drbd_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `drbd_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read drbd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`drbd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `drbd_read_lib_files'($*)) dnl
	gen_require(`
		type drbd_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `drbd_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	drbd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`drbd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `drbd_manage_lib_files'($*)) dnl
	gen_require(`
		type drbd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `drbd_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	drbd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`drbd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `drbd_manage_lib_dirs'($*)) dnl
	gen_require(`
		type drbd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `drbd_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a drbd environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`drbd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `drbd_admin'($*)) dnl
	gen_require(`
		type drbd_t, drbd_initrc_exec_t, drbd_lock_t;
		type drbd_var_lib_t;
	')

	allow $1 drbd_t:process signal_perms;
	ps_process_pattern($1, drbd_t)

	# ptrace is granted only while the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 drbd_t:process ptrace;
	')

	init_labeled_script_domtrans($1, drbd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 drbd_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_locks($1)
	admin_pattern($1, drbd_lock_t)

	files_search_var_lib($1)
	admin_pattern($1, drbd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `drbd_admin'($*)) dnl
')

## <summary>policy for dspam</summary>

########################################
## <summary>
##	Execute a domain transition to run dspam.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dspam_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_domtrans'($*)) dnl
	gen_require(`
		type dspam_t, dspam_exec_t;
	')

	domtrans_pattern($1, dspam_exec_t, dspam_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute dspam server in the dspam domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
define(`dspam_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_initrc_domtrans'($*)) dnl
	gen_require(`
		type dspam_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, dspam_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to read dspam's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dspam_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_read_log'($*)) dnl
	gen_require(`
		type dspam_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, dspam_log_t, dspam_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_read_log'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to append
##	dspam log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dspam_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_append_log'($*)) dnl
	gen_require(`
		type dspam_log_t;
	')

	logging_search_logs($1)
	append_files_pattern($1, dspam_log_t, dspam_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_append_log'($*)) dnl
')

########################################
## <summary>
##	Allow domain to manage dspam log files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dspam_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_manage_log'($*)) dnl
	gen_require(`
		type dspam_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, dspam_log_t, dspam_log_t)
	manage_files_pattern($1, dspam_log_t, dspam_log_t)
	manage_lnk_files_pattern($1, dspam_log_t, dspam_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_manage_log'($*)) dnl
')

########################################
## <summary>
##	Search dspam lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dspam_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_search_lib'($*)) dnl
	gen_require(`
		type dspam_var_lib_t;
	')

	allow $1 dspam_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read dspam lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dspam_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_read_lib_files'($*)) dnl
	gen_require(`
		type dspam_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	dspam lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dspam_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_manage_lib_files'($*)) dnl
	gen_require(`
		type dspam_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	dspam lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dspam_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_manage_lib_dirs'($*)) dnl
	gen_require(`
		type dspam_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Read dspam PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dspam_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_read_pid_files'($*)) dnl
	gen_require(`
		type dspam_var_run_t;
	')

	files_search_pids($1)
	allow $1 dspam_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Connect to DSPAM using a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dspam_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_stream_connect'($*)) dnl
	gen_require(`
		type dspam_t, dspam_var_run_t, dspam_tmp_t;
	')

	# the socket may live under the pid directory or under tmp
	files_search_pids($1)
	files_search_tmp($1)
	stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t)
	stream_connect_pattern($1, dspam_tmp_t, dspam_tmp_t, dspam_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_stream_connect'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a dspam environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
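##	</summary>
## </param>
## <rolecap/>
#
define(`dspam_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dspam_admin'($*)) dnl
	gen_require(`
		type dspam_t;
		type dspam_initrc_exec_t;
		type dspam_log_t;
		type dspam_var_lib_t;
		type dspam_var_run_t;
	')

	allow $1 dspam_t:process signal_perms;
	ps_process_pattern($1, dspam_t)

	# ptrace is granted only while the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 dspam_t:process ptrace;
	')

	dspam_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 dspam_initrc_exec_t system_r;
	allow $2 system_r;

	logging_search_logs($1)
	admin_pattern($1, dspam_log_t)

	files_search_var_lib($1)
	admin_pattern($1, dspam_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, dspam_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dspam_admin'($*)) dnl
')

## <summary>Generate entropy from audio input.</summary>

########################################
## <summary>
##	All of the rules required to
##	administrate an entropyd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`entropyd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `entropyd_admin'($*)) dnl
	gen_require(`
		type entropyd_t, entropyd_initrc_exec_t, entropyd_var_run_t;
	')

	allow $1 entropyd_t:process signal_perms;
	ps_process_pattern($1, entropyd_t)

	# Gate ptrace behind the deny_ptrace tunable, as the other *_admin
	# interfaces in this file do, instead of granting it unconditionally.
	tunable_policy(`deny_ptrace',`',`
		allow $1 entropyd_t:process ptrace;
	')

	init_labeled_script_domtrans($1, entropyd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 entropyd_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_pids($1)
	admin_pattern($1, entropyd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `entropyd_admin'($*)) dnl
')

## <summary>Evolution email client.</summary>

########################################
## <summary>
##	Role access for evolution.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.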
##	</summary>
## </param>
#
define(`evolution_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `evolution_role'($*)) dnl
	gen_require(`
		attribute_role evolution_roles;
		type evolution_t, evolution_exec_t, evolution_home_t;
		type evolution_alarm_t, evolution_alarm_exec_t, evolution_alarm_orbit_tmp_t;
		type evolution_exchange_t, evolution_exchange_exec_t, evolution_exchange_tmp_t;
		type evolution_exchange_orbit_tmp_t, evolution_orbit_tmp_t, evolution_server_orbit_tmp_t;
		type evolution_server_t, evolution_server_exec_t, evolution_webcal_t;
		type evolution_webcal_exec_t, evolution_alarm_tmpfs_t, evolution_exchange_tmpfs_t;
		type evolution_tmpfs_t, evolution_webcal_tmpfs_t;
	')

	# $1 is the role, $2 the user domain it runs as.
	roleattribute $1 evolution_roles;

	domtrans_pattern($2, evolution_exec_t, evolution_t)
	domtrans_pattern($2, evolution_alarm_exec_t, evolution_alarm_t)
	domtrans_pattern($2, evolution_exchange_exec_t, evolution_exchange_t)
	domtrans_pattern($2, evolution_server_exec_t, evolution_server_t)
	domtrans_pattern($2, evolution_webcal_exec_t, evolution_webcal_t)

	# NOTE(review): ptrace is granted here unconditionally, whereas the
	# *_admin interfaces in this file gate it on the deny_ptrace tunable.
	allow $2 { evolution_t evolution_alarm_t evolution_exchange_t evolution_server_t evolution_webcal_t }:process { noatsecure ptrace signal_perms };
	ps_process_pattern($2, { evolution_t evolution_alarm_t evolution_exchange_t })
	ps_process_pattern($2, { evolution_server_t evolution_webcal_t })

	allow evolution_t $2:dir search_dir_perms;
	allow evolution_t $2:file read_file_perms;
	allow evolution_t $2:lnk_file read_lnk_file_perms;

	allow $2 evolution_home_t:dir { relabel_dir_perms manage_dir_perms };
	allow $2 evolution_home_t:file { relabel_file_perms manage_file_perms };
	allow $2 evolution_home_t:lnk_file { relabel_lnk_file_perms manage_lnk_file_perms };
	userdom_user_home_dir_filetrans($2, evolution_home_t, dir, ".camel_certs")
	userdom_user_home_dir_filetrans($2, evolution_home_t, dir, ".evolution")

	allow $2 evolution_exchange_tmp_t:dir { manage_dir_perms relabel_dir_perms };

	allow $2 { evolution_alarm_orbit_tmp_t evolution_exchange_orbit_tmp_t evolution_orbit_tmp_t evolution_server_orbit_tmp_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };

	allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
	allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:file { manage_file_perms relabel_file_perms };
	allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
	allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
	allow $2 { evolution_alarm_tmpfs_t evolution_exchange_tmpfs_t evolution_tmpfs_t evolution_webcal_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };

	allow { evolution_t evolution_exchange_t } $2:unix_stream_socket connectto;
	stream_connect_pattern($2, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
	stream_connect_pattern($2, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)

	optional_policy(`
		evolution_dbus_chat($2)
		evolution_alarm_dbus_chat($2)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `evolution_role'($*)) dnl
')

########################################
## <summary>
##	Create objects in the evolution home
##	directories with a private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	Private file type.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Class of the object being created.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`evolution_home_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `evolution_home_filetrans'($*)) dnl
	gen_require(`
		type evolution_home_t;
	')

	# $2 is the private type, $3 the object class, $4 the optional file name
	userdom_search_user_home_dirs($1)
	filetrans_pattern($1, evolution_home_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `evolution_home_filetrans'($*)) dnl
')

########################################
## <summary>
##	Connect to evolution using a unix
##	domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`evolution_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `evolution_stream_connect'($*)) dnl
	gen_require(`
		type evolution_t, evolution_orbit_tmp_t;
	')

	# search on the tmp directory first so the socket path can be resolved
	files_search_tmp($1)
	stream_connect_pattern($1, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `evolution_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	evolution over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`evolution_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `evolution_dbus_chat'($*)) dnl
	gen_require(`
		type evolution_t;
		class dbus send_msg;
	')

	# bidirectional: both sides may send to each other
	allow $1 evolution_t:dbus send_msg;
	allow evolution_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `evolution_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	evolution_alarm over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`evolution_alarm_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `evolution_alarm_dbus_chat'($*)) dnl
	gen_require(`
		type evolution_alarm_t;
		class dbus send_msg;
	')

	# bidirectional: both sides may send to each other
	allow $1 evolution_alarm_t:dbus send_msg;
	allow evolution_alarm_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `evolution_alarm_dbus_chat'($*)) dnl
')

## <summary>Mail transfer agent.</summary>

########################################
## <summary>
##	Execute a domain transition to run exim.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`exim_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_domtrans'($*)) dnl
	gen_require(`
		type exim_t, exim_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, exim_exec_t, exim_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute exim in the exim domain, and
##	allow the specified role the exim domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the exim domain.
##	</summary>
## </param>
## <rolecap/>
#
define(`exim_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_run'($*)) dnl
	gen_require(`
		type exim_t;
	')

	exim_domtrans($1)
	role $2 types exim_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_run'($*)) dnl
')

########################################
## <summary>
##	Execute exim in the exim domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`exim_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_initrc_domtrans'($*)) dnl
	gen_require(`
		type exim_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, exim_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read
##	exim tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`exim_dontaudit_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_dontaudit_read_tmp_files'($*)) dnl
	gen_require(`
		type exim_tmp_t;
	')

	# suppresses the audit record only; the access stays denied
	dontaudit $1 exim_tmp_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_dontaudit_read_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Read exim tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`exim_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_read_tmp_files'($*)) dnl
	gen_require(`
		type exim_tmp_t;
	')

	allow $1 exim_tmp_t:file read_file_perms;
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_read_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Read exim PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`exim_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_read_pid_files'($*)) dnl
	gen_require(`
		type exim_var_run_t;
	')

	allow $1 exim_var_run_t:file read_file_perms;
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to read exim's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`exim_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_read_log'($*)) dnl
	gen_require(`
		type exim_log_t;
	')

	read_files_pattern($1, exim_log_t, exim_log_t)
	logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_read_log'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to append
##	exim log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`exim_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_append_log'($*)) dnl
	gen_require(`
		type exim_log_t;
	')

	# append only: no read, no truncate, no unlink of existing log content
	append_files_pattern($1, exim_log_t, exim_log_t)
	logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_append_log'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to manage exim's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`exim_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_manage_log'($*)) dnl
	gen_require(`
		type exim_log_t;
	')

	manage_files_pattern($1, exim_log_t, exim_log_t)
	logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_manage_log'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	exim spool dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`exim_manage_spool_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_manage_spool_dirs'($*)) dnl
	gen_require(`
		type exim_spool_t;
	')

	manage_dirs_pattern($1, exim_spool_t, exim_spool_t)
	files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_manage_spool_dirs'($*)) dnl
')

########################################
## <summary>
##	Read exim spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`exim_read_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_read_spool_files'($*)) dnl
	gen_require(`
		type exim_spool_t;
	')

	# files are readable and spool directories listable, nothing more
	allow $1 exim_spool_t:file read_file_perms;
	allow $1 exim_spool_t:dir list_dir_perms;
	files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_read_spool_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	exim spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`exim_manage_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_manage_spool_files'($*)) dnl
	gen_require(`
		type exim_spool_t;
	')

	manage_files_pattern($1, exim_spool_t, exim_spool_t)
	files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_manage_spool_files'($*)) dnl
')

########################################
## <summary>
##	Read exim var lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`exim_read_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_read_var_lib_files'($*)) dnl
	gen_require(`
		type exim_var_lib_t;
	')

	read_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_read_var_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, and write exim var lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`exim_manage_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_manage_var_lib_files'($*)) dnl
	gen_require(`
		type exim_var_lib_t;
	')

	manage_files_pattern($1, exim_var_lib_t, exim_var_lib_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_manage_var_lib_files'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an exim environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`exim_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `exim_admin'($*)) dnl
	gen_require(`
		type exim_t, exim_spool_t, exim_log_t;
		type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
		type exim_keytab_t;
	')

	allow $1 exim_t:process signal_perms;
	ps_process_pattern($1, exim_t)

	# ptrace only when the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 exim_t:process ptrace;
	')

	# running the init script moves the admin role into system_r
	exim_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 exim_initrc_exec_t system_r;
	allow $2 system_r;

	# each admin_pattern is paired with search access on its parent directory
	files_search_etc($1)
	admin_pattern($1, exim_keytab_t)

	files_search_spool($1)
	admin_pattern($1, exim_spool_t)

	logging_search_logs($1)
	admin_pattern($1, exim_log_t)

	files_search_pids($1)
	admin_pattern($1, exim_var_run_t)

	files_search_tmp($1)
	admin_pattern($1, exim_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `exim_admin'($*)) dnl
')

## <summary>Update firewall filtering to ban IP addresses with too many password failures.</summary>

########################################
## <summary>
##	Execute a domain transition to run fail2ban.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`fail2ban_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_domtrans'($*)) dnl
	gen_require(`
		type fail2ban_t, fail2ban_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_domtrans'($*)) dnl
')

#######################################
## <summary>
##	Execute the fail2ban client in
##	the fail2ban client domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`fail2ban_domtrans_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_domtrans_client'($*)) dnl
	gen_require(`
		type fail2ban_client_t, fail2ban_client_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_domtrans_client'($*)) dnl
')

#######################################
## <summary>
##	Execute fail2ban client in the
##	fail2ban client domain, and allow
##	the specified role the fail2ban
##	client domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`fail2ban_run_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_run_client'($*)) dnl
	gen_require(`
		attribute_role fail2ban_client_roles;
	')

	fail2ban_domtrans_client($1)
	# the role is attached through the role attribute rather than a
	# direct role statement
	roleattribute $2 fail2ban_client_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_run_client'($*)) dnl
')

#####################################
## <summary>
##	Connect to fail2ban over a unix domain
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fail2ban_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_stream_connect'($*)) dnl
	gen_require(`
		type fail2ban_t, fail2ban_var_run_t;
	')

	# the socket file carries the pid-file type, so search on the pid
	# directory is granted first
	files_search_pids($1)
	stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Read and write inherited temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fail2ban_rw_inherited_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_rw_inherited_tmp_files'($*)) dnl
	gen_require(`
		type fail2ban_tmp_t;
	')

	files_search_tmp($1)
	# inherited descriptors only: no open permission is granted here
	allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_rw_inherited_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Read and write a fail2ban unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fail2ban_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_rw_stream_sockets'($*)) dnl
	gen_require(`
		type fail2ban_t;
	')

	allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_rw_stream_sockets'($*)) dnl
')

#######################################
## <summary>
##	Do not audit attempts to use
##	fail2ban file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fail2ban_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_dontaudit_use_fds'($*)) dnl
	gen_require(`
		type fail2ban_t;
	')

	# suppresses the audit record only; the access stays denied
	dontaudit $1 fail2ban_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_dontaudit_use_fds'($*)) dnl
')

#######################################
## <summary>
##	Do not audit attempts to read and
##	write fail2ban unix stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fail2ban_dontaudit_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_dontaudit_rw_stream_sockets'($*)) dnl
	gen_require(`
		type fail2ban_t;
	')

	dontaudit $1 fail2ban_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_dontaudit_rw_stream_sockets'($*)) dnl
')

########################################
## <summary>
##	Read fail2ban lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fail2ban_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_read_lib_files'($*)) dnl
	gen_require(`
		type fail2ban_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to read fail2ban's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`fail2ban_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_read_log'($*)) dnl
	gen_require(`
		type fail2ban_log_t;
	')

	logging_search_logs($1)
	allow $1 fail2ban_log_t:dir list_dir_perms;
	allow $1 fail2ban_log_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_read_log'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to append
##	fail2ban log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fail2ban_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_append_log'($*)) dnl
	gen_require(`
		type fail2ban_log_t;
	')

	logging_search_logs($1)
	allow $1 fail2ban_log_t:dir list_dir_perms;
	# append only: existing log content cannot be read or rewritten
	allow $1 fail2ban_log_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_append_log'($*)) dnl
')

########################################
## <summary>
##	Read fail2ban PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fail2ban_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_read_pid_files'($*)) dnl
	gen_require(`
		type fail2ban_var_run_t;
	')

	files_search_pids($1)
	allow $1 fail2ban_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit reads and writes of leaked
##	fail2ban file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fail2ban_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_dontaudit_leaks'($*)) dnl
	gen_require(`
		type fail2ban_t;
	')

	# covers the three socket classes fail2ban hands down across exec
	dontaudit $1 fail2ban_t:tcp_socket { read write };
	dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
	dontaudit $1 fail2ban_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_dontaudit_leaks'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a fail2ban environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the fail2ban domain.
##	</summary>
## </param>
## <rolecap/>
#
define(`fail2ban_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fail2ban_admin'($*)) dnl
	gen_require(`
		type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
		type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
		type fail2ban_client_t;
	')

	allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
	ps_process_pattern($1, { fail2ban_t fail2ban_client_t })

	# ptrace only when the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
	')

	# running the init script moves the admin role into system_r
	init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 fail2ban_initrc_exec_t system_r;
	allow $2 system_r;

	logging_list_logs($1)
	admin_pattern($1, fail2ban_log_t)

	files_list_pids($1)
	admin_pattern($1, fail2ban_var_run_t)

	files_list_var_lib($1)
	admin_pattern($1, fail2ban_var_lib_t)

	files_list_tmp($1)
	admin_pattern($1, fail2ban_tmp_t)

	# the admin can also run the client and gets its role attribute
	fail2ban_run_client($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fail2ban_admin'($*)) dnl
')

## <summary>Fibre Channel over Ethernet utilities.</summary>

#######################################
## <summary>
##	Send to fcoemon with a unix dgram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fcoe_dgram_send_fcoemon',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fcoe_dgram_send_fcoemon'($*)) dnl
	gen_require(`
		type fcoemon_t, fcoemon_var_run_t;
	')

	# the socket file carries the pid-file type, so search on the pid
	# directory is granted first
	files_search_pids($1)
	dgram_send_pattern($1, fcoemon_var_run_t, fcoemon_var_run_t, fcoemon_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fcoe_dgram_send_fcoemon'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an fcoemon environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
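##	</summary>
## </param>
## <rolecap/>
#
define(`fcoe_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fcoe_admin'($*)) dnl
	gen_require(`
		type fcoemon_t, fcoemon_initrc_exec_t, fcoemon_var_run_t;
	')

	allow $1 fcoemon_t:process signal_perms;
	ps_process_pattern($1, fcoemon_t)

	# ptrace is gated on deny_ptrace like the other admin interfaces in
	# this file instead of being granted unconditionally
	tunable_policy(`deny_ptrace',`',`
		allow $1 fcoemon_t:process ptrace;
	')

	# running the init script moves the admin role into system_r
	init_labeled_script_domtrans($1, fcoemon_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 fcoemon_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_pids($1)
	admin_pattern($1, fcoemon_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fcoe_admin'($*)) dnl
')

## <summary>Remote-mail retrieval and forwarding utility.</summary>

########################################
## <summary>
##	All of the rules required to
##	administrate a fetchmail environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`fetchmail_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fetchmail_admin'($*)) dnl
	gen_require(`
		type fetchmail_t, fetchmail_etc_t, fetchmail_uidl_cache_t;
		type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t;
	')

	# signal_perms was missing here although every other admin interface
	# in this file grants it; without it the admin cannot stop the daemon
	allow $1 fetchmail_t:process signal_perms;
	ps_process_pattern($1, fetchmail_t)

	# ptrace only when the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 fetchmail_t:process ptrace;
	')

	# running the init script moves the admin role into system_r
	init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 fetchmail_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, fetchmail_etc_t)

	files_search_var_lib($1)
	admin_pattern($1, fetchmail_uidl_cache_t)

	files_list_pids($1)
	admin_pattern($1, fetchmail_var_run_t)

	logging_search_logs($1)
	admin_pattern($1, fetchmail_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fetchmail_admin'($*)) dnl
')

## <summary>Finger user information service.</summary>

########################################
## <summary>
##	Execute fingerd in the fingerd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.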
##	</summary>
## </param>
#
define(`finger_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `finger_domtrans'($*)) dnl
	gen_require(`
		type fingerd_t, fingerd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, fingerd_exec_t, fingerd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `finger_domtrans'($*)) dnl
')

########################################
## <summary>
##	Connect to fingerd with a tcp socket. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`finger_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `finger_tcp_connect'($*)) dnl
	# no rules are emitted; callers only get a build-time warning
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `finger_tcp_connect'($*)) dnl
')

## <summary>Service daemon with a D-BUS interface that provides a dynamic managed firewall.</summary>

########################################
## <summary>
##	Read firewalld config.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`firewalld_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firewalld_read_config'($*)) dnl
	gen_require(`
		type firewalld_etc_rw_t;
	')

	files_search_etc($1)
	read_files_pattern($1, firewalld_etc_rw_t, firewalld_etc_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firewalld_read_config'($*)) dnl
')

########################################
## <summary>
##	Execute firewalld server in the firewalld domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
define(`firewalld_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firewalld_initrc_domtrans'($*)) dnl
	gen_require(`
		type firewalld_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firewalld_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Manage the firewalld service through systemctl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`firewalld_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firewalld_systemctl'($*)) dnl
	gen_require(`
		type firewalld_t;
		type firewalld_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	# the unit file itself is read-only; service control goes through
	# the service class on the unit type
	allow $1 firewalld_unit_file_t:file read_file_perms;
	allow $1 firewalld_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, firewalld_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firewalld_systemctl'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	firewalld over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`firewalld_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firewalld_dbus_chat'($*)) dnl
	gen_require(`
		type firewalld_t;
		class dbus send_msg;
	')

	# bidirectional: both sides may send to each other
	allow $1 firewalld_t:dbus send_msg;
	allow firewalld_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firewalld_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write
##	firewalld tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`firewalld_dontaudit_write_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firewalld_dontaudit_write_tmp_files'($*)) dnl
	gen_require(`
		type firewalld_tmp_t;
	')

	# suppresses the audit record only; the write stays denied
	dontaudit $1 firewalld_tmp_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firewalld_dontaudit_write_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Read firewalld PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`firewalld_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firewalld_read_pid_files'($*)) dnl
	gen_require(`
		type firewalld_var_run_t;
	')

	files_search_pids($1)
	allow $1 firewalld_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firewalld_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit reads and writes of leaked
##	firewalld file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`firewalld_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firewalld_dontaudit_leaks'($*)) dnl
	gen_require(`
		type firewalld_tmpfs_t;
	')

	# only inherited tmpfs descriptors are covered, not sockets
	dontaudit $1 firewalld_tmpfs_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firewalld_dontaudit_leaks'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a firewalld environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
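##	</summary>
## </param>
## <rolecap/>
#
define(`firewalld_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firewalld_admin'($*)) dnl
	gen_require(`
		type firewalld_t, firewalld_initrc_exec_t;
		type firewalld_etc_rw_t, firewalld_var_run_t;
		type firewalld_var_log_t, firewalld_unit_file_t;
	')

	allow $1 firewalld_t:process signal_perms;
	ps_process_pattern($1, firewalld_t)

	# ptrace only when the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 firewalld_t:process ptrace;
	')

	# running the init script moves the admin role into system_r
	firewalld_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 firewalld_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_pids($1)
	admin_pattern($1, firewalld_var_run_t)

	logging_search_logs($1)
	admin_pattern($1, firewalld_var_log_t)

	admin_pattern($1, firewalld_etc_rw_t)

	# firewalld_unit_file_t is used directly below, so it is listed in
	# this interface's own require block rather than relying on the
	# require block that firewalld_systemctl pulls in later
	admin_pattern($1, firewalld_unit_file_t)

	firewalld_systemctl($1)
	# full service control on top of the manage perms from firewalld_systemctl
	allow $1 firewalld_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firewalld_admin'($*)) dnl
')

## <summary>system-config-firewall dbus system service.</summary>

########################################
## <summary>
##	Send and receive messages from
##	firewallgui over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`firewallgui_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firewallgui_dbus_chat'($*)) dnl
	gen_require(`
		type firewallgui_t;
		class dbus send_msg;
	')

	# bidirectional: both sides may send to each other
	allow $1 firewallgui_t:dbus send_msg;
	allow firewallgui_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firewallgui_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and
##	write firewallgui unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.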
##	</summary>
## </param>
#
define(`firewallgui_dontaudit_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firewallgui_dontaudit_rw_pipes'($*)) dnl
	gen_require(`
		type firewallgui_t;
	')

	dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firewallgui_dontaudit_rw_pipes'($*)) dnl
')

## <summary>
##	Final system configuration run during the first boot
##	after installation of Red Hat/Fedora systems.
## </summary>

########################################
## <summary>
##	Execute firstboot in the firstboot domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`firstboot_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firstboot_domtrans'($*)) dnl
	gen_require(`
		type firstboot_t, firstboot_exec_t;
	')

	# note: unlike the other domtrans interfaces here, no corecmd_search_bin
	domtrans_pattern($1, firstboot_exec_t, firstboot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firstboot_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute firstboot in the firstboot domain, and
##	allow the specified role the firstboot domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`firstboot_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firstboot_run'($*)) dnl
	gen_require(`
		type firstboot_t;
	')

	firstboot_domtrans($1)
	role $2 types firstboot_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firstboot_run'($*)) dnl
')

########################################
## <summary>
##	Inherit and use a file descriptor from firstboot.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`firstboot_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firstboot_use_fds'($*)) dnl
	gen_require(`
		type firstboot_t;
	')

	allow $1 firstboot_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firstboot_use_fds'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to inherit a
##	file descriptor from firstboot.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`firstboot_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firstboot_dontaudit_use_fds'($*)) dnl
	gen_require(`
		type firstboot_t;
	')

	# suppresses the audit record only; the access stays denied
	dontaudit $1 firstboot_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firstboot_dontaudit_use_fds'($*)) dnl
')

########################################
## <summary>
##	Do not audit reads and writes of leaked
##	firstboot file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`firstboot_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firstboot_dontaudit_leaks'($*)) dnl
	gen_require(`
		type firstboot_t;
	')

	# every socket class plus inherited pipes
	dontaudit $1 firstboot_t:socket_class_set { read write };
	dontaudit $1 firstboot_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firstboot_dontaudit_leaks'($*)) dnl
')

########################################
## <summary>
##	Write to a firstboot unnamed pipe.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`firstboot_write_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firstboot_write_pipes'($*)) dnl
	gen_require(`
		type firstboot_t;
	')

	# fd use is included because the pipe is reached through an inherited descriptor
	allow $1 firstboot_t:fd use;
	allow $1 firstboot_t:fifo_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firstboot_write_pipes'($*)) dnl
')

########################################
## <summary>
##	Read and write to a firstboot unnamed pipe.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`firstboot_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firstboot_rw_pipes'($*)) dnl
	gen_require(`
		type firstboot_t;
	')

	# note: unlike firstboot_write_pipes, no fd use is granted here
	allow $1 firstboot_t:fifo_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firstboot_rw_pipes'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write to a firstboot unnamed pipe.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`firstboot_dontaudit_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `firstboot_dontaudit_rw_pipes'($*)) dnl
	gen_require(`
		type firstboot_t;
	')

	dontaudit $1 firstboot_t:fifo_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `firstboot_dontaudit_rw_pipes'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write to a firstboot
##	unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## ## # define(`firstboot_dontaudit_rw_stream_sockets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `firstboot_dontaudit_rw_stream_sockets'($*)) dnl gen_require(` type firstboot_t; ') dontaudit $1 firstboot_t:unix_stream_socket { read write }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `firstboot_dontaudit_rw_stream_sockets'($*)) dnl ') ## ## DBus fingerprint reader service. ######################################## ## ## Execute a domain transition to run fprintd. ## ## ## ## Domain allowed to transition. ## ## # define(`fprintd_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fprintd_domtrans'($*)) dnl gen_require(` type fprintd_t, fprintd_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, fprintd_exec_t, fprintd_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fprintd_domtrans'($*)) dnl ') ###################################### ## ## Execute fprintd in the caller domain. ## ## ## ## Domain allowed access. ## ## # define(`fprintd_exec',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fprintd_exec'($*)) dnl gen_require(` type fprintd_exec_t; ') corecmd_search_bin($1) can_exec($1, fprintd_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fprintd_exec'($*)) dnl ') ######################################## ## ## Send and receive messages from ## fprintd over dbus. ## ## ## ## Domain allowed access. 
## ## # define(`fprintd_dbus_chat',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fprintd_dbus_chat'($*)) dnl gen_require(` type fprintd_t; class dbus send_msg; ') allow $1 fprintd_t:dbus send_msg; allow fprintd_t $1:dbus send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fprintd_dbus_chat'($*)) dnl ') ######################################## ## ## Mounton fprintd lib directory. ## ## ## ## Domain allowed access. ## ## # define(`fprintd_mounton_var_lib',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fprintd_mounton_var_lib'($*)) dnl gen_require(` type fprintd_var_lib_t; ') allow $1 fprintd_var_lib_t:dir mounton; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fprintd_mounton_var_lib'($*)) dnl ') ######################################## ## ## Read fprintd lib directory. ## ## ## ## Domain allowed access. ## ## # define(`fprintd_read_var_lib_dir',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fprintd_read_var_lib_dir'($*)) dnl gen_require(` type fprintd_var_lib_t; ') allow $1 fprintd_var_lib_t:dir { list_dir_perms }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fprintd_read_var_lib_dir'($*)) dnl ') ######################################## ## ## Setattr fprintd lib directory. ## ## ## ## Domain allowed access. 
## ## # define(`fprintd_setattr_var_lib_dir',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fprintd_setattr_var_lib_dir'($*)) dnl gen_require(` type fprintd_var_lib_t; ') allow $1 fprintd_var_lib_t:dir { setattr_dir_perms }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fprintd_setattr_var_lib_dir'($*)) dnl ') ## Remote-Console (out-of-band) and System Management Software (in-band) based on Intelligent Platform Management Interface specification ##################################### ## ## Creates types and rules for a basic ## freeipmi init daemon domain. ## ## ## ## Prefix for the domain. ## ## # define(`freeipmi_domain_template',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `freeipmi_domain_template'($*)) dnl gen_require(` attribute freeipmi_domain, freeipmi_pid; ') ############################# # # Declarations # type freeipmi_$1_t, freeipmi_domain; type freeipmi_$1_exec_t; init_daemon_domain(freeipmi_$1_t, freeipmi_$1_exec_t) role system_r types freeipmi_$1_t; type freeipmi_$1_unit_file_t; systemd_unit_file(freeipmi_$1_unit_file_t) type freeipmi_$1_var_run_t, freeipmi_pid; files_pid_file(freeipmi_$1_var_run_t) ############################# # # Local policy # manage_files_pattern(freeipmi_$1_t, freeipmi_$1_var_run_t, freeipmi_$1_var_run_t) kernel_read_system_state(freeipmi_$1_t) corenet_all_recvfrom_netlabel(freeipmi_$1_t) corenet_all_recvfrom_unlabeled(freeipmi_$1_t) auth_use_nsswitch(freeipmi_$1_t) logging_send_syslog_msg(freeipmi_$1_t) dnl popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `freeipmi_domain_template'($*)) dnl ') #################################### ## ## Connect to cluster domains over a unix domain ## stream socket. ## ## ## ## Domain allowed access. 
##	</summary>
## </param>
#
define(`freeipmi_stream_connect',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `freeipmi_stream_connect'($*)) dnl
	gen_require(`
		attribute freeipmi_domain, freeipmi_pid;
	')

	# Connect to any freeipmi daemon (freeipmi_domain attribute) through
	# a socket labeled with any freeipmi pid type; the pid types live
	# under the pid directory, hence the search rule first.
	files_search_pids($1)
	stream_connect_pattern($1, freeipmi_pid, freeipmi_pid, freeipmi_domain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `freeipmi_stream_connect'($*)) dnl
')

## <summary>policy for freqset</summary>

########################################
## <summary>
##	Execute freqset in the freqset domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`freqset_domtrans',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `freqset_domtrans'($*)) dnl
	gen_require(`
		type freqset_t, freqset_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, freqset_exec_t, freqset_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `freqset_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute freqset in the freqset domain, and
##	allow the specified role the freqset domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the freqset domain.
## ## # define(`freqset_run',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `freqset_run'($*)) dnl gen_require(` type freqset_t; attribute_role freqset_roles; ') freqset_domtrans($1) roleattribute $2 freqset_roles; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `freqset_run'($*)) dnl ') ######################################## ## ## Role access for freqset ## ## ## ## Role allowed access ## ## ## ## ## User domain for the role ## ## # define(`freqset_role',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `freqset_role'($*)) dnl gen_require(` type freqset_t; attribute_role freqset_roles; ') roleattribute $1 freqset_roles; freqset_domtrans($2) ps_process_pattern($2, freqset_t) allow $2 freqset_t:process { signull signal sigkill }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `freqset_role'($*)) dnl ') ## File transfer protocol service. ###################################### ## ## Execute a domain transition to run ftpd. ## ## ## ## Domain allowed to transition. ## ## # define(`ftp_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ftp_domtrans'($*)) dnl gen_require(` type ftpd_t, ftpd_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1,ftpd_exec_t, ftpd_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ftp_domtrans'($*)) dnl ') ####################################### ## ## Execute ftpd server in the ftpd domain. ## ## ## ## The type of the process performing this action. 
##	</summary>
## </param>
#
define(`ftp_initrc_domtrans',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ftp_initrc_domtrans'($*)) dnl
	gen_require(`
		type ftpd_initrc_exec_t;
	')

	# Runs the labeled ftpd init script (not ftpd itself).
	init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ftp_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Control the ftpd service through systemctl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ftp_systemctl',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ftp_systemctl'($*)) dnl
	gen_require(`
		type ftpd_unit_file_t;
		type ftpd_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 ftpd_unit_file_t:file read_file_perms;
	# NOTE(review): manage_service_perms is a control set, not status
	# only; hand this interface only to domains meant to start/stop ftpd.
	allow $1 ftpd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, ftpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ftp_systemctl'($*)) dnl
')

########################################
## <summary>
##	Execute a dyntransition to run anon sftpd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ftp_dyntrans_anon_sftpd',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ftp_dyntrans_anon_sftpd'($*)) dnl
	gen_require(`
		type anon_sftpd_t;
	')

	# Dynamic transition: the caller relabels itself to anon_sftpd_t
	# without executing a new program, so the caller has to be trusted
	# to do this at the right point (presumably after authentication).
	dyntrans_pattern($1, anon_sftpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ftp_dyntrans_anon_sftpd'($*)) dnl
')

########################################
## <summary>
##	Connect to ftpd over TCP. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## # define(`ftp_tcp_connect',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ftp_tcp_connect'($*)) dnl refpolicywarn(`$0($*) has been deprecated.') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ftp_tcp_connect'($*)) dnl ') ######################################## ## ## Read ftpd configuration files. ## ## ## ## Domain allowed access. ## ## # define(`ftp_read_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ftp_read_config'($*)) dnl gen_require(` type ftpd_etc_t; ') files_search_etc($1) allow $1 ftpd_etc_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ftp_read_config'($*)) dnl ') ######################################## ## ## Execute FTP daemon entry point programs. ## ## ## ## Domain allowed access. ## ## # define(`ftp_check_exec',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ftp_check_exec'($*)) dnl gen_require(` type ftpd_exec_t; ') corecmd_search_bin($1) allow $1 ftpd_exec_t:file mmap_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ftp_check_exec'($*)) dnl ') ######################################## ## ## Read ftpd log files. ## ## ## ## Domain allowed access. ## ## # define(`ftp_read_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ftp_read_log'($*)) dnl gen_require(` type xferlog_t; ') logging_search_logs($1) allow $1 xferlog_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ftp_read_log'($*)) dnl ') ######################################## ## ## Execute the ftpdctl in the ftpdctl domain. ## ## ## ## Domain allowed to transition. 
## ## # define(`ftp_domtrans_ftpdctl',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ftp_domtrans_ftpdctl'($*)) dnl gen_require(` type ftpdctl_t, ftpdctl_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, ftpdctl_exec_t, ftpdctl_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ftp_domtrans_ftpdctl'($*)) dnl ') ######################################## ## ## Execute the ftpdctl in the ftpdctl ## domain, and allow the specified ## role the ftpctl domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # define(`ftp_run_ftpdctl',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ftp_run_ftpdctl'($*)) dnl gen_require(` attribute_role ftpdctl_roles; ') ftp_domtrans_ftpdctl($1) roleattribute $2 ftpdctl_roles; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ftp_run_ftpdctl'($*)) dnl ') ####################################### ## ## Execute a dyntransition to run sftpd. ## ## ## ## Domain allowed to transition. ## ## # define(`ftp_dyntrans_sftpd',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ftp_dyntrans_sftpd'($*)) dnl gen_require(` type sftpd_t; ') dyntrans_pattern($1, sftpd_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ftp_dyntrans_sftpd'($*)) dnl ') ######################################## ## ## All of the rules required to ## administrate an ftp environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. 
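##	</summary>
## </param>
## <rolecap/>
#
define(`ftp_admin',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ftp_admin'($*)) dnl
	gen_require(`
		type ftpd_t, ftpdctl_t, ftpd_tmp_t;
		type ftpd_etc_t, ftpd_lock_t, sftpd_t;
		type ftpd_var_run_t, xferlog_t, anon_sftpd_t;
		type ftpd_initrc_exec_t, ftpdctl_tmp_t;
		# ftpd_unit_file_t is used directly below; require it here
		# instead of relying on the require block nested in ftp_systemctl.
		type ftpd_keytab_t, ftpd_unit_file_t;
	')

	# Process control over all ftp domains. ptrace is only granted
	# while the deny_ptrace boolean is off, as in the other *_admin
	# interfaces in this file.
	allow $1 ftpd_t:process signal_perms;
	ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })

	tunable_policy(`deny_ptrace',`',`
		allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process ptrace;
	')

	# Run the init script and let the admin role reach system_r for it.
	init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 ftpd_initrc_exec_t system_r;
	allow $2 system_r;

	miscfiles_manage_public_files($1)

	files_list_tmp($1)
	admin_pattern($1, { ftpd_tmp_t ftpdctl_tmp_t })

	# NOTE(review): ftpd_keytab_t presumably holds the service Kerberos
	# keys; admin_pattern is full manage, so this role can read and
	# replace that credential.
	files_list_etc($1)
	admin_pattern($1, { ftpd_etc_t ftpd_keytab_t })

	files_list_var($1)
	admin_pattern($1, ftpd_lock_t)

	files_list_pids($1)
	admin_pattern($1, ftpd_var_run_t)

	logging_list_logs($1)
	admin_pattern($1, xferlog_t)

	# ftp_systemctl grants manage_service_perms; all_service_perms on
	# top covers the remainder of the service class.
	ftp_systemctl($1)
	admin_pattern($1, ftpd_unit_file_t)
	allow $1 ftpd_unit_file_t:service all_service_perms;

	ftp_run_ftpdctl($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ftp_admin'($*)) dnl
')

## <summary>fwupd is a daemon to allow session software to update device firmware</summary>

########################################
## <summary>
##	Execute fwupd_exec_t in the fwupd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`fwupd_domtrans',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fwupd_domtrans'($*)) dnl
	gen_require(`
		type fwupd_t, fwupd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, fwupd_exec_t, fwupd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fwupd_domtrans'($*)) dnl
')

######################################
## <summary>
##	Execute fwupd in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.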
## ## # define(`fwupd_exec',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fwupd_exec'($*)) dnl gen_require(` type fwupd_exec_t; ') corecmd_search_bin($1) can_exec($1, fwupd_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fwupd_exec'($*)) dnl ') ######################################## ## ## Read fwupd process state files. ## ## ## ## Domain allowed access. ## ## # define(`fwupd_read_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fwupd_read_state'($*)) dnl gen_require(` type fwupd_t; ') ps_process_pattern($1, fwupd_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fwupd_read_state'($*)) dnl ') ######################################## ## ## Search fwupd cache directories. ## ## ## ## Domain allowed access. ## ## # define(`fwupd_search_cache',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fwupd_search_cache'($*)) dnl gen_require(` type fwupd_cache_t; ') allow $1 fwupd_cache_t:dir search_dir_perms; files_search_var($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fwupd_search_cache'($*)) dnl ') ######################################## ## ## Allow the specified domain to delete ## fwupd cache. ## ## ## ## Domain allowed access. ## ## # define(`fwupd_delete_cache_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fwupd_delete_cache_files'($*)) dnl gen_require(` type fwupd_cache_t; ') allow $1 fwupd_cache_t:dir rmdir; delete_files_pattern($1, fwupd_cache_t, fwupd_cache_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fwupd_delete_cache_files'($*)) dnl ') ######################################## ## ## Read fwupd cache files. ## ## ## ## Domain allowed access. 
## ## # define(`fwupd_read_cache_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fwupd_read_cache_files'($*)) dnl gen_require(` type fwupd_cache_t; ') files_search_var($1) read_files_pattern($1, fwupd_cache_t, fwupd_cache_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fwupd_read_cache_files'($*)) dnl ') ######################################## ## ## Create, read, write, and delete ## fwupd cache files. ## ## ## ## Domain allowed access. ## ## # define(`fwupd_manage_cache_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fwupd_manage_cache_files'($*)) dnl gen_require(` type fwupd_cache_t; ') files_search_var($1) manage_files_pattern($1, fwupd_cache_t, fwupd_cache_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fwupd_manage_cache_files'($*)) dnl ') ######################################## ## ## Manage fwupd cache dirs. ## ## ## ## Domain allowed access. ## ## # define(`fwupd_manage_cache_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fwupd_manage_cache_dirs'($*)) dnl gen_require(` type fwupd_cache_t; ') files_search_var($1) manage_dirs_pattern($1, fwupd_cache_t, fwupd_cache_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fwupd_manage_cache_dirs'($*)) dnl ') ######################################## ## ## Search fwupd lib directories. ## ## ## ## Domain allowed access. 
## ## # define(`fwupd_search_lib',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fwupd_search_lib'($*)) dnl gen_require(` type fwupd_var_lib_t; ') allow $1 fwupd_var_lib_t:dir search_dir_perms; files_search_var_lib($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fwupd_search_lib'($*)) dnl ') ######################################## ## ## Read fwupd lib files. ## ## ## ## Domain allowed access. ## ## # define(`fwupd_read_lib_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fwupd_read_lib_files'($*)) dnl gen_require(` type fwupd_var_lib_t; ') files_search_var_lib($1) read_files_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fwupd_read_lib_files'($*)) dnl ') ######################################## ## ## Manage fwupd lib files. ## ## ## ## Domain allowed access. ## ## # define(`fwupd_manage_lib_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fwupd_manage_lib_files'($*)) dnl gen_require(` type fwupd_var_lib_t; ') files_search_var_lib($1) manage_files_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fwupd_manage_lib_files'($*)) dnl ') ######################################## ## ## Manage fwupd lib directories. ## ## ## ## Domain allowed access. 
## ## # define(`fwupd_manage_lib_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fwupd_manage_lib_dirs'($*)) dnl gen_require(` type fwupd_var_lib_t; ') files_search_var_lib($1) manage_dirs_pattern($1, fwupd_var_lib_t, fwupd_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fwupd_manage_lib_dirs'($*)) dnl ') ######################################## ## ## Execute fwupd server in the fwupd domain. ## ## ## ## Domain allowed to transition. ## ## # define(`fwupd_systemctl',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fwupd_systemctl'($*)) dnl gen_require(` type fwupd_t; type fwupd_unit_file_t; ') systemd_exec_systemctl($1) systemd_read_fifo_file_passwd_run($1) allow $1 fwupd_unit_file_t:file read_file_perms; allow $1 fwupd_unit_file_t:service manage_service_perms; ps_process_pattern($1, fwupd_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fwupd_systemctl'($*)) dnl ') ######################################## ## ## All of the rules required to administrate ## an fwupd environment ## ## ## ## Domain allowed access. 
## ## # define(`fwupd_admin',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fwupd_admin'($*)) dnl gen_require(` type fwupd_t; type fwupd_cache_t; type fwupd_var_lib_t; type fwupd_unit_file_t; ') allow $1 fwupd_t:process { signal_perms }; ps_process_pattern($1, fwupd_t) tunable_policy(`deny_ptrace',`',` allow $1 fwupd_t:process ptrace; ') files_search_var($1) admin_pattern($1, fwupd_cache_t) files_search_var_lib($1) admin_pattern($1, fwupd_var_lib_t) fwupd_systemctl($1) admin_pattern($1, fwupd_unit_file_t) allow $1 fwupd_unit_file_t:service all_service_perms; optional_policy(` systemd_passwd_agent_exec($1) systemd_read_fifo_file_passwd_run($1) ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fwupd_admin'($*)) dnl ') ######################################## ## ## Send and receive messages from ## fwupd over dbus. ## ## ## ## Domain allowed access. ## ## # define(`fwupd_dbus_chat',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fwupd_dbus_chat'($*)) dnl gen_require(` type fwupd_t; class dbus send_msg; ') allow $1 fwupd_t:dbus send_msg; allow fwupd_t $1:dbus send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fwupd_dbus_chat'($*)) dnl ') ## Various games. ######################################## ## ## Role access for games. ## ## ## ## Role allowed access. ## ## ## ## ## User domain for the role. 
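##	</summary>
## </param>
#
define(`games_role',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `games_role'($*)) dnl
	gen_require(`
		attribute_role games_roles;
		type games_t, games_exec_t, games_tmp_t;
		type games_tmpfs_t;
	')

	roleattribute $1 games_roles;

	domtrans_pattern($2, games_exec_t, games_t)

	# The user domain gets full ownership (manage plus relabel) of the
	# game temp and tmpfs objects.
	allow $2 games_tmp_t:dir { manage_dir_perms relabel_dir_perms };
	allow $2 { games_tmp_t games_tmpfs_t }:file { manage_file_perms relabel_file_perms };
	allow $2 games_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
	allow $2 games_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };

	# ptrace was previously unconditional here. It is now gated on the
	# deny_ptrace boolean, consistent with git_role and the *_admin
	# interfaces in this file, so enabling deny_ptrace really removes it.
	allow $2 games_t:process signal_perms;
	ps_process_pattern($2, games_t)

	tunable_policy(`deny_ptrace',`',`
		allow $2 games_t:process ptrace;
	')

	stream_connect_pattern($2, games_tmpfs_t, games_tmpfs_t, games_t)
	allow games_t $2:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `games_role'($*)) dnl
')

########################################
## <summary>
##	Read and write games data files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`games_rw_data',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `games_rw_data'($*)) dnl
	gen_require(`
		type games_data_t;
	')

	files_search_var_lib($1)
	rw_files_pattern($1, games_data_t, games_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `games_rw_data'($*)) dnl
')

########################################
## <summary>
##	Manage games data files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.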
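##	</summary>
## </param>
#
define(`games_manage_data_files',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `games_manage_data_files'($*)) dnl
	gen_require(`
		type games_data_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, games_data_t, games_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `games_manage_data_files'($*)) dnl
')

## <summary>OpenH.323 Voice-Over-IP Gatekeeper.</summary>

########################################
## <summary>
##	All of the rules required to
##	administrate a gatekeeper environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`gatekeeper_admin',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gatekeeper_admin'($*)) dnl
	gen_require(`
		type gatekeeper_t, gatekeeper_etc_t, gatekeeper_log_t;
		type gatekeeper_var_run_t, gatekeeper_tmp_t, gatekeeper_initrc_exec_t;
	')

	# ptrace was previously unconditional; it is now gated on the
	# deny_ptrace boolean like ftp_admin, fwupd_admin and geoclue_admin.
	allow $1 gatekeeper_t:process signal_perms;
	ps_process_pattern($1, gatekeeper_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 gatekeeper_t:process ptrace;
	')

	init_labeled_script_domtrans($1, gatekeeper_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 gatekeeper_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, gatekeeper_etc_t)

	logging_search_logs($1)
	admin_pattern($1, gatekeeper_log_t)

	files_search_tmp($1)
	admin_pattern($1, gatekeeper_tmp_t)

	# NOTE(review): the other admin interfaces in this file pair a
	# *_var_run_t type with files_search_pids. files_search_var_lib is
	# left as is here, but confirm it actually reaches the pid directory.
	files_search_var_lib($1)
	admin_pattern($1, gatekeeper_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gatekeeper_admin'($*)) dnl
')

## <summary>GNUstep distributed object mapper.</summary>

########################################
## <summary>
##	Read gdomap configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.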
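##	</summary>
## </param>
#
define(`gdomap_read_config',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gdomap_read_config'($*)) dnl
	gen_require(`
		type gdomap_conf_t;
	')

	files_search_etc($1)
	allow $1 gdomap_conf_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gdomap_read_config'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a gdomap environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`gdomap_admin',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gdomap_admin'($*)) dnl
	gen_require(`
		type gdomap_t, gdomap_conf_t, gdomap_initrc_exec_t;
		type gdomap_var_run_t;
	')

	# ptrace was previously unconditional; it is now gated on the
	# deny_ptrace boolean like ftp_admin, fwupd_admin and geoclue_admin.
	allow $1 gdomap_t:process signal_perms;
	ps_process_pattern($1, gdomap_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 gdomap_t:process ptrace;
	')

	init_labeled_script_domtrans($1, gdomap_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 gdomap_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, gdomap_conf_t)

	files_search_pids($1)
	admin_pattern($1, gdomap_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gdomap_admin'($*)) dnl
')

## <summary>Geoclue is a D-Bus service that provides location information</summary>

########################################
## <summary>
##	Execute geoclue in the geoclue domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`geoclue_domtrans',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `geoclue_domtrans'($*)) dnl
	gen_require(`
		type geoclue_t, geoclue_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, geoclue_exec_t, geoclue_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `geoclue_domtrans'($*)) dnl
')

########################################
## <summary>
##	Search geoclue lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.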
## ## # define(`geoclue_search_lib',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `geoclue_search_lib'($*)) dnl gen_require(` type geoclue_var_lib_t; ') allow $1 geoclue_var_lib_t:dir search_dir_perms; files_search_var_lib($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `geoclue_search_lib'($*)) dnl ') ######################################## ## ## Read geoclue lib files. ## ## ## ## Domain allowed access. ## ## # define(`geoclue_read_lib_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `geoclue_read_lib_files'($*)) dnl gen_require(` type geoclue_var_lib_t; ') files_search_var_lib($1) read_files_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `geoclue_read_lib_files'($*)) dnl ') ######################################## ## ## Manage geoclue lib files. ## ## ## ## Domain allowed access. ## ## # define(`geoclue_manage_lib_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `geoclue_manage_lib_files'($*)) dnl gen_require(` type geoclue_var_lib_t; ') files_search_var_lib($1) manage_files_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `geoclue_manage_lib_files'($*)) dnl ') ######################################## ## ## Manage geoclue lib directories. ## ## ## ## Domain allowed access. 
##	</summary>
## </param>
#
define(`geoclue_manage_lib_dirs',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `geoclue_manage_lib_dirs'($*)) dnl
	gen_require(`
		type geoclue_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, geoclue_var_lib_t, geoclue_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `geoclue_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from geoclue over
##	dbus, and let geoclue read the caller process state.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`geoclue_dbus_chat',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `geoclue_dbus_chat'($*)) dnl
	gen_require(`
		type geoclue_t;
		class dbus send_msg;
	')

	allow $1 geoclue_t:dbus send_msg;
	allow geoclue_t $1:dbus send_msg;
	# Note the direction: this is geoclue_t reading the state of the
	# calling domain (proc entries), not the caller reading geoclue.
	ps_process_pattern(geoclue_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `geoclue_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a geoclue environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`geoclue_admin',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `geoclue_admin'($*)) dnl
	gen_require(`
		type geoclue_t;
		type geoclue_var_lib_t;
	')

	# ptrace only while the deny_ptrace boolean is off.
	allow $1 geoclue_t:process { signal_perms };
	ps_process_pattern($1, geoclue_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 geoclue_t:process ptrace;
	')

	files_search_var_lib($1)
	admin_pattern($1, geoclue_var_lib_t)

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `geoclue_admin'($*)) dnl
')

## <summary>GIT revision control system.</summary>

########################################
## <summary>
##	Role access for Git session.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
## ## # define(`git_role',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `git_role'($*)) dnl gen_require(` attribute_role git_session_roles; type git_session_t, gitd_exec_t, git_user_content_t; ') ######################################## # # Declarations # roleattribute $1 git_session_roles; ######################################## # # Policy # allow $2 git_user_content_t:dir { manage_dir_perms relabel_dir_perms }; allow $2 git_user_content_t:file { exec_file_perms manage_file_perms relabel_file_perms }; userdom_user_home_dir_filetrans($2, git_user_content_t, dir, "public_git") allow $2 git_session_t:process signal_perms; tunable_policy(`deny_ptrace',`',` allow $2 git_session_t:process ptrace; ') ps_process_pattern($2, git_session_t) tunable_policy(`git_session_users',` domtrans_pattern($2, gitd_exec_t, git_session_t) ',` can_exec($2, gitd_exec_t) ') dnl popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `git_role'($*)) dnl ') ######################################## ## ## Read generic system content files. ## ## ## ## Domain allowed access. 
## </summary>
## </param>
#
define(`git_read_generic_sys_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `git_read_generic_sys_content_files'($*)) dnl
	gen_require(`
		type git_sys_content_t;
	')

	files_search_var_lib($1)

	# read-only view of system repositories, including mmap of the
	# pack/index files (the map permission)
	read_files_pattern($1, git_sys_content_t, git_sys_content_t)
	read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t)
	list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
	allow $1 git_sys_content_t:file map;

	# NOTE(review): the two booleans widen this well beyond
	# git_sys_content_t - they open read access to any CIFS/NFS mount,
	# not just the one holding repositories
	tunable_policy(`git_system_use_nfs',`
		fs_getattr_nfs($1)
		fs_list_nfs($1)
		fs_read_nfs_files($1)
	')

	tunable_policy(`git_system_use_cifs',`
		fs_getattr_cifs($1)
		fs_list_cifs($1)
		fs_read_cifs_files($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `git_read_generic_sys_content_files'($*)) dnl
')

#######################################
## <summary>
##	Create Git user content with a
##	named file transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`git_filetrans_user_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `git_filetrans_user_content'($*)) dnl
	gen_require(`
		type git_user_content_t;
	')

	# a directory named public_git created in the user home dir gets the
	# git content label automatically
	userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `git_filetrans_user_content'($*)) dnl
')

## <summary>Tools for managing and hosting git repositories.</summary>

#######################################
## <summary>
##	Execute a domain transition to run gitosis.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
define(`gitosis_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gitosis_domtrans'($*)) dnl
	gen_require(`
		type gitosis_t, gitosis_exec_t;
	')

	# exec of gitosis_exec_t lands the caller in gitosis_t
	domtrans_pattern($1, gitosis_exec_t, gitosis_t)
	corecmd_search_bin($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gitosis_domtrans'($*)) dnl
')

#######################################
## <summary>
##	Execute gitosis-serve in the
##	gitosis domain, and allow the
##	specified role the gitosis domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`gitosis_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gitosis_run'($*)) dnl
	gen_require(`
		attribute_role gitosis_roles;
	')

	# the role must be able to hold gitosis_t or the transition from
	# gitosis_domtrans would be refused by RBAC
	roleattribute $2 gitosis_roles;
	gitosis_domtrans($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gitosis_run'($*)) dnl
')

#######################################
## <summary>
##	Read gitosis lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gitosis_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gitosis_read_lib_files'($*)) dnl
	gen_require(`
		type gitosis_var_lib_t;
	')

	# read-only: files, symlinks and directory listings under /var/lib
	list_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
	read_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
	read_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gitosis_read_lib_files'($*)) dnl
')

#######################################
## <summary>
##	Mmap gitosis lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`gitosis_mmap_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gitosis_mmap_lib_files'($*)) dnl
	gen_require(`
		type gitosis_var_lib_t;
	')

	# map only; pair with gitosis_read_lib_files for open/read
	allow $1 gitosis_var_lib_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gitosis_mmap_lib_files'($*)) dnl
')

######################################
## <summary>
##	Create, read, write, and delete
##	gitosis lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gitosis_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gitosis_manage_lib_files'($*)) dnl
	gen_require(`
		type gitosis_var_lib_t;
	')

	# files only - directory creation/removal is not part of this grant
	manage_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gitosis_manage_lib_files'($*)) dnl
')

## <summary>OpenStack image registry and delivery service.</summary>

#######################################
## <summary>
##	Creates types and rules for a basic
##	glance daemon domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
define(`glance_basic_types_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_basic_types_template'($*)) dnl
	gen_require(`
		attribute glance_domain;
	')

	########################################
	#
	# Declarations
	#

	type $1_t, glance_domain;
	type $1_exec_t;

	type $1_unit_file_t;
	systemd_unit_file($1_unit_file_t)

	########################################
	#
	# Policy shared by every glance daemon
	#

	auth_use_nsswitch($1_t)
	logging_send_syslog_msg($1_t)
	kernel_read_system_state($1_t)

	# NOTE(review): unlabeled traffic is accepted, so labeled networking
	# does not constrain who can reach these daemons
	corenet_all_recvfrom_netlabel($1_t)
	corenet_all_recvfrom_unlabeled($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_basic_types_template'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to
##	run glance registry.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
define(`glance_domtrans_registry',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_domtrans_registry'($*)) dnl
	gen_require(`
		type glance_registry_t, glance_registry_exec_t;
	')

	domtrans_pattern($1, glance_registry_exec_t, glance_registry_t)
	corecmd_search_bin($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_domtrans_registry'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to
##	run glance api.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`glance_domtrans_api',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_domtrans_api'($*)) dnl
	gen_require(`
		type glance_api_t, glance_api_exec_t;
	')

	domtrans_pattern($1, glance_api_exec_t, glance_api_t)
	corecmd_search_bin($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_domtrans_api'($*)) dnl
')

########################################
## <summary>
##	Read glance log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`glance_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_read_log'($*)) dnl
	gen_require(`
		type glance_log_t;
	')

	# read-only; the /var/log search right makes the log dir reachable
	read_files_pattern($1, glance_log_t, glance_log_t)
	logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_read_log'($*)) dnl
')

########################################
## <summary>
##	Append glance log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`glance_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_append_log'($*)) dnl
	gen_require(`
		type glance_log_t;
	')

	# append only - no truncation or rewrite of existing log content
	append_files_pattern($1, glance_log_t, glance_log_t)
	logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_append_log'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	glance log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`glance_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_manage_log'($*)) dnl
	gen_require(`
		type glance_log_t;
	')

	# full control of the log tree: directories, files and symlinks
	manage_lnk_files_pattern($1, glance_log_t, glance_log_t)
	manage_files_pattern($1, glance_log_t, glance_log_t)
	manage_dirs_pattern($1, glance_log_t, glance_log_t)
	logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_manage_log'($*)) dnl
')

########################################
## <summary>
##	Search glance lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`glance_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_search_lib'($*)) dnl
	gen_require(`
		type glance_var_lib_t;
	')

	# path traversal only, no listing of the glance state tree
	files_search_var_lib($1)
	allow $1 glance_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read glance lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`glance_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_read_lib_files'($*)) dnl
	gen_require(`
		type glance_var_lib_t;
	')

	# read-only on files in the glance state tree
	read_files_pattern($1, glance_var_lib_t, glance_var_lib_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	glance lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`glance_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_manage_lib_files'($*)) dnl
	gen_require(`
		type glance_var_lib_t;
	')

	# files only; use glance_manage_lib_dirs for the directories
	manage_files_pattern($1, glance_var_lib_t, glance_var_lib_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	glance lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`glance_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_manage_lib_dirs'($*)) dnl
	gen_require(`
		type glance_var_lib_t;
	')

	# directories only; use glance_manage_lib_files for the files
	manage_dirs_pattern($1, glance_var_lib_t, glance_var_lib_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Read glance pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`glance_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_read_pid_files'($*)) dnl
	gen_require(`
		type glance_var_run_t;
	')

	# read-only on the runtime (pid) files
	read_files_pattern($1, glance_var_run_t, glance_var_run_t)
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	glance pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`glance_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_manage_pid_files'($*)) dnl
	gen_require(`
		type glance_var_run_t;
	')

	# files only; no directory creation under the pid tree
	manage_files_pattern($1, glance_var_run_t, glance_var_run_t)
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_manage_pid_files'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an glance environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
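## </summary>
## </param>
## <rolecap/>
#
define(`glance_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glance_admin'($*)) dnl
	gen_require(`
		type glance_registry_t, glance_api_t, glance_log_t;
		type glance_var_lib_t, glance_var_run_t;
		type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
	')

	# process control over both daemons. The api daemon was previously
	# covered by the ptrace grant and the initrc transition below but not
	# by signal/ps, so an admin could inspect glance-api with ptrace yet
	# could not stop it or read its /proc state; both daemons now get the
	# same control.
	allow $1 glance_registry_t:process signal_perms;
	ps_process_pattern($1, glance_registry_t)

	allow $1 glance_api_t:process signal_perms;
	ps_process_pattern($1, glance_api_t)

	# ptrace only while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 glance_registry_t:process ptrace;
		allow $1 glance_api_t:process ptrace;
	')

	# start/stop through the init scripts: the admin role is allowed into
	# system_r for that, and the domain is exempt from the system domain
	# change restrictions
	init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
	domain_system_change_exemption($1)
	role_transition $2 { glance_api_initrc_exec_t glance_registry_initrc_exec_t } system_r;
	allow $2 system_r;

	# full administrative control of logs, state and runtime files
	logging_search_logs($1)
	admin_pattern($1, glance_log_t)

	files_search_var_lib($1)
	admin_pattern($1, glance_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, glance_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glance_admin'($*)) dnl
')

## <summary>policy for glusterd</summary>

########################################
## <summary>
##	Transition to glusterd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`glusterd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_domtrans'($*)) dnl
	gen_require(`
		type glusterd_t, glusterd_exec_t;
	')

	# exec of glusterd_exec_t lands the caller in glusterd_t
	corecmd_search_bin($1)
	domtrans_pattern($1, glusterd_exec_t, glusterd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute glusterd server in the glusterd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.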
## </summary>
## </param>
#
define(`glusterd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_initrc_domtrans'($*)) dnl
	gen_require(`
		type glusterd_initrc_exec_t;
	')

	# run the glusterd init script in the init script domain
	init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_initrc_domtrans'($*)) dnl
')

#######################################
## <summary>
##	Connect to glusterd over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`glusterd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_stream_connect'($*)) dnl
	gen_require(`
		type glusterd_t;
	')

	# NOTE(review): only the connectto half is granted here; the caller
	# still needs write access to the socket file itself from elsewhere
	allow $1 glusterd_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Read glusterd's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`glusterd_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_read_log'($*)) dnl
	gen_require(`
		type glusterd_log_t;
	')

	# read-only on the log files
	read_files_pattern($1, glusterd_log_t, glusterd_log_t)
	logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_read_log'($*)) dnl
')

########################################
## <summary>
##	Append to glusterd log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`glusterd_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_append_log'($*)) dnl
	gen_require(`
		type glusterd_log_t;
	')

	# append only - existing log content cannot be rewritten
	append_files_pattern($1, glusterd_log_t, glusterd_log_t)
	logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_append_log'($*)) dnl
')

#######################################
## <summary>
##	Transition content labels to glusterd named content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`glusterd_filetrans_named_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_filetrans_named_pid'($*)) dnl
	gen_require(`
		type glusterd_var_run_t;
	')

	# a socket named glusterd.socket created in the pid directory gets the
	# glusterd runtime label. NOTE(review): this is a named transition
	# only - the sock_file create right on glusterd_var_run_t has to come
	# from another interface (glusterd_manage_pid covers dirs and files,
	# not sock_files).
	files_pid_filetrans($1, glusterd_var_run_t, sock_file, "glusterd.socket")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_filetrans_named_pid'($*)) dnl
')

########################################
## <summary>
##	Manage glusterd PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`glusterd_manage_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_manage_pid'($*)) dnl
	gen_require(`
		type glusterd_var_run_t;
	')

	# directories and regular files under the runtime tree
	manage_files_pattern($1, glusterd_var_run_t, glusterd_var_run_t)
	manage_dirs_pattern($1, glusterd_var_run_t, glusterd_var_run_t)
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_manage_pid'($*)) dnl
')

########################################
## <summary>
##	Manage glusterd log files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`glusterd_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_manage_log'($*)) dnl
	gen_require(`
		type glusterd_log_t;
	')

	# full control of the log tree: directories, files and symlinks
	manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)
	manage_files_pattern($1, glusterd_log_t, glusterd_log_t)
	manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t)
	logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_manage_log'($*)) dnl
')

######################################
## <summary>
##	Allow the specified domain to execute gluster's lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gluster_execute_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gluster_execute_lib'($*)) dnl
	gen_require(`
		type glusterd_var_lib_t;
	')

	# NOTE(review): this interface keeps the gluster_ prefix (not
	# glusterd_) for compatibility with existing callers.
	#
	# Executing out of /var/lib without a domain transition means the
	# code runs with the full privileges of the caller, so any domain
	# that can write glusterd_var_lib_t (glusterd_rw_lib,
	# glusterd_manage_lib_files) can get code run inside the caller
	# domain. Grant this sparingly.
	can_exec($1, glusterd_var_lib_t)
	allow $1 glusterd_var_lib_t:dir search_dir_perms;
	files_list_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gluster_execute_lib'($*)) dnl
')

######################################
## <summary>
##	Read glusterd's config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`glusterd_read_conf',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_read_conf'($*)) dnl
	gen_require(`
		type glusterd_conf_t;
	')

	# read-only on the configuration under /etc
	read_files_pattern($1, glusterd_conf_t, glusterd_conf_t)
	files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_read_conf'($*)) dnl
')

######################################
## <summary>
##	Dontaudit listing of /var/lib/glusterd directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
define(`glusterd_dontaudit_read_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_dontaudit_read_lib_dirs'($*)) dnl
	gen_require(`
		type glusterd_var_lib_t;
	')

	# silences denials for directory listing only; it grants nothing and
	# does not cover file reads, despite what the old summary implied
	dontaudit $1 glusterd_var_lib_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_dontaudit_read_lib_dirs'($*)) dnl
')

######################################
## <summary>
##	Read and write /var/lib/glusterd files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`glusterd_rw_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_rw_lib'($*)) dnl
	gen_require(`
		type glusterd_var_lib_t;
	')

	# read/write of existing files only - no create, unlink or rename
	rw_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_rw_lib'($*)) dnl
')

######################################
## <summary>
##	Read /var/lib/glusterd files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`glusterd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_read_lib_files'($*)) dnl
	gen_require(`
		type glusterd_var_lib_t;
	')

	# read-only on files; the explicit dir search is redundant with the
	# pattern but kept for parity with the manage variant
	read_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
	allow $1 glusterd_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_read_lib_files'($*)) dnl
')

######################################
## <summary>
##	Create, read, write, and delete /var/lib/glusterd files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
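## </summary>
## </param>
#
define(`glusterd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_manage_lib_files'($*)) dnl
	gen_require(`
		type glusterd_var_lib_t;
	')

	# files only - no directory creation or removal under /var/lib/glusterd
	files_search_var_lib($1)
	allow $1 glusterd_var_lib_t:dir search_dir_perms;
	manage_files_pattern($1, glusterd_var_lib_t, glusterd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_manage_lib_files'($*)) dnl
')

######################################
## <summary>
##	All of the rules required to administrate
##	an glusterd environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`glusterd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `glusterd_admin'($*)) dnl
	gen_require(`
		type glusterd_t;
		type glusterd_initrc_exec_t;
		type glusterd_log_t;
		type glusterd_tmp_t;
		type glusterd_conf_t;
		type glusterd_var_lib_t;
		type glusterd_var_run_t;
	')

	# process control: /proc visibility, signals, and ptrace while the
	# deny_ptrace boolean is off
	allow $1 glusterd_t:process { signal_perms };
	ps_process_pattern($1, glusterd_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 glusterd_t:process ptrace;
	')

	# start/stop through the init script: the admin role is allowed into
	# system_r for that, and the domain is exempt from the system domain
	# change restrictions
	glusterd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 glusterd_initrc_exec_t system_r;
	allow $2 system_r;

	logging_search_logs($1)
	admin_pattern($1, glusterd_log_t)

	admin_pattern($1, glusterd_tmp_t)

	# the conf tree lives under /etc, which has to be searchable first
	# (glusterd_read_conf does the same)
	files_search_etc($1)
	admin_pattern($1, glusterd_conf_t)

	# The state tree and the runtime (pid) tree were missing from the
	# admin set even though the interface claims to cover the whole
	# environment and both types exist in this module; glance_admin and
	# geoclue_admin cover theirs, so do the same here.
	files_search_var_lib($1)
	admin_pattern($1, glusterd_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, glusterd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `glusterd_admin'($*)) dnl
')

## <summary>GNU network object model environment (GNOME)</summary>

#######################################
## <summary>
##	Role access for gnome. (Deprecated)
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.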
## </summary>
## </param>
#
define(`gnome_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_role'($*)) dnl
	# deprecated stub: emits a build-time warning and grants nothing;
	# callers should use gnome_role_template instead
	refpolicywarn(`$0($*) has been deprecated')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_role'($*)) dnl
')

######################################
## <summary>
##	The role template for the gnome-keyring-daemon.
## </summary>
## <param name="prefix">
##	<summary>
##	The user prefix.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The user role.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	The user domain associated with the role.
##	</summary>
## </param>
#
define(`gnome_role_gkeyringd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_role_gkeyringd'($*)) dnl
	# deprecated stub: emits a build-time warning and grants nothing;
	# the gkeyringd rules now live in gnome_role_template
	refpolicywarn(`$0($*) has been deprecated')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_role_gkeyringd'($*)) dnl
')

######################################
## <summary>
##	The role template for gnome.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	The type of the user domain.
## </summary>
## </param>
#
define(`gnome_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_role_template'($*)) dnl
	gen_require(`
		attribute gnomedomain, gkeyringd_domain, gnome_home_type;
		attribute_role gconfd_roles;
		type gkeyringd_exec_t, gkeyringd_tmp_t;
		type gconfd_t, gconfd_exec_t, gconf_tmp_t;
		class dbus send_msg;
	')

	########################################
	#
	# Gconf declarations
	#

	roleattribute $2 gconfd_roles;

	########################################
	#
	# Gkeyringd declarations
	#

	# one keyring daemon domain per user prefix, e.g. user_gkeyringd_t
	type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
	userdom_user_application_domain($1_gkeyringd_t, gkeyringd_exec_t)
	domain_user_exemption_target($1_gkeyringd_t)
	role $2 types $1_gkeyringd_t;

	########################################
	#
	# Gconf policy
	#

	domtrans_pattern($3, gconfd_exec_t, gconfd_t)
	allow $3 gconfd_t:process { signal_perms };
	allow $3 gconfd_t:unix_stream_socket connectto;
	ps_process_pattern($3, gconfd_t)

	########################################
	#
	# Gkeyringd policy
	#

	allow $1_gkeyringd_t $3:unix_stream_socket { connectto create_stream_socket_perms };
	allow $1_gkeyringd_t self:process setsched;

	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)

	# the user domain fully owns (and may relabel) every gnome home type
	# plus the keyring and gconf tmp content
	allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
	allow $3 { gnome_home_type gkeyringd_tmp_t gconf_tmp_t }:file { relabel_file_perms manage_file_perms };
	userdom_home_manager($1_gkeyringd_t)
	allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };

	ps_process_pattern($3, $1_gkeyringd_t)
	allow $3 $1_gkeyringd_t:process signal_perms;
	dontaudit $3 gkeyringd_exec_t:file entrypoint;

	# NOTE(review): the keyring daemon may kill the user domain outright
	allow $1_gkeyringd_t $3:process sigkill;

	allow $3 $1_gkeyringd_t:fd use;
	allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
	# NOTE(review): acquire_svc against another domain rather than self is
	# unusual for a dbus rule - confirm it is actually needed
	allow $3 $1_gkeyringd_t:dbus { acquire_svc };

	stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)

	kernel_read_system_state($1_gkeyringd_t)

	# NOTE(review): binaries and shells run by the keyring daemon transition
	# back into the full user domain, so a compromised gnome-keyring-daemon
	# can execute arbitrary commands with the privileges of $3
	corecmd_bin_domtrans($1_gkeyringd_t, $3)
	corecmd_shell_domtrans($1_gkeyringd_t, $3)

	gnome_stream_connect_gkeyringd($3)

	ps_process_pattern($1_gkeyringd_t, $3)

	auth_use_nsswitch($1_gkeyringd_t)

	logging_send_syslog_msg($1_gkeyringd_t)

	userdom_rw_user_tmp_sock_files($1_gkeyringd_t)

	allow $1_gkeyringd_t $3:dbus { acquire_svc send_msg };
	allow $3 $1_gkeyringd_t:dbus send_msg;

	optional_policy(`
		dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
		dbus_stream_connect_system_dbusd($1_gkeyringd_t)
		dbus_send_system_bus($1_gkeyringd_t)
		gnome_manage_generic_home_dirs($1_gkeyringd_t)
		gnome_read_generic_data_home_files($1_gkeyringd_t)
		gnome_read_generic_data_home_dirs($1_gkeyringd_t)

		optional_policy(`
			telepathy_mission_control_read_state($1_gkeyringd_t)
			telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t)
		')

		optional_policy(`
			systemd_dbus_chat_logind($1_gkeyringd_t)
		')
	')

	optional_policy(`
		ssh_agent_exec($1_gkeyringd_t)
	')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_role_template'($*)) dnl
')

#######################################
## <summary>
##	Allow domain to run gkeyring in the $1_gkeyringd_t domain.
## </summary>
## <param name="prefix">
##	<summary>
##	The user prefix.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The user role.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_run_gkeyringd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_run_gkeyringd'($*)) dnl
	gen_require(`
		type $1_gkeyringd_t;
		type gkeyringd_exec_t;
	')

	# the per-prefix keyring domain must already exist (gnome_role_template)
	role $2 types $1_gkeyringd_t;
	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_run_gkeyringd'($*)) dnl
')

########################################
## <summary>
##	gconf connection template.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`gnome_stream_connect_gconf',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_stream_connect_gconf'($*)) dnl
	gen_require(`
		type gconfd_t, gconf_tmp_t;
	')

	# connect to the gconfd socket; the tmp read is for the socket
	# location file gconf clients consult first
	allow $1 gconfd_t:unix_stream_socket connectto;
	read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_stream_connect_gconf'($*)) dnl
')

########################################
## <summary>
##	Connect to gkeyringd with a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_stream_connect_gkeyringd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_stream_connect_gkeyringd'($*)) dnl
	gen_require(`
		attribute gkeyringd_domain;
		type gkeyringd_tmp_t;
		type gconf_tmp_t;
		type cache_home_t;
	')

	# the keyring control socket may live in the keyring tmp dir or in
	# the user cache home, so both are connectable for any keyring domain
	stream_connect_pattern($1, cache_home_t, cache_home_t, gkeyringd_domain)
	stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)

	userdom_search_user_tmp_dirs($1)
	allow $1 gconf_tmp_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_stream_connect_gkeyringd'($*)) dnl
')

########################################
## <summary>
##	Run gconfd in gconfd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_domtrans_gconfd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_domtrans_gconfd'($*)) dnl
	gen_require(`
		type gconfd_t, gconfd_exec_t;
	')

	# exec of gconfd_exec_t lands the caller in gconfd_t
	domtrans_pattern($1, gconfd_exec_t, gconfd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_domtrans_gconfd'($*)) dnl
')

########################################
## <summary>
##	Dontaudit read gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
define(`gnome_dontaudit_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_dontaudit_read_config'($*)) dnl
	gen_require(`
		attribute gnome_home_type;
	')

	# silence denials only; nothing is granted
	dontaudit $1 gnome_home_type:file read_file_perms;
	dontaudit $1 gnome_home_type:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_dontaudit_read_config'($*)) dnl
')

########################################
## <summary>
##	Dontaudit search gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`gnome_dontaudit_search_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_dontaudit_search_config'($*)) dnl
	gen_require(`
		attribute gnome_home_type;
	')

	# silence denials only; nothing is granted
	dontaudit $1 gnome_home_type:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_dontaudit_search_config'($*)) dnl
')

########################################
## <summary>
##	Dontaudit append to gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`gnome_dontaudit_append_config_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_dontaudit_append_config_files'($*)) dnl
	gen_require(`
		attribute gnome_home_type;
	')

	# append only - the old summary said write, but only append denials
	# are silenced here; see gnome_dontaudit_write_config_files for write
	dontaudit $1 gnome_home_type:file append;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_dontaudit_append_config_files'($*)) dnl
')

########################################
## <summary>
##	Dontaudit write gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
define(`gnome_dontaudit_write_config_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_dontaudit_write_config_files'($*)) dnl
	gen_require(`
		attribute gnome_home_type;
	')

	# silence write denials only; nothing is granted
	dontaudit $1 gnome_home_type:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_dontaudit_write_config_files'($*)) dnl
')

########################################
## <summary>
##	manage gnome homedir content (.config)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_config'($*)) dnl
	gen_require(`
		attribute gnome_home_type;
	')

	userdom_search_user_home_dirs($1)

	# NOTE(review): gnome_home_type is an attribute, so this covers every
	# gnome home type at once, including the keyring data, not just
	# ~/.config; files may also be mapped
	allow $1 gnome_home_type:sock_file manage_sock_file_perms;
	allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
	allow $1 gnome_home_type:file { manage_file_perms map };
	allow $1 gnome_home_type:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_config'($*)) dnl
')

########################################
## <summary>
##	Send general signals to all gnome domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_signal_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_signal_all'($*)) dnl
	gen_require(`
		attribute gnomedomain;
	')

	# plain signal only (not sigkill/sigstop) to every gnomedomain member
	allow $1 gnomedomain:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_signal_all'($*)) dnl
')

########################################
## <summary>
##	Create objects in a Gnome cache home directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
## </summary>
## </param>
#
define(`gnome_cache_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_cache_filetrans'($*)) dnl
	gen_require(`
		type cache_home_t;
	')

	userdom_search_user_home_dirs($1)

	# objects of class $3 (optionally only those named $4) created in
	# ~/.cache get the private type $2
	filetrans_pattern($1, cache_home_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_cache_filetrans'($*)) dnl
')

########################################
## <summary>
##	Create objects in a Gnome config home directory
##	(.config) with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`gnome_config_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_config_filetrans'($*)) dnl
	gen_require(`
		type config_home_t;
	')

	userdom_search_user_home_dirs($1)

	# same shape as gnome_cache_filetrans but anchored at config_home_t
	filetrans_pattern($1, config_home_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_config_filetrans'($*)) dnl
')

########################################
## <summary>
##	Read generic cache home files (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_read_generic_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_generic_cache_files'($*)) dnl
	gen_require(`
		type cache_home_t;
	')

	userdom_search_user_home_dirs($1)
	read_files_pattern($1, cache_home_t, cache_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_read_generic_cache_files'($*)) dnl
')

########################################
## <summary>
##	Create generic cache home dir (.cache)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_create_generic_cache_dir',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_create_generic_cache_dir'($*))dnl
	gen_require(`
		type cache_home_t;
	')

	allow $1 cache_home_t:dir create_dir_perms;
	# Named transition: a directory called ".cache" created directly in
	# the user home directory is labelled cache_home_t.
	userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_create_generic_cache_dir'($*))dnl
')

########################################
## <summary>
##	Set attributes of the cache home dir (.cache).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_setattr_cache_home_dir',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_setattr_cache_home_dir'($*))dnl
	gen_require(`
		type cache_home_t;
	')

	setattr_dirs_pattern($1, cache_home_t, cache_home_t)
	userdom_search_user_home_dirs($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_setattr_cache_home_dir'($*))dnl
')

########################################
## <summary>
##	Manage the cache home dir (.cache): create, delete,
##	rename and list cache_home_t directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_manage_cache_home_dir',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_cache_home_dir'($*))dnl
	gen_require(`
		type cache_home_t;
	')

	# Directories only; files inside need gnome_manage_generic_cache_files.
	manage_dirs_pattern($1, cache_home_t, cache_home_t)
	userdom_search_user_home_dirs($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_cache_home_dir'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to manage the cache home dir (.cache).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`gnome_dontaudit_manage_cache_home_dir',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_dontaudit_manage_cache_home_dir'($*))dnl
	gen_require(`
		type cache_home_t;
	')

	# Suppresses denials only; nothing is allowed.
	dontaudit $1 cache_home_t:dir manage_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_dontaudit_manage_cache_home_dir'($*))dnl
')

########################################
## <summary>
##	Append to generic cache home files (.cache).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_append_generic_cache_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_append_generic_cache_files'($*))dnl
	gen_require(`
		type cache_home_t;
	')

	append_files_pattern($1, cache_home_t, cache_home_t)
	userdom_search_user_home_dirs($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_append_generic_cache_files'($*))dnl
')

########################################
## <summary>
##	Write to generic cache home files (.cache).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_write_generic_cache_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_write_generic_cache_files'($*))dnl
	gen_require(`
		type cache_home_t;
	')

	# Write (not create/delete) existing cache files.
	write_files_pattern($1, cache_home_t, cache_home_t)
	userdom_search_user_home_dirs($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_write_generic_cache_files'($*))dnl
')

########################################
## <summary>
##	Manage generic cache home files (.cache).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
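##	</summary>
## </param>
#
define(`gnome_manage_generic_cache_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_generic_cache_files'($*))dnl
	gen_require(`
		type cache_home_t;
	')

	# Create, read, write, delete and rename cache_home_t files.
	manage_files_pattern($1, cache_home_t, cache_home_t)
	userdom_search_user_home_dirs($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_generic_cache_files'($*))dnl
')

########################################
## <summary>
##	Delete generic cache home files (.cache).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_delete_generic_cache_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_delete_generic_cache_files'($*))dnl
	gen_require(`
		type cache_home_t;
	')

	# cache_home_t lives below the user home directory (~/.cache), so the
	# caller needs home directory search, as in every other cache_home_t
	# interface in this file.
	userdom_search_user_home_dirs($1)
	# Retained for existing callers; it is not needed to reach ~/.cache.
	files_search_tmp($1)
	# NOTE(review): unlink on the file does not include remove_name on the
	# containing cache_home_t directory; callers obtain that elsewhere
	# (e.g. gnome_manage_cache_home_dir) or the delete is still denied.
	allow $1 cache_home_t:file unlink;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_delete_generic_cache_files'($*))dnl
')

########################################
## <summary>
##	Manage sock_files in the generic cache home files (.cache).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_manage_generic_cache_sockets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_generic_cache_sockets'($*))dnl
	gen_require(`
		type cache_home_t;
	')

	userdom_search_user_home_dirs($1)
	manage_sock_files_pattern($1, cache_home_t, cache_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_generic_cache_sockets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to read/write inherited
##	generic cache home files (.cache).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.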
##	</summary>
## </param>
#
define(`gnome_dontaudit_rw_generic_cache_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_dontaudit_rw_generic_cache_files'($*))dnl
	gen_require(`
		type cache_home_t;
	')

	# Covers only descriptors inherited across exec (no open permission).
	dontaudit $1 cache_home_t:file rw_inherited_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_dontaudit_rw_generic_cache_files'($*))dnl
')

########################################
## <summary>
##	Read gnome homedir content (.config): list directories and
##	read files and symlinks of every gnome_home_type type,
##	plus the usr config read access from gnome_read_usr_config.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_read_config',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_config'($*))dnl
	gen_require(`
		attribute gnome_home_type;
	')

	list_dirs_pattern($1, gnome_home_type, gnome_home_type)
	read_files_pattern($1, gnome_home_type, gnome_home_type)
	read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
	# Also grants the system-wide usr config (defined elsewhere in this file).
	gnome_read_usr_config($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_read_config'($*))dnl
')

########################################
## <summary>
##	Create objects in a Gnome data home directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`gnome_data_filetrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_data_filetrans'($*))dnl
	gen_require(`
		type data_home_t;
	')

	filetrans_pattern($1, data_home_t, $2, $3, $4)
	# Search on gconf_home_t and the user home dir comes from gnome_search_gconf.
	gnome_search_gconf($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_data_filetrans'($*))dnl
')

########################################
## <summary>
##	Read generic data home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_read_generic_data_home_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_generic_data_home_files'($*))dnl
	gen_require(`
		type data_home_t, gconf_home_t;
	')

	# Files may sit under either gconf_home_t or data_home_t directories.
	read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
	read_lnk_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_read_generic_data_home_files'($*))dnl
')

########################################
## <summary>
##	Map (mmap) generic data home files and gconf home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_map_generic_data_home_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_map_generic_data_home_files'($*))dnl
	gen_require(`
		type data_home_t, gconf_home_t;
	')

	# map only; read/open must come from gnome_read_generic_data_home_files.
	allow $1 data_home_t:file map;
	allow $1 gconf_home_t:file map;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_map_generic_data_home_files'($*))dnl
')

########################################
## <summary>
##	Read (list) generic data home dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_read_generic_data_home_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_generic_data_home_dirs'($*))dnl
	gen_require(`
		type data_home_t, gconf_home_t;
	')

	list_dirs_pattern($1, { gconf_home_t data_home_t }, data_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_read_generic_data_home_dirs'($*))dnl
')

########################################
## <summary>
##	Watch generic data home dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_watch_generic_data_home_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_watch_generic_data_home_dirs'($*))dnl
	gen_require(`
		type data_home_t;
	')

	watch_dirs_pattern($1, data_home_t, data_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_watch_generic_data_home_dirs'($*))dnl
')

########################################
## <summary>
##	Manage data home content: directories, files and
##	symlinks of type data_home_t, with search on gconf_home_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_manage_data',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_data'($*))dnl
	gen_require(`
		type data_home_t;
		type gconf_home_t;
	')

	# Search only on the gconf_home_t parent; full manage on data_home_t.
	allow $1 gconf_home_t:dir search_dir_perms;
	manage_dirs_pattern($1, data_home_t, data_home_t)
	manage_files_pattern($1, data_home_t, data_home_t)
	manage_lnk_files_pattern($1, data_home_t, data_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_data'($*))dnl
')

########################################
## <summary>
##	Read icc data home content: list, read, map and
##	follow symlinks of type icc_data_home_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_read_home_icc_data_content',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_home_icc_data_content'($*))dnl
	gen_require(`
		type icc_data_home_t, gconf_home_t, data_home_t;
	')

	# Path access: home dir -> gconf_home_t/data_home_t -> icc_data_home_t.
	userdom_search_user_home_dirs($1)
	allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
	allow $1 icc_data_home_t:file map;
	list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
	read_files_pattern($1, icc_data_home_t, icc_data_home_t)
	read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_read_home_icc_data_content'($*))dnl
')

########################################
## <summary>
##	Read inherited icc data home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_read_inherited_home_icc_data_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_inherited_home_icc_data_files'($*))dnl
	gen_require(`
		type icc_data_home_t;
	')

	# Inherited descriptors only; no open, so the caller cannot reopen the file.
	allow $1 icc_data_home_t:file read_inherited_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_read_inherited_home_icc_data_files'($*))dnl
')

########################################
## <summary>
##	Create gconf_home_t objects in the /root directory
##	with an automatic type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`gnome_admin_home_gconf_filetrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_admin_home_gconf_filetrans'($*))dnl
	gen_require(`
		type gconf_home_t;
	')

	# Admin (root) home dir, unlike the user home dir filetrans interfaces above.
	userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_admin_home_gconf_filetrans'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to read
##	inherited gconf config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`gnome_dontaudit_read_inherited_gconf_config_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_dontaudit_read_inherited_gconf_config_files'($*))dnl
	gen_require(`
		type gconf_etc_t;
	')

	dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_dontaudit_read_inherited_gconf_config_files'($*))dnl
')

########################################
## <summary>
##	Read gconf config files (gconf_etc_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_read_gconf_config',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_gconf_config'($*))dnl
	gen_require(`
		type gconf_etc_t;
	')

	allow $1 gconf_etc_t:dir list_dir_perms;
	read_files_pattern($1, gconf_etc_t, gconf_etc_t)
	# gconf_etc_t is reached through /etc.
	files_search_etc($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_read_gconf_config'($*))dnl
')

########################################
## <summary>
##	Manage gconf config files (gconf_etc_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_manage_gconf_config',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_gconf_config'($*))dnl
	gen_require(`
		type gconf_etc_t;
	')

	allow $1 gconf_etc_t:dir list_dir_perms;
	# Unlike gnome_read_gconf_config this does not add /etc search;
	# callers are expected to have it already.
	manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_gconf_config'($*))dnl
')

########################################
## <summary>
##	Execute gconf programs in the caller domain
##	(no domain transition).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_exec_gconf',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_exec_gconf'($*))dnl
	gen_require(`
		type gconfd_exec_t;
	')

	can_exec($1, gconfd_exec_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_exec_gconf'($*))dnl
')

########################################
## <summary>
##	Execute gnome keyringd in the caller domain
##	(no domain transition).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_exec_keyringd',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_exec_keyringd'($*))dnl
	gen_require(`
		type gkeyringd_exec_t;
	')

	# Runs in the caller domain; the keyring daemon is NOT confined
	# by the gkeyringd domain when started this way.
	can_exec($1, gkeyringd_exec_t)
	corecmd_search_bin($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_exec_keyringd'($*))dnl
')

########################################
## <summary>
##	Search gconf home data dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_search_gconf_data_dir',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_search_gconf_data_dir'($*))dnl
	gen_require(`
		type gconf_home_t;
		type data_home_t;
	')

	userdom_search_user_home_dirs($1)
	# NOTE(review): list_dir_perms on gconf_home_t is broader than the
	# "search" in the interface name (it includes read of the directory).
	allow $1 gconf_home_t:dir list_dir_perms;
	allow $1 data_home_t:dir search_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_search_gconf_data_dir'($*))dnl
')

########################################
## <summary>
##	Read gconf home files and data home files
##	(gconf_home_t and data_home_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_read_gconf_home_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_gconf_home_files'($*))dnl
	gen_require(`
		type gconf_home_t;
		type data_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 gconf_home_t:dir list_dir_perms;
	allow $1 data_home_t:dir list_dir_perms;
	read_files_pattern($1, gconf_home_t, gconf_home_t)
	read_files_pattern($1, data_home_t, data_home_t)
	read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
	read_lnk_files_pattern($1, data_home_t, data_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_read_gconf_home_files'($*))dnl
')

########################################
## <summary>
##	Search gkeyringd temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_search_gkeyringd_tmp_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_search_gkeyringd_tmp_dirs'($*))dnl
	gen_require(`
		type gkeyringd_tmp_t;
	')

	# gkeyringd_tmp_t is reached through the generic tmp directory.
	files_search_tmp($1)
	allow $1 gkeyringd_tmp_t:dir search_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_search_gkeyringd_tmp_dirs'($*))dnl
')

########################################
## <summary>
##	List gkeyringd temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_list_gkeyringd_tmp_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_list_gkeyringd_tmp_dirs'($*))dnl
	gen_require(`
		type gkeyringd_tmp_t;
	')

	files_search_tmp($1)
	allow $1 gkeyringd_tmp_t:dir list_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_list_gkeyringd_tmp_dirs'($*))dnl
')

########################################
## <summary>
##	Delete gkeyringd temporary content:
##	directories, files and socket files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_delete_gkeyringd_tmp_content',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_delete_gkeyringd_tmp_content'($*))dnl
	gen_require(`
		type gkeyringd_tmp_t;
	')

	files_search_tmp($1)
	# The keyring control socket lives here, hence sock_file deletion too.
	delete_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
	delete_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
	delete_sock_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_delete_gkeyringd_tmp_content'($*))dnl
')

########################################
## <summary>
##	Manage gkeyringd temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_manage_gkeyringd_tmp_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_gkeyringd_tmp_dirs'($*))dnl
	gen_require(`
		type gkeyringd_tmp_t;
	')

	files_search_tmp($1)
	# Directories only; files and sockets are not covered here.
	manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_gkeyringd_tmp_dirs'($*))dnl
')

########################################
## <summary>
##	Search gconf homedir (.local).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_search_gconf',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_search_gconf'($*))dnl
	gen_require(`
		type gconf_home_t;
	')

	allow $1 gconf_home_t:dir search_dir_perms;
	userdom_search_user_home_dirs($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_search_gconf'($*))dnl
')

########################################
## <summary>
##	Set attributes of Gnome config dirs (gnome_home_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_setattr_config_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_setattr_config_dirs'($*))dnl
	gen_require(`
		type gnome_home_t;
	')

	setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
	# Uses files_search_home (the /home parent) rather than the
	# userdom_search_user_home_dirs used by the other interfaces here.
	files_search_home($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_setattr_config_dirs'($*))dnl
')

########################################
## <summary>
##	Manage generic gnome home files (gnome_home_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_manage_generic_home_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_generic_home_files'($*))dnl
	gen_require(`
		type gnome_home_t;
	')

	userdom_search_user_home_dirs($1)
	manage_files_pattern($1, gnome_home_t, gnome_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_generic_home_files'($*))dnl
')

########################################
## <summary>
##	Manage generic gnome home directories (gnome_home_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_manage_generic_home_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_generic_home_dirs'($*))dnl
	gen_require(`
		type gnome_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 gnome_home_t:dir manage_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_generic_home_dirs'($*))dnl
')

########################################
## <summary>
##	Append to gconf home files (gconf_home_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_append_gconf_home_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_append_gconf_home_files'($*))dnl
	gen_require(`
		type gconf_home_t;
	')

	# No home dir search is added; the caller must already reach gconf_home_t.
	append_files_pattern($1, gconf_home_t, gconf_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_append_gconf_home_files'($*))dnl
')

########################################
## <summary>
##	Manage gconf home files (gconf_home_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_manage_gconf_home_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_gconf_home_files'($*))dnl
	gen_require(`
		type gconf_home_t;
	')

	allow $1 gconf_home_t:dir list_dir_perms;
	manage_files_pattern($1, gconf_home_t, gconf_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_gconf_home_files'($*))dnl
')

########################################
## <summary>
##	Connect to a unix stream socket of any gnome_home_type
##	type in the user home directory, to a server running in
##	the given user domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
#
define(`gnome_stream_connect',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_stream_connect'($*))dnl
	gen_require(`
		attribute gnome_home_type;
	')

	# Historically added for the pulseaudio server socket, but the
	# pattern covers every gnome_home_type sock_file, not just that one.
	stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_stream_connect'($*))dnl
')

########################################
## <summary>
##	List gnome homedir content (.config) directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_list_home_config',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_list_home_config'($*))dnl
	gen_require(`
		type config_home_t;
	')

	# No home dir search is added here.
	allow $1 config_home_t:dir list_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_list_home_config'($*))dnl
')

########################################
## <summary>
##	Set attributes of gnome homedir content (.config) directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_setattr_home_config',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_setattr_home_config'($*))dnl
	gen_require(`
		type config_home_t;
	')

	# Same as gnome_setattr_home_config_dirs plus user home dir search.
	setattr_dirs_pattern($1, config_home_t, config_home_t)
	userdom_search_user_home_dirs($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_setattr_home_config'($*))dnl
')

########################################
## <summary>
##	Read gnome homedir content (.config): list directories,
##	read files and symlinks of type config_home_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_read_home_config',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_home_config'($*))dnl
	gen_require(`
		type config_home_t;
	')

	list_dirs_pattern($1, config_home_t, config_home_t)
	read_files_pattern($1, config_home_t, config_home_t)
	read_lnk_files_pattern($1, config_home_t, config_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_read_home_config'($*))dnl
')

########################################
## <summary>
##	Append to gnome homedir content (.config) files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_append_home_config',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_append_home_config'($*))dnl
	gen_require(`
		type config_home_t;
	')

	append_files_pattern($1, config_home_t, config_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_append_home_config'($*))dnl
')

########################################
## <summary>
##	Delete gnome homedir content (.config) files and symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_delete_home_config',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_delete_home_config'($*))dnl
	gen_require(`
		type config_home_t;
	')

	delete_files_pattern($1, config_home_t, config_home_t)
	delete_lnk_files_pattern($1, config_home_t, config_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_delete_home_config'($*))dnl
')

########################################
## <summary>
##	Create gnome homedir content (.config) directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_create_home_config_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_create_home_config_dirs'($*))dnl
	gen_require(`
		type config_home_t;
	')

	# Creation only; no type transition is set up here
	# (see gnome_config_filetrans).
	allow $1 config_home_t:dir create_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_create_home_config_dirs'($*))dnl
')

########################################
## <summary>
##	Set attributes of gnome homedir content (.config) directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_setattr_home_config_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_setattr_home_config_dirs'($*))dnl
	gen_require(`
		type config_home_t;
	')

	# Same as gnome_setattr_home_config but without user home dir search.
	setattr_dirs_pattern($1, config_home_t, config_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_setattr_home_config_dirs'($*))dnl
')

########################################
## <summary>
##	Manage gnome homedir content (.config) files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_manage_home_config',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_home_config'($*))dnl
	gen_require(`
		type config_home_t;
	')

	manage_files_pattern($1, config_home_t, config_home_t)
	# map in addition to the manage set so the files can be mmapped.
	allow $1 config_home_t:file map;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_home_config'($*))dnl
')

########################################
## <summary>
##	Delete gnome homedir content (.config) directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_delete_home_config_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_delete_home_config_dirs'($*))dnl
	gen_require(`
		type config_home_t;
	')

	delete_dirs_pattern($1, config_home_t, config_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_delete_home_config_dirs'($*))dnl
')

########################################
## <summary>
##	Manage gnome homedir content (.config) directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_manage_home_config_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_home_config_dirs'($*))dnl
	gen_require(`
		type config_home_t;
	')

	manage_dirs_pattern($1, config_home_t, config_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_home_config_dirs'($*))dnl
')

########################################
## <summary>
##	Watch gnome homedir content (.config) directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_watch_home_config_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_watch_home_config_dirs'($*))dnl
	gen_require(`
		type config_home_t;
	')

	watch_dirs_pattern($1, config_home_t, config_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_watch_home_config_dirs'($*))dnl
')

########################################
## <summary>
##	Watch gnome homedir content (.config) files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_watch_home_config_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_watch_home_config_files'($*))dnl
	gen_require(`
		type config_home_t;
	')

	watch_files_pattern($1, config_home_t, config_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_watch_home_config_files'($*))dnl
')

########################################
## <summary>
##	Manage gstreamer home content (gstreamer_home_t) directories
##	and files, including the name-based type transitions.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_manage_gstreamer_home_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_gstreamer_home_files'($*))dnl
	gen_require(`
		type gstreamer_home_t;
	')

	manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
	manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
	# Label new gstreamer dirs/files correctly as they are created.
	gnome_filetrans_gstreamer_home_content($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_gstreamer_home_files'($*))dnl
')

########################################
## <summary>
##	Allow execution of gstreamer home content files
##	in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_exec_gstreamer_home_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_exec_gstreamer_home_files'($*))dnl
	gen_require(`
		type gstreamer_home_t;
	')

	# SECURITY: gstreamer_home_t is content under the user home directory
	# (see gnome_filetrans_gstreamer_home_content), so this lets user-
	# controlled files execute in the caller domain with no transition.
	# Grant only to domains that genuinely load code from there.
	can_exec($1, gstreamer_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_exec_gstreamer_home_files'($*))dnl
')

########################################
## <summary>
##	Allow execution of config home content (.config) files
##	in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_exec_config_home_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_exec_config_home_files'($*))dnl
	gen_require(`
		type config_home_t;
	')

	# SECURITY: same caveat as gnome_exec_gstreamer_home_files; .config is
	# user-writable, so anything placed there runs in the caller domain.
	can_exec($1, config_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_exec_config_home_files'($*))dnl
')

########################################
## <summary>
##	File name transitions for gstreamer home content
##	(gstreamer_home_t) in user home, tmp and cache directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_filetrans_gstreamer_home_content',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_filetrans_gstreamer_home_content'($*))dnl
	gen_require(`
		type gstreamer_home_t;
	')

	# Grilo bookmark/metadata/podcast files directly in the user home dir.
	userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-bookmarks")
	userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-metadata-store")
	userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-podcasts")
	# Per-version gstreamer registry directories in the user home dir.
	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12")
	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")
	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.0")
	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.2")
	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
	# ORC code cache; note the tmp variant also labels a .orc dir created
	# in the user tmp directory as gstreamer_home_t.
	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
	userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc")
	# The same registry directories below ~/.cache (cache_home_t).
	gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.12")
	gnome_cache_filetrans($1, gstreamer_home_t, dir, "GLCache")
	gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.10")
	gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.0")
	gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.2")
	gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-10")
	gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-12")
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_filetrans_gstreamer_home_content'($*))dnl
')

########################################
## <summary>
##	Manage gstreamer home content (gstreamer_home_t) directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_manage_gstreamer_home_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_gstreamer_home_dirs'($*))dnl
	gen_require(`
		type gstreamer_home_t;
	')

	# Directories only; no file access and no type transitions.
	manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_gstreamer_home_dirs'($*))dnl
')

########################################
## <summary>
##	Read/write all inherited gnome home config files
##	(every gnome_home_type type).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gnome_rw_inherited_config',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_rw_inherited_config'($*))dnl
	gen_require(`
		attribute gnome_home_type;
	')

	# Inherited descriptors only (no open), so the caller cannot
	# reach these files on its own.
	allow $1 gnome_home_type:file rw_inherited_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_rw_inherited_config'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to read/write all inherited
##	gnome home config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`gnome_dontaudit_rw_inherited_config',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `gnome_dontaudit_rw_inherited_config'($*))dnl
	gen_require(`
		attribute gnome_home_type;
	')

	dontaudit $1 gnome_home_type:file rw_inherited_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `gnome_dontaudit_rw_inherited_config'($*))dnl
')

########################################
## <summary>
##	Send and receive messages from the
##	gconf system service over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## #
define(`gnome_dbus_chat_gconfdefault',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_dbus_chat_gconfdefault'($*)) dnl
	gen_require(`
		type gconfdefaultsm_t;
		class dbus send_msg;
	')

	# Bidirectional: both the caller and gconfdefaultsm_t may send.
	allow $1 gconfdefaultsm_t:dbus send_msg;
	allow gconfdefaultsm_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_dbus_chat_gconfdefault'($*)) dnl
')
######################################## ## ## Send and receive messages from ## gkeyringd over dbus. ## ## ## ## Domain allowed access. ## ## #
define(`gnome_dbus_chat_gkeyringd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_dbus_chat_gkeyringd'($*)) dnl
	gen_require(`
		attribute gkeyringd_domain;
		class dbus send_msg;
	')

	# gkeyringd_domain is an attribute: this reaches every per-user
	# keyring daemon domain, not a single type.
	allow $1 gkeyringd_domain:dbus send_msg;
	allow gkeyringd_domain $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_dbus_chat_gkeyringd'($*)) dnl
')
######################################## ## ## Send signull signal to gkeyringd processes. ## ## ## ## Domain allowed access. ## ## #
define(`gnome_signull_gkeyringd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_signull_gkeyringd'($*)) dnl
	gen_require(`
		attribute gkeyringd_domain;
	')

	# signull is an existence check (kill with signal 0), not a real signal.
	allow $1 gkeyringd_domain:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_signull_gkeyringd'($*)) dnl
')
######################################## ## ## Allow the domain to read gkeyringd state files in /proc. ## ## ## ## Domain allowed access. 
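## ## #
define(`gnome_read_gkeyringd_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_gkeyringd_state'($*)) dnl
	gen_require(`
		attribute gkeyringd_domain;
	')

	# Read /proc/<pid> entries of all gkeyringd domains (ps-style access).
	ps_process_pattern($1, gkeyringd_domain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_read_gkeyringd_state'($*)) dnl
')
######################################## ## ## Create directories in user home directories ## with the gnome home file type. ## ## ## ## Domain allowed access. ## ## #
define(`gnome_home_dir_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_home_dir_filetrans'($*)) dnl
	gen_require(`
		type gnome_home_t;
	')

	# No file name given: every directory the caller creates directly in
	# the user home directory gets gnome_home_t.
	userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
	userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_home_dir_filetrans'($*)) dnl
')
######################################## ## ## Allow audit_access checks on kde ## usr config content (config_usr_t). ## ## ## ## Domain allowed access. ## ## #
define(`gnome_access_check_usr_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_access_check_usr_config'($*)) dnl
	gen_require(`
		type config_usr_t;
	')

	# audit_access only: permits access(2)-style checks to be answered
	# without granting read, write or execute on the content itself.
	# The stray second semicolon that followed this rule was dropped.
	allow $1 config_usr_t:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_access_check_usr_config'($*)) dnl
')
###################################### ## ## Allow read kde config content ## ## ## ## Domain allowed access. 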
## ## #
define(`gnome_read_usr_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_read_usr_config'($*)) dnl
	gen_require(`
		type config_usr_t;
	')

	files_search_usr($1)
	list_dirs_pattern($1, config_usr_t, config_usr_t)
	read_files_pattern($1, config_usr_t, config_usr_t)
	read_lnk_files_pattern($1, config_usr_t, config_usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_read_usr_config'($*)) dnl
')
####################################### ## ## Allow manage kde config content ## ## ## ## Domain allowed access. ## ## #
define(`gnome_manage_usr_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_manage_usr_config'($*)) dnl
	gen_require(`
		type config_usr_t;
	')

	# Write access to system-wide (/usr) config content; intended for
	# installers and administrative tooling rather than user applications.
	files_search_usr($1)
	manage_dirs_pattern($1, config_usr_t, config_usr_t)
	manage_files_pattern($1, config_usr_t, config_usr_t)
	manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_manage_usr_config'($*)) dnl
')
######################################## ## ## Execute gnome-keyring in the user gkeyring domain ## ## ## ## Domain allowed access ## ## #
define(`gnome_transition_gkeyringd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_transition_gkeyringd'($*)) dnl
	gen_require(`
		attribute gkeyringd_domain;
	')

	# Transition permission only: no type_transition and no entrypoint
	# are granted here, so the caller still needs those from elsewhere
	# for an automatic transition to happen.
	allow $1 gkeyringd_domain:process transition;
	# dontaudit, not allow: secure-exec environment sanitizing and the
	# rlimit/signal state reset still apply, only the denial is not logged.
	dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
	allow gkeyringd_domain $1:process { sigchld signull };
	allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_transition_gkeyringd'($*)) dnl
')
######################################## ## ## Create gnome content in the user home directory ## with a correct label. ## ## ## ## Domain allowed access. 
## ## #
define(`gnome_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_filetrans_home_content'($*)) dnl
	gen_require(`
		type config_home_t;
		type cache_home_t;
		type dbus_home_t;
		type gconf_home_t;
		type gnome_home_t;
		type data_home_t, icc_data_home_t;
		type gkeyringd_gnome_home_t;
	')

	# Top-level dotfiles and dotdirs in the user home directory.
	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config")
	userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
	userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
	userdom_user_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
	userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".nv")
	userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
	# Note that .local is labeled gconf_home_t; .local/share is then
	# re-labeled data_home_t by the filetrans_pattern rule below.
	userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
	userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
	# ~/.color/icc: legacy
	userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")
	# Keyring storage gets its own type so that generic access to
	# gnome_home_t or data_home_t does not reach the stored secrets.
	filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
	filetrans_pattern($1, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
	filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
	filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
	userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
	gnome_cache_filetrans($1, config_home_t, dir, "dconf")
	gnome_filetrans_gstreamer_home_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_filetrans_home_content'($*)) dnl
')
######################################## ## ## Create gnome dconf dir in the user home directory ## with a correct label. ## ## ## ## Domain allowed access. 
## ## #
define(`gnome_filetrans_config_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_filetrans_config_home_content'($*)) dnl
	gen_require(`
		type config_home_t;
	')

	# Only the dconf directory under the cache home type is covered here.
	gnome_cache_filetrans($1, config_home_t, dir, "dconf")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_filetrans_config_home_content'($*)) dnl
')
###################################### ## ## File name transition for the user certificates directory. ## ## ## ## Domain allowed access. ## ## #
define(`gnome_filetrans_cert_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_filetrans_cert_home_content'($*)) dnl
	gen_require(`
		type home_cert_t;
	')

	# The certificates directory under the gnome data home type.
	gnome_data_filetrans($1, home_cert_t, dir, "certificates")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_filetrans_cert_home_content'($*)) dnl
')
###################################### ## ## Create fontconfig directories in the .config and .cache subdirectories ## of the user home directory with correct label. ## ## ## ## Domain allowed access. ## ## #
define(`gnome_filetrans_fontconfig_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_filetrans_fontconfig_home_content'($*)) dnl
	gen_require(`
		type user_fonts_config_t, user_fonts_cache_t;
	')

	gnome_config_filetrans($1, user_fonts_config_t, dir, "fontconfig")
	gnome_cache_filetrans($1, user_fonts_cache_t, dir, "fontconfig")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_filetrans_fontconfig_home_content'($*)) dnl
')
######################################## ## ## Create gnome directory in the /root directory ## with a correct label. ## ## ## ## Domain allowed access. 
## ## #
define(`gnome_filetrans_admin_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_filetrans_admin_home_content'($*)) dnl
	gen_require(`
		type config_home_t;
		type cache_home_t;
		type dbus_home_t;
		type gstreamer_home_t;
		type gconf_home_t;
		type gnome_home_t;
		type icc_data_home_t;
	')

	# Same layout as the user home variant, but for the admin home
	# directory (/root). Unlike the user variant, .nv and the keyrings
	# and share sub-directories are not covered here.
	userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".config")
	userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
	userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
	userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
	userdom_admin_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
	userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".kde")
	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
	userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
	userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
	gnome_filetrans_gstreamer_home_content($1)
	# /root/.color/icc: legacy
	userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_filetrans_admin_home_content'($*)) dnl
')
##################################### ## ## Execute gnome-keyring executable ## in the specified domain. ## ## ##

## Execute a gnome-keyring executable ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## the ssh-agent policy. ##

##
## ## ## Domain allowed to transition. ## ## ## ## ## The type of the new process. ## ## #
define(`gnome_command_domtrans_gkeyringd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_command_domtrans_gkeyringd'($*)) dnl
	gen_require(`
		type gkeyringd_exec_t;
	')

	# The target domain is chosen by the caller: gkeyringd_exec_t becomes
	# an entrypoint for that arbitrary domain. Callers are responsible
	# for naming a domain that is appropriate for running gnome-keyring.
	allow $2 gkeyringd_exec_t:file entrypoint;
	domain_transition_pattern($1, gkeyringd_exec_t, $2)
	type_transition $1 gkeyringd_exec_t:process $2;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_command_domtrans_gkeyringd'($*)) dnl
')
######################################## ## ## Execute gnome-atspi services in the caller domain ## ## ## ## Domain allowed to transition. ## ## #
define(`gnome_exec_atspi',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_exec_atspi'($*)) dnl
	gen_require(`
		type gnome_atspi_exec_t;
	')

	# No domain change: the at-spi binaries run in the caller domain.
	can_exec($1, gnome_atspi_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_exec_atspi'($*)) dnl
')
######################################## ## ## Execute gnome-atspi services in the gnome-atspi domain. ## ## ## ## Domain allowed to transition. ## ## #
define(`gnome_atspi_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnome_atspi_domtrans'($*)) dnl
	gen_require(`
		type gnome_atspi_t, gnome_atspi_exec_t;
	')

	domtrans_pattern($1, gnome_atspi_exec_t, gnome_atspi_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnome_atspi_domtrans'($*)) dnl
')
## Gnome clock handler for setting the time.
######################################## ## ## Execute a domain transition to run gnomeclock. ## ## ## ## Domain allowed to transition. 
## ## #
define(`gnomeclock_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnomeclock_domtrans'($*)) dnl
	gen_require(`
		type gnomeclock_t, gnomeclock_exec_t;
	')

	domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnomeclock_domtrans'($*)) dnl
')
######################################## ## ## Execute gnomeclock in the gnomeclock domain, and ## allow the specified role the gnomeclock domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## #
define(`gnomeclock_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnomeclock_run'($*)) dnl
	gen_require(`
		type gnomeclock_t;
	')

	# Domain transition plus the role authorization needed to use it.
	gnomeclock_domtrans($1)
	role $2 types gnomeclock_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnomeclock_run'($*)) dnl
')
######################################## ## ## Send and receive messages from ## gnomeclock over dbus. ## ## ## ## Domain allowed access. ## ## #
define(`gnomeclock_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnomeclock_dbus_chat'($*)) dnl
	gen_require(`
		type gnomeclock_t;
		class dbus send_msg;
	')

	allow $1 gnomeclock_t:dbus send_msg;
	allow gnomeclock_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnomeclock_dbus_chat'($*)) dnl
')
######################################## ## ## Do not audit send and receive messages from ## gnomeclock over dbus. ## ## ## ## Domain to not audit. 
## ## #
define(`gnomeclock_dontaudit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gnomeclock_dontaudit_dbus_chat'($*)) dnl
	gen_require(`
		type gnomeclock_t;
		class dbus send_msg;
	')

	dontaudit $1 gnomeclock_t:dbus send_msg;
	dontaudit gnomeclock_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gnomeclock_dontaudit_dbus_chat'($*)) dnl
')
## Policy for GNU Privacy Guard and related programs.
############################################################ ## ## Role access for gpg ## ## ## ## Role allowed access ## ## ## ## ## User domain for the role ## ## #
define(`gpg_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_role'($*)) dnl
	gen_require(`
		attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
		type gpg_t, gpg_exec_t;
		type gpg_agent_t, gpg_agent_exec_t;
		type gpg_agent_tmp_t;
		type gpg_helper_t, gpg_pinentry_t;
		type gpg_pinentry_tmp_t;
	')

	# Authorize the role for all gpg-related domains.
	roleattribute $1 gpg_roles;
	roleattribute $1 gpg_agent_roles;
	roleattribute $1 gpg_helper_roles;
	roleattribute $1 gpg_pinentry_roles;

	# transition from the userdomain to the derived domain
	domtrans_pattern($2, gpg_exec_t, gpg_t)

	# allow ps to show gpg
	ps_process_pattern($2, gpg_t)
	allow $2 gpg_t:process { signull sigstop signal sigkill };

	# communicate with the user
	allow gpg_helper_t $2:fd use;
	allow gpg_helper_t $2:fifo_file write;

	# allow ps to show gpg-agent
	ps_process_pattern($2, gpg_agent_t)
	# Allow the user shell to signal the gpg-agent program.
	allow $2 gpg_agent_t:process { signal sigkill };

	# The user domain gets full control over the agent tmp content
	# (dirs, files and sockets); the agent itself labels what it creates.
	manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
	manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
	manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
	files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })

	# Transition from the user domain to the agent domain.
	domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)

	manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
	relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
	allow gpg_pinentry_t $2:fifo_file { read write };

	optional_policy(`
		gpg_pinentry_dbus_chat($2)
	')

	# Connect to the agent socket (the user domain is the agent client).
	allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };

	ifdef(`hide_broken_symptoms',`
		#Leaked File Descriptors
		dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
		dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_role'($*)) dnl
')
######################################## ## ## Transition to a user gpg domain. ## ## ## ## Domain allowed to transition. ## ## #
define(`gpg_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_domtrans'($*)) dnl
	gen_require(`
		type gpg_t, gpg_exec_t;
	')

	domtrans_pattern($1, gpg_exec_t, gpg_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_domtrans'($*)) dnl
')
###################################### ## ## Execute gpg in the caller domain. ## ## ## ## Domain allowed access. ## ## #
define(`gpg_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_exec'($*)) dnl
	gen_require(`
		type gpg_exec_t;
	')

	# No domain change: gpg runs with the privileges of the caller.
	corecmd_search_bin($1)
	can_exec($1, gpg_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_exec'($*)) dnl
')
###################################### ## ## Transition to a gpg web domain. ## ## ## ## Domain allowed access. 
## ## #
define(`gpg_domtrans_web',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_domtrans_web'($*)) dnl
	gen_require(`
		type gpg_web_t, gpg_exec_t;
	')

	# Same executable as gpg_domtrans, but the new domain is gpg_web_t.
	domtrans_pattern($1, gpg_exec_t, gpg_web_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_domtrans_web'($*)) dnl
')
###################################### ## ## Make gpg an entrypoint for ## the specified domain. ## ## ## ## The domain for which gpg_exec_t is an entrypoint. ## ## #
define(`gpg_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_entry_type'($*)) dnl
	gen_require(`
		type gpg_exec_t;
	')

	# Entrypoint only; the caller must add the transition rules itself.
	domain_entry_file($1, gpg_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_entry_type'($*)) dnl
')
######################################## ## ## Send generic signals to user gpg processes. ## ## ## ## Domain allowed access. ## ## #
define(`gpg_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_signal'($*)) dnl
	gen_require(`
		type gpg_t;
	')

	allow $1 gpg_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_signal'($*)) dnl
')
######################################## ## ## Read and write GPG agent pipes. ## ## ## ## Domain allowed access. ## ## #
define(`gpg_rw_agent_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_rw_agent_pipes'($*)) dnl
	# Just wants read/write could this be a leak?
	gen_require(`
		type gpg_agent_t;
	')

	# Full rw perms on agent-owned pipes (includes open), not just the
	# inherited variant; see the question above.
	allow $1 gpg_agent_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_rw_agent_pipes'($*)) dnl
')
######################################## ## ## Send messages to and from GPG ## Pinentry over DBUS. ## ## ## ## Domain allowed access. 
## ## #
define(`gpg_pinentry_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_pinentry_dbus_chat'($*)) dnl
	gen_require(`
		type gpg_pinentry_t;
		class dbus send_msg;
	')

	allow $1 gpg_pinentry_t:dbus send_msg;
	allow gpg_pinentry_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_pinentry_dbus_chat'($*)) dnl
')
######################################## ## ## List Gnu Privacy Guard user secrets. ## ## ## ## Domain allowed access. ## ## #
define(`gpg_list_user_secrets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_list_user_secrets'($*)) dnl
	gen_require(`
		type gpg_secret_t;
	')

	# Directory listing only; the key material itself stays unreadable.
	list_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
	userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_list_user_secrets'($*)) dnl
')
########################### ## ## Allow to manage gpg named home content ## ## ## ## Domain allowed access. ## ## #
define(`gpg_manage_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_manage_home_content'($*)) dnl
	gen_require(`
		type gpg_secret_t;
	')

	# Full create/read/write/delete on the users gpg secret store
	# (private keys, trustdb); grant only to domains that must own it.
	manage_files_pattern($1, gpg_secret_t, gpg_secret_t)
	manage_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_manage_home_content'($*)) dnl
')
######################################## ## ## Transition to gpg named home content ## ## ## ## Domain allowed access. 
## ## #
define(`gpg_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_filetrans_home_content'($*)) dnl
	gen_require(`
		type gpg_secret_t;
	')

	# Labeling only: a .gnupg directory created by the caller becomes
	# gpg_secret_t. No access to its contents is granted here.
	userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_filetrans_home_content'($*)) dnl
')
######################################## ## ## Connect to the gpg_agent_t unix stream socket. ## ## ## ## Domain allowed access. ## ## #
define(`gpg_agent_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_agent_stream_connect'($*)) dnl
	gen_require(`
		type gpg_agent_t;
	')

	# connectto on the socket object only; the caller still needs access
	# to the sock_file and its directory to reach the socket.
	allow $1 gpg_agent_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_agent_stream_connect'($*)) dnl
')
######################################## ## ## Keep the environment and inherited rlimits and ## signal state on transitions to gpg_t. ## ## ## ## Domain allowed access. ## ## #
define(`gpg_noatsecure',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpg_noatsecure'($*)) dnl
	gen_require(`
		type gpg_t;
	')

	# Security note: noatsecure turns off the secure-exec sanitizing of
	# the environment (AT_SECURE) when the caller transitions into
	# gpg_t, and rlimitinh/siginh carry the callers resource limits and
	# pending/ignored signals into the new domain. Restrict to callers
	# that are trusted with the gpg domain.
	allow $1 gpg_t:process { noatsecure rlimitinh siginh };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpg_noatsecure'($*)) dnl
')
## General Purpose Mouse driver.
######################################## ## ## Connect to GPM over a unix domain ## stream socket. ## ## ## ## Domain allowed access. 
## ## #
define(`gpm_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpm_stream_connect'($*)) dnl
	gen_require(`
		type gpmctl_t, gpm_t;
	')

	# The control socket lives under /dev, hence the device node listing.
	dev_list_all_dev_nodes($1)
	stream_connect_pattern($1, gpmctl_t, gpmctl_t, gpm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpm_stream_connect'($*)) dnl
')
######################################## ## ## Get attributes of gpm control ## channel named sock files. ## ## ## ## Domain allowed access. ## ## #
define(`gpm_getattr_gpmctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpm_getattr_gpmctl'($*)) dnl
	gen_require(`
		type gpmctl_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 gpmctl_t:sock_file getattr_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpm_getattr_gpmctl'($*)) dnl
')
######################################## ## ## Do not audit attempts to get ## attributes of gpm control channel ## named sock files. ## ## ## ## Domain to not audit. ## ## #
define(`gpm_dontaudit_getattr_gpmctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpm_dontaudit_getattr_gpmctl'($*)) dnl
	gen_require(`
		type gpmctl_t;
	')

	dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpm_dontaudit_getattr_gpmctl'($*)) dnl
')
######################################## ## ## Set attributes of gpm control ## channel named sock files. ## ## ## ## Domain allowed access. 
## ## #
define(`gpm_setattr_gpmctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpm_setattr_gpmctl'($*)) dnl
	gen_require(`
		type gpmctl_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 gpmctl_t:sock_file setattr_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpm_setattr_gpmctl'($*)) dnl
')
######################################## ## ## All of the rules required to ## administrate a gpm environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## #
define(`gpm_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpm_admin'($*)) dnl
	gen_require(`
		type gpm_t, gpm_conf_t, gpm_initrc_exec_t;
		type gpm_var_run_t, gpmctl_t;
	')

	# ptrace lets the admin domain inspect gpm process memory; this is
	# the usual admin-interface scope, not something for ordinary users.
	allow $1 gpm_t:process { ptrace signal_perms };
	ps_process_pattern($1, gpm_t)

	# Run the init script and move the role into system_r for it.
	init_labeled_script_domtrans($1, gpm_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 gpm_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, gpm_conf_t)

	dev_list_all_dev_nodes($1)
	admin_pattern($1, gpmctl_t)

	files_search_pids($1)
	admin_pattern($1, gpm_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpm_admin'($*)) dnl
')
## gpsd monitor daemon.
######################################## ## ## Execute a domain transition to run gpsd. ## ## ## ## Domain allowed to transition. ## ## #
define(`gpsd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpsd_domtrans'($*)) dnl
	gen_require(`
		type gpsd_t, gpsd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, gpsd_exec_t, gpsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpsd_domtrans'($*)) dnl
')
######################################## ## ## Execute gpsd in the gpsd domain, and ## allow the specified role the gpsd domain. ## ## ## ## Domain allowed to transition. 
## ## ## ## ## Role allowed access. ## ## #
define(`gpsd_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpsd_run'($*)) dnl
	gen_require(`
		attribute_role gpsd_roles;
	')

	# Domain transition plus role authorization via the role attribute.
	gpsd_domtrans($1)
	roleattribute $2 gpsd_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpsd_run'($*)) dnl
')
######################################## ## ## Read and write gpsd shared memory. ## ## ## ## Domain allowed access. ## ## #
define(`gpsd_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpsd_rw_shm'($*)) dnl
	gen_require(`
		type gpsd_t, gpsd_tmpfs_t;
	')

	# Both SysV shm and the tmpfs-backed files (incl. mmap) are covered.
	allow $1 gpsd_t:shm rw_shm_perms;
	allow $1 gpsd_tmpfs_t:dir list_dir_perms;
	rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
	read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
	allow $1 gpsd_tmpfs_t:file map;
	fs_search_tmpfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpsd_rw_shm'($*)) dnl
')
######################################## ## ## All of the rules required to ## administrate a gpsd environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## #
define(`gpsd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gpsd_admin'($*)) dnl
	gen_require(`
		type gpsd_t, gpsd_initrc_exec_t, gpsd_var_run_t;
	')

	# ptrace grants the admin domain access to gpsd process memory.
	allow $1 gpsd_t:process { ptrace signal_perms };
	ps_process_pattern($1, gpsd_t)

	init_labeled_script_domtrans($1, gpsd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 gpsd_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_pids($1)
	admin_pattern($1, gpsd_var_run_t)

	# Unlike gpm_admin, the admin role also gets the gpsd run interface.
	gpsd_run($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gpsd_admin'($*)) dnl
')
## policy for gssproxy
######################################## ## ## Execute gssproxy in the gssproxy domain. ## ## ## ## Domain allowed to transition. 
## ## #
define(`gssproxy_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gssproxy_domtrans'($*)) dnl
	gen_require(`
		type gssproxy_t, gssproxy_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gssproxy_domtrans'($*)) dnl
')
######################################## ## ## Search gssproxy lib directories. ## ## ## ## Domain allowed access. ## ## #
define(`gssproxy_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gssproxy_search_lib'($*)) dnl
	gen_require(`
		type gssproxy_var_lib_t;
	')

	allow $1 gssproxy_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gssproxy_search_lib'($*)) dnl
')
######################################## ## ## Read gssproxy lib files. ## ## ## ## Domain allowed access. ## ## #
define(`gssproxy_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gssproxy_read_lib_files'($*)) dnl
	gen_require(`
		type gssproxy_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gssproxy_read_lib_files'($*)) dnl
')
######################################## ## ## Manage gssproxy lib files. ## ## ## ## Domain allowed access. 
## ## #
define(`gssproxy_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gssproxy_manage_lib_files'($*)) dnl
	gen_require(`
		type gssproxy_var_lib_t;
	')

	# Files only; directories are handled by gssproxy_manage_lib_dirs.
	files_search_var_lib($1)
	manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gssproxy_manage_lib_files'($*)) dnl
')
######################################## ## ## Manage gssproxy lib directories. ## ## ## ## Domain allowed access. ## ## #
define(`gssproxy_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gssproxy_manage_lib_dirs'($*)) dnl
	gen_require(`
		type gssproxy_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gssproxy_manage_lib_dirs'($*)) dnl
')
######################################## ## ## Read gssproxy PID files. ## ## ## ## Domain allowed access. ## ## #
define(`gssproxy_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gssproxy_read_pid_files'($*)) dnl
	gen_require(`
		type gssproxy_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gssproxy_read_pid_files'($*)) dnl
')
######################################## ## ## Control the gssproxy service with systemctl. ## ## ## ## Domain allowed access. 
## ## #
define(`gssproxy_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gssproxy_systemctl'($*)) dnl
	gen_require(`
		type gssproxy_t;
		type gssproxy_unit_file_t;
	')

	# Start/stop/reload of the unit; the caller does not transition to
	# gssproxy_t itself, it only drives systemd.
	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 gssproxy_unit_file_t:file read_file_perms;
	allow $1 gssproxy_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, gssproxy_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gssproxy_systemctl'($*)) dnl
')
######################################## ## ## Connect to gssproxy over a unix ## domain stream socket. ## ## ## ## Domain allowed access. ## ## #
define(`gssproxy_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gssproxy_stream_connect'($*)) dnl
	gen_require(`
		type gssproxy_t, gssproxy_var_run_t, gssproxy_var_lib_t;
	')

	# The listening socket may be placed either under the pid directory
	# or under the lib directory, so both locations are covered.
	files_search_pids($1)
	stream_connect_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t, gssproxy_t)
	stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gssproxy_stream_connect'($*)) dnl
')
######################################## ## ## All of the rules required to administrate ## a gssproxy environment ## ## ## ## Domain allowed access. 
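##	</summary>
## </param>
## <rolecap/>
#
define(`gssproxy_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gssproxy_admin'($*)) dnl
	gen_require(`
		type gssproxy_t;
		type gssproxy_var_lib_t;
		type gssproxy_var_run_t;
		type gssproxy_unit_file_t;
	')

	allow $1 gssproxy_t:process signal_perms;
	ps_process_pattern($1, gssproxy_t)

	# ptrace is gated on the deny_ptrace tunable, matching the other
	# *_admin interfaces in this file, instead of being granted unconditionally.
	tunable_policy(`deny_ptrace',`',`
		allow $1 gssproxy_t:process ptrace;
	')

	files_search_var_lib($1)
	admin_pattern($1, gssproxy_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, gssproxy_var_run_t)

	# Full control of the unit and the service, not just the
	# manage_service_perms subset that gssproxy_systemctl grants.
	gssproxy_systemctl($1)
	admin_pattern($1, gssproxy_unit_file_t)
	allow $1 gssproxy_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gssproxy_admin'($*)) dnl
')

########################################
## <summary>
##	Allow a transition into the gssproxy domain without
##	AT_SECURE being set and with resource limits inherited.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`gssproxy_noatsecure',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `gssproxy_noatsecure'($*)) dnl
	gen_require(`
		type gssproxy_t;
	')

	# noatsecure: the transition into gssproxy_t does not set AT_SECURE, so the
	# dynamic loader keeps honouring the environment of the caller (LD_* variables).
	# rlimitinh: the resource limits of the caller are inherited across the transition.
	# Both weaken the isolation of the new domain; grant only to trusted callers such as init.
	allow $1 gssproxy_t:process { noatsecure rlimitinh };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `gssproxy_noatsecure'($*)) dnl
')

## <summary>Least privileged terminal user role.</summary>

########################################
## <summary>
##	Change to the guest role.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`guest_role_change',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `guest_role_change'($*)) dnl
	gen_require(`
		role guest_r;
	')

	# role allow: the given role may change to guest_r
	allow $1 guest_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `guest_role_change'($*)) dnl
')

########################################
## <summary>
##	Change from the guest role.
## </summary>
## <desc>
##	<p>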

##	Change from the guest role to
##	the specified role.
##	</p>

##	<p>

##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>

## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`guest_role_change_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `guest_role_change_to'($*)) dnl
	gen_require(`
		role guest_r;
	')

	# role allow: guest_r may change to the given role
	allow guest_r $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `guest_role_change_to'($*)) dnl
')

## <summary>Software for reliable, scalable, distributed computing.</summary>

#######################################
## <summary>
##	The template to define a hadoop domain.
## </summary>
## <param name="domain_prefix">
##	<summary>
##	Domain prefix to be used.
##	</summary>
## </param>
#
define(`hadoop_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_domain_template'($*)) dnl
	gen_require(`
		attribute hadoop_domain, hadoop_initrc_domain, hadoop_init_script_file;
		attribute hadoop_pid_file, hadoop_lock_file, hadoop_log_file;
		attribute hadoop_tmp_file, hadoop_var_lib_file;
		type hadoop_log_t, hadoop_var_lib_t, hadoop_var_run_t;
		type hadoop_exec_t, hadoop_hsperfdata_t;
	')

	########################################
	#
	# Declarations
	#

	# Per-service domain. Every hadoop service domain is entered through the
	# shared hadoop_exec_t entrypoint, so the entrypoint does not separate services.
	type hadoop_$1_t, hadoop_domain;
	domain_type(hadoop_$1_t)
	domain_entry_file(hadoop_$1_t, hadoop_exec_t)
	role system_r types hadoop_$1_t;

	# Per-service init script domain and its script file type.
	type hadoop_$1_initrc_t, hadoop_initrc_domain;
	type hadoop_$1_initrc_exec_t, hadoop_init_script_file;
	init_script_domain(hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t)
	role system_r types hadoop_$1_initrc_t;

	type hadoop_$1_initrc_var_run_t, hadoop_pid_file;
	files_pid_file(hadoop_$1_initrc_var_run_t)

	type hadoop_$1_lock_t, hadoop_lock_file;
	files_lock_file(hadoop_$1_lock_t)

	type hadoop_$1_log_t, hadoop_log_file;
	logging_log_file(hadoop_$1_log_t)

	type hadoop_$1_tmp_t, hadoop_tmp_file;
	files_tmp_file(hadoop_$1_tmp_t)

	type hadoop_$1_var_lib_t, hadoop_var_lib_file;
	files_type(hadoop_$1_var_lib_t)

	####################################
	#
	# hadoop_domain policy
	#

	# Files the service creates under the shared hadoop directories get the
	# per-service type via type transitions, keeping services apart from each other.
	manage_files_pattern(hadoop_$1_t, hadoop_$1_log_t, hadoop_$1_log_t)
	filetrans_pattern(hadoop_$1_t, hadoop_log_t, hadoop_$1_log_t, { dir file })

	manage_dirs_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
	manage_files_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
	filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)

	manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
	filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)

	manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
	filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file)

	auth_use_nsswitch(hadoop_$1_t)

	####################################
	#
	# hadoop_initrc_domain policy
	#

	# The init script may signal the service and starts it via hadoop_exec_t.
	allow hadoop_$1_initrc_t hadoop_$1_t:process { signal signull };
	domtrans_pattern(hadoop_$1_initrc_t, hadoop_exec_t, hadoop_$1_t)

	manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_lock_t, hadoop_$1_lock_t)
	files_lock_filetrans(hadoop_$1_initrc_t, hadoop_$1_lock_t, file)

	manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
	filetrans_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)

	manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_log_t, hadoop_$1_log_t)
	filetrans_pattern(hadoop_$1_initrc_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_domain_template'($*)) dnl
')

########################################
## <summary>
##	Role access for hadoop.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`hadoop_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_role'($*)) dnl
	gen_require(`
		attribute_role hadoop_roles, zookeeper_roles;
		type hadoop_t, zookeeper_t, hadoop_home_t;
		type hadoop_tmp_t, hadoop_hsperfdata_t, zookeeper_tmp_t;
	')

	# $1 is the role, $2 the user domain.
	hadoop_domtrans($2)
	roleattribute $1 hadoop_roles;

	hadoop_domtrans_zookeeper_client($2)
	roleattribute $1 zookeeper_roles;

	# NOTE(review): ptrace over hadoop_t and zookeeper_t is granted to the user
	# domain unconditionally here, while several *_admin interfaces in this file
	# gate ptrace on the deny_ptrace tunable; consider the same gating here.
	allow $2 { hadoop_t zookeeper_t }:process { ptrace signal_perms };
	ps_process_pattern($2, { hadoop_t zookeeper_t })

	# The user may manage and relabel the hadoop home, tmp and hsperfdata objects.
	allow $2 { hadoop_home_t hadoop_tmp_t hadoop_hsperfdata_t }:dir { manage_dir_perms relabel_dir_perms };
	allow $2 { hadoop_home_t hadoop_tmp_t zookeeper_tmp_t }:file { manage_file_perms relabel_file_perms };
	allow $2 hadoop_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_role'($*)) dnl
')

########################################
## <summary>
##	Execute hadoop in the
##	hadoop domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`hadoop_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_domtrans'($*)) dnl
	gen_require(`
		type hadoop_t, hadoop_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, hadoop_exec_t, hadoop_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_domtrans'($*)) dnl
')

########################################
## <summary>
##	Receive from hadoop peer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hadoop_recvfrom',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom'($*)) dnl
	gen_require(`
		type hadoop_t;
	')

	# labeled networking: accept packets whose peer label is hadoop_t
	allow $1 hadoop_t:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_recvfrom'($*)) dnl
')

########################################
## <summary>
##	Execute zookeeper client in the
##	zookeeper client domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`hadoop_domtrans_zookeeper_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_domtrans_zookeeper_client'($*)) dnl
	gen_require(`
		type zookeeper_t, zookeeper_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, zookeeper_exec_t, zookeeper_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_domtrans_zookeeper_client'($*)) dnl
')

########################################
## <summary>
##	Receive from zookeeper peer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hadoop_recvfrom_zookeeper_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom_zookeeper_client'($*)) dnl
	gen_require(`
		type zookeeper_t;
	')

	# labeled networking: accept packets whose peer label is zookeeper_t
	allow $1 zookeeper_t:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_recvfrom_zookeeper_client'($*)) dnl
')

########################################
## <summary>
##	Execute zookeeper server in the
##	zookeeper server domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`hadoop_domtrans_zookeeper_server',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_domtrans_zookeeper_server'($*)) dnl
	gen_require(`
		type zookeeper_server_t, zookeeper_server_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, zookeeper_server_exec_t, zookeeper_server_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_domtrans_zookeeper_server'($*)) dnl
')

########################################
## <summary>
##	Receive from zookeeper server peer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hadoop_recvfrom_zookeeper_server',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom_zookeeper_server'($*)) dnl
	gen_require(`
		type zookeeper_server_t;
	')

	# labeled networking: accept packets whose peer label is zookeeper_server_t
	allow $1 zookeeper_server_t:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_recvfrom_zookeeper_server'($*)) dnl
')

########################################
## <summary>
##	Execute the zookeeper server init script
##	in the init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`hadoop_initrc_domtrans_zookeeper_server',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_initrc_domtrans_zookeeper_server'($*)) dnl
	gen_require(`
		type zookeeper_server_initrc_exec_t;
	')

	# transitions via the labeled init script, not directly into the server domain
	init_labeled_script_domtrans($1, zookeeper_server_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_initrc_domtrans_zookeeper_server'($*)) dnl
')

########################################
## <summary>
##	Receive from datanode peer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hadoop_recvfrom_datanode',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom_datanode'($*)) dnl
	gen_require(`
		type hadoop_datanode_t;
	')

	# labeled networking: accept packets whose peer label is hadoop_datanode_t
	allow $1 hadoop_datanode_t:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_recvfrom_datanode'($*)) dnl
')

########################################
## <summary>
##	Read hadoop configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hadoop_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_read_config'($*)) dnl
	gen_require(`
		type hadoop_etc_t;
	')

	read_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
	read_lnk_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_read_config'($*)) dnl
')

########################################
## <summary>
##	Execute hadoop configuration files
##	in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hadoop_exec_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_exec_config'($*)) dnl
	gen_require(`
		type hadoop_etc_t;
	')

	hadoop_read_config($1)
	# Anything labeled hadoop_etc_t becomes executable in the caller domain
	# (presumably because hadoop keeps shell snippets under its config
	# directory); whoever can write that label can run code in callers.
	allow $1 hadoop_etc_t:file exec_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_exec_config'($*)) dnl
')

########################################
## <summary>
##	Receive from jobtracker peer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hadoop_recvfrom_jobtracker',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom_jobtracker'($*)) dnl
	gen_require(`
		type hadoop_jobtracker_t;
	')

	# labeled networking: accept packets whose peer label is hadoop_jobtracker_t
	allow $1 hadoop_jobtracker_t:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_recvfrom_jobtracker'($*)) dnl
')

########################################
## <summary>
##	Match the hadoop lan IPsec association.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hadoop_match_lan_spd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_match_lan_spd'($*)) dnl
	gen_require(`
		type hadoop_lan_t;
	')

	# polmatch: traffic of the caller may match the hadoop_lan_t security policy entry
	allow $1 hadoop_lan_t:association polmatch;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_match_lan_spd'($*)) dnl
')

########################################
## <summary>
##	Receive from namenode peer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hadoop_recvfrom_namenode',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom_namenode'($*)) dnl
	gen_require(`
		type hadoop_namenode_t;
	')

	# labeled networking: accept packets whose peer label is hadoop_namenode_t
	allow $1 hadoop_namenode_t:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_recvfrom_namenode'($*)) dnl
')

########################################
## <summary>
##	Receive from secondary namenode peer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hadoop_recvfrom_secondarynamenode',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom_secondarynamenode'($*)) dnl
	gen_require(`
		type hadoop_secondarynamenode_t;
	')

	# labeled networking: accept packets whose peer label is hadoop_secondarynamenode_t
	allow $1 hadoop_secondarynamenode_t:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_recvfrom_secondarynamenode'($*)) dnl
')

########################################
## <summary>
##	Receive from tasktracker peer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
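##	</summary>
## </param>
#
define(`hadoop_recvfrom_tasktracker',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_recvfrom_tasktracker'($*)) dnl
	gen_require(`
		type hadoop_tasktracker_t;
	')

	# labeled networking: accept packets whose peer label is hadoop_tasktracker_t
	allow $1 hadoop_tasktracker_t:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_recvfrom_tasktracker'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administer a hadoop environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`hadoop_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hadoop_admin'($*)) dnl
	gen_require(`
		attribute hadoop_domain;
		attribute hadoop_initrc_domain;
		attribute hadoop_init_script_file;
		attribute hadoop_pid_file;
		attribute hadoop_lock_file;
		attribute hadoop_log_file;
		attribute hadoop_tmp_file;
		attribute hadoop_var_lib_file;
		type hadoop_t, hadoop_etc_t, hadoop_hsperfdata_t;
		type zookeeper_t, zookeeper_etc_t, zookeeper_server_t;
		type zookeeper_server_var_t;
	')

	# $1 is the admin domain, $2 the admin role.
	allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process signal_perms;
	ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t })

	# ptrace over every hadoop and zookeeper domain is gated on the deny_ptrace
	# tunable, matching the other *_admin interfaces in this file, instead of
	# being granted unconditionally.
	tunable_policy(`deny_ptrace',`',`
		allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process ptrace;
	')

	# Run the hadoop init scripts; the role moves to system_r for them.
	init_labeled_script_domtrans($1, hadoop_init_script_file)
	domain_system_change_exemption($1)
	role_transition $2 hadoop_init_script_file system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, { hadoop_etc_t zookeeper_etc_t })

	logging_search_logs($1)
	admin_pattern($1, hadoop_log_file)

	files_search_locks($1)
	admin_pattern($1, hadoop_lock_file)

	files_search_pids($1)
	admin_pattern($1, hadoop_pid_file)

	files_search_tmp($1)
	admin_pattern($1, { hadoop_tmp_file hadoop_hsperfdata_t })

	files_search_var_lib($1)
	admin_pattern($1, { hadoop_var_lib_file zookeeper_server_var_t })

	# Note that hadoop_role grants the admin domain its own ptrace over
	# hadoop_t and zookeeper_t without the tunable.
	hadoop_role($2, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hadoop_admin'($*)) dnl
')

## <summary>Hard disk temperature tool running as a daemon.</summary>

#######################################
## <summary>
##	Execute a domain transition to run hddtemp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`hddtemp_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hddtemp_domtrans'($*)) dnl
	gen_require(`
		type hddtemp_t, hddtemp_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, hddtemp_exec_t, hddtemp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hddtemp_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute hddtemp in the hddtemp domain, and
##	allow the specified role the hddtemp domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`hddtemp_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hddtemp_run'($*)) dnl
	gen_require(`
		type hddtemp_t;
		attribute_role hddtemp_roles;
	')

	hddtemp_domtrans($1)
	roleattribute $2 hddtemp_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hddtemp_run'($*)) dnl
')

######################################
## <summary>
##	Execute hddtemp in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hddtemp_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hddtemp_exec'($*)) dnl
	gen_require(`
		type hddtemp_exec_t;
	')

	# no domain transition: hddtemp runs with the privileges of the caller
	corecmd_search_bin($1)
	can_exec($1, hddtemp_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hddtemp_exec'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administer a hddtemp environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.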
##	</summary>
## </param>
## <rolecap/>
#
define(`hddtemp_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hddtemp_admin'($*)) dnl
	gen_require(`
		type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
	')

	allow $1 hddtemp_t:process signal_perms;
	ps_process_pattern($1, hddtemp_t)

	# ptrace only when the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 hddtemp_t:process ptrace;
	')

	# Run the init script; the role moves to system_r for it.
	init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 hddtemp_initrc_exec_t system_r;
	allow $2 system_r;

	admin_pattern($1, hddtemp_etc_t)
	files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hddtemp_admin'($*)) dnl
')

## <summary>policy for hostapd</summary>

########################################
## <summary>
##	Execute hostapd in the hostapd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`hostapd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hostapd_domtrans'($*)) dnl
	gen_require(`
		type hostapd_t, hostapd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, hostapd_exec_t, hostapd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hostapd_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage the hostapd service
##	(read its unit file, manage the service).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hostapd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hostapd_systemctl'($*)) dnl
	gen_require(`
		type hostapd_t;
		type hostapd_unit_file_t;
	')

	# Unlike gssproxy_systemctl this reads the systemd password fifo
	# instead of granting init_reload_services.
	systemd_exec_systemctl($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 hostapd_unit_file_t:file read_file_perms;
	allow $1 hostapd_unit_file_t:service manage_service_perms;

	# Let the caller see hostapd processes (ps); no signal access is granted here.
	ps_process_pattern($1, hostapd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hostapd_systemctl'($*)) dnl
')

########################################
## <summary>
##	Read hostapd PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hostapd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hostapd_read_pid_files'($*)) dnl
	gen_require(`
		type hostapd_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, hostapd_var_run_t, hostapd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hostapd_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administer
##	a hostapd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`hostapd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hostapd_admin'($*)) dnl
	gen_require(`
		type hostapd_t;
		type hostapd_unit_file_t;
		type hostapd_var_run_t;
	')

	allow $1 hostapd_t:process { signal_perms };
	ps_process_pattern($1, hostapd_t)

	# ptrace only when the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 hostapd_t:process ptrace;
	')

	# Full control of the unit and the service, beyond what hostapd_systemctl grants.
	hostapd_systemctl($1)
	admin_pattern($1, hostapd_unit_file_t)
	allow $1 hostapd_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')

	admin_pattern($1, hostapd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hostapd_admin'($*)) dnl
')

## <summary>Port of Apple Rendezvous multicast DNS.</summary>

########################################
## <summary>
##	Send generic signals to howl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`howl_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `howl_signal'($*)) dnl
	gen_require(`
		type howl_t;
	')

	# only the generic signal permission, not the full signal_perms set
	allow $1 howl_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `howl_signal'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administer a howl environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
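##	</summary>
## </param>
## <rolecap/>
#
define(`howl_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `howl_admin'($*)) dnl
	gen_require(`
		type howl_t, howl_initrc_exec_t, howl_var_run_t;
	')

	allow $1 howl_t:process signal_perms;
	ps_process_pattern($1, howl_t)

	# ptrace is gated on the deny_ptrace tunable, matching the other
	# *_admin interfaces in this file, instead of being granted unconditionally.
	tunable_policy(`deny_ptrace',`',`
		allow $1 howl_t:process ptrace;
	')

	# Run the init script; the role moves to system_r for it.
	init_labeled_script_domtrans($1, howl_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 howl_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_pids($1)
	admin_pattern($1, howl_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `howl_admin'($*)) dnl
')

## <summary>Hsqldb is a transactional database engine with in-memory and disk-based tables, supporting embedded and server modes.</summary>

########################################
## <summary>
##	Execute hsqldb_exec_t in the hsqldb domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`hsqldb_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_domtrans'($*)) dnl
	gen_require(`
		type hsqldb_t, hsqldb_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, hsqldb_exec_t, hsqldb_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_domtrans'($*)) dnl
')

######################################
## <summary>
##	Execute hsqldb in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hsqldb_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_exec'($*)) dnl
	gen_require(`
		type hsqldb_exec_t;
	')

	# no domain transition: hsqldb runs with the privileges of the caller
	corecmd_search_bin($1)
	can_exec($1, hsqldb_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_exec'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read
##	hsqldb tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.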
##	</summary>
## </param>
#
define(`hsqldb_dontaudit_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_dontaudit_read_tmp_files'($*)) dnl
	gen_require(`
		type hsqldb_tmp_t;
	')

	# suppresses the denial log only; no access is granted
	dontaudit $1 hsqldb_tmp_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_dontaudit_read_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Read hsqldb tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hsqldb_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_read_tmp_files'($*)) dnl
	gen_require(`
		type hsqldb_tmp_t;
	')

	files_search_tmp($1)
	read_files_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_read_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Manage hsqldb tmp files, directories and symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hsqldb_manage_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_manage_tmp'($*)) dnl
	gen_require(`
		type hsqldb_tmp_t;
	')

	files_search_tmp($1)
	manage_dirs_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t)
	manage_files_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t)
	manage_lnk_files_pattern($1, hsqldb_tmp_t, hsqldb_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_manage_tmp'($*)) dnl
')

########################################
## <summary>
##	Search hsqldb lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hsqldb_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_search_lib'($*)) dnl
	gen_require(`
		type hsqldb_var_lib_t;
	')

	allow $1 hsqldb_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read hsqldb lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hsqldb_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_read_lib_files'($*)) dnl
	gen_require(`
		type hsqldb_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, hsqldb_var_lib_t, hsqldb_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Manage hsqldb lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hsqldb_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_manage_lib_files'($*)) dnl
	gen_require(`
		type hsqldb_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, hsqldb_var_lib_t, hsqldb_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Manage hsqldb lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hsqldb_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_manage_lib_dirs'($*)) dnl
	gen_require(`
		type hsqldb_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, hsqldb_var_lib_t, hsqldb_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage the hsqldb service
##	(read its unit file, manage the service).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hsqldb_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_systemctl'($*)) dnl
	gen_require(`
		type hsqldb_t;
		type hsqldb_unit_file_t;
	')

	systemd_exec_systemctl($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 hsqldb_unit_file_t:file read_file_perms;
	allow $1 hsqldb_unit_file_t:service manage_service_perms;

	# Let the caller see hsqldb processes (ps); no signal access is granted here.
	ps_process_pattern($1, hsqldb_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administer
##	a hsqldb environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hsqldb_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hsqldb_admin'($*)) dnl
	gen_require(`
		type hsqldb_t;
		type hsqldb_tmp_t;
		type hsqldb_var_lib_t;
		type hsqldb_unit_file_t;
	')

	allow $1 hsqldb_t:process { signal_perms };
	ps_process_pattern($1, hsqldb_t)

	# ptrace only when the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 hsqldb_t:process ptrace;
	')

	files_search_tmp($1)
	admin_pattern($1, hsqldb_tmp_t)

	files_search_var_lib($1)
	admin_pattern($1, hsqldb_var_lib_t)

	# Full control of the unit and the service, beyond what hsqldb_systemctl grants.
	hsqldb_systemctl($1)
	admin_pattern($1, hsqldb_unit_file_t)
	allow $1 hsqldb_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hsqldb_admin'($*)) dnl
')

## <summary>Dump topology and locality information from hardware tables.</summary>

########################################
## <summary>
##	Execute hwloc dhwd in the hwloc dhwd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`hwloc_domtrans_dhwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hwloc_domtrans_dhwd'($*)) dnl
	gen_require(`
		type hwloc_dhwd_t, hwloc_dhwd_exec_t;
	')

	# NOTE(review): unlike the other *_domtrans interfaces in this file there is
	# no corecmd_search_bin here; the caller must already be able to search bin dirs.
	domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hwloc_domtrans_dhwd'($*)) dnl
')

########################################
## <summary>
##	Execute hwloc dhwd in the hwloc dhwd domain, and
##	allow the specified role the hwloc dhwd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`hwloc_run_dhwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hwloc_run_dhwd'($*)) dnl
	gen_require(`
		attribute_role hwloc_dhwd_roles;
	')

	hwloc_domtrans_dhwd($1)
	roleattribute $2 hwloc_dhwd_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hwloc_run_dhwd'($*)) dnl
')

########################################
## <summary>
##	Execute hwloc dhwd in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hwloc_exec_dhwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hwloc_exec_dhwd'($*)) dnl
	gen_require(`
		type hwloc_dhwd_exec_t;
	')

	# no domain transition: dhwd runs with the privileges of the caller
	can_exec($1, hwloc_dhwd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hwloc_exec_dhwd'($*)) dnl
')

########################################
## <summary>
##	Read hwloc runtime files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hwloc_read_runtime_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hwloc_read_runtime_files'($*)) dnl
	gen_require(`
		type hwloc_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hwloc_read_runtime_files'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administer a hwloc environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`hwloc_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hwloc_admin'($*)) dnl
	gen_require(`
		type hwloc_dhwd_t, hwloc_var_run_t;
	')

	allow $1 hwloc_dhwd_t:process { signal_perms };
	ps_process_pattern($1, hwloc_dhwd_t)

	# ptrace only when the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 hwloc_dhwd_t:process ptrace;
	')

	admin_pattern($1, hwloc_var_run_t)
	# a directory named "hwloc" created under the pid dir gets hwloc_var_run_t
	files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hwloc_admin'($*)) dnl
')

## <summary>policy for hypervkvp</summary>

########################################
## <summary>
##	Execute hypervkvp in the hypervkvp domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`hypervkvp_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hypervkvp_domtrans'($*)) dnl
	gen_require(`
		type hypervkvp_t, hypervkvp_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, hypervkvp_exec_t, hypervkvp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hypervkvp_domtrans'($*)) dnl
')

########################################
## <summary>
##	Search hypervkvp lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hypervkvp_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hypervkvp_search_lib'($*)) dnl
	gen_require(`
		type hypervkvp_var_lib_t;
	')

	allow $1 hypervkvp_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hypervkvp_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read hypervkvp lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
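##	</summary>
## </param>
#
define(`hypervkvp_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hypervkvp_read_lib_files'($*)) dnl
gen_require(`
	type hypervkvp_var_lib_t;
')

	files_search_var_lib($1)
	allow $1 hypervkvp_var_lib_t:dir list_dir_perms;
	read_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hypervkvp_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	hypervkvp lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hypervkvp_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hypervkvp_manage_lib_files'($*)) dnl
gen_require(`
	type hypervkvp_var_lib_t;
')

	files_search_var_lib($1)
	manage_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hypervkvp_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage the hypervkvp
##	service (no domain transition is granted).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hypervkvp_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hypervkvp_systemctl'($*)) dnl
gen_require(`
	type hypervkvp_t;
	type hypervkvp_unit_file_t;
')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 hypervkvp_unit_file_t:file read_file_perms;
	allow $1 hypervkvp_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, hypervkvp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hypervkvp_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	an hypervkvp environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.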
## ## # define(`hypervkvp_admin',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `hypervkvp_admin'($*)) dnl gen_require(` type hypervkvp_t; type hypervkvp_unit_file_t; ') allow $1 hypervkvp_t:process signal_perms; ps_process_pattern($1, hypervkvp_t) tunable_policy(`deny_ptrace',`',` allow $1 hypervkvp_t:process ptrace; ') hypervkvp_manage_lib_files($1) hypervkvp_systemctl($1) admin_pattern($1, hypervkvp_unit_file_t) allow $1 hypervkvp_unit_file_t:service all_service_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `hypervkvp_admin'($*)) dnl ') ## IIIMF htt server. ######################################## ## ## Use i18n_input over a TCP connection. (Deprecated) ## ## ## ## Domain allowed access. ## ## # define(`i18n_use',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `i18n_use'($*)) dnl refpolicywarn(`$0($*) has been deprecated.') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `i18n_use'($*)) dnl ') ######################################## ## ## All of the rules required to ## administrate an i18n input environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. 
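##	</summary>
## </param>
## <rolecap/>
#
define(`i18n_input_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `i18n_input_admin'($*)) dnl
gen_require(`
	type i18n_input_t, i18n_input_initrc_exec_t, i18n_input_var_run_t;
	type i18n_input_log_t;
')

	allow $1 i18n_input_t:process signal_perms;
	ps_process_pattern($1, i18n_input_t)

	# ptrace is gated on deny_ptrace, matching the other admin interfaces
	tunable_policy(`deny_ptrace',`',`
		allow $1 i18n_input_t:process ptrace;
	')

	init_labeled_script_domtrans($1, i18n_input_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 i18n_input_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_pids($1)
	admin_pattern($1, i18n_input_var_run_t)

	logging_search_logs($1)
	admin_pattern($1, i18n_input_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `i18n_input_admin'($*)) dnl
')

## <summary>policy for ibacm</summary>

########################################
## <summary>
##	Execute ibacm_exec_t in the ibacm domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ibacm_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ibacm_domtrans'($*)) dnl
gen_require(`
	type ibacm_t, ibacm_exec_t;
')

	corecmd_search_bin($1)
	domtrans_pattern($1, ibacm_exec_t, ibacm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ibacm_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute ibacm in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ibacm_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ibacm_exec'($*)) dnl
gen_require(`
	type ibacm_exec_t;
')

	corecmd_search_bin($1)
	can_exec($1, ibacm_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ibacm_exec'($*)) dnl
')

########################################
## <summary>
##	Read ibacm's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.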
## ## ## # define(`ibacm_read_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ibacm_read_log'($*)) dnl gen_require(` type ibacm_log_t; ') logging_search_logs($1) read_files_pattern($1, ibacm_log_t, ibacm_log_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ibacm_read_log'($*)) dnl ') ######################################## ## ## Append to ibacm log files. ## ## ## ## Domain allowed access. ## ## # define(`ibacm_append_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ibacm_append_log'($*)) dnl gen_require(` type ibacm_log_t; ') logging_search_logs($1) append_files_pattern($1, ibacm_log_t, ibacm_log_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ibacm_append_log'($*)) dnl ') ######################################## ## ## Manage ibacm log files ## ## ## ## Domain allowed access. ## ## # define(`ibacm_manage_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ibacm_manage_log'($*)) dnl gen_require(` type ibacm_log_t; ') logging_search_logs($1) manage_dirs_pattern($1, ibacm_log_t, ibacm_log_t) manage_files_pattern($1, ibacm_log_t, ibacm_log_t) manage_lnk_files_pattern($1, ibacm_log_t, ibacm_log_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ibacm_manage_log'($*)) dnl ') ######################################## ## ## Read ibacm PID files. ## ## ## ## Domain allowed access. 
## ## # define(`ibacm_read_pid_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ibacm_read_pid_files'($*)) dnl gen_require(` type ibacm_var_run_t; ') files_search_pids($1) read_files_pattern($1, ibacm_var_run_t, ibacm_var_run_t) read_lnk_files_pattern($1, ibacm_var_run_t, ibacm_var_run_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ibacm_read_pid_files'($*)) dnl ') ######################################## ## ## All of the rules required to administrate ## an ibacm environment ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # define(`ibacm_admin',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ibacm_admin'($*)) dnl gen_require(` type ibacm_t; type ibacm_log_t; type ibacm_var_run_t; ') allow $1 ibacm_t:process { signal_perms }; ps_process_pattern($1, ibacm_t) tunable_policy(`deny_ptrace',`',` allow $1 ibacm_t:process ptrace; ') logging_search_logs($1) admin_pattern($1, ibacm_log_t) files_search_pids($1) admin_pattern($1, ibacm_var_run_t) optional_policy(` systemd_passwd_agent_exec($1) systemd_read_fifo_file_passwd_run($1) ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ibacm_admin'($*)) dnl ') ####################################### ## ## Allow caller to create netlink rdma socket for ibacm ## ## ## ## Domain allowed access. ## ## # define(`ibacm_create_netlink_rdma_socket',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ibacm_create_netlink_rdma_socket'($*)) dnl gen_require(` type ibacm_t; ') allow $1 ibacm_t:netlink_rdma_socket create_socket_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ibacm_create_netlink_rdma_socket'($*)) dnl ') ## policy for ica ######################################## ## ## Read and map ica tmpfs files. ## ## ## ## Domain allowed access. 
## ## # define(`ica_read_map_tmpfs_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ica_read_map_tmpfs_files'($*)) dnl gen_require(` type ica_tmpfs_t; ') fs_search_tmpfs($1) mmap_read_files_pattern($1, ica_tmpfs_t, ica_tmpfs_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ica_read_map_tmpfs_files'($*)) dnl ') ######################################## ## ## Read, write, and map ica tmpfs files. ## ## ## ## Domain allowed access. ## ## # define(`ica_rw_map_tmpfs_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ica_rw_map_tmpfs_files'($*)) dnl gen_require(` type ica_tmpfs_t; ') fs_search_tmpfs($1) mmap_rw_files_pattern($1, ica_tmpfs_t, ica_tmpfs_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ica_rw_map_tmpfs_files'($*)) dnl ') ######################################## ## ## Transition to ica named content ## ## ## ## Domain allowed access. ## ## # define(`ica_filetrans_named_content',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ica_filetrans_named_content'($*)) dnl gen_require(` type ica_tmpfs_t; ') allow $1 ica_tmpfs_t:file create_file_perms; fs_tmpfs_filetrans($1, ica_tmpfs_t, file, "icastats_0") popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ica_filetrans_named_content'($*)) dnl ') ## ShoutCast compatible streaming media server. ######################################## ## ## Execute a domain transition to run icecast. ## ## ## ## Domain allowed to transition. 
## ## # define(`icecast_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `icecast_domtrans'($*)) dnl gen_require(` type icecast_t, icecast_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, icecast_exec_t, icecast_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `icecast_domtrans'($*)) dnl ') ######################################## ## ## Send generic signals to icecast. ## ## ## ## Domain allowed access. ## ## # define(`icecast_signal',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `icecast_signal'($*)) dnl gen_require(` type icecast_t; ') allow $1 icecast_t:process signal; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `icecast_signal'($*)) dnl ') ######################################## ## ## Execute icecast server in the icecast domain. ## ## ## ## Domain allowed to transition. ## ## # define(`icecast_initrc_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `icecast_initrc_domtrans'($*)) dnl gen_require(` type icecast_initrc_exec_t; ') init_labeled_script_domtrans($1, icecast_initrc_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `icecast_initrc_domtrans'($*)) dnl ') ######################################## ## ## Read icecast pid files. ## ## ## ## Domain allowed access. ## ## # define(`icecast_read_pid_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `icecast_read_pid_files'($*)) dnl gen_require(` type icecast_var_run_t; ') files_search_pids($1) allow $1 icecast_var_run_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `icecast_read_pid_files'($*)) dnl ') ######################################## ## ## Create, read, write, and delete ## icecast pid files. 
## ## ## ## Domain allowed access. ## ## # define(`icecast_manage_pid_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `icecast_manage_pid_files'($*)) dnl gen_require(` type icecast_var_run_t; ') files_search_pids($1) manage_files_pattern($1, icecast_var_run_t, icecast_var_run_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `icecast_manage_pid_files'($*)) dnl ') ######################################## ## ## Read icecast log files. ## ## ## ## Domain allowed access. ## ## ## # define(`icecast_read_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `icecast_read_log'($*)) dnl gen_require(` type icecast_log_t; ') logging_search_logs($1) read_files_pattern($1, icecast_log_t, icecast_log_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `icecast_read_log'($*)) dnl ') ######################################## ## ## Append icecast log files. ## ## ## ## Domain allowed access. ## ## # define(`icecast_append_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `icecast_append_log'($*)) dnl gen_require(` type icecast_log_t; ') logging_search_logs($1) append_files_pattern($1, icecast_log_t, icecast_log_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `icecast_append_log'($*)) dnl ') ######################################## ## ## Create, read, write, and delete ## icecast log files. ## ## ## ## Domain allow access. 
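##	</summary>
## </param>
#
define(`icecast_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `icecast_manage_log'($*)) dnl
gen_require(`
	type icecast_log_t;
')

	logging_search_logs($1)
	manage_files_pattern($1, icecast_log_t, icecast_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `icecast_manage_log'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an icecast environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`icecast_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `icecast_admin'($*)) dnl
gen_require(`
	type icecast_t, icecast_initrc_exec_t, icecast_log_t;
	type icecast_var_run_t;
')

	allow $1 icecast_t:process signal_perms;
	ps_process_pattern($1, icecast_t)

	# ptrace is only granted while deny_ptrace is off; it must not be
	# re-granted unconditionally below or the tunable has no effect
	tunable_policy(`deny_ptrace',`',`
		allow $1 icecast_t:process ptrace;
	')

	# Allow the admin domain to run the icecast init script
	icecast_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 icecast_initrc_exec_t system_r;
	allow $2 system_r;

	logging_search_logs($1)
	admin_pattern($1, icecast_log_t)

	files_search_pids($1)
	admin_pattern($1, icecast_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `icecast_admin'($*)) dnl
')

## <summary>Bring up/down ethernet interfaces based on cable detection.</summary>

########################################
## <summary>
##	Execute a domain transition to run ifplugd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.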
## ## # define(`ifplugd_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ifplugd_domtrans'($*)) dnl gen_require(` type ifplugd_t, ifplugd_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, ifplugd_exec_t, ifplugd_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ifplugd_domtrans'($*)) dnl ') ######################################## ## ## Send generic signals to ifplugd. ## ## ## ## Domain allowed access. ## ## # define(`ifplugd_signal',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ifplugd_signal'($*)) dnl gen_require(` type ifplugd_t; ') allow $1 ifplugd_t:process signal; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ifplugd_signal'($*)) dnl ') ######################################## ## ## Read ifplugd configuration files. ## ## ## ## Domain allowed access. ## ## # define(`ifplugd_read_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ifplugd_read_config'($*)) dnl gen_require(` type ifplugd_etc_t; ') files_search_etc($1) read_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ifplugd_read_config'($*)) dnl ') ######################################## ## ## Create, read, write, and delete ## ifplugd configuration content. ## ## ## ## Domain allowed access. 
## ## # define(`ifplugd_manage_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ifplugd_manage_config'($*)) dnl gen_require(` type ifplugd_etc_t; ') files_search_etc($1) manage_dirs_pattern($1, ifplugd_etc_t, ifplugd_etc_t) manage_files_pattern($1, ifplugd_etc_t, ifplugd_etc_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ifplugd_manage_config'($*)) dnl ') ######################################## ## ## Read ifplugd pid files. ## ## ## ## Domain allowed access. ## ## # define(`ifplugd_read_pid_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ifplugd_read_pid_files'($*)) dnl gen_require(` type ifplugd_var_run_t; ') files_search_pids($1) allow $1 ifplugd_var_run_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ifplugd_read_pid_files'($*)) dnl ') ######################################## ## ## All of the rules required to ## administrate an ifplugd environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # define(`ifplugd_admin',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ifplugd_admin'($*)) dnl gen_require(` type ifplugd_t, ifplugd_etc_t, ifplugd_var_run_t; type ifplugd_initrc_exec_t; ') allow $1 ifplugd_t:process signal_perms; ps_process_pattern($1, ifplugd_t) init_labeled_script_domtrans($1, ifplugd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 ifplugd_initrc_exec_t system_r; allow $2 system_r; files_list_etc($1) admin_pattern($1, ifplugd_etc_t) files_list_pids($1) admin_pattern($1, ifplugd_var_run_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ifplugd_admin'($*)) dnl ') ## iMaze game server. ## Internet services daemon. ######################################## ## ## Define the specified domain as a inetd service. 
## ## ##

## Define the specified domain as an inetd service. The ## inetd_service_domain(), inetd_tcp_service_domain(), ## or inetd_udp_service_domain() interfaces should be used ## instead of this interface, as this interface only provides ## the rules common to those three interfaces. ##

##
## ## ## The type associated with the inetd service process. ## ## ## ## ## The type associated with the process program. ## ## # define(`inetd_core_service_domain',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `inetd_core_service_domain'($*)) dnl gen_require(` type inetd_t; role system_r; ') domain_type($1) domain_entry_file($1, $2) role system_r types $1; domtrans_pattern(inetd_t, $2, $1) allow inetd_t $1:process { siginh sigkill }; init_domain($1, $2) optional_policy(` abrt_stream_connect($1) ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `inetd_core_service_domain'($*)) dnl ') ######################################## ## ## Define the specified domain as a TCP inetd service. ## ## ## ## The type associated with the inetd service process. ## ## ## ## ## The type associated with the process program. ## ## # define(`inetd_tcp_service_domain',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `inetd_tcp_service_domain'($*)) dnl gen_require(` type inetd_t; ') inetd_core_service_domain($1, $2) allow $1 inetd_t:tcp_socket rw_stream_socket_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `inetd_tcp_service_domain'($*)) dnl ') ######################################## ## ## Define the specified domain as a UDP inetd service. ## ## ## ## The type associated with the inetd service process. ## ## ## ## ## The type associated with the process program. 
## ## # define(`inetd_udp_service_domain',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `inetd_udp_service_domain'($*)) dnl gen_require(` type inetd_t; ') inetd_core_service_domain($1, $2) allow $1 inetd_t:udp_socket rw_socket_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `inetd_udp_service_domain'($*)) dnl ') ######################################## ## ## Define the specified domain as a TCP and UDP inetd service. ## ## ## ## The type associated with the inetd service process. ## ## ## ## ## The type associated with the process program. ## ## # define(`inetd_service_domain',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `inetd_service_domain'($*)) dnl gen_require(` type inetd_t; ') inetd_core_service_domain($1, $2) allow $1 inetd_t:tcp_socket rw_stream_socket_perms; allow $1 inetd_t:udp_socket rw_socket_perms; optional_policy(` stunnel_service_domain($1, $2) ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `inetd_service_domain'($*)) dnl ') ######################################## ## ## Inherit and use inetd file descriptors. ## ## ## ## Domain allowed access. ## ## # define(`inetd_use_fds',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `inetd_use_fds'($*)) dnl gen_require(` type inetd_t; ') allow $1 inetd_t:fd use; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `inetd_use_fds'($*)) dnl ') ######################################## ## ## Connect to the inetd service using a TCP connection. (Deprecated) ## ## ## ## Domain allowed access. 
## ## # define(`inetd_tcp_connect',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `inetd_tcp_connect'($*)) dnl refpolicywarn(`$0($*) has been deprecated.') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `inetd_tcp_connect'($*)) dnl ') ######################################## ## ## Run inetd child process in the ## inet child domain. ## ## ## ## Domain allowed to transition. ## ## # define(`inetd_domtrans_child',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `inetd_domtrans_child'($*)) dnl gen_require(` type inetd_child_t, inetd_child_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, inetd_child_exec_t, inetd_child_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `inetd_domtrans_child'($*)) dnl ') ######################################## ## ## Send UDP network traffic to inetd. (Deprecated) ## ## ## ## Domain allowed access. ## ## # define(`inetd_udp_send',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `inetd_udp_send'($*)) dnl refpolicywarn(`$0($*) has been deprecated.') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `inetd_udp_send'($*)) dnl ') ######################################## ## ## Read and write inetd TCP sockets. ## ## ## ## Domain allowed access. ## ## # define(`inetd_rw_tcp_sockets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `inetd_rw_tcp_sockets'($*)) dnl gen_require(` type inetd_t; ') allow $1 inetd_t:tcp_socket rw_stream_socket_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `inetd_rw_tcp_sockets'($*)) dnl ') ## Internet News NNTP server. ######################################## ## ## Execute innd in the caller domain. ## ## ## ## Domain allowed access. 
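##	</summary>
## </param>
#
define(`inn_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inn_exec'($*)) dnl
gen_require(`
	type innd_exec_t;
')

	corecmd_search_bin($1)
	can_exec($1, innd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inn_exec'($*)) dnl
')

########################################
## <summary>
##	Execute inn configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`inn_exec_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inn_exec_config'($*)) dnl
gen_require(`
	type innd_etc_t;
')

	files_search_etc($1)
	exec_files_pattern($1, innd_etc_t, innd_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inn_exec_config'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	innd log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`inn_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inn_manage_log'($*)) dnl
gen_require(`
	type innd_log_t;
')

	# search on the generic log directory, as the other
	# *_manage_log interfaces in this file grant it
	logging_search_logs($1)
	manage_files_pattern($1, innd_log_t, innd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inn_manage_log'($*)) dnl
')

########################################
## <summary>
##	Create specified objects in generic
##	log directories with the innd log file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Class of the object being created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.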
## ## # define(`inn_generic_log_filetrans_innd_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `inn_generic_log_filetrans_innd_log'($*)) dnl gen_require(` type innd_log_t; ') logging_log_filetrans($1, innd_log_t, $2, $3) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `inn_generic_log_filetrans_innd_log'($*)) dnl ') ######################################## ## ## Create, read, write, and delete ## innd pid content. ## ## ## ## Domain allowed access. ## ## # define(`inn_manage_pid',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `inn_manage_pid'($*)) dnl gen_require(` type innd_var_run_t; ') files_search_pids($1) allow $1 innd_var_run_t:dir manage_dir_perms; allow $1 innd_var_run_t:file manage_file_perms; allow $1 innd_var_run_t:sock_file manage_sock_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `inn_manage_pid'($*)) dnl ') ######################################## ## ## Read innd configuration content. ## ## ## ## Domain allowed access. ## ## # define(`inn_read_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `inn_read_config'($*)) dnl gen_require(` type innd_etc_t; ') files_search_etc($1) allow $1 innd_etc_t:dir list_dir_perms; allow $1 innd_etc_t:file read_file_perms; allow $1 innd_etc_t:lnk_file read_lnk_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `inn_read_config'($*)) dnl ') ######################################## ## ## Read innd news library content. ## ## ## ## Domain allowed access. 
## ## # define(`inn_read_news_lib',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `inn_read_news_lib'($*)) dnl gen_require(` type innd_var_lib_t; ') files_search_var_lib($1) allow $1 innd_var_lib_t:dir list_dir_perms; allow $1 innd_var_lib_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `inn_read_news_lib'($*)) dnl ') ######################################## ## ## Write innd inherited news library content. ## ## ## ## Domain allowed access. ## ## # define(`inn_write_inherited_news_lib',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `inn_write_inherited_news_lib'($*)) dnl gen_require(` type innd_var_lib_t; ') allow $1 innd_var_lib_t:file write_inherited_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `inn_write_inherited_news_lib'($*)) dnl ') ######################################## ## ## Read innd news spool content. ## ## ## ## Domain allowed access. ## ## # define(`inn_read_news_spool',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `inn_read_news_spool'($*)) dnl gen_require(` type news_spool_t; ') files_search_spool($1) allow $1 news_spool_t:dir list_dir_perms; allow $1 news_spool_t:file read_file_perms; allow $1 news_spool_t:lnk_file read_lnk_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `inn_read_news_spool'($*)) dnl ') ######################################## ## ## Send to a innd unix dgram socket. ## ## ## ## Domain allowed access. 
## ## # define(`inn_dgram_send',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `inn_dgram_send'($*)) dnl gen_require(` type innd_t, innd_var_run_t; ') files_search_pids($1) dgram_send_pattern($1, innd_var_run_t, innd_var_run_t, innd_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `inn_dgram_send'($*)) dnl ') ######################################## ## ## Execute innd in the innd domain. ## ## ## ## Domain allowed to transition. ## ## # define(`inn_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `inn_domtrans'($*)) dnl gen_require(` type innd_t, innd_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, innd_exec_t, innd_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `inn_domtrans'($*)) dnl ') ######################################## ## ## All of the rules required to ## administrate an inn environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. 
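##	</summary>
## </param>
## <rolecap/>
#
define(`inn_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `inn_admin'($*)) dnl
gen_require(`
	type innd_t, innd_etc_t, innd_log_t;
	type news_spool_t, innd_var_lib_t, innd_var_run_t;
	type innd_initrc_exec_t;
')

	allow $1 innd_t:process signal_perms;
	ps_process_pattern($1, innd_t)

	# ptrace is only granted while deny_ptrace is off; it must not be
	# re-granted unconditionally below or the tunable has no effect
	tunable_policy(`deny_ptrace',`',`
		allow $1 innd_t:process ptrace;
	')

	init_labeled_script_domtrans($1, innd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 innd_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, innd_etc_t)

	logging_list_logs($1)
	admin_pattern($1, innd_log_t)

	files_list_var_lib($1)
	admin_pattern($1, innd_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, innd_var_run_t)

	files_list_spool($1)
	admin_pattern($1, news_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `inn_admin'($*)) dnl
')

## <summary>IP over DNS tunneling daemon.</summary>

########################################
## <summary>
##	Execute iodined with a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`iodined_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iodined_domtrans'($*)) dnl
gen_require(`
	type iodined_t, iodined_exec_t;
')

	corecmd_search_bin($1)
	domtrans_pattern($1, iodined_exec_t, iodined_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iodined_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage the iodined
##	service (no domain transition is granted).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.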
##
#
define(`iodined_systemctl',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `iodined_systemctl'($*))dnl
	gen_require(`
		type iodined_t;
		type iodined_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	# unit files stay read-only for the caller; only the service
	# object (start/stop/status) is manageable
	allow $1 iodined_unit_file_t:file read_file_perms;
	allow $1 iodined_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, iodined_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `iodined_systemctl'($*))dnl
')

########################################
##
## All of the rules required to
## administrate an iodined environment.
## Deprecated: forwards to iodine_admin().
##
## Parameters:
##   $1 - Domain allowed access.
##   $2 - Role allowed access.
##
#
define(`iodined_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `iodined_admin'($*))dnl
	# kept only for backwards compatibility; emits a build-time warning
	refpolicywarn(`$0($*) has been deprecated, use iodine_admin() instead.')
	iodine_admin($1, $2)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `iodined_admin'($*))dnl
')

########################################
##
## All of the rules required to
## administrate an iodined environment.
##
## Parameters:
##   $1 - Domain allowed access.
##   $2 - Role allowed access.
##
#
define(`iodine_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `iodine_admin'($*))dnl
	gen_require(`
		type iodined_t, iodined_initrc_exec_t;
	')

	# NOTE(review): ptrace is granted unconditionally here, unlike the
	# deny_ptrace-gated grants used by inn_admin and irc_role in this file
	allow $1 iodined_t:process { ptrace signal_perms };
	ps_process_pattern($1, iodined_t)

	init_labeled_script_domtrans($1, iodined_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 iodined_initrc_exec_t system_r;
	allow $2 system_r;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `iodine_admin'($*))dnl
')

## Simple top-like I/O monitor

########################################
##
## Allow execution of iotop in the iotop domain from the target domain.
##
## Parameters:
##   $1 - Domain allowed to transition to iotop.
##
#
define(`iotop_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `iotop_domtrans'($*))dnl
	gen_require(`
		type iotop_t, iotop_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, iotop_exec_t, iotop_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `iotop_domtrans'($*))dnl
')

########################################
##
## Execute iotop in the iotop domain, and
## allow the specified role to access the iotop domain.
##
## Parameters:
##   $1 - Domain allowed to transition.
##   $2 - The role to be allowed into the iotop domain.
##
#
define(`iotop_run',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `iotop_run'($*))dnl
	gen_require(`
		type iotop_t;
		attribute_role iotop_roles;
	')

	iotop_domtrans($1)
	roleattribute $2 iotop_roles;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `iotop_run'($*))dnl
')

## Policy for IPA services.

########################################
##
## Execute ipa-otpd in the ipa_otpd domain.
##
## Parameters:
##   $1 - Domain allowed to transition.
##
#
define(`ipa_domtrans_otpd',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipa_domtrans_otpd'($*))dnl
	gen_require(`
		type ipa_otpd_t, ipa_otpd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, ipa_otpd_exec_t, ipa_otpd_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipa_domtrans_otpd'($*))dnl
')

########################################
##
## Connect to ipa-otpd over a unix stream socket.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`ipa_stream_connect_otpd',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipa_stream_connect_otpd'($*))dnl
	gen_require(`
		type ipa_otpd_t;
	')

	# only the connect permission on the peer socket is granted; the
	# caller must separately be able to reach the socket file itself
	allow $1 ipa_otpd_t:unix_stream_socket connectto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipa_stream_connect_otpd'($*))dnl
')

########################################
##
## Connect to ipa-ods-exporter over a unix stream socket.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`ipa_stream_connect_ods_exporter',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipa_stream_connect_ods_exporter'($*))dnl
	gen_require(`
		type ipa_ods_exporter_t;
	')

	allow $1 ipa_ods_exporter_t:unix_stream_socket connectto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipa_stream_connect_ods_exporter'($*))dnl
')

########################################
##
## Execute ipa-helper in the ipa_helper domain.
##
## Parameters:
##   $1 - Domain allowed to transition.
##
#
define(`ipa_domtrans_helper',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipa_domtrans_helper'($*))dnl
	gen_require(`
		type ipa_helper_t, ipa_helper_exec_t;
	')

	# NOTE(review): unlike the other domtrans interfaces in this file this
	# one does not call corecmd_search_bin, so the caller must already be
	# able to search the directory holding the helper
	domtrans_pattern($1, ipa_helper_exec_t, ipa_helper_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipa_domtrans_helper'($*))dnl
')

########################################
##
## Execute ipa-helper in the ipa_helper domain
## and allow the role into that domain.
##
## Parameters:
##   $1 - Domain allowed to transition.
##   $2 - Role allowed access.
##
#
define(`ipa_run_helper',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipa_run_helper'($*))dnl
	gen_require(`
		type ipa_helper_t;
		attribute_role ipa_helper_roles;
	')

	ipa_domtrans_helper($1)
	roleattribute $2 ipa_helper_roles;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipa_run_helper'($*))dnl
')

########################################
##
## Allow domain to search ipa lib directories.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`ipa_search_lib',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipa_search_lib'($*))dnl
	gen_require(`
		type ipa_var_lib_t;
	')

	# search only; no read of file contents is granted here
	search_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipa_search_lib'($*))dnl
')

########################################
##
## Allow domain to manage ipa lib files/dirs.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`ipa_manage_lib',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipa_manage_lib'($*))dnl
	gen_require(`
		type ipa_var_lib_t;
	')

	manage_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
	manage_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipa_manage_lib'($*))dnl
')

########################################
##
## Allow domain to manage ipa log files/dirs.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`ipa_manage_log',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipa_manage_log'($*))dnl
	gen_require(`
		type ipa_log_t;
	')

	manage_files_pattern($1, ipa_log_t, ipa_log_t)
	manage_dirs_pattern($1, ipa_log_t, ipa_log_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipa_manage_log'($*))dnl
')

########################################
##
## Allow domain to read ipa lib files and list its directories.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`ipa_read_lib',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipa_read_lib'($*))dnl
	gen_require(`
		type ipa_var_lib_t;
	')

	# read-only access; the manage variant is ipa_manage_lib
	read_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
	list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipa_read_lib'($*))dnl
')

########################################
##
## Allow domain to manage ipa run files/dirs.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`ipa_manage_pid_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipa_manage_pid_files'($*))dnl
	gen_require(`
		type ipa_var_run_t;
	')

	manage_files_pattern($1, ipa_var_run_t, ipa_var_run_t)
	manage_dirs_pattern($1, ipa_var_run_t, ipa_var_run_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipa_manage_pid_files'($*))dnl
')

########################################
##
## Create specified objects in generic
## pid directories with the ipa pid file type.
##
## Parameters:
##   $1 - Domain allowed access.
##   $2 - The name of the object being created.
##
#
define(`ipa_filetrans_pid',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipa_filetrans_pid'($*))dnl
	gen_require(`
		type ipa_var_run_t;
	')

	# only plain files get the transition; directories created under
	# the generic pid directory keep the default label
	files_pid_filetrans($1, ipa_var_run_t, file, $2)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipa_filetrans_pid'($*))dnl
')

########################################
##
## Allow domain to delete ipa tmp files.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`ipa_delete_tmp',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipa_delete_tmp'($*))dnl
	gen_require(`
		type ipa_tmp_t;
	')

	# unlink only; no read or write of the tmp files is granted
	files_search_tmp($1)
	allow $1 ipa_tmp_t:file unlink;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipa_delete_tmp'($*))dnl
')

########################################
##
## Create log directories with a named file
## type transition.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`ipa_named_filetrans_log_dir',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipa_named_filetrans_log_dir'($*))dnl
	gen_require(`
		type ipa_log_t;
	')

	# the transition fires only for a directory literally named ipa
	logging_log_named_filetrans($1, ipa_log_t, dir, "ipa")
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipa_named_filetrans_log_dir'($*))dnl
')

#######################################
##
## Allow domain to create /tmp/ca.p12
## labelled as ipa tmp content.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`ipa_filetrans_named_content',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipa_filetrans_named_content'($*))dnl
	gen_require(`
		type ipa_tmp_t;
	')

	# a file created with this exact name in the generic tmp directory
	# is labelled ipa_tmp_t instead of the default tmp type
	files_tmp_filetrans($1, ipa_tmp_t, file, "ca.p12")
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipa_filetrans_named_content'($*))dnl
')

########################################
##
## Create file ipasession.key in cert_t dir
## with ipa_cert_t type, and manage ipa_cert_t files.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`ipa_cert_filetrans_named_content',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipa_cert_filetrans_named_content'($*))dnl
	gen_require(`
		type ipa_cert_t;
		type cert_t;
	')

	filetrans_pattern($1, cert_t, ipa_cert_t, file ,"ipasession.key")
	# besides the named transition, full management of ipa_cert_t
	# files is granted, not just of the one key file
	manage_files_pattern($1, ipa_cert_t, ipa_cert_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipa_cert_filetrans_named_content'($*))dnl
')

########################################
##
## Allow domain to read ipa tmp files.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`ipa_read_tmp',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipa_read_tmp'($*))dnl
	gen_require(`
		type ipa_tmp_t;
	')

	read_files_pattern($1, ipa_tmp_t, ipa_tmp_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipa_read_tmp'($*))dnl
')

########################################
##
## Execute ipa_custodia_exec_t in the ipa_custodia domain.
##
## Parameters:
##   $1 - Domain allowed to transition.
##
#
define(`ipa_custodia_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipa_custodia_domtrans'($*))dnl
	gen_require(`
		type ipa_custodia_t, ipa_custodia_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, ipa_custodia_exec_t, ipa_custodia_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipa_custodia_domtrans'($*))dnl
')

######################################
##
## Execute ipa_custodia in the caller domain.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`ipa_custodia_exec',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipa_custodia_exec'($*))dnl
	gen_require(`
		type ipa_custodia_exec_t;
	')

	# no domain transition: the binary runs with the privileges of the caller
	corecmd_search_bin($1)
	can_exec($1, ipa_custodia_exec_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipa_custodia_exec'($*))dnl
')

#####################################
##
## Connect to ipa_custodia with a unix
## domain stream socket.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`ipa_custodia_stream_connect',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipa_custodia_stream_connect'($*))dnl
	gen_require(`
		type ipa_custodia_t;
	')

	allow $1 ipa_custodia_t:unix_stream_socket { connectto };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipa_custodia_stream_connect'($*))dnl
')

########################################
##
## Allow noatsecure on transitions into ipa_helper.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`ipa_helper_noatsecure',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipa_helper_noatsecure'($*))dnl
	gen_require(`
		type ipa_helper_t;
	')

	# disables the secure-mode environment cleansing that would otherwise
	# apply when the caller transitions into ipa_helper_t
	allow $1 ipa_helper_t:process { noatsecure };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipa_helper_noatsecure'($*))dnl
')

## IPMI event daemon for sending events to syslog.

########################################
##
## Execute ipmievd_exec_t in the ipmievd domain.
##
## Parameters:
##   $1 - Domain allowed to transition.
##
#
define(`ipmievd_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipmievd_domtrans'($*))dnl
	gen_require(`
		type ipmievd_t, ipmievd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, ipmievd_exec_t, ipmievd_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipmievd_domtrans'($*))dnl
')

######################################
##
## Execute ipmievd in the caller domain.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`ipmievd_exec',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipmievd_exec'($*))dnl
	gen_require(`
		type ipmievd_exec_t;
	')

	# no domain transition: the binary runs with the privileges of the caller
	corecmd_search_bin($1)
	can_exec($1, ipmievd_exec_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipmievd_exec'($*))dnl
')

########################################
##
## Read ipmievd PID files.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`ipmievd_read_pid_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipmievd_read_pid_files'($*))dnl
	gen_require(`
		type ipmievd_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, ipmievd_var_run_t, ipmievd_var_run_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipmievd_read_pid_files'($*))dnl
')

########################################
##
## Execute systemctl to manage the ipmievd
## service and inspect the ipmievd domain.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`ipmievd_systemctl',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipmievd_systemctl'($*))dnl
	gen_require(`
		type ipmievd_t;
		type ipmievd_unit_file_t;
	')

	# NOTE(review): iodined_systemctl and iscsi_systemctl in this file also
	# call init_reload_services; this one does not
	systemd_exec_systemctl($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 ipmievd_unit_file_t:file read_file_perms;
	allow $1 ipmievd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, ipmievd_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipmievd_systemctl'($*))dnl
')

########################################
##
## All of the rules required to administrate
## an ipmievd environment.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`ipmievd_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ipmievd_admin'($*))dnl
	gen_require(`
		type ipmievd_t;
		type ipmievd_var_run_t;
		type ipmievd_unit_file_t;
	')

	allow $1 ipmievd_t:process { signal_perms };
	ps_process_pattern($1, ipmievd_t)

	# ptrace of the daemon is only granted while deny_ptrace is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 ipmievd_t:process ptrace;
	')

	files_search_pids($1)
	admin_pattern($1, ipmievd_var_run_t)

	# the admin may edit the unit file itself, not just drive the service
	ipmievd_systemctl($1)
	admin_pattern($1, ipmievd_unit_file_t)
	allow $1 ipmievd_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ipmievd_admin'($*))dnl
')

## IRC client policy.

########################################
##
## Role access for IRC.
##
## Parameters:
##   $1 - Role allowed access.
##   $2 - User domain for the role.
##
#
define(`irc_role',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `irc_role'($*))dnl
	gen_require(`
		attribute_role irc_roles;
		type irc_t, irc_exec_t, irc_home_t;
		type irc_tmp_t, irc_log_home_t;
		type irssi_t, irssi_exec_t, irssi_home_t;
	')

	########################################
	#
	# Declarations
	#

	roleattribute $1 irc_roles;

	########################################
	#
	# Policy
	#

	# irc client: transition, signal and (tunable) ptrace
	domtrans_pattern($2, irc_exec_t, irc_t)
	ps_process_pattern($2, irc_t)
	allow $2 irc_t:process signal_perms;

	tunable_policy(`deny_ptrace',`',`
		allow $2 irc_t:process ptrace;
	')

	# irssi client: same shape as above
	domtrans_pattern($2, irssi_exec_t, irssi_t)
	allow $2 irssi_t:process signal_perms;
	ps_process_pattern($2, irssi_t)

	tunable_policy(`deny_ptrace',`',`
		allow $2 irssi_t:process ptrace;
	')

	# the user domain owns the home/tmp content of both clients
	# and may relabel it
	allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:dir { manage_dir_perms relabel_dir_perms };
	allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:file { manage_file_perms relabel_file_perms };
	allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };

	irc_filetrans_home_content($2)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `irc_role'($*))dnl
')

#######################################
##
## Create IRC and irssi content in the user
## home directory with named file transitions.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`irc_filetrans_home_content',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `irc_filetrans_home_content'($*))dnl
	gen_require(`
		type irc_home_t;
		type irssi_home_t;
	')

	# .ircmotd and .irssi become irc_home_t, irclogs becomes irssi_home_t
	userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd")
	userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi")
	userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs")
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `irc_filetrans_home_content'($*))dnl
')

## IRC servers.

########################################
##
## All of the rules required to
## administrate an ircd environment.
##
## Parameters:
##   $1 - Domain allowed access.
##   $2 - Role allowed access.
##
#
define(`ircd_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ircd_admin'($*))dnl
	gen_require(`
		type ircd_t, ircd_initrc_exec_t, ircd_etc_t;
		type ircd_log_t, ircd_var_lib_t, ircd_var_run_t;
	')

	init_labeled_script_domtrans($1, ircd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 ircd_initrc_exec_t system_r;
	allow $2 system_r;

	# NOTE(review): ptrace is unconditional here, not gated by deny_ptrace
	allow $1 ircd_t:process { ptrace signal_perms };
	ps_process_pattern($1, ircd_t)

	files_search_etc($1)
	admin_pattern($1, ircd_etc_t)

	logging_search_logs($1)
	admin_pattern($1, ircd_log_t)

	files_search_var_lib($1)
	admin_pattern($1, ircd_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, ircd_var_run_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ircd_admin'($*))dnl
')

## IRQ balancing daemon.
########################################
##
## All of the rules required to
## administrate an irqbalance environment.
##
## Parameters:
##   $1 - Domain allowed access.
##   $2 - Role allowed access.
##
#
define(`irqbalance_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `irqbalance_admin'($*))dnl
	gen_require(`
		type irqbalance_t, irqbalance_initrc_exec_t, irqbalance_var_run_t;
	')

	# NOTE(review): ptrace is unconditional here, not gated by deny_ptrace
	allow $1 irqbalance_t:process { ptrace signal_perms };
	ps_process_pattern($1, irqbalance_t)

	init_labeled_script_domtrans($1, irqbalance_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 irqbalance_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_pids($1)
	admin_pattern($1, irqbalance_var_run_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `irqbalance_admin'($*))dnl
')

## Establish connections to iSCSI devices.

########################################
##
## Execute a domain transition to run iscsid.
##
## Parameters:
##   $1 - Domain allowed to transition.
##
#
define(`iscsid_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `iscsid_domtrans'($*))dnl
	gen_require(`
		type iscsid_t, iscsid_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, iscsid_exec_t, iscsid_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `iscsid_domtrans'($*))dnl
')

########################################
##
## Execute iscsid programs in the iscsid domain.
##
## Parameters:
##   $1 - Domain allowed to transition.
##   $2 - The role to allow the iscsid domain.
##
#
define(`iscsid_run',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `iscsid_run'($*))dnl
	gen_require(`
		attribute_role iscsid_roles;
	')

	iscsid_domtrans($1)
	roleattribute $2 iscsid_roles;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `iscsid_run'($*))dnl
')

########################################
##
## Create, read, write, and delete
## iscsid lock files.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`iscsi_manage_lock',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `iscsi_manage_lock'($*))dnl
	gen_require(`
		type iscsi_lock_t;
	')

	files_search_locks($1)
	manage_files_pattern($1, iscsi_lock_t, iscsi_lock_t)
	manage_dirs_pattern($1, iscsi_lock_t, iscsi_lock_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `iscsi_manage_lock'($*))dnl
')

########################################
##
## Create, read, write, and delete
## iscsid semaphores.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`iscsi_manage_semaphores',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `iscsi_manage_semaphores'($*))dnl
	gen_require(`
		type iscsid_t;
	')

	# SysV semaphores owned by the iscsid domain
	allow $1 iscsid_t:sem create_sem_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `iscsi_manage_semaphores'($*))dnl
')

########################################
##
## Connect to iscsid using a unix
## domain stream socket.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`iscsi_stream_connect',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `iscsi_stream_connect'($*))dnl
	gen_require(`
		type iscsid_t, iscsi_var_lib_t;
	')

	# the socket file is labelled iscsi_var_lib_t, hence the var_lib search
	files_search_var_lib($1)
	stream_connect_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t, iscsid_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `iscsi_stream_connect'($*))dnl
')

########################################
##
## Read iscsid lib files.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`iscsi_read_lib_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `iscsi_read_lib_files'($*))dnl
	gen_require(`
		type iscsi_var_lib_t;
	')

	read_files_pattern($1, iscsi_var_lib_t, iscsi_var_lib_t)
	allow $1 iscsi_var_lib_t:dir list_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `iscsi_read_lib_files'($*))dnl
')

########################################
##
## Create the iscsi lock directory with a
## named file transition.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`iscsi_filetrans_named_content',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `iscsi_filetrans_named_content'($*))dnl
	gen_require(`
		type iscsi_lock_t;
	')

	# only a directory literally named iscsi in the lock dir is relabelled
	files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi")
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `iscsi_filetrans_named_content'($*))dnl
')

########################################
##
## Execute systemctl to manage the iscsi
## service and inspect the iscsid domain.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`iscsi_systemctl',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `iscsi_systemctl'($*))dnl
	gen_require(`
		type iscsid_t;
		type iscsi_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	# unit files stay read-only here; iscsi_admin grants manage_file_perms
	allow $1 iscsi_unit_file_t:file read_file_perms;
	allow $1 iscsi_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, iscsid_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `iscsi_systemctl'($*))dnl
')

########################################
##
## All of the rules required to
## administrate an iscsi environment.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`iscsi_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `iscsi_admin'($*))dnl
	gen_require(`
		type iscsid_t, iscsi_lock_t, iscsi_log_t;
		type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t;
		type iscsi_unit_file_t;
	')

	# NOTE(review): ptrace is unconditional here, not gated by deny_ptrace
	allow $1 iscsid_t:process { ptrace signal_perms };
	ps_process_pattern($1, iscsid_t)

	# unlike iscsi_systemctl, the admin may also edit the unit file
	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 iscsi_unit_file_t:file manage_file_perms;
	allow $1 iscsi_unit_file_t:service manage_service_perms;

	logging_search_logs($1)
	admin_pattern($1, iscsi_log_t)

	files_search_locks($1)
	admin_pattern($1, iscsi_lock_t)

	files_search_var_lib($1)
	admin_pattern($1, iscsi_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, iscsi_var_run_t)

	files_search_tmp($1)
	admin_pattern($1, iscsi_tmp_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `iscsi_admin'($*))dnl
')

########################################
##
## Read iscsi PID files.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`iscsi_read_pid_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `iscsi_read_pid_files'($*))dnl
	gen_require(`
		type iscsi_var_run_t;
	')

	# file read only; no list/search of an iscsi_var_run_t directory
	allow $1 iscsi_var_run_t:file read_file_perms;
	files_search_pids($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `iscsi_read_pid_files'($*))dnl
')

## Internet Storage Name Service.

########################################
##
## All of the rules required to
## administrate an isnsd environment.
##
## Parameters:
##   $1 - Domain allowed access.
##   $2 - Role allowed access.
##
#
define(`isnsd_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `isnsd_admin'($*))dnl
	gen_require(`
		type isnsd_t, isnsd_initrc_exec_t, isnsd_var_lib_t;
		type isnsd_var_run_t;
	')

	# NOTE(review): ptrace is unconditional here, not gated by deny_ptrace
	allow $1 isnsd_t:process { ptrace signal_perms };
	ps_process_pattern($1, isnsd_t)

	init_labeled_script_domtrans($1, isnsd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 isnsd_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_var_lib($1)
	admin_pattern($1, isnsd_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, isnsd_var_run_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `isnsd_admin'($*))dnl
')

## Jabber instant messaging server

#####################################
##
## Creates types and rules for a basic
## jabber init daemon domain.
##
## Parameters:
##   $1 - Prefix for the domain.
##
#
define(`jabber_domain_template',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `jabber_domain_template'($*))dnl
	gen_require(`
		attribute jabberd_domain;
	')

	##############################
	#
	# $1_t declarations
	#

	# every derived daemon joins the jabberd_domain attribute so that
	# attribute-wide rules elsewhere apply to it
	type $1_t, jabberd_domain;
	type $1_exec_t;
	init_daemon_domain($1_t, $1_exec_t)

	kernel_read_system_state($1_t)

	corenet_all_recvfrom_netlabel($1_t)

	logging_send_syslog_msg($1_t)
dnl
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `jabber_domain_template'($*))dnl
')

#######################################
##
## Execute a domain transition to run jabberd services.
##
## Parameters:
##   $1 - Domain allowed to transition.
##
#
define(`jabber_domtrans_jabberd',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `jabber_domtrans_jabberd'($*))dnl
	gen_require(`
		type jabberd_t, jabberd_exec_t;
	')

	domtrans_pattern($1, jabberd_exec_t, jabberd_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `jabber_domtrans_jabberd'($*))dnl
')

######################################
##
## Execute a domain transition to run the jabberd router service.
##
## Parameters:
##   $1 - Domain allowed to transition.
##
#
define(`jabber_domtrans_jabberd_router',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `jabber_domtrans_jabberd_router'($*))dnl
	gen_require(`
		type jabberd_router_t, jabberd_router_exec_t;
	')

	domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `jabber_domtrans_jabberd_router'($*))dnl
')

#######################################
##
## Read jabberd lib files.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`jabberd_read_lib_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `jabberd_read_lib_files'($*))dnl
	gen_require(`
		type jabberd_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `jabberd_read_lib_files'($*))dnl
')

#######################################
##
## Do not audit attempts to read inherited jabberd lib files.
##
## Parameters:
##   $1 - Domain to not audit.
##
#
define(`jabberd_dontaudit_read_lib_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `jabberd_dontaudit_read_lib_files'($*))dnl
	gen_require(`
		type jabberd_var_lib_t;
	')

	# silences denials only for descriptors inherited across exec;
	# opening the files afresh is still audited
	dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `jabberd_dontaudit_read_lib_files'($*))dnl
')

#######################################
##
## Create, read, write, and delete
## jabberd lib files.
##
## Parameters:
##   $1 - Domain allowed access.
##
#
define(`jabberd_manage_lib_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `jabberd_manage_lib_files'($*))dnl
	gen_require(`
		type jabberd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `jabberd_manage_lib_files'($*))dnl
')

########################################
##
## All of the rules required to administrate
## a jabber environment.
##
## Parameters:
##   $1 - Domain allowed access.
##   $2 - The role to be allowed to manage the jabber domain.
##
#
define(`jabber_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `jabber_admin'($*))dnl
	gen_require(`
		type jabberd_t, jabberd_var_lib_t;
		type jabberd_initrc_exec_t, jabberd_router_t;
		type jabberd_lock_t;
		type jabberd_var_spool_t;
	')

	allow $1 jabberd_t:process signal_perms;
	ps_process_pattern($1, jabberd_t)

	# ptrace of both jabber daemons is only granted while deny_ptrace is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 jabberd_t:process ptrace;
		allow $1 jabberd_router_t:process ptrace;
	')

	allow $1 jabberd_router_t:process signal_perms;
	ps_process_pattern($1, jabberd_router_t)

	init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 jabberd_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_locks($1)
	admin_pattern($1, jabberd_lock_t)

	files_search_spool($1)
	admin_pattern($1, jabberd_var_spool_t)

	files_search_var_lib($1)
	admin_pattern($1, jabberd_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `jabber_admin'($*))dnl
')

## Java virtual machine

########################################
##
## Role access for java.
##
## Parameters:
##   $1 - Role allowed access.
##   $2 - User domain for the role.
##	</summary>
## </param>
#
define(`java_role',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `java_role'($*)) dnl
	gen_require(`
		attribute_role java_roles;
		type java_t, java_exec_t, java_tmp_t;
		type java_tmpfs_t;
	')

	########################################
	#
	# Declarations
	#

	roleattribute $1 java_roles;

	########################################
	#
	# Policy
	#

	domtrans_pattern($2, java_exec_t, java_t)
	# NOTE: ptrace of java_t is granted unconditionally here, whereas the
	# admin interfaces in this file gate ptrace on the deny_ptrace boolean
	allow $2 java_t:process { noatsecure siginh rlimitinh ptrace signal_perms };
	ps_process_pattern($2, java_t)

	# relabel perms let the user domain change the label of java tmp content
	allow $2 java_tmp_t:dir { manage_dir_perms relabel_dir_perms };
	allow $2 { java_tmp_t java_tmpfs_t }:file { manage_file_perms relabel_file_perms };
	allow $2 java_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
	allow $2 java_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
	allow $2 java_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };

	allow java_t $2:process signull;
	allow java_t $2:unix_stream_socket connectto;
	allow java_t $2:unix_stream_socket { read write };
	allow java_t $2:tcp_socket { read write };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `java_role'($*)) dnl
')

#######################################
## <summary>
##	The role template for the java module.
## </summary>
## <desc>
##	<p>
##	This template creates a derived domain which is used
##	for java applications.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
#
define(`java_role_template',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `java_role_template'($*)) dnl
	gen_require(`
		attribute java_domain;
		type java_exec_t, java_tmp_t, java_tmpfs_t;
		type java_home_t;
	')

	########################################
	#
	# Declarations
	#

	type $1_java_t, java_domain;
	userdom_user_application_domain($1_java_t, java_exec_t)
	role $2 types $1_java_t;

	########################################
	#
	# Policy
	#

	domtrans_pattern($3, java_exec_t, $1_java_t)
	# ptrace is granted unconditionally, not gated on deny_ptrace
	allow $3 $1_java_t:process { ptrace noatsecure siginh rlimitinh signal_perms };
	ps_process_pattern($3, $1_java_t)

	allow $3 { java_home_t java_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
	allow $3 { java_tmp_t java_tmpfs_t java_home_t }:file { manage_file_perms relabel_file_perms };
	allow $3 java_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
	allow $3 java_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
	allow $3 java_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
	# a .java directory created in the user home gets the java_home_t label
	userdom_user_home_dir_filetrans($3, java_home_t, dir, ".java")

	allow $1_java_t $3:process signull;
	allow $1_java_t $3:unix_stream_socket connectto;
	allow $1_java_t $3:unix_stream_socket { read write };
	allow $1_java_t $3:tcp_socket { read write };

	# executing generic bin content from the derived java domain transitions back to the user domain
	corecmd_bin_domtrans($1_java_t, $3)
	auth_use_nsswitch($1_java_t)

	optional_policy(`
		xserver_role($2, $1_java_t)
	') dnl
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `java_role_template'($*)) dnl
')

########################################
## <summary>
##	Execute the java program in the java domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`java_domtrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `java_domtrans'($*)) dnl
	gen_require(`
		type java_t, java_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, java_exec_t, java_t) dnl
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `java_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute java in the java domain, and
##	allow the specified role the java domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`java_run',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `java_run'($*)) dnl
	gen_require(`
		attribute_role java_roles;
	')

	java_domtrans($1)
	roleattribute $2 java_roles;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `java_run'($*)) dnl
')

########################################
## <summary>
##	Execute the java program in the
##	unconfined java domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`java_domtrans_unconfined',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `java_domtrans_unconfined'($*)) dnl
	gen_require(`
		type unconfined_java_t, java_exec_t;
	')

	corecmd_search_bin($1)
	# NOTE: the target is unconfined_java_t, not java_t; callers get the unconfined domain
	domtrans_pattern($1, java_exec_t, unconfined_java_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `java_domtrans_unconfined'($*)) dnl
')

########################################
## <summary>
##	Execute the java program in the
##	unconfined java domain and allow the
##	specified role the java domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`java_run_unconfined',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `java_run_unconfined'($*)) dnl
	gen_require(`
		attribute_role unconfined_java_roles;
	')

	java_domtrans_unconfined($1)
	roleattribute $2 unconfined_java_roles;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `java_run_unconfined'($*)) dnl
')

########################################
## <summary>
##	Execute the java program in
##	the callers domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`java_exec',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `java_exec'($*)) dnl
	gen_require(`
		type java_exec_t;
	')

	corecmd_search_bin($1)
	# no domain transition: java runs with the privileges of the caller
	can_exec($1, java_exec_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `java_exec'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	generic java home content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`java_manage_generic_home_content',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `java_manage_generic_home_content'($*)) dnl
	gen_require(`
		type java_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 java_home_t:dir manage_dir_perms;
	allow $1 java_home_t:file manage_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `java_manage_generic_home_content'($*)) dnl
')

########################################
## <summary>
##	Create specified objects in user home
##	directories with the generic java
##	home type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Class of the object being created.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`java_home_filetrans_java_home',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `java_home_filetrans_java_home'($*)) dnl
	gen_require(`
		type java_home_t;
	')

	userdom_user_home_dir_filetrans($1, java_home_t, $2, $3)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `java_home_filetrans_java_home'($*)) dnl
')

## <summary>Jetty - HTTP server and Servlet container</summary>

########################################
## <summary>
##	Execute jetty_exec_t in the jetty domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`jetty_domtrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jetty_domtrans'($*)) dnl
	gen_require(`
		type jetty_t, jetty_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, jetty_exec_t, jetty_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jetty_domtrans'($*)) dnl
')

######################################
## <summary>
##	Execute jetty in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`jetty_exec',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jetty_exec'($*)) dnl
	gen_require(`
		type jetty_exec_t;
	')

	corecmd_search_bin($1)
	# no domain transition: jetty runs with the privileges of the caller
	can_exec($1, jetty_exec_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jetty_exec'($*)) dnl
')

########################################
## <summary>
##	Search jetty cache directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`jetty_search_cache',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jetty_search_cache'($*)) dnl
	gen_require(`
		type jetty_cache_t;
	')

	allow $1 jetty_cache_t:dir search_dir_perms;
	files_search_var($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jetty_search_cache'($*)) dnl
')

########################################
## <summary>
##	Read jetty cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`jetty_read_cache_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jetty_read_cache_files'($*)) dnl
	gen_require(`
		type jetty_cache_t;
	')

	files_search_var($1)
	read_files_pattern($1, jetty_cache_t, jetty_cache_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jetty_read_cache_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	jetty cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`jetty_manage_cache_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jetty_manage_cache_files'($*)) dnl
	gen_require(`
		type jetty_cache_t;
	')

	files_search_var($1)
	manage_files_pattern($1, jetty_cache_t, jetty_cache_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jetty_manage_cache_files'($*)) dnl
')

########################################
## <summary>
##	Manage jetty cache dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`jetty_manage_cache_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jetty_manage_cache_dirs'($*)) dnl
	gen_require(`
		type jetty_cache_t;
	')

	files_search_var($1)
	manage_dirs_pattern($1, jetty_cache_t, jetty_cache_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jetty_manage_cache_dirs'($*)) dnl
')

########################################
## <summary>
##	Read jetty log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`jetty_read_log',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jetty_read_log'($*)) dnl
	gen_require(`
		type jetty_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, jetty_log_t, jetty_log_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jetty_read_log'($*)) dnl
')

########################################
## <summary>
##	Append to jetty log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`jetty_append_log',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jetty_append_log'($*)) dnl
	gen_require(`
		type jetty_log_t;
	')

	logging_search_logs($1)
	# append only: no read, write or unlink of existing log content
	append_files_pattern($1, jetty_log_t, jetty_log_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jetty_append_log'($*)) dnl
')

########################################
## <summary>
##	Manage jetty log files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`jetty_manage_log',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jetty_manage_log'($*)) dnl
	gen_require(`
		type jetty_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, jetty_log_t, jetty_log_t)
	manage_files_pattern($1, jetty_log_t, jetty_log_t)
	manage_lnk_files_pattern($1, jetty_log_t, jetty_log_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jetty_manage_log'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read
##	jetty tmp files
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`jetty_dontaudit_read_tmp_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jetty_dontaudit_read_tmp_files'($*)) dnl
	gen_require(`
		type jetty_tmp_t;
	')

	# dontaudit only: this silences denials, it grants no access
	dontaudit $1 jetty_tmp_t:file read_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jetty_dontaudit_read_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Read jetty tmp files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`jetty_read_tmp_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jetty_read_tmp_files'($*)) dnl
	gen_require(`
		type jetty_tmp_t;
	')

	files_search_tmp($1)
	read_files_pattern($1, jetty_tmp_t, jetty_tmp_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jetty_read_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Manage jetty tmp files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`jetty_manage_tmp',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jetty_manage_tmp'($*)) dnl
	gen_require(`
		type jetty_tmp_t;
	')

	files_search_tmp($1)
	manage_dirs_pattern($1, jetty_tmp_t, jetty_tmp_t)
	manage_files_pattern($1, jetty_tmp_t, jetty_tmp_t)
	manage_lnk_files_pattern($1, jetty_tmp_t, jetty_tmp_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jetty_manage_tmp'($*)) dnl
')

########################################
## <summary>
##	Search jetty lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`jetty_search_lib',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jetty_search_lib'($*)) dnl
	gen_require(`
		type jetty_var_lib_t;
	')

	allow $1 jetty_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jetty_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read jetty lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`jetty_read_lib_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jetty_read_lib_files'($*)) dnl
	gen_require(`
		type jetty_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jetty_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Manage jetty lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`jetty_manage_lib_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jetty_manage_lib_files'($*)) dnl
	gen_require(`
		type jetty_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jetty_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Manage jetty lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`jetty_manage_lib_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jetty_manage_lib_dirs'($*)) dnl
	gen_require(`
		type jetty_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jetty_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Read jetty PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`jetty_read_pid_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jetty_read_pid_files'($*)) dnl
	gen_require(`
		type jetty_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, jetty_var_run_t, jetty_var_run_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jetty_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Execute jetty server in the jetty domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`jetty_systemctl',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jetty_systemctl'($*)) dnl
	gen_require(`
		type jetty_t;
		type jetty_unit_file_t;
	')

	systemd_exec_systemctl($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 jetty_unit_file_t:file read_file_perms;
	# manage_service_perms on the unit (start, stop, status...); the
	# broader all_service_perms is reserved for jetty_admin
	allow $1 jetty_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, jetty_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jetty_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a jetty environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`jetty_admin',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jetty_admin'($*)) dnl
	gen_require(`
		type jetty_t;
		type jetty_cache_t;
		type jetty_log_t;
		type jetty_tmp_t;
		type jetty_var_lib_t;
		type jetty_var_run_t;
		type jetty_unit_file_t;
	')

	allow $1 jetty_t:process { signal_perms };
	ps_process_pattern($1, jetty_t)

	# ptrace of jetty_t is withheld while the deny_ptrace boolean is on
	tunable_policy(`deny_ptrace',`',`
		allow $1 jetty_t:process ptrace;
	')

	files_search_var($1)
	admin_pattern($1, jetty_cache_t)

	logging_search_logs($1)
	admin_pattern($1, jetty_log_t)

	files_search_tmp($1)
	admin_pattern($1, jetty_tmp_t)

	files_search_var_lib($1)
	admin_pattern($1, jetty_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, jetty_var_run_t)

	jetty_systemctl($1)
	admin_pattern($1, jetty_unit_file_t)
	allow $1 jetty_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jetty_admin'($*)) dnl
')

## <summary>policy for jockey</summary>

########################################
## <summary>
##	Transition to jockey.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`jockey_domtrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jockey_domtrans'($*)) dnl
	gen_require(`
		type jockey_t, jockey_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, jockey_exec_t, jockey_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jockey_domtrans'($*)) dnl
')

########################################
## <summary>
##	Search jockey cache directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`jockey_search_cache',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jockey_search_cache'($*)) dnl
	gen_require(`
		type jockey_cache_t;
	')

	allow $1 jockey_cache_t:dir search_dir_perms;
	files_search_var($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jockey_search_cache'($*)) dnl
')

########################################
## <summary>
##	Read jockey cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`jockey_read_cache_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jockey_read_cache_files'($*)) dnl
	gen_require(`
		type jockey_cache_t;
	')

	files_search_var($1)
	read_files_pattern($1, jockey_cache_t, jockey_cache_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jockey_read_cache_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	jockey cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`jockey_manage_cache_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jockey_manage_cache_files'($*)) dnl
	gen_require(`
		type jockey_cache_t;
	')

	files_search_var($1)
	manage_files_pattern($1, jockey_cache_t, jockey_cache_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jockey_manage_cache_files'($*)) dnl
')

########################################
## <summary>
##	Manage jockey cache dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`jockey_manage_cache_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jockey_manage_cache_dirs'($*)) dnl
	gen_require(`
		type jockey_cache_t;
	')

	files_search_var($1)
	manage_dirs_pattern($1, jockey_cache_t, jockey_cache_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jockey_manage_cache_dirs'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a jockey environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`jockey_admin',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `jockey_admin'($*)) dnl
	gen_require(`
		type jockey_t;
		type jockey_cache_t;
		type jockey_var_log_t;
	')

	# NOTE: ptrace is granted unconditionally here; the other admin
	# interfaces in this file gate it on the deny_ptrace boolean
	allow $1 jockey_t:process { ptrace signal_perms };
	ps_process_pattern($1, jockey_t)

	files_search_var($1)
	admin_pattern($1, jockey_cache_t)

	logging_search_logs($1)
	admin_pattern($1, jockey_var_log_t)

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `jockey_admin'($*)) dnl
')

## <summary>policy for journalctl</summary>

########################################
## <summary>
##	Execute journalctl in the journalctl domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`journalctl_domtrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `journalctl_domtrans'($*)) dnl
	gen_require(`
		type journalctl_t, journalctl_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, journalctl_exec_t, journalctl_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `journalctl_domtrans'($*)) dnl
')

######################################
## <summary>
##	Execute journalctl in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`journalctl_exec',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `journalctl_exec'($*)) dnl
	gen_require(`
		type journalctl_exec_t;
	')

	corecmd_search_bin($1)
	# no domain transition: journalctl runs with the privileges of the caller
	can_exec($1, journalctl_exec_t)
	# the executable is also mmap-able by the caller
	allow $1 journalctl_exec_t:file map;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `journalctl_exec'($*)) dnl
')

########################################
## <summary>
##	Execute journalctl in the journalctl domain, and
##	allow the specified role the journalctl domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the journalctl domain.
##	</summary>
## </param>
#
define(`journalctl_run',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `journalctl_run'($*)) dnl
	gen_require(`
		type journalctl_t;
		attribute_role journalctl_roles;
	')

	journalctl_domtrans($1)
	roleattribute $2 journalctl_roles;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `journalctl_run'($*)) dnl
')

########################################
## <summary>
##	Role access for journalctl
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
define(`journalctl_role',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `journalctl_role'($*)) dnl
	gen_require(`
		type journalctl_t;
		attribute_role journalctl_roles;
	')

	roleattribute $1 journalctl_roles;

	journalctl_domtrans($2)

	ps_process_pattern($2, journalctl_t)
	# only signull, signal and sigkill; no ptrace of journalctl_t
	allow $2 journalctl_t:process { signull signal sigkill };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `journalctl_role'($*)) dnl
')

## <summary>Kernel crash dumping mechanism</summary>

######################################
## <summary>
##	Execute kdump in the kdump domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`kdump_domtrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `kdump_domtrans'($*)) dnl
	gen_require(`
		type kdump_t, kdump_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, kdump_exec_t, kdump_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `kdump_domtrans'($*)) dnl
')

######################################
## <summary>
##	Execute kdumpctl in the kdumpctl domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`kdumpctl_domtrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `kdumpctl_domtrans'($*)) dnl
	gen_require(`
		type kdumpctl_t, kdumpctl_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, kdumpctl_exec_t, kdumpctl_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `kdumpctl_domtrans'($*)) dnl
')

#######################################
## <summary>
##	Execute the kdump init script with a
##	labeled init script domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`kdump_initrc_domtrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `kdump_initrc_domtrans'($*)) dnl
	gen_require(`
		type kdump_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `kdump_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute kdump server in the kdump domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`kdump_systemctl',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `kdump_systemctl'($*)) dnl
	gen_require(`
		type kdump_unit_file_t;
		type kdump_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_search_unit_dirs($1)
	allow $1 kdump_unit_file_t:file read_file_perms;
	# NOTE: all_service_perms is granted here, whereas jetty_systemctl and
	# keepalived_systemctl in this file only grant manage_service_perms
	allow $1 kdump_unit_file_t:service all_service_perms;

	ps_process_pattern($1, kdump_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `kdump_systemctl'($*)) dnl
')

#####################################
## <summary>
##	Read kdump configuration file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kdump_read_config',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `kdump_read_config'($*)) dnl
	gen_require(`
		type kdump_etc_t;
	')

	files_search_etc($1)
	allow $1 kdump_etc_t:file read_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `kdump_read_config'($*)) dnl
')

#####################################
## <summary>
##	Read kdump crash files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kdump_read_crash',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `kdump_read_crash'($*)) dnl
	gen_require(`
		type kdump_crash_t;
	')

	files_search_var($1)
	# crash dumps contain kernel memory; this is read-only access to them
	read_files_pattern($1, kdump_crash_t, kdump_crash_t)
	list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `kdump_read_crash'($*)) dnl
')

#####################################
## <summary>
##	Manage kdump crash files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kdump_manage_crash',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `kdump_manage_crash'($*)) dnl
	gen_require(`
		type kdump_crash_t;
	')

	files_search_var($1)
	manage_files_pattern($1, kdump_crash_t, kdump_crash_t)
	manage_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `kdump_manage_crash'($*)) dnl
')

#####################################
## <summary>
##	Dontaudit read kdump configuration file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`kdump_dontaudit_read_config',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `kdump_dontaudit_read_config'($*)) dnl
	gen_require(`
		type kdump_etc_t;
	')

	# dontaudit only: this silences denials, it grants no access
	dontaudit $1 kdump_etc_t:file read_inherited_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `kdump_dontaudit_read_config'($*)) dnl
')

####################################
## <summary>
##	Manage kdump configuration file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kdump_manage_config',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `kdump_manage_config'($*)) dnl
	gen_require(`
		type kdump_etc_t;
	')

	files_search_etc($1)
	allow $1 kdump_etc_t:file manage_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `kdump_manage_config'($*)) dnl
')

#####################################
## <summary>
##	Read and write kdump lock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kdump_rw_lock',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `kdump_rw_lock'($*)) dnl
	gen_require(`
		type kdump_lock_t;
	')

	files_search_locks($1)
	rw_files_pattern($1, kdump_lock_t, kdump_lock_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `kdump_rw_lock'($*)) dnl
')

###################################
## <summary>
##	Read/write inherited kdump /var/tmp named pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kdump_rw_inherited_kdumpctl_tmp_pipes',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `kdump_rw_inherited_kdumpctl_tmp_pipes'($*)) dnl
	gen_require(`
		type kdumpctl_tmp_t;
	')

	files_search_tmp($1)
	allow $1 kdumpctl_tmp_t:fifo_file rw_inherited_fifo_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `kdump_rw_inherited_kdumpctl_tmp_pipes'($*)) dnl
')

###################################
## <summary>
##	Manage kdump /var/tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kdump_manage_kdumpctl_tmp_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `kdump_manage_kdumpctl_tmp_files'($*)) dnl
	gen_require(`
		type kdumpctl_tmp_t;
	')

	files_search_tmp($1)
	manage_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
	manage_dirs_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
	manage_fifo_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
	manage_lnk_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
	# tmp files are also mmap-able, on top of the manage perms above
	allow $1 kdumpctl_tmp_t:file map;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `kdump_manage_kdumpctl_tmp_files'($*)) dnl
')

#######################################
## <summary>
##	Transition content labels to kdump named content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kdump_filetrans_named_content',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `kdump_filetrans_named_content'($*)) dnl
	gen_require(`
		type kdump_lock_t;
	')

	# only a lock file literally named "kdump" gets the kdump_lock_t label
	files_lock_filetrans($1, kdump_lock_t, file, "kdump")
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `kdump_filetrans_named_content'($*)) dnl
')

######################################
## <summary>
##	All of the rules required to administrate
##	a kdump environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the kdump domain.
##	</summary>
## </param>
## <rolecap/>
#
define(`kdump_admin',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `kdump_admin'($*)) dnl
	gen_require(`
		type kdump_t, kdump_etc_t;
		type kdump_initrc_exec_t;
		type kdump_unit_file_t;
		type kdump_crash_t;
	')

	allow $1 kdump_t:process signal_perms;
	ps_process_pattern($1, kdump_t)

	# ptrace of kdump_t is withheld while the deny_ptrace boolean is on
	tunable_policy(`deny_ptrace',`',`
		allow $1 kdump_t:process ptrace;
	')

	init_labeled_script_domtrans($1, kdump_initrc_exec_t)
	domain_system_change_exemption($1)
	# the admin role is allowed into system_r when running the init script
	role_transition $2 kdump_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, kdump_etc_t)

	files_search_var($1)
	admin_pattern($1, kdump_crash_t)

	kdump_systemctl($1)
	admin_pattern($1, kdump_unit_file_t)
	allow $1 kdump_unit_file_t:service all_service_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `kdump_admin'($*)) dnl
')

###################################
## <summary>
##	Dontaudit read/write of inherited kdump /var/tmp named pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit
##	</summary>
## </param>
#
define(`kdump_dontaudit_inherited_kdumpctl_tmp_pipes',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `kdump_dontaudit_inherited_kdumpctl_tmp_pipes'($*)) dnl
	gen_require(`
		type kdumpctl_tmp_t;
	')

	# dontaudit only: this silences denials, it grants no access
	dontaudit $1 kdumpctl_tmp_t:fifo_file rw_inherited_fifo_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `kdump_dontaudit_inherited_kdumpctl_tmp_pipes'($*)) dnl
')

###################################
## <summary>
##	Manage kdump lib files
## </summary>
## <param name="domain">
##	<summary>
##	Domain to allow access
##	</summary>
## </param>
#
define(`kdump_manage_lib_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `kdump_manage_lib_files'($*)) dnl
	gen_require(`
		type kdump_var_lib_t;
	')

	# NOTE: unlike the other manage_lib_files interfaces in this file there is
	# no files_search_var_lib call here; callers need search on /var/lib themselves
	manage_files_pattern($1, kdump_var_lib_t, kdump_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `kdump_manage_lib_files'($*)) dnl
')

#######################################
## <summary>
##	Send to kdumpctl over a unix dgram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kdump_dgram_send_kdumpctl',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `kdump_dgram_send_kdumpctl'($*)) dnl
	gen_require(`
		type kdumpctl_t;
	')

	allow $1 kdumpctl_t:unix_dgram_socket sendto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `kdump_dgram_send_kdumpctl'($*)) dnl
')

## <summary>system-config-kdump GUI</summary>

########################################
## <summary>
##	Send and receive messages from
##	kdumpgui over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kdumpgui_dbus_chat',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kdumpgui_dbus_chat'($*))dnl
	gen_require(`
		type kdumpgui_t;
		class dbus send_msg;
	')

	# dbus chat is bidirectional: both sides may send to the other
	allow $1 kdumpgui_t:dbus send_msg;
	allow kdumpgui_t $1:dbus send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kdumpgui_dbus_chat'($*))dnl
')

## <summary>keepalived - load-balancing and high-availability service</summary>

########################################
## <summary>
##	Execute keepalived in the keepalived domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`keepalived_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `keepalived_domtrans'($*))dnl
	gen_require(`
		type keepalived_t, keepalived_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, keepalived_exec_t, keepalived_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `keepalived_domtrans'($*))dnl
')

########################################
## <summary>
##	Manage the keepalived service through systemctl: read its
##	unit file, manage the service, and see its processes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`keepalived_systemctl',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `keepalived_systemctl'($*))dnl
	gen_require(`
		type keepalived_t;
		type keepalived_unit_file_t;
	')

	# no domain transition happens here; $1 runs systemctl itself
	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 keepalived_unit_file_t:file read_file_perms;
	allow $1 keepalived_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, keepalived_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `keepalived_systemctl'($*))dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a keepalived environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`keepalived_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `keepalived_admin'($*))dnl
	gen_require(`
		type keepalived_t;
		type keepalived_unit_file_t;
	')

	allow $1 keepalived_t:process { signal_perms };
	ps_process_pattern($1, keepalived_t)

	# ptrace only while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 keepalived_t:process ptrace;
	')

	keepalived_systemctl($1)
	admin_pattern($1, keepalived_unit_file_t)
	allow $1 keepalived_unit_file_t:service all_service_perms;

	# systemd password agent access, only if that policy module is present
	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `keepalived_admin'($*))dnl
')

## <summary>MIT Kerberos admin and KDC</summary>
## <desc>

##	<p>
##	This policy supports:
##	</p>
##	<p>
##	Servers:
##	</p>
##	<ul>
##	<li>kadmind</li>
##	<li>krb5kdc</li>
##	</ul>
##	<p>
##	Clients:
##	</p>
##	<ul>
##	<li>kinit</li>
##	<li>kdestroy</li>
##	<li>klist</li>
##	<li>ksu (incomplete)</li>
##	</ul>
## </desc>
########################################
## <summary>
##	Execute kadmind in the current domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kerberos_exec_kadmind',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_exec_kadmind'($*))dnl
	gen_require(`
		type kadmind_exec_t;
	')

	# execute without a domain transition: kadmind runs as $1
	can_exec($1, kadmind_exec_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_exec_kadmind'($*))dnl
')

########################################
## <summary>
##	Execute a domain transition to run kpropd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`kerberos_domtrans_kpropd',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_domtrans_kpropd'($*))dnl
	gen_require(`
		type kpropd_t, kpropd_exec_t;
	')

	domtrans_pattern($1, kpropd_exec_t, kpropd_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_domtrans_kpropd'($*))dnl
')

########################################
## <summary>
##	Use kerberos services
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kerberos_use',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_use'($*))dnl
	gen_require(`
		type krb5_conf_t, krb5kdc_conf_t;
		type krb5_host_rcache_t;
	')

	# unconditional part: read the client configuration
	files_search_etc($1)
	read_files_pattern($1, krb5_conf_t, krb5_conf_t)
	list_dirs_pattern($1, krb5_conf_t, krb5_conf_t)
	# clients probe the config for write access and the kdc config;
	# neither is granted, the denials are just not logged
	dontaudit $1 krb5_conf_t:file write;
	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
	dontaudit $1 krb5kdc_conf_t:file rw_file_perms;

	#kerberos libraries are attempting to set the correct file context
	dontaudit $1 self:process setfscreate;
	selinux_dontaudit_validate_context($1)
	seutil_read_file_contexts($1)

	# network access to the KDC and OCSP responders is gated on the
	# kerberos_enabled boolean
	tunable_policy(`kerberos_enabled',`
		allow $1 self:tcp_socket create_socket_perms;
		allow $1 self:udp_socket create_socket_perms;
		corenet_tcp_sendrecv_generic_if($1)
		corenet_udp_sendrecv_generic_if($1)
		corenet_tcp_sendrecv_generic_node($1)
		corenet_udp_sendrecv_generic_node($1)
		corenet_tcp_sendrecv_kerberos_port($1)
		corenet_udp_sendrecv_kerberos_port($1)
		corenet_tcp_bind_generic_node($1)
		corenet_udp_bind_generic_node($1)
		corenet_tcp_connect_kerberos_port($1)
		corenet_tcp_connect_ocsp_port($1)
		corenet_sendrecv_kerberos_client_packets($1)
		corenet_sendrecv_ocsp_client_packets($1)

		# replay cache: only search and getattr, no read of the contents
		allow $1 krb5_host_rcache_t:dir search_dir_perms;
		allow $1 krb5_host_rcache_t:file getattr_file_perms;
	')

	optional_policy(`
		tunable_policy(`kerberos_enabled',`
			pcscd_stream_connect($1)
		')
	')

	optional_policy(`
		sssd_read_public_files($1)
	')

	# Allow to use kerberos KCM daemon (sssd-kcm)
	optional_policy(`
		sssd_run_stream_connect($1)
	')
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_use'($*))dnl
')

########################################
## <summary>
##	Read the kerberos configuration file (/etc/krb5.conf).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kerberos_read_config',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_read_config'($*))dnl
	gen_require(`
		type krb5_conf_t, krb5_home_t;
	')

	files_search_etc($1)
	allow $1 krb5_conf_t:file read_file_perms;
	# also covers the per-user kerberos files labeled krb5_home_t
	# (no home directory search access is granted here)
	allow $1 krb5_home_t:file read_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_read_config'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to write the kerberos
##	configuration file (/etc/krb5.conf).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`kerberos_dontaudit_write_config',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_dontaudit_write_config'($*))dnl
	gen_require(`
		type krb5_conf_t;
	')

	dontaudit $1 krb5_conf_t:file write;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_dontaudit_write_config'($*))dnl
')

########################################
## <summary>
##	Read and write the kerberos configuration file (/etc/krb5.conf).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kerberos_rw_config',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_rw_config'($*))dnl
	gen_require(`
		type krb5_conf_t;
	')

	files_search_etc($1)
	# rw only: no create/unlink, so the file cannot be replaced
	allow $1 krb5_conf_t:file rw_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_rw_config'($*))dnl
')

########################################
## <summary>
##	Read the kerberos key table.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kerberos_read_keytab',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_read_keytab'($*))dnl
	gen_require(`
		type krb5_keytab_t;
	')

	# the keytab holds long-term service keys; grant this sparingly
	files_search_etc($1)
	allow $1 krb5_keytab_t:dir search_dir_perms;
	allow $1 krb5_keytab_t:file read_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_read_keytab'($*))dnl
')

########################################
## <summary>
##	Read/Write the kerberos key table.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kerberos_rw_keytab',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_rw_keytab'($*))dnl
	gen_require(`
		type krb5_keytab_t;
	')

	files_search_etc($1)
	allow $1 krb5_keytab_t:dir search_dir_perms;
	allow $1 krb5_keytab_t:file rw_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_rw_keytab'($*))dnl
')

########################################
## <summary>
##	Create keytab file in /etc
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`kerberos_etc_filetrans_keytab',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_etc_filetrans_keytab'($*))dnl
	gen_require(`
		type krb5_keytab_t;
	')

	allow $1 krb5_keytab_t:dir search_dir_perms;
	# full manage access, not just create: the caller may replace the keytab
	allow $1 krb5_keytab_t:file manage_file_perms;
	files_etc_filetrans($1, krb5_keytab_t, file, $2)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_etc_filetrans_keytab'($*))dnl
')

########################################
## <summary>
##	Create a derived type for kerberos keytab
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix to be used for deriving type names.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kerberos_keytab_template',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_keytab_template'($*))dnl
	# deprecated: no derived type is created any more; the prefix ($1)
	# is ignored and the domain ($2) simply gets keytab read + kerberos use
	refpolicywarn(`$0($*) has been deprecated.')
	kerberos_read_keytab($2)
	kerberos_use($2)
dnl
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_keytab_template'($*))dnl
')

########################################
## <summary>
##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kerberos_read_kdc_config',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_read_kdc_config'($*))dnl
	gen_require(`
		type krb5kdc_conf_t;
	')

	files_search_etc($1)
	read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_read_kdc_config'($*))dnl
')

########################################
## <summary>
##	Manage the kerberos kdc configuration file (/etc/krb5kdc.conf).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kerberos_manage_kdc_config',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_manage_kdc_config'($*))dnl
	gen_require(`
		type krb5kdc_conf_t;
	')

	files_search_etc($1)
	manage_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
	manage_dirs_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_manage_kdc_config'($*))dnl
')

########################################
## <summary>
##	Read the kerberos host rcache (replay cache) files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kerberos_read_host_rcache',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_read_host_rcache'($*))dnl
	gen_require(`
		type krb5_host_rcache_t;
	')

	# no files_search_tmp($1) here; the rcache files are type-transitioned
	# into /tmp by kerberos_tmp_filetrans_host_rcache, so callers need
	# /tmp search access from elsewhere
	read_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_read_host_rcache'($*))dnl
')

########################################
## <summary>
##	Read/Write the kerberos host rcache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kerberos_rw_host_rcache',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_rw_host_rcache'($*))dnl
	gen_require(`
		type krb5_host_rcache_t;
	')

	allow $1 krb5_host_rcache_t:dir search_dir_perms;
	allow $1 krb5_host_rcache_t:file rw_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_rw_host_rcache'($*))dnl
')

########################################
## <summary>
##	Manage the kerberos host rcache (replay cache) files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kerberos_manage_host_rcache',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_manage_host_rcache'($*))dnl
	gen_require(`
		type krb5_host_rcache_t;
	')

	# creates files as system_u no matter what the selinux user
	# cjp: should be in the below tunable but typeattribute
	# does not work in conditionals
	domain_obj_id_change_exemption($1)

	# setfscreate plus context validation lets the caller label the
	# rcache file itself; all of it is gated on kerberos_enabled
	tunable_policy(`kerberos_enabled',`
		allow $1 self:process setfscreate;
		selinux_validate_context($1)
		seutil_read_file_contexts($1)
		files_rw_generic_tmp_dir($1)
		manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
		files_search_tmp($1)
	')
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_manage_host_rcache'($*))dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a kerberos environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the kerberos domain.
##	</summary>
## </param>
## <rolecap/>
#
define(`kerberos_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_admin'($*))dnl
	gen_require(`
		type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
		type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
		type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
		type krb5kdc_var_run_t, krb5_host_rcache_t;
	')

	allow $1 kadmind_t:process signal_perms;
	ps_process_pattern($1, kadmind_t)

	# ptrace of all three daemons is withheld while deny_ptrace is set
	tunable_policy(`deny_ptrace',`',`
		allow $1 kadmind_t:process ptrace;
		allow $1 krb5kdc_t:process ptrace;
		allow $1 kpropd_t:process ptrace;
	')

	allow $1 krb5kdc_t:process signal_perms;
	ps_process_pattern($1, krb5kdc_t)

	allow $1 kpropd_t:process signal_perms;
	ps_process_pattern($1, kpropd_t)

	# executing the labeled init script moves role $2 into system_r
	init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 kerberos_initrc_exec_t system_r;
	allow $2 system_r;

	logging_list_logs($1)
	admin_pattern($1, kadmind_log_t)

	files_list_tmp($1)
	admin_pattern($1, kadmind_tmp_t)

	files_list_pids($1)
	admin_pattern($1, kadmind_var_run_t)

	# NOTE(review): krb5kdc_conf_t is listed in the require block above
	# but no rule here references it -- either an admin_pattern for it is
	# missing or the require entry is stale; confirm which
	admin_pattern($1, krb5_conf_t)
	admin_pattern($1, krb5_host_rcache_t)
	admin_pattern($1, krb5_keytab_t)
	admin_pattern($1, krb5kdc_principal_t)
	admin_pattern($1, krb5kdc_tmp_t)
	admin_pattern($1, krb5kdc_var_run_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_admin'($*))dnl
')

########################################
## <summary>
##	Type transition files created in /tmp
##	to the krb5_host_rcache type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`kerberos_tmp_filetrans_host_rcache',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_tmp_filetrans_host_rcache'($*))dnl
	gen_require(`
		type krb5_host_rcache_t;
	')

	manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
	files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_tmp_filetrans_host_rcache'($*))dnl
')

########################################
## <summary>
##	Type transition files created in /tmp
##	to the kadmind_tmp type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`kerberos_tmp_filetrans_kadmin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_tmp_filetrans_kadmin'($*))dnl
	gen_require(`
		type kadmind_tmp_t;
	')

	manage_files_pattern($1, kadmind_tmp_t, kadmind_tmp_t)
	files_tmp_filetrans($1, kadmind_tmp_t, file, $2)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_tmp_filetrans_kadmin'($*))dnl
')

########################################
## <summary>
##	read kerberos homedir content (.k5login)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kerberos_read_home_content',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_read_home_content'($*))dnl
	gen_require(`
		type krb5_home_t;
	')

	userdom_search_user_home_dirs($1)
	read_files_pattern($1, krb5_home_t, krb5_home_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_read_home_content'($*))dnl
')

########################################
## <summary>
##	Manage the kerberos kdc /var/lib files
##	and directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kerberos_manage_kdc_var_lib',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_manage_kdc_var_lib'($*))dnl
	gen_require(`
		type krb5kdc_var_lib_t;
	')

	# NOTE(review): this grants /etc search, not /var/lib search, although
	# the type lives under /var/lib; the other *_var_lib interfaces in this
	# file use files_search_var_lib($1) -- looks like a copy/paste, confirm
	files_search_etc($1)
	manage_files_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
	manage_dirs_pattern($1, krb5kdc_var_lib_t, krb5kdc_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_manage_kdc_var_lib'($*))dnl
')

########################################
## <summary>
##	Create kerberos content in the /root directory
##	with the correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kerberos_filetrans_admin_home_content',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_filetrans_admin_home_content'($*))dnl
	gen_require(`
		type krb5_home_t;
	')

	# name-based transitions for the three per-user kerberos files
	userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5identity")
	userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
	userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_filetrans_admin_home_content'($*))dnl
')

########################################
## <summary>
##	Transition to kerberos named content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kerberos_filetrans_home_content',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_filetrans_home_content'($*))dnl
	gen_require(`
		type krb5_home_t;
	')

	# same three names as kerberos_filetrans_admin_home_content, but
	# for ordinary user home directories
	userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5identity")
	userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
	userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5users")
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_filetrans_home_content'($*))dnl
')

########################################
## <summary>
##	Transition to kerberos named content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kerberos_filetrans_named_content',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_filetrans_named_content'($*))dnl
	gen_require(`
		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
		type krb5kdc_principal_t;
	')

	# /etc/krb5.conf
	files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
	# files created inside the kdc config directory: the admin keytab
	# and the principal database files
	filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
	filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
	filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
	filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
	kerberos_etc_filetrans_keytab($1, "krb5.keytab")
	kerberos_filetrans_admin_home_content($1)
	# well-known replay cache file names in /tmp
	kerberos_tmp_filetrans_host_rcache($1, "DNS_25")
	kerberos_tmp_filetrans_host_rcache($1, "host_0")
	kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
	kerberos_tmp_filetrans_host_rcache($1, "HTTP_48")
	kerberos_tmp_filetrans_host_rcache($1, "imap_0")
	kerberos_tmp_filetrans_host_rcache($1, "krb5_0.rcache2")
	kerberos_tmp_filetrans_host_rcache($1, "nfs_0")
	kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
	kerberos_tmp_filetrans_host_rcache($1, "ldap_487")
	kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_filetrans_named_content'($*))dnl
')

########################################
## <summary>
##	Write to temporary kadmind files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kerberos_write_kadmind_tmp_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerberos_write_kadmind_tmp_files'($*))dnl
	gen_require(`
		type kadmind_tmp_t;
	')

	files_search_tmp($1)
	allow $1 kadmind_tmp_t:file write_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerberos_write_kadmind_tmp_files'($*))dnl
')

## <summary>Service for reporting kernel oopses to kerneloops.org.</summary>

########################################
## <summary>
##	Execute a domain transition to run kerneloops.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`kerneloops_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerneloops_domtrans'($*))dnl
	gen_require(`
		type kerneloops_t, kerneloops_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, kerneloops_exec_t, kerneloops_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerneloops_domtrans'($*))dnl
')

########################################
## <summary>
##	Send and receive messages from
##	kerneloops over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kerneloops_dbus_chat',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerneloops_dbus_chat'($*))dnl
	gen_require(`
		type kerneloops_t;
		class dbus send_msg;
	')

	# bidirectional dbus access
	allow $1 kerneloops_t:dbus send_msg;
	allow kerneloops_t $1:dbus send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerneloops_dbus_chat'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to Send and
##	receive messages from kerneloops
##	over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`kerneloops_dontaudit_dbus_chat',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerneloops_dontaudit_dbus_chat'($*))dnl
	gen_require(`
		type kerneloops_t;
		class dbus send_msg;
	')

	# silences both directions of the chat; nothing is granted
	dontaudit $1 kerneloops_t:dbus send_msg;
	dontaudit kerneloops_t $1:dbus send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerneloops_dontaudit_dbus_chat'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	kerneloops temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kerneloops_manage_tmp_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerneloops_manage_tmp_files'($*))dnl
	gen_require(`
		type kerneloops_tmp_t;
	')

	files_search_tmp($1)
	allow $1 kerneloops_tmp_t:file manage_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerneloops_manage_tmp_files'($*))dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a kerneloops environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`kerneloops_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kerneloops_admin'($*))dnl
	gen_require(`
		type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
	')

	allow $1 kerneloops_t:process signal_perms;
	ps_process_pattern($1, kerneloops_t)

	# ptrace only while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 kerneloops_t:process ptrace;
	')

	# executing the labeled init script moves role $2 into system_r
	init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 kerneloops_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_tmp($1)
	admin_pattern($1, kerneloops_tmp_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kerneloops_admin'($*))dnl
')

## <summary>policy for system-setup-keyboard daemon</summary>

########################################
## <summary>
##	Execute a domain transition to run keyboard setup daemon.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`keyboardd_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `keyboardd_domtrans'($*))dnl
	gen_require(`
		type keyboardd_t, keyboardd_exec_t;
	')

	# unlike the other *_domtrans interfaces here, no corecmd_search_bin($1)
	domtrans_pattern($1, keyboardd_exec_t, keyboardd_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `keyboardd_domtrans'($*))dnl
')

########################################
## <summary>
##	Allow attempts to read
##	keyboardd unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`keyboardd_read_pipes',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `keyboardd_read_pipes'($*))dnl
	gen_require(`
		type keyboardd_t;
	')

	allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `keyboardd_read_pipes'($*))dnl
')

## <summary>policy for keystone</summary>

########################################
## <summary>
##	Transition to keystone.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`keystone_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `keystone_domtrans'($*))dnl
	gen_require(`
		type keystone_t, keystone_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, keystone_exec_t, keystone_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `keystone_domtrans'($*))dnl
')

########################################
## <summary>
##	Read keystone's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`keystone_read_log',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `keystone_read_log'($*))dnl
	gen_require(`
		type keystone_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, keystone_log_t, keystone_log_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `keystone_read_log'($*))dnl
')

########################################
## <summary>
##	Append to keystone log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`keystone_append_log',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `keystone_append_log'($*))dnl
	gen_require(`
		type keystone_log_t;
	')

	# append only: existing log content cannot be overwritten or truncated
	logging_search_logs($1)
	append_files_pattern($1, keystone_log_t, keystone_log_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `keystone_append_log'($*))dnl
')

########################################
## <summary>
##	Manage keystone log files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`keystone_manage_log',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `keystone_manage_log'($*))dnl
	gen_require(`
		type keystone_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, keystone_log_t, keystone_log_t)
	manage_files_pattern($1, keystone_log_t, keystone_log_t)
	manage_lnk_files_pattern($1, keystone_log_t, keystone_log_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `keystone_manage_log'($*))dnl
')

########################################
## <summary>
##	Search keystone lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`keystone_search_lib',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `keystone_search_lib'($*))dnl
	gen_require(`
		type keystone_var_lib_t;
	')

	allow $1 keystone_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `keystone_search_lib'($*))dnl
')

########################################
## <summary>
##	Read keystone lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`keystone_read_lib_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `keystone_read_lib_files'($*))dnl
	gen_require(`
		type keystone_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `keystone_read_lib_files'($*))dnl
')

########################################
## <summary>
##	Manage keystone lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`keystone_manage_lib_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `keystone_manage_lib_files'($*))dnl
	gen_require(`
		type keystone_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `keystone_manage_lib_files'($*))dnl
')

########################################
## <summary>
##	Manage keystone lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`keystone_manage_lib_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `keystone_manage_lib_dirs'($*))dnl
	gen_require(`
		type keystone_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `keystone_manage_lib_dirs'($*))dnl
')

########################################
## <summary>
##	Manage the keystone service through systemctl: read its
##	unit file, manage the service, and see its processes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`keystone_systemctl',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `keystone_systemctl'($*))dnl
	gen_require(`
		type keystone_t;
		type keystone_unit_file_t;
	')

	# no domain transition happens here; $1 runs systemctl itself
	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 keystone_unit_file_t:file read_file_perms;
	allow $1 keystone_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, keystone_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `keystone_systemctl'($*))dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a keystone environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
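##	</summary>
## </param>
#
define(`keystone_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `keystone_admin'($*))dnl
	gen_require(`
		type keystone_t;
		type keystone_log_t;
		type keystone_var_lib_t;
		type keystone_unit_file_t;
	')

	allow $1 keystone_t:process signal_perms;
	ps_process_pattern($1, keystone_t)

	# ptrace is gated on the deny_ptrace boolean, as in the other *_admin
	# interfaces in this file, instead of being granted unconditionally:
	# it lets the admin domain inspect the daemon's memory, which the
	# boolean exists to switch off
	tunable_policy(`deny_ptrace',`',`
		allow $1 keystone_t:process ptrace;
	')

	logging_search_logs($1)
	admin_pattern($1, keystone_log_t)

	files_search_var_lib($1)
	admin_pattern($1, keystone_var_lib_t)

	keystone_systemctl($1)
	admin_pattern($1, keystone_unit_file_t)
	allow $1 keystone_unit_file_t:service all_service_perms;

	# systemd password agent access, only if that policy module is present
	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `keystone_admin'($*))dnl
')

## <summary>IEEE 802.11 wireless LAN sniffer.</summary>

########################################
## <summary>
##	Role access for kismet.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
define(`kismet_role',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kismet_role'($*))dnl
	gen_require(`
		type kismet_exec_t, kismet_home_t, kismet_tmp_t;
		type kismet_tmpfs_t, kismet_t;
	')

	# kismet_run takes (domain, role); here $1 is the role and $2 the
	# user domain, so the arguments must be passed in swapped order
	kismet_run($2, $1)

	allow $2 kismet_t:process signal_perms;
	ps_process_pattern($2, kismet_t)

	# ptrace of the sniffer by the user domain honours deny_ptrace,
	# consistent with the *_admin interfaces in this file
	tunable_policy(`deny_ptrace',`',`
		allow $2 kismet_t:process ptrace;
	')

	allow $2 kismet_home_t:dir { manage_dir_perms relabel_dir_perms };
	allow $2 kismet_home_t:file { manage_file_perms relabel_file_perms };
	userdom_user_home_dir_filetrans($2, kismet_home_t, dir, ".kismet")

	allow $2 kismet_tmp_t:dir { manage_dir_perms relabel_dir_perms };
	allow $2 kismet_tmp_t:file { manage_file_perms relabel_file_perms };
	allow $2 kismet_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };

	allow $2 kismet_tmpfs_t:dir { manage_dir_perms relabel_dir_perms };
	allow $2 kismet_tmpfs_t:file { manage_file_perms relabel_file_perms };
dnl
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kismet_role'($*))dnl
')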
########################################
## <summary>
##	Execute a domain transition to run kismet.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`kismet_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kismet_domtrans'($*))dnl
	gen_require(`
		type kismet_t, kismet_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, kismet_exec_t, kismet_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kismet_domtrans'($*))dnl
')

########################################
## <summary>
##	Execute kismet in the kismet domain, and
##	allow the specified role the kismet domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`kismet_run',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kismet_run'($*))dnl
	gen_require(`
		attribute_role kismet_roles;
	')

	# argument order is (domain, role): $1 transitions, $2 joins kismet_roles
	kismet_domtrans($1)
	roleattribute $2 kismet_roles;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kismet_run'($*))dnl
')

########################################
## <summary>
##	Read kismet pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kismet_read_pid_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kismet_read_pid_files'($*))dnl
	gen_require(`
		type kismet_var_run_t;
	')

	files_search_pids($1)
	allow $1 kismet_var_run_t:file read_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kismet_read_pid_files'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	kismet pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##
#
define(`kismet_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_manage_pid_files'($*)) dnl
	gen_require(`
		type kismet_var_run_t;
	')

	files_search_pids($1)
	allow $1 kismet_var_run_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_manage_pid_files'($*)) dnl
')

########################################
##
## Search kismet lib directories.
##
## $1 - Domain allowed access.
##
#
define(`kismet_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_search_lib'($*)) dnl
	gen_require(`
		type kismet_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 kismet_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_search_lib'($*)) dnl
')

########################################
##
## Read kismet lib files.
##
## $1 - Domain allowed access.
##
#
define(`kismet_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_read_lib_files'($*)) dnl
	gen_require(`
		type kismet_var_lib_t;
	')

	files_search_var_lib($1)
	# Directory listing plus file read, spelled out with allow rules
	# instead of read_files_pattern as the lib interfaces below use.
	allow $1 kismet_var_lib_t:dir list_dir_perms;
	allow $1 kismet_var_lib_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_read_lib_files'($*)) dnl
')

########################################
##
## Create, read, write, and delete
## kismet lib files.
##
## $1 - Domain allowed access.
##
#
define(`kismet_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_manage_lib_files'($*)) dnl
	gen_require(`
		type kismet_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_manage_lib_files'($*)) dnl
')

########################################
##
## Create, read, write, and delete
## kismet lib content.
##
## $1 - Domain allowed access.
##
#
define(`kismet_manage_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_manage_lib'($*)) dnl
	gen_require(`
		type kismet_var_lib_t;
	')

	files_search_var_lib($1)
	# Content = directories, regular files and symlinks of the lib type.
	manage_dirs_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
	manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
	manage_lnk_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_manage_lib'($*)) dnl
')

########################################
##
## Read kismet log files.
##
## $1 - Domain allowed access.
##
#
define(`kismet_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_read_log'($*)) dnl
	gen_require(`
		type kismet_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, kismet_log_t, kismet_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_read_log'($*)) dnl
')

########################################
##
## Append kismet log files.
##
## $1 - Domain allowed access.
##
#
define(`kismet_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_append_log'($*)) dnl
	gen_require(`
		type kismet_log_t;
	')

	logging_search_logs($1)
	# Append only: no read or truncate of existing log content.
	append_files_pattern($1, kismet_log_t, kismet_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_append_log'($*)) dnl
')

########################################
##
## Create, read, write, and delete
## kismet log content.
##
## $1 - Domain allowed access.
##
#
define(`kismet_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_manage_log'($*)) dnl
	gen_require(`
		type kismet_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, kismet_log_t, kismet_log_t)
	manage_files_pattern($1, kismet_log_t, kismet_log_t)
	manage_lnk_files_pattern($1, kismet_log_t, kismet_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_manage_log'($*)) dnl
')

########################################
##
## All of the rules required to
## administrate a kismet environment.
##
## $1 - Domain allowed access.
## $2 - Role allowed access.
##
#
define(`kismet_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kismet_admin'($*)) dnl
	gen_require(`
		type kismet_t, kismet_var_lib_t, kismet_var_run_t;
		type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
	')

	# Let the admin run the init script and reach system_r for it.
	init_labeled_script_domtrans($1, kismet_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 kismet_initrc_exec_t system_r;
	allow $2 system_r;

	ps_process_pattern($1, kismet_t)
	allow $1 kismet_t:process signal_perms;

	# ptrace only when the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 kismet_t:process ptrace;
	')

	files_search_var_lib($1)
	admin_pattern($1, kismet_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, kismet_var_run_t)

	logging_search_logs($1)
	admin_pattern($1, kismet_log_t)

	files_search_tmp($1)
	admin_pattern($1, kismet_tmp_t)

	# The admin domain can also transition into kismet_t itself.
	kismet_run($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kismet_admin'($*)) dnl
')

## Terminal emulator for Linux graphical console

########################################
##
## Manage the kmscon unit file via systemctl and
## read kmscon process state.
##
## $1 - Domain allowed to transition.
##
#
define(`kmscon_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kmscon_systemctl'($*)) dnl
	gen_require(`
		type kmscon_unit_file_t;
		type kmscon_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 kmscon_unit_file_t:file read_file_perms;
	allow $1 kmscon_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, kmscon_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kmscon_systemctl'($*)) dnl
')

## Policy for kpatch

########################################
##
## Transition to kpatch.
##
## $1 - Domain allowed to transition.
##
#
define(`kpatch_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kpatch_domtrans'($*)) dnl
	gen_require(`
		type kpatch_t, kpatch_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, kpatch_exec_t, kpatch_t)

	# Silence denials for the inherited stream socket of the caller.
	dontaudit kpatch_t $1:unix_stream_socket { getattr read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kpatch_domtrans'($*)) dnl
')

########################################
##
## NNP Transition to kpatch.
##
## $1 - Domain allowed to transition.
##
#
define(`kpatch_nnp_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kpatch_nnp_domtrans'($*)) dnl
	gen_require(`
		type kpatch_t;
	')

	# Allow the transition even under no_new_privs or from nosuid mounts.
	allow $1 kpatch_t:process2 { nnp_transition nosuid_transition };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kpatch_nnp_domtrans'($*)) dnl
')

########################################
##
## Read kpatch lib files
##
## $1 - Domain allowed access
##
#
define(`kpatch_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kpatch_read_lib_files'($*)) dnl
	gen_require(`
		type kpatch_var_lib_t;
	')

	files_search_var_lib($1)
	list_dirs_pattern($1, kpatch_var_lib_t, kpatch_var_lib_t)
	read_files_pattern($1, kpatch_var_lib_t, kpatch_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kpatch_read_lib_files'($*)) dnl
')

########################################
##
## Execute kpatch in the kpatch domain, and
## allow the specified role the kpatch domain.
##
## $1 - Domain allowed to transition
## $2 - The role to be allowed the kpatch domain.
##
#
define(`kpatch_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kpatch_run'($*)) dnl
	gen_require(`
		type kpatch_t;
	')

	kpatch_domtrans($1)
	kpatch_nnp_domtrans($1)
	role $2 types kpatch_t;

	allow $1 kpatch_t:process signal_perms;

	dontaudit kpatch_t $1:dir list_dir_perms;
	dontaudit kpatch_t $1:file read_file_perms;
	dontaudit kpatch_t $1:unix_stream_socket rw_socket_perms;

	# NOTE(review): these two rules run in the reverse direction of the
	# rest of the interface: kpatch_t gains create access to the shm and
	# sem objects of the calling domain.
	allow kpatch_t $1:shm create_shm_perms;
	allow kpatch_t $1:sem create_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kpatch_run'($*)) dnl
')

## Kernel Samepage Merging Tuning Daemon.

########################################
##
## Execute a domain transition to run ksmtuned.
##
## $1 - Domain allowed to transition.
##
#
define(`ksmtuned_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ksmtuned_domtrans'($*)) dnl
	gen_require(`
		type ksmtuned_t, ksmtuned_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, ksmtuned_exec_t, ksmtuned_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ksmtuned_domtrans'($*)) dnl
')

########################################
##
## Execute ksmtuned server in
## the ksmtuned domain.
##
## $1 - Domain allowed to transition.
##
#
define(`ksmtuned_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ksmtuned_initrc_domtrans'($*)) dnl
	gen_require(`
		type ksmtuned_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ksmtuned_initrc_domtrans'($*)) dnl
')

########################################
##
## Manage the ksmtuned unit file via systemctl and
## read ksmtuned process state.
##
## $1 - Domain allowed to transition.
##
#
define(`ksmtuned_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ksmtuned_systemctl'($*)) dnl
	gen_require(`
		type ksmtuned_unit_file_t;
		type ksmtuned_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 ksmtuned_unit_file_t:file read_file_perms;
	allow $1 ksmtuned_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, ksmtuned_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ksmtuned_systemctl'($*)) dnl
')

########################################
##
## All of the rules required to
## administrate a ksmtuned environment.
##
## $1 - Domain allowed access.
##
#
define(`ksmtuned_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ksmtuned_admin'($*)) dnl
	gen_require(`
		type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t, ksmtuned_unit_file_t;
		type ksmtuned_log_t;
	')

	# NOTE(review): ksmtuned_initrc_exec_t is required above but never
	# used in this body (no init script transition or role_transition).
	allow $1 ksmtuned_t:process signal_perms;
	ps_process_pattern($1, ksmtuned_t)

	# ptrace only when the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 ksmtuned_t:process ptrace;
	')

	files_list_pids($1)
	admin_pattern($1, ksmtuned_var_run_t)

	logging_search_logs($1)
	admin_pattern($1, ksmtuned_log_t)

	ksmtuned_systemctl($1)
	admin_pattern($1, ksmtuned_unit_file_t)
	allow $1 ksmtuned_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ksmtuned_admin'($*)) dnl
')

## talk-server - daemon programs for the Internet talk

########################################
##
## Execute ktalkd in the ktalkd domain.
##
## $1 - Domain allowed to transition.
##
#
define(`ktalk_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ktalk_domtrans'($*)) dnl
	gen_require(`
		type ktalkd_t, ktalkd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, ktalkd_exec_t, ktalkd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ktalk_domtrans'($*)) dnl
')

########################################
##
## Manage the ktalkd unit file via systemctl and
## read ktalkd process state.
##
## $1 - Domain allowed to transition.
##
#
define(`ktalk_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ktalk_systemctl'($*)) dnl
	gen_require(`
		type ktalkd_t;
		type ktalkd_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	# Unlike the other *_systemctl interfaces in this file, this one also
	# grants the passwd-agent fifo read here, not only in the admin interface.
	systemd_read_fifo_file_passwd_run($1)
	allow $1 ktalkd_unit_file_t:file read_file_perms;
	allow $1 ktalkd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, ktalkd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ktalk_systemctl'($*)) dnl
')

########################################
##
## All of the rules required to administrate
## a ktalkd environment
##
## $1 - Domain allowed access.
##
#
define(`ktalk_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ktalk_admin'($*)) dnl
	gen_require(`
		type ktalkd_t;
		type ktalkd_unit_file_t;
	')

	# NOTE(review): ptrace is unconditional here; the kismet, ksmtuned,
	# l2tpd and ldap admin interfaces gate it behind deny_ptrace.
	allow $1 ktalkd_t:process { ptrace signal_perms };
	ps_process_pattern($1, ktalkd_t)

	ktalk_systemctl($1)
	admin_pattern($1, ktalkd_unit_file_t)
	allow $1 ktalkd_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ktalk_admin'($*)) dnl
')

## Layer 2 Tunneling Protocol daemons.

########################################
##
## Transition to l2tpd.
##
## $1 - Domain allowed to transition.
##
#
define(`l2tpd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_domtrans'($*)) dnl
	gen_require(`
		type l2tpd_t, l2tpd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, l2tpd_exec_t, l2tpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_domtrans'($*)) dnl
')

########################################
##
## Execute l2tpd server in the l2tpd domain.
##
## $1 - Domain allowed access.
##
#
define(`l2tpd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_initrc_domtrans'($*)) dnl
	gen_require(`
		type l2tpd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_initrc_domtrans'($*)) dnl
')

########################################
##
## Send to l2tpd via a unix dgram socket.
##
## $1 - Domain allowed access.
##
#
define(`l2tpd_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_dgram_send'($*)) dnl
	gen_require(`
		type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t;
	')

	files_search_tmp($1)
	# NOTE(review): l2tpd_var_run_t is a target below but only the tmp
	# directory search is granted; compare l2tpd_stream_connect, which
	# grants files_search_pids. Confirm whether a pids search is needed.
	dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_dgram_send'($*)) dnl
')

########################################
##
## Read and write l2tpd sockets.
##
## $1 - Domain allowed access.
##
#
define(`l2tpd_rw_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_rw_socket'($*)) dnl
	gen_require(`
		type l2tpd_t;
	')

	allow $1 l2tpd_t:socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_rw_socket'($*)) dnl
')

########################################
##
## Read l2tpd PID files.
##
## $1 - Domain allowed access.
##
#
define(`l2tpd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_read_pid_files'($*)) dnl
	gen_require(`
		type l2tpd_var_run_t;
	')

	files_search_pids($1)
	allow $1 l2tpd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_read_pid_files'($*)) dnl
')

########################################
##
## Connect to l2tpd over a unix domain
## stream socket.
##
## $1 - Domain allowed access.
##
#
define(`l2tpd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_stream_connect'($*)) dnl
	gen_require(`
		type l2tpd_t, l2tpd_var_run_t, l2tpd_tmp_t;
	')

	files_search_pids($1)
	# NOTE(review): the tmp-labeled socket path below gets no
	# files_search_tmp here, while l2tpd_dgram_send grants one; confirm.
	stream_connect_pattern($1, l2tpd_tmp_t, l2tpd_tmp_t, l2tpd_t)
	stream_connect_pattern($1, l2tpd_var_run_t, l2tpd_var_run_t, l2tpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_stream_connect'($*)) dnl
')

########################################
##
## Read and write l2tpd unnamed pipes.
##
## $1 - Domain allowed access.
##
#
define(`l2tpd_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_rw_pipes'($*)) dnl
	gen_require(`
		type l2tpd_t;
	')

	allow $1 l2tpd_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_rw_pipes'($*)) dnl
')

########################################
##
## Allow sending a signal to l2tpd.
##
## $1 - Domain allowed access.
##
#
define(`l2tpd_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_signal'($*)) dnl
	gen_require(`
		type l2tpd_t;
	')

	allow $1 l2tpd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_signal'($*)) dnl
')

########################################
##
## Allow sending signull to l2tpd.
##
## $1 - Domain allowed access.
##
#
define(`l2tpd_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_signull'($*)) dnl
	gen_require(`
		type l2tpd_t;
	')

	# signull is the existence check (kill with signal 0).
	allow $1 l2tpd_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_signull'($*)) dnl
')

########################################
##
## Allow sending sigkill to l2tpd.
##
## $1 - Domain allowed access.
##
#
define(`l2tpd_sigkill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_sigkill'($*)) dnl
	gen_require(`
		type l2tpd_t;
	')

	allow $1 l2tpd_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_sigkill'($*)) dnl
')

########################################
##
## Send and receive messages from
## l2tpd over dbus.
##
## $1 - Domain allowed access.
##
#
define(`l2tpd_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_dbus_chat'($*)) dnl
	gen_require(`
		type l2tpd_t;
		class dbus send_msg;
	')

	# Bidirectional: both domains may send to each other.
	allow $1 l2tpd_t:dbus send_msg;
	allow l2tpd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_dbus_chat'($*)) dnl
')

########################################
##
## All of the rules required to administrate
## an l2tpd environment
##
## $1 - Domain allowed access.
## $2 - Role allowed access.
##
#
define(`l2tpd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_admin'($*)) dnl
	gen_require(`
		type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t;
		type l2tp_conf_t, l2tpd_tmp_t;
	')

	allow $1 l2tpd_t:process signal_perms;
	ps_process_pattern($1, l2tpd_t)

	# ptrace only when the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 l2tpd_t:process ptrace;
	')

	l2tpd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 l2tpd_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, l2tp_conf_t)

	files_search_pids($1)
	admin_pattern($1, l2tpd_var_run_t)

	files_search_tmp($1)
	admin_pattern($1, l2tpd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_admin'($*)) dnl
')

########################################
##
## Read and write l2tpd pppox
## sockets.
##
## $1 - Domain allowed access.
##
#
define(`l2tpd_rw_pppox_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `l2tpd_rw_pppox_sockets'($*)) dnl
	gen_require(`
		type l2tpd_t;
	')

	allow $1 l2tpd_t:pppox_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `l2tpd_rw_pppox_sockets'($*)) dnl
')

## OpenLDAP directory server

########################################
##
## Execute OpenLDAP in the ldap domain.
##
## $1 - Domain allowed access.
##
#
define(`ldap_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_domtrans'($*)) dnl
	gen_require(`
		type slapd_t, slapd_exec_t;
	')

	# NOTE(review): no corecmd_search_bin here, unlike the other
	# *_domtrans interfaces in this file; confirm callers already have it.
	domtrans_pattern($1, slapd_exec_t, slapd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_domtrans'($*)) dnl
')

########################################
##
## Execute OpenLDAP server in the ldap domain.
##
## $1 - Domain allowed access.
##
#
define(`ldap_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_initrc_domtrans'($*)) dnl
	gen_require(`
		type slapd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, slapd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_initrc_domtrans'($*)) dnl
')

########################################
##
## Manage the slapd unit file via systemctl and
## read slapd process state.
##
## $1 - Domain allowed to transition.
##
#
define(`ldap_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_systemctl'($*)) dnl
	gen_require(`
		type slapd_unit_file_t;
		type slapd_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 slapd_unit_file_t:file read_file_perms;
	allow $1 slapd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, slapd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_systemctl'($*)) dnl
')

########################################
##
## List the contents of the OpenLDAP
## database directories.
##
## $1 - Domain allowed access.
##
#
define(`ldap_list_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_list_db'($*)) dnl
	gen_require(`
		type slapd_db_t;
	')

	allow $1 slapd_db_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_list_db'($*)) dnl
')

########################################
##
## Read the contents of the OpenLDAP
## database files.
##
## $1 - Domain allowed access.
##
#
define(`ldap_read_db_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_read_db_files'($*)) dnl
	gen_require(`
		type slapd_db_t;
	')

	# Read files inside slapd_db_t directories; grants no search on the
	# parent directory, callers need that separately.
	read_files_pattern($1, slapd_db_t, slapd_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_read_db_files'($*)) dnl
')

########################################
##
## Read the OpenLDAP configuration files.
##
## $1 - Domain allowed access.
##
#
define(`ldap_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_read_config'($*)) dnl
	gen_require(`
		type slapd_etc_t;
	')

	files_search_etc($1)
	allow $1 slapd_etc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_read_config'($*)) dnl
')

########################################
##
## Read the OpenLDAP cert files.
##
## $1 - Domain allowed access.
##
#
define(`ldap_read_certs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_read_certs'($*)) dnl
	gen_require(`
		type slapd_cert_t;
	')

	files_search_etc($1)
	allow $1 slapd_cert_t:dir list_dir_perms;
	read_files_pattern($1, slapd_cert_t, slapd_cert_t)
	read_lnk_files_pattern($1, slapd_cert_t, slapd_cert_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_read_certs'($*)) dnl
')

########################################
##
## Use LDAP over TCP connection. (Deprecated)
##
## $1 - Domain allowed access.
##
#
define(`ldap_use',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_use'($*)) dnl
	# Deprecated: emits a build-time warning and grants nothing.
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_use'($*)) dnl
')

########################################
##
## Connect to slapd over a unix stream socket.
##
## $1 - Domain allowed access.
##
#
define(`ldap_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_stream_connect'($*)) dnl
	gen_require(`
		type slapd_t, slapd_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_stream_connect'($*)) dnl
')

########################################
##
## All of the rules required to administrate
## an ldap environment
##
## $1 - Domain allowed access.
## $2 - The role to be allowed to manage the ldap domain.
##
#
define(`ldap_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_admin'($*)) dnl
	gen_require(`
		type slapd_t, slapd_tmp_t, slapd_replog_t;
		type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
		type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
		type slapd_db_t, slapd_keytab_t;
		type slapd_unit_file_t;
	')

	allow $1 slapd_t:process signal_perms;
	ps_process_pattern($1, slapd_t)

	# ptrace only when the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 slapd_t:process ptrace;
	')

	init_labeled_script_domtrans($1, slapd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 slapd_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })

	admin_pattern($1, slapd_lock_t)

	files_list_var_lib($1)
	admin_pattern($1, slapd_replog_t)

	files_list_tmp($1)
	admin_pattern($1, slapd_tmp_t)

	files_list_pids($1)
	admin_pattern($1, slapd_var_run_t)

	# NOTE(review): slapd_log_t is required above but no admin_pattern
	# covers it, so the admin cannot manage slapd logs through this
	# interface; confirm whether that is intended.
	ldap_systemctl($1)
	admin_pattern($1, slapd_unit_file_t)
	allow $1 slapd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_admin'($*)) dnl
')

########################################
##
## Read slapd tmpfs files
##
## $1 - Domain allowed access.
##
#
define(`ldap_read_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ldap_read_tmpfs_files'($*)) dnl
	gen_require(`
		type slapd_tmpfs_t;
	')

	read_files_pattern($1, slapd_tmpfs_t, slapd_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ldap_read_tmpfs_files'($*)) dnl
')

## Log analyzer for squid proxy.

########################################
##
## Execute the lightsquid program in
## the lightsquid domain.
##
## $1 - Domain allowed to transition.
##
#
define(`lightsquid_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lightsquid_domtrans'($*)) dnl
	gen_require(`
		type lightsquid_t, lightsquid_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, lightsquid_exec_t, lightsquid_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lightsquid_domtrans'($*)) dnl
')

########################################
##
## Execute lightsquid in the
## lightsquid domain, and allow the
## specified role the lightsquid domain.
##
## $1 - Domain allowed to transition.
## $2 - Role allowed access.
##
#
define(`lightsquid_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lightsquid_run'($*)) dnl
	gen_require(`
		attribute_role lightsquid_roles;
	')

	lightsquid_domtrans($1)
	roleattribute $2 lightsquid_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lightsquid_run'($*)) dnl
')

########################################
##
## All of the rules required to
## administrate a lightsquid environment.
##
## $1 - Domain allowed access.
## $2 - Role allowed access.
##
#
define(`lightsquid_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lightsquid_admin'($*)) dnl
	gen_require(`
		type lightsquid_t, lightsquid_rw_content_t;
	')

	# NOTE(review): ptrace is unconditional here; the kismet, ksmtuned,
	# l2tpd and ldap admin interfaces gate it behind deny_ptrace.
	allow $1 lightsquid_t:process { ptrace signal_perms };
	ps_process_pattern($1, lightsquid_t)

	lightsquid_run($1, $2)

	files_search_var_lib($1)
	admin_pattern($1, lightsquid_rw_content_t)

	optional_policy(`
		apache_list_sys_content($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lightsquid_admin'($*)) dnl
')

## Likewise Active Directory support for UNIX.
##
##

## Likewise Open is a free, open source application that joins Linux, Unix, ## and Mac machines to Microsoft Active Directory to securely authenticate ## users with their domain credentials. ##

##
####################################### ## ## The template to define a likewise domain. ## ## ##

## This template creates a domain to be used for ## a new likewise daemon. ##

##
##
## $1 - The type of daemon to be used.
##
#
define(`likewise_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `likewise_domain_template'($*)) dnl
	gen_require(`
		attribute likewise_domains;
		type likewise_var_lib_t;
	')

	########################################
	#
	# Declarations
	#

	type $1_t;
	type $1_exec_t;
	init_daemon_domain($1_t, $1_exec_t)
	domain_use_interactive_fds($1_t)
	typeattribute $1_t likewise_domains;

	type $1_var_run_t;
	files_pid_file($1_var_run_t)

	type $1_var_socket_t;
	files_type($1_var_socket_t)

	type $1_var_lib_t;
	files_type($1_var_lib_t)

	####################################
	#
	# Local Policy
	#

	allow $1_t self:process { signal_perms getsched setsched };
	allow $1_t self:fifo_file rw_fifo_file_perms;
	allow $1_t self:unix_dgram_socket create_socket_perms;
	allow $1_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_t self:tcp_socket create_stream_socket_perms;
	allow $1_t self:udp_socket create_socket_perms;

	allow $1_t likewise_var_lib_t:dir setattr_dir_perms;

	# pid file lives directly under the pid directory.
	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
	files_pid_filetrans($1_t, $1_var_run_t, file)

	# Per-daemon lib files and sockets are created inside the shared
	# likewise_var_lib_t directory and get their own private types.
	manage_files_pattern($1_t, likewise_var_lib_t, $1_var_lib_t)
	filetrans_pattern($1_t, likewise_var_lib_t, $1_var_lib_t, file)

	manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t)
	filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file)

	kernel_read_system_state($1_t)

	logging_send_syslog_msg($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `likewise_domain_template'($*)) dnl
')

########################################
##
## Connect to lsassd.
##
## $1 - Domain allowed access.
##
#
define(`likewise_stream_connect_lsassd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `likewise_stream_connect_lsassd'($*)) dnl
	gen_require(`
		type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t;
	')

	# NOTE(review): the socket directory passed below is
	# likewise_var_lib_t, yet the search granted is on the pid
	# directory; a files_search_var_lib would seem to be what the
	# connect path needs. Confirm against the likewise file contexts.
	files_search_pids($1)
	stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `likewise_stream_connect_lsassd'($*)) dnl
')

## Implementation of the Precision Time Protocol (PTP) according to IEEE standard 1588 for Linux.

########################################
##
## Execute domain in the phc2sys domain.
##
## $1 - Domain allowed to transition.
##
#
define(`linuxptp_domtrans_phc2sys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `linuxptp_domtrans_phc2sys'($*)) dnl
	gen_require(`
		type phc2sys_t, phc2sys_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, phc2sys_exec_t, phc2sys_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `linuxptp_domtrans_phc2sys'($*)) dnl
')

########################################
##
## Execute domain in the ptp4l domain.
##
## $1 - Domain allowed to transition.
##
#
define(`linuxptp_domtrans_ptp4l',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `linuxptp_domtrans_ptp4l'($*)) dnl
	gen_require(`
		type ptp4l_t, ptp4l_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, ptp4l_exec_t, ptp4l_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `linuxptp_domtrans_ptp4l'($*)) dnl
')

########################################
##
## Connect to timemaster using a unix
## domain stream socket.
##
## $1 - Domain allowed access.
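##
#
define(`timemaster_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `timemaster_stream_connect'($*)) dnl
	gen_require(`
		type timemaster_t, timemaster_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, timemaster_var_run_t, timemaster_var_run_t, timemaster_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `timemaster_stream_connect'($*)) dnl
')

########################################
##
## Read timemaster pid files.
##
##
## Domain allowed access.
##
#
define(`timemaster_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `timemaster_read_pid_files'($*)) dnl
	gen_require(`
		type timemaster_var_run_t;
	')

	# Search on the pid directory was missing, so a caller without it
	# could not reach the files this interface lets it read; the sibling
	# timemaster_stream_connect grants the same search.
	files_search_pids($1)
	read_files_pattern($1, timemaster_var_run_t, timemaster_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `timemaster_read_pid_files'($*)) dnl
')

########################################
##
## Read and write timemaster shared memory.
##
##
## Domain allowed access.
##
#
define(`timemaster_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `timemaster_rw_shm'($*)) dnl
	gen_require(`
		type timemaster_t, timemaster_tmpfs_t;
	')

	# SysV shm segments owned by timemaster_t plus the tmpfs-backed
	# files that carry the shared mappings.
	allow $1 timemaster_t:shm rw_shm_perms;
	list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
	rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
	read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
	fs_search_tmpfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `timemaster_rw_shm'($*)) dnl
')

########################################
##
## Read and write ptp4l_t shared memory.
##
##
## Domain allowed access.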
##
#
define(`ptp4l_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ptp4l_rw_shm'($*)) dnl
	gen_require(`
		type ptp4l_t, timemaster_tmpfs_t;
	')

	allow $1 ptp4l_t:shm rw_shm_perms;
	# NOTE(review): the tmpfs files granted here are timemaster_tmpfs_t,
	# not a ptp4l-specific type. Presumably ptp4l shares the timemaster
	# tmpfs label when started by timemaster; confirm in the ptp4l policy.
	list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
	rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
	read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
	fs_search_tmpfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ptp4l_rw_shm'($*)) dnl
')

########################################
##
## Read and write phc2sys_t shared memory.
##
##
## Domain allowed access.
##
#
define(`phc2sys_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `phc2sys_rw_shm'($*)) dnl
	gen_require(`
		type phc2sys_t, timemaster_tmpfs_t;
	')

	allow $1 phc2sys_t:shm rw_shm_perms;
	# NOTE(review): same as ptp4l_rw_shm - the file side of the shared
	# memory is timemaster_tmpfs_t rather than a phc2sys type; confirm.
	list_dirs_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
	rw_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
	read_lnk_files_pattern($1, timemaster_tmpfs_t, timemaster_tmpfs_t)
	fs_search_tmpfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `phc2sys_rw_shm'($*)) dnl
')

## Linux infrared remote control daemon.

########################################
##
## Execute a domain transition to run lircd.
##
##
## Domain allowed to transition.
##
#
define(`lircd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lircd_domtrans'($*)) dnl
	gen_require(`
		type lircd_t, lircd_exec_t;
	')

	corecmd_search_bin($1)
	# NOTE(review): this uses the compatibility macro domain_auto_trans
	# where every other *_domtrans interface in this file uses
	# domtrans_pattern. domtrans_pattern additionally lets the new domain
	# use the callers fds and fifo and send it sigchld; whether lircd
	# intentionally omits that is not visible here - confirm before
	# switching.
	domain_auto_trans($1, lircd_exec_t, lircd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lircd_domtrans'($*)) dnl
')

######################################
##
## Connect to lircd over a unix domain
## stream socket.
##
##
## Domain allowed access.
##
#
define(`lircd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lircd_stream_connect'($*)) dnl
	gen_require(`
		type lircd_var_run_t, lircd_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, lircd_var_run_t, lircd_var_run_t, lircd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lircd_stream_connect'($*)) dnl
')

#######################################
##
## Read lircd etc files.
##
##
## Domain allowed access.
##
#
define(`lircd_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lircd_read_config'($*)) dnl
	gen_require(`
		type lircd_etc_t;
	')

	files_search_etc($1)
	read_files_pattern($1, lircd_etc_t, lircd_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lircd_read_config'($*)) dnl
')

########################################
##
## All of the rules required to
## administrate a lircd environment.
##
##
## Domain allowed access.
##
##
## Role allowed access.
##
#
define(`lircd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lircd_admin'($*)) dnl
	gen_require(`
		type lircd_t, lircd_var_run_t;
		type lircd_initrc_exec_t, lircd_etc_t;
	')

	allow $1 lircd_t:process signal_perms;
	ps_process_pattern($1, lircd_t)

	# ptrace is only granted while the deny_ptrace boolean is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 lircd_t:process ptrace;
	')

	# Run the init script and let the admin role land in system_r for it.
	init_labeled_script_domtrans($1, lircd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 lircd_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, lircd_etc_t)

	files_search_pids($1)
	admin_pattern($1, lircd_var_run_t)

	# NOTE(review): listing all device nodes is broader than the other
	# *_admin interfaces in this file grant; presumably needed to find the
	# remote receiver device - confirm it is still required.
	dev_list_all_dev_nodes($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lircd_admin'($*)) dnl
')

## Tool for building alternate livecd for different os and policy versions.
########################################
##
## Execute a domain transition to run livecd.
##
##
## Domain allowed to transition.
##
#
define(`livecd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `livecd_domtrans'($*)) dnl
	gen_require(`
		type livecd_t, livecd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, livecd_exec_t, livecd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `livecd_domtrans'($*)) dnl
')

########################################
##
## Execute livecd in the livecd
## domain, and allow the specified
## role the livecd domain.
##
##
## Domain allowed to transition.
##
##
## Role allowed access.
##
#
define(`livecd_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `livecd_run'($*)) dnl
	gen_require(`
		type livecd_t;
		type livecd_exec_t;
		attribute_role livecd_roles;
	')

	livecd_domtrans($1)
	roleattribute $2 livecd_roles;
	# Executing livecd also moves the callers role to system_r, so the
	# rpm scriptlets it runs end up in the system role.
	role_transition $2 livecd_exec_t system_r;

	optional_policy(`
		rpm_transition_script(livecd_t, $2)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `livecd_run'($*)) dnl
')

########################################
##
## Dontaudit read/write to a livecd leaks
##
##
## Domain to not audit.
##
#
define(`livecd_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `livecd_dontaudit_leaks'($*)) dnl
	gen_require(`
		type livecd_t;
	')

	# Silence noise from dgram sockets inherited across the transition.
	dontaudit $1 livecd_t:unix_dgram_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `livecd_dontaudit_leaks'($*)) dnl
')

########################################
##
## Read livecd temporary files.
##
##
## Domain allowed access.
##
#
define(`livecd_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `livecd_read_tmp_files'($*)) dnl
	gen_require(`
		type livecd_tmp_t;
	')

	files_search_tmp($1)
	read_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `livecd_read_tmp_files'($*)) dnl
')

########################################
##
## Read and write livecd temporary files.
##
##
## Domain allowed access.
##
#
define(`livecd_rw_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `livecd_rw_tmp_files'($*)) dnl
	gen_require(`
		type livecd_tmp_t;
	')

	files_search_tmp($1)
	rw_files_pattern($1, livecd_tmp_t, livecd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `livecd_rw_tmp_files'($*)) dnl
')

########################################
##
## Read and write livecd semaphores.
##
##
## Domain allowed access.
##
#
define(`livecd_rw_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `livecd_rw_semaphores'($*)) dnl
	gen_require(`
		type livecd_t;
	')

	allow $1 livecd_t:sem rw_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `livecd_rw_semaphores'($*)) dnl
')

## Intel LLDP Agent.

#######################################
##
## Execute a domain transition to run lldpad.
##
##
## Domain allowed to transition.
##
#
define(`lldpad_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lldpad_domtrans'($*)) dnl
	gen_require(`
		type lldpad_t, lldpad_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, lldpad_exec_t, lldpad_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lldpad_domtrans'($*)) dnl
')

#######################################
##
## Send to lldpad with a unix dgram socket.
##
##
## Domain allowed access.
##
#
define(`lldpad_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lldpad_dgram_send'($*)) dnl
	gen_require(`
		type lldpad_t, lldpad_var_run_t;
	')

	files_search_pids($1)
	dgram_send_pattern($1, lldpad_var_run_t, lldpad_var_run_t, lldpad_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lldpad_dgram_send'($*)) dnl
')

########################################
##
## All of the rules required to
## administrate an lldpad environment.
##
##
## Domain allowed access.
##
##
## Role allowed access.
##
#
define(`lldpad_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lldpad_admin'($*)) dnl
	gen_require(`
		type lldpad_t, lldpad_initrc_exec_t, lldpad_var_lib_t;
		type lldpad_var_run_t;
	')

	allow $1 lldpad_t:process { signal_perms };
	ps_process_pattern($1, lldpad_t)

	# ptrace is only granted while the deny_ptrace boolean is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 lldpad_t:process ptrace;
	')

	init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 lldpad_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_var_lib($1)
	admin_pattern($1, lldpad_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, lldpad_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lldpad_admin'($*)) dnl
')

########################################
##
## Relabel lldpad_tmpfs_t files.
##
##
## Domain allowed access.
##
#
define(`lldpad_relabel_tmpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lldpad_relabel_tmpfs'($*)) dnl
	gen_require(`
		type lldpad_tmpfs_t;
	')

	# Relabel in both directions, but no getattr and no tmpfs search:
	# callers are expected to already reach the files.
	allow $1 lldpad_tmpfs_t:file relabelfrom;
	allow $1 lldpad_tmpfs_t:file relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lldpad_relabel_tmpfs'($*)) dnl
')

## Load keyboard mappings.
########################################
##
## Execute the loadkeys program in
## the loadkeys domain.
##
##
## Domain allowed to transition.
##
#
define(`loadkeys_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `loadkeys_domtrans'($*)) dnl
	gen_require(`
		type loadkeys_t, loadkeys_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `loadkeys_domtrans'($*)) dnl
')

########################################
##
## Execute the loadkeys program in
## the loadkeys domain, and allow the
## specified role the loadkeys domain.
##
##
## Domain allowed to transition.
##
##
## Role allowed access.
##
#
define(`loadkeys_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `loadkeys_run'($*)) dnl
	gen_require(`
		attribute_role loadkeys_roles;
	')

	# The role is added to the attribute only; no role_transition to
	# system_r is performed here.
	loadkeys_domtrans($1)
	roleattribute $2 loadkeys_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `loadkeys_run'($*)) dnl
')

########################################
##
## Execute loadkeys in the caller domain.
##
##
## Domain allowed access.
##
#
define(`loadkeys_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `loadkeys_exec'($*)) dnl
	gen_require(`
		type loadkeys_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, loadkeys_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `loadkeys_exec'($*)) dnl
')

## Library for locking devices.

#######################################
##
## Create, read, write, and delete
## lockdev lock files.
##
##
## Domain allowed access.
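##
#
define(`lockdev_manage_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lockdev_manage_files'($*)) dnl
	gen_require(`
		type lockdev_lock_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, lockdev_lock_t, lockdev_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lockdev_manage_files'($*)) dnl
')

########################################
##
## Role access for lockdev.
##
##
## Role allowed access.
##
##
## User domain for the role.
##
#
define(`lockdev_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lockdev_role'($*)) dnl
	gen_require(`
		attribute_role lockdev_roles;
		type lockdev_t, lockdev_exec_t;
	')

	########################################
	#
	# Declarations
	#

	roleattribute $1 lockdev_roles;

	########################################
	#
	# Policy
	#

	domtrans_pattern($2, lockdev_exec_t, lockdev_t)

	allow $2 lockdev_t:process signal_perms;
	ps_process_pattern($2, lockdev_t)

	# ptrace of the lockdev helper is gated on deny_ptrace like every
	# other role and admin interface in this file, instead of being
	# granted to the user domain unconditionally.
	tunable_policy(`deny_ptrace',`',`
		allow $2 lockdev_t:process ptrace;
	')

	allow lockdev_t $2:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lockdev_role'($*)) dnl
')

## Rotate and archive system logs

########################################
##
## Execute logrotate in the logrotate domain.
##
##
## Domain allowed to transition.
##
#
define(`logrotate_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logrotate_domtrans'($*)) dnl
	gen_require(`
		type logrotate_t, logrotate_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, logrotate_exec_t, logrotate_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logrotate_domtrans'($*)) dnl
')

########################################
##
## Execute logrotate in the logrotate domain, and
## allow the specified role the logrotate domain.
##
##
## Domain allowed to transition.
##
##
## Role allowed access.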
##
#
define(`logrotate_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logrotate_run'($*)) dnl
	gen_require(`
		type logrotate_t;
	')

	logrotate_domtrans($1)
	# Plain role statement rather than a role attribute.
	role $2 types logrotate_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logrotate_run'($*)) dnl
')

########################################
##
## Execute logrotate in the caller domain.
##
##
## Domain allowed access.
##
#
define(`logrotate_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logrotate_exec'($*)) dnl
	gen_require(`
		type logrotate_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, logrotate_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logrotate_exec'($*)) dnl
')

########################################
##
## Inherit and use logrotate file descriptors.
##
##
## Domain allowed access.
##
#
define(`logrotate_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logrotate_use_fds'($*)) dnl
	gen_require(`
		type logrotate_t;
	')

	allow $1 logrotate_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logrotate_use_fds'($*)) dnl
')

########################################
##
## Do not audit attempts to inherit logrotate file descriptors.
##
##
## Domain to not audit.
##
#
define(`logrotate_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logrotate_dontaudit_use_fds'($*)) dnl
	gen_require(`
		type logrotate_t;
	')

	dontaudit $1 logrotate_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logrotate_dontaudit_use_fds'($*)) dnl
')

########################################
##
## Read logrotate temporary files.
##
##
## Domain allowed access.
##
#
define(`logrotate_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logrotate_read_tmp_files'($*)) dnl
	gen_require(`
		type logrotate_tmp_t;
	')

	files_search_tmp($1)
	# File read only; no search on logrotate_tmp_t directories is granted.
	allow $1 logrotate_tmp_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logrotate_read_tmp_files'($*)) dnl
')

## System log analyzer and reporter.

########################################
##
## Read logwatch temporary files.
##
##
## Domain allowed access.
##
#
define(`logwatch_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logwatch_read_tmp_files'($*)) dnl
	gen_require(`
		type logwatch_tmp_t;
	')

	files_search_tmp($1)
	# File read only; no search on logwatch_tmp_t directories is granted.
	allow $1 logwatch_tmp_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logwatch_read_tmp_files'($*)) dnl
')

########################################
##
## Search logwatch cache directories.
##
##
## Domain allowed access.
##
#
define(`logwatch_search_cache_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logwatch_search_cache_dir'($*)) dnl
	gen_require(`
		type logwatch_cache_t;
	')

	files_search_var($1)
	allow $1 logwatch_cache_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logwatch_search_cache_dir'($*)) dnl
')

#######################################
##
## Do not audit reads and writes on leaked
## logwatch file descriptors.
##
##
## Domain to not audit.
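##
#
define(`logwatch_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logwatch_dontaudit_leaks'($*)) dnl
	gen_require(`
		type logwatch_t;
	')

	dontaudit $1 logwatch_t:fifo_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logwatch_dontaudit_leaks'($*)) dnl
')

########################################
##
## Create, read, write, and delete
## logwatch cache files.
##
##
## Domain allowed access.
##
#
define(`logwatch_manage_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logwatch_manage_cache'($*)) dnl
	gen_require(`
		type logwatch_cache_t;
	')

	files_search_var($1)
	manage_files_pattern($1, logwatch_cache_t, logwatch_cache_t)
	manage_dirs_pattern($1, logwatch_cache_t, logwatch_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logwatch_manage_cache'($*)) dnl
')

## Line printer daemon

########################################
##
## Role access for lpd
##
##
## Role allowed access
##
##
## User domain for the role
##
#
define(`lpd_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_role'($*)) dnl
	gen_require(`
		attribute_role lpr_roles;
		type lpr_t, lpr_exec_t, print_spool_t;
	')

	########################################
	#
	# Declarations
	#

	roleattribute $1 lpr_roles;

	########################################
	#
	# Policy
	#

	# Transition from the user domain to the derived domain.
	domtrans_pattern($2, lpr_exec_t, lpr_t)

	dontaudit lpr_t $2:unix_stream_socket { read write };

	ps_process_pattern($2, lpr_t)
	allow $2 lpr_t:process signal_perms;

	# ptrace is only granted while the deny_ptrace boolean is off.
	tunable_policy(`deny_ptrace',`',`
		allow $2 lpr_t:process ptrace;
	')

	optional_policy(`
		cups_read_config($2)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_role'($*)) dnl
')

########################################
##
## Execute checkpc in the checkpc domain.
##
##
## Domain allowed to transition.
##
#
define(`lpd_domtrans_checkpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_domtrans_checkpc'($*)) dnl
	gen_require(`
		type checkpc_t, checkpc_exec_t;
	')

	# Search on the bin directories, as the other *_domtrans interfaces
	# in this file grant, so the entry point is reachable by path.
	corecmd_search_bin($1)
	domtrans_pattern($1, checkpc_exec_t, checkpc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_domtrans_checkpc'($*)) dnl
')

########################################
##
## Execute checkpc in the checkpc domain, and
## allow the specified role the checkpc domain.
##
##
## Domain allowed to transition.
##
##
## Role allowed access.
##
#
define(`lpd_run_checkpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_run_checkpc'($*)) dnl
	gen_require(`
		type checkpc_t;
	')

	lpd_domtrans_checkpc($1)
	role $2 types checkpc_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_run_checkpc'($*)) dnl
')

########################################
##
## List the contents of the printer spool directories.
##
##
## Domain allowed access.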
##
#
define(`lpd_list_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_list_spool'($*)) dnl
	gen_require(`
		type print_spool_t;
	')

	files_search_spool($1)
	allow $1 print_spool_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_list_spool'($*)) dnl
')

########################################
##
## Read the printer spool files.
##
##
## Domain allowed access.
##
#
define(`lpd_read_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_read_spool'($*)) dnl
	gen_require(`
		type print_spool_t;
	')

	files_search_spool($1)
	read_files_pattern($1, print_spool_t, print_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_read_spool'($*)) dnl
')

########################################
##
## Create, read, write, and delete printer spool files.
##
##
## Domain allowed access.
##
#
define(`lpd_manage_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_manage_spool'($*)) dnl
	gen_require(`
		type print_spool_t;
	')

	files_search_spool($1)
	# Full management of dirs, files, symlinks and fifos in the spool;
	# sock_file and device nodes are deliberately not covered.
	manage_dirs_pattern($1, print_spool_t, print_spool_t)
	manage_files_pattern($1, print_spool_t, print_spool_t)
	manage_lnk_files_pattern($1, print_spool_t, print_spool_t)
	manage_fifo_files_pattern($1, print_spool_t, print_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_manage_spool'($*)) dnl
')

########################################
##
## Relabel from and to the spool files.
##
##
## Domain allowed access.
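##
#
define(`lpd_relabel_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_relabel_spool'($*)) dnl
	gen_require(`
		type print_spool_t;
	')

	files_search_spool($1)
	allow $1 print_spool_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_relabel_spool'($*)) dnl
')

########################################
##
## Read printer configuration files.
##
##
## Domain allowed access.
##
#
define(`lpd_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_read_config'($*)) dnl
	gen_require(`
		type printconf_t;
	')

	# NOTE(review): no files_search_etc is granted here; callers are
	# assumed to already reach the directory holding printconf_t.
	allow $1 printconf_t:dir list_dir_perms;
	read_files_pattern($1, printconf_t, printconf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_read_config'($*)) dnl
')

########################################
##
## Transition to a user lpr domain.
##
##
## Domain allowed to transition.
##
#
define(`lpd_domtrans_lpr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_domtrans_lpr'($*)) dnl
	gen_require(`
		type lpr_t, lpr_exec_t;
	')

	# Search on the bin directories, as the other *_domtrans interfaces
	# in this file grant, so the entry point is reachable by path.
	corecmd_search_bin($1)
	domtrans_pattern($1, lpr_exec_t, lpr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_domtrans_lpr'($*)) dnl
')

########################################
##
## Execute lpr in the lpr domain, and
## allow the specified role the lpr domain.
##
##
## Domain allowed to transition.
##
##
## Role allowed access.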
##
#
define(`lpd_run_lpr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_run_lpr'($*)) dnl
	gen_require(`
		attribute_role lpr_roles;
	')

	lpd_domtrans_lpr($1)
	roleattribute $2 lpr_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_run_lpr'($*)) dnl
')

########################################
##
## Allow the specified domain to execute lpr
## in the caller domain.
##
##
## Domain allowed access.
##
#
define(`lpd_exec_lpr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lpd_exec_lpr'($*)) dnl
	gen_require(`
		type lpr_exec_t;
	')

	can_exec($1, lpr_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lpd_exec_lpr'($*)) dnl
')

## libStorageMgmt plug-in daemon

########################################
##
## Execute a domain transition to run lsmd.
##
##
## Domain allowed to transition.
##
#
define(`lsmd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lsmd_domtrans'($*)) dnl
	gen_require(`
		type lsmd_t, lsmd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, lsmd_exec_t, lsmd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lsmd_domtrans'($*)) dnl
')

########################################
##
## Read lsmd PID files.
##
##
## Domain allowed access.
##
#
define(`lsmd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lsmd_read_pid_files'($*)) dnl
	gen_require(`
		type lsmd_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lsmd_read_pid_files'($*)) dnl
')

########################################
##
## Manage the lsmd service with systemctl
## (read the unit file and start, stop or status it).
##
##
## Domain allowed access.
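##
#
define(`lsmd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lsmd_systemctl'($*)) dnl
	gen_require(`
		type lsmd_t;
		type lsmd_unit_file_t;
	')

	systemd_exec_systemctl($1)
	# NOTE(review): init_reload_services is a right on init itself, not
	# on the lsmd unit; the lttng systemctl interface in this file does
	# not grant it. Confirm lsmd management really needs a daemon-reload.
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 lsmd_unit_file_t:file read_file_perms;
	allow $1 lsmd_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, lsmd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lsmd_systemctl'($*)) dnl
')

########################################
##
## All of the rules required to administrate
## an lsmd environment
##
##
## Domain allowed access.
##
#
define(`lsmd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lsmd_admin'($*)) dnl
	gen_require(`
		type lsmd_t;
		type lsmd_var_run_t;
		type lsmd_unit_file_t;
	')

	allow $1 lsmd_t:process signal_perms;
	ps_process_pattern($1, lsmd_t)

	# ptrace of the daemon is gated on deny_ptrace like the other admin
	# interfaces in this file, instead of being granted unconditionally.
	tunable_policy(`deny_ptrace',`',`
		allow $1 lsmd_t:process ptrace;
	')

	files_search_pids($1)
	admin_pattern($1, lsmd_var_run_t)

	lsmd_systemctl($1)
	admin_pattern($1, lsmd_unit_file_t)
	allow $1 lsmd_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lsmd_admin'($*)) dnl
')

## LTTng 2.x central tracing registry session daemon.

########################################
##
## Execute lttng_sessiond_exec_t in the lttng_sessiond domain.
##
##
## Domain allowed to transition.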
##
#
define(`lttng_sessiond_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lttng_sessiond_domtrans'($*)) dnl
	gen_require(`
		type lttng_sessiond_t, lttng_sessiond_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, lttng_sessiond_exec_t, lttng_sessiond_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lttng_sessiond_domtrans'($*)) dnl
')

######################################
##
## Execute lttng_sessiond in the caller domain.
##
##
## Domain allowed access.
##
#
define(`lttng_sessiond_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lttng_sessiond_exec'($*)) dnl
	gen_require(`
		type lttng_sessiond_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, lttng_sessiond_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lttng_sessiond_exec'($*)) dnl
')

########################################
##
## Manage the lttng_sessiond service with systemctl
## (read the unit file and start, stop or status it).
##
##
## Domain allowed access.
##
#
define(`lttng_sessiond_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lttng_sessiond_systemctl'($*)) dnl
	gen_require(`
		type lttng_sessiond_t;
		type lttng_sessiond_unit_file_t;
	')

	systemd_exec_systemctl($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 lttng_sessiond_unit_file_t:file read_file_perms;
	allow $1 lttng_sessiond_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, lttng_sessiond_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lttng_sessiond_systemctl'($*)) dnl
')

########################################
##
## All of the rules required to administrate
## an lttng_sessiond environment
##
##
## Domain allowed access.
##
#
define(`lttng_sessiond_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lttng_sessiond_admin'($*)) dnl
	gen_require(`
		type lttng_sessiond_t;
		type lttng_sessiond_unit_file_t;
	')

	allow $1 lttng_sessiond_t:process { signal_perms };
	ps_process_pattern($1, lttng_sessiond_t)

	# ptrace is only granted while the deny_ptrace boolean is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 lttng_sessiond_t:process ptrace;
	')

	lttng_sessiond_systemctl($1)
	admin_pattern($1, lttng_sessiond_unit_file_t)
	allow $1 lttng_sessiond_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lttng_sessiond_admin'($*)) dnl
')

########################################
##
## Read lttng-tools shared memory files.
##
##
## Domain allowed access.
##
#
define(`lttng_read_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lttng_read_shm'($*)) dnl
	gen_require(`
		type lttng_sessiond_tmpfs_t;
	')

	# Read-only access to the tmpfs-backed files; no write or shm
	# object permissions are granted despite the read_shm naming.
	read_files_pattern($1, lttng_sessiond_tmpfs_t, lttng_sessiond_tmpfs_t)
	fs_search_tmpfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lttng_read_shm'($*)) dnl
')

## Mailman is for managing electronic mail discussion and e-newsletter lists

#######################################
##
## The template to define a mailman domain.
##
##

## This template creates a domain to be used for ## a new mailman daemon. ##

##
## <param name="domain_prefix">
##	<summary>
##	The type of daemon to be used eg, cgi would give mailman_cgi_
##	</summary>
## </param>
#
define(`mailman_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_domain_template'($*)) dnl

	########################################
	#
	# Declarations
	#

	gen_require(`
		attribute mailman_domain;
	')

	type mailman_$1_t, mailman_domain;
	domain_type(mailman_$1_t)

	type mailman_$1_exec_t;
	domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
	role system_r types mailman_$1_t;

	type mailman_$1_tmp_t;
	files_tmp_file(mailman_$1_tmp_t)

	########################################
	#
	# Policy
	#

	manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
	manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
	files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })

	kernel_read_system_state(mailman_$1_t)

	# NOTE(review): the generic interface/node and all-ports send/receive
	# rules below are wide; the SMTP client rules at the end are the only
	# port-specific grants. Confirm the broad rules are still needed for
	# every derived mailman_$1_t domain.
	corenet_all_recvfrom_unlabeled(mailman_$1_t)
	corenet_all_recvfrom_netlabel(mailman_$1_t)
	corenet_tcp_sendrecv_generic_if(mailman_$1_t)
	corenet_udp_sendrecv_generic_if(mailman_$1_t)
	corenet_raw_sendrecv_generic_if(mailman_$1_t)
	corenet_tcp_sendrecv_generic_node(mailman_$1_t)
	corenet_udp_sendrecv_generic_node(mailman_$1_t)
	corenet_raw_sendrecv_generic_node(mailman_$1_t)
	corenet_tcp_sendrecv_all_ports(mailman_$1_t)
	corenet_udp_sendrecv_all_ports(mailman_$1_t)
	corenet_tcp_bind_generic_node(mailman_$1_t)
	corenet_udp_bind_generic_node(mailman_$1_t)
	corenet_tcp_connect_smtp_port(mailman_$1_t)
	corenet_sendrecv_smtp_client_packets(mailman_$1_t)

	auth_use_nsswitch(mailman_$1_t)

	logging_send_syslog_msg(mailman_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_domain_template'($*)) dnl
')

########################################
## <summary>
##	Execute mailman in the mailman domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`mailman_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_domtrans'($*)) dnl
	gen_require(`
		type mailman_mail_exec_t, mailman_mail_t;
	')

	domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute the mailman program in the mailman domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the mailman domain.
##	</summary>
## </param>
## <rolecap/>
#
define(`mailman_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_run'($*)) dnl
	gen_require(`
		type mailman_mail_t;
	')

	mailman_domtrans($1)
	# the role must be authorized for the target domain or the transition fails
	role $2 types mailman_mail_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_run'($*)) dnl
')

########################################
## <summary>
##	Execute mailman CGI scripts in the
##	mailman CGI domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`mailman_domtrans_cgi',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_domtrans_cgi'($*)) dnl
	gen_require(`
		type mailman_cgi_exec_t, mailman_cgi_t;
	')

	domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_domtrans_cgi'($*)) dnl
')

########################################
## <summary>
##	Execute mailman in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mailman_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_exec'($*)) dnl
	gen_require(`
		type mailman_mail_exec_t;
	')

	# no domain transition: mailman runs with the privileges of $1
	can_exec($1, mailman_mail_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_exec'($*)) dnl
')

########################################
## <summary>
##	Send generic signals to the mailman cgi domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mailman_signal_cgi',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_signal_cgi'($*)) dnl
	gen_require(`
		type mailman_cgi_t;
	')

	allow $1 mailman_cgi_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_signal_cgi'($*)) dnl
')

########################################
## <summary>
##	Send null signals to the mailman cgi domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mailman_signull_cgi',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_signull_cgi'($*)) dnl
	gen_require(`
		type mailman_cgi_t;
	')

	# signull only checks for process existence; it delivers no signal
	allow $1 mailman_cgi_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_signull_cgi'($*)) dnl
')

########################################
## <summary>
##	Allow domain to search mailman data directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mailman_search_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_search_data'($*)) dnl
	gen_require(`
		type mailman_data_t;
	')

	allow $1 mailman_data_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_search_data'($*)) dnl
')

########################################
## <summary>
##	Allow domain to read mailman data files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mailman_read_data_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_read_data_files'($*)) dnl
	gen_require(`
		type mailman_data_t;
	')

	list_dirs_pattern($1, mailman_data_t, mailman_data_t)
	read_files_pattern($1, mailman_data_t, mailman_data_t)
	read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_read_data_files'($*)) dnl
')

########################################
## <summary>
##	Allow domain to create mailman data files
##	and write the directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mailman_manage_data_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_manage_data_files'($*)) dnl
	gen_require(`
		type mailman_data_t;
	')

	# dirs and regular files only; symlinks are not managed by this interface
	manage_dirs_pattern($1, mailman_data_t, mailman_data_t)
	manage_files_pattern($1, mailman_data_t, mailman_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_manage_data_files'($*)) dnl
')

########################################
## <summary>
##	List the contents of mailman data directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mailman_list_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_list_data'($*)) dnl
	gen_require(`
		type mailman_data_t;
	')

	allow $1 mailman_data_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_list_data'($*)) dnl
')

########################################
## <summary>
##	Allow read access to mailman data symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mailman_read_data_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_read_data_symlinks'($*)) dnl
	gen_require(`
		type mailman_data_t;
	')

	read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_read_data_symlinks'($*)) dnl
')

########################################
## <summary>
##	Read mailman logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mailman_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_read_log'($*)) dnl
	gen_require(`
		type mailman_log_t;
	')

	read_files_pattern($1, mailman_log_t, mailman_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_read_log'($*)) dnl
')

########################################
## <summary>
##	Append to mailman logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mailman_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_append_log'($*)) dnl
	gen_require(`
		type mailman_log_t;
	')

	# append-only: existing log content cannot be rewritten through this grant
	append_files_pattern($1, mailman_log_t, mailman_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_append_log'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	mailman logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mailman_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_manage_log'($*)) dnl
	gen_require(`
		type mailman_log_t;
	')

	# files and symlinks; the log directory itself is not managed here
	manage_files_pattern($1, mailman_log_t, mailman_log_t)
	manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_manage_log'($*)) dnl
')

########################################
## <summary>
##	Allow domain to read mailman archive files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mailman_read_archive',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_read_archive'($*)) dnl
	gen_require(`
		type mailman_archive_t;
	')

	allow $1 mailman_archive_t:dir list_dir_perms;
	read_files_pattern($1, mailman_archive_t, mailman_archive_t)
	read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_read_archive'($*)) dnl
')

########################################
## <summary>
##	Execute mailman_queue in the mailman_queue domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`mailman_domtrans_queue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailman_domtrans_queue'($*)) dnl
	gen_require(`
		type mailman_queue_exec_t, mailman_queue_t;
	')

	domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailman_domtrans_queue'($*)) dnl
')

## <summary>E-mail security and anti-spam package for e-mail gateway systems.</summary>

########################################
## <summary>
##	Execute a domain transition to run
##	MailScanner.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`mailscanner_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailscanner_initrc_domtrans'($*)) dnl
	gen_require(`
		type mscan_initrc_exec_t;
	')

	# transition goes through the init script, not directly into mscan_t
	init_labeled_script_domtrans($1, mscan_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailscanner_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	an mailscanner environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`mailscanner_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mailscanner_admin'($*)) dnl
	gen_require(`
		type mscan_t, mscan_var_run_t, mscan_etc_t;
		type mscan_initrc_exec_t;
	')

	mailscanner_initrc_domtrans($1)
	domain_system_change_exemption($1)
	# running the init script switches the admin role to system_r
	role_transition $2 mscan_initrc_exec_t system_r;
	allow $2 system_r;

	allow $1 mscan_t:process signal_perms;
	ps_process_pattern($1, mscan_t)

	# ptrace of the daemon is only granted when the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 mscan_t:process ptrace;
	')

	admin_pattern($1, mscan_etc_t)
	files_list_etc($1)

	admin_pattern($1, mscan_var_run_t)
	files_list_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mailscanner_admin'($*)) dnl
')

## <summary>A Unix manpage-to-HTML converter.</summary>

########################################
## <summary>
##	Transition to man2html_script.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`man2html_script_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `man2html_script_domtrans'($*)) dnl
	gen_require(`
		type man2html_script_t, man2html_script_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, man2html_script_exec_t, man2html_script_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `man2html_script_domtrans'($*)) dnl
')

########################################
## <summary>
##	Search man2html_script content directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`man2html_search_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `man2html_search_content'($*)) dnl
	gen_require(`
		type man2html_content_t;
		type man2html_rw_content_t;
	')

	allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms;
	files_search_var($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `man2html_search_content'($*)) dnl
')

########################################
## <summary>
##	Read man2html cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`man2html_read_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `man2html_read_content_files'($*)) dnl
	gen_require(`
		type man2html_content_t;
		type man2html_rw_content_t;
	')

	files_search_var($1)
	allow $1 { man2html_rw_content_t man2html_content_t }:dir search_dir_perms;
	read_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
	read_files_pattern($1, man2html_content_t, man2html_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `man2html_read_content_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	man2html content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`man2html_manage_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `man2html_manage_content_files'($*)) dnl
	gen_require(`
		type man2html_content_t;
		type man2html_rw_content_t;
	')

	files_search_var($1)
	# covers both the read-only and the read-write content types
	manage_files_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
	manage_files_pattern($1, man2html_content_t, man2html_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `man2html_manage_content_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	man2html content dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`man2html_manage_content_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `man2html_manage_content_dirs'($*)) dnl
	gen_require(`
		type man2html_content_t;
		type man2html_rw_content_t;
	')

	files_search_var($1)
	manage_dirs_pattern($1, man2html_rw_content_t, man2html_rw_content_t)
	manage_dirs_pattern($1, man2html_content_t, man2html_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `man2html_manage_content_dirs'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	an man2html environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`man2html_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `man2html_admin'($*)) dnl
	gen_require(`
		type man2html_script_t;
		type man2html_rw_content_t;
		type man2html_content_t;
	')

	# NOTE(review): ptrace is granted unconditionally here, while sibling
	# admin interfaces in this file (lttng_sessiond_admin, mailscanner_admin,
	# memcached_admin) gate it behind the deny_ptrace tunable. Consider the
	# same tunable_policy wrapper for consistency.
	allow $1 man2html_script_t:process { ptrace signal_perms };
	ps_process_pattern($1, man2html_script_t)

	files_search_var($1)
	admin_pattern($1, man2html_content_t)
	admin_pattern($1, man2html_rw_content_t)

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `man2html_admin'($*)) dnl
')

## <summary>policy for mandb</summary>

########################################
## <summary>
##	Transition to mandb.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`mandb_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_domtrans'($*)) dnl
	gen_require(`
		type mandb_t, mandb_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, mandb_exec_t, mandb_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_domtrans'($*)) dnl
')

########################################
## <summary>
##	Search mandb cache directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mandb_search_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_search_cache'($*)) dnl
	gen_require(`
		type mandb_cache_t;
	')

	allow $1 mandb_cache_t:dir search_dir_perms;
	files_search_var($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_search_cache'($*)) dnl
')

########################################
## <summary>
##	Read mandb cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mandb_read_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_read_cache_files'($*)) dnl
	gen_require(`
		type mandb_cache_t;
	')

	files_search_var($1)
	read_files_pattern($1, mandb_cache_t, mandb_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_read_cache_files'($*)) dnl
')

########################################
## <summary>
##	Mmap mandb cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mandb_map_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_map_cache_files'($*)) dnl
	gen_require(`
		type mandb_cache_t;
	')

	# map only; pair with mandb_read_cache_files for the read permission itself
	allow $1 mandb_cache_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_map_cache_files'($*)) dnl
')

########################################
## <summary>
##	Relabel mandb cache files/directories
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mandb_relabel_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_relabel_cache'($*)) dnl
	gen_require(`
		type mandb_cache_t;
	')

	allow $1 mandb_cache_t:dir relabel_dir_perms;
	allow $1 mandb_cache_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_relabel_cache'($*)) dnl
')

########################################
## <summary>
##	Set attributes on mandb cache directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mandb_setattr_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_setattr_cache_dirs'($*)) dnl
	gen_require(`
		type mandb_cache_t;
	')

	files_search_var($1)
	# dir class only, as the interface name says; the original summary
	# said "files"
	allow $1 mandb_cache_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_setattr_cache_dirs'($*)) dnl
')

########################################
## <summary>
##	Delete mandb cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mandb_delete_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_delete_cache'($*)) dnl
	gen_require(`
		type mandb_cache_t;
	')

	files_search_var($1)
	allow $1 mandb_cache_t:dir list_dir_perms;
	# dirs, files and symlinks under the cache can all be removed
	delete_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
	delete_files_pattern($1, mandb_cache_t, mandb_cache_t)
	delete_lnk_files_pattern($1, mandb_cache_t, mandb_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_delete_cache'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	mandb cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mandb_manage_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_manage_cache_files'($*)) dnl
	gen_require(`
		type mandb_cache_t;
	')

	files_search_var($1)
	manage_files_pattern($1, mandb_cache_t, mandb_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_manage_cache_files'($*)) dnl
')

########################################
## <summary>
##	Manage mandb cache dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mandb_manage_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_manage_cache_dirs'($*)) dnl
	gen_require(`
		type mandb_cache_t;
	')

	files_search_var($1)
	manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_manage_cache_dirs'($*)) dnl
')

########################################
## <summary>
##	Create configuration files in user
##	home directories with a named file
##	type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mandb_filetrans_named_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_filetrans_named_home_content'($*)) dnl
	gen_require(`
		type mandb_home_t;
	')

	# only a file literally named .manpath gets the mandb_home_t label
	userdom_user_home_dir_filetrans($1, mandb_home_t, file, ".manpath")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_filetrans_named_home_content'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	an mandb environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mandb_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mandb_admin'($*)) dnl
	gen_require(`
		type mandb_t;
		type mandb_cache_t, mandb_lock_t;
	')

	# NOTE(review): ptrace is granted unconditionally here, unlike the
	# deny_ptrace-gated grants in lttng_sessiond_admin, mailscanner_admin
	# and memcached_admin in this file.
	allow $1 mandb_t:process { ptrace signal_perms };
	ps_process_pattern($1, mandb_t)

	files_search_var($1)
	admin_pattern($1, mandb_cache_t)

	files_search_locks($1)
	admin_pattern($1, mandb_lock_t)

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mandb_admin'($*)) dnl
')

## <summary>Linux hardware error daemon.</summary>

########################################
## <summary>
##	Execute a domain transition to run mcelog.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`mcelog_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mcelog_domtrans'($*)) dnl
	gen_require(`
		type mcelog_t, mcelog_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, mcelog_exec_t, mcelog_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mcelog_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read mcelog logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mcelog_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mcelog_read_log'($*)) dnl
	gen_require(`
		type mcelog_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, mcelog_log_t, mcelog_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mcelog_read_log'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an mcelog environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`mcelog_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mcelog_admin'($*)) dnl
	gen_require(`
		type mcelog_t, mcelog_initrc_exec_t, mcelog_log_t;
		type mcelog_var_run_t, mcelog_etc_t;
	')

	# NOTE(review): ptrace is granted unconditionally here, unlike the
	# deny_ptrace-gated grants in lttng_sessiond_admin, mailscanner_admin
	# and memcached_admin in this file.
	allow $1 mcelog_t:process { ptrace signal_perms };
	ps_process_pattern($1, mcelog_t)

	init_labeled_script_domtrans($1, mcelog_initrc_exec_t)
	domain_system_change_exemption($1)
	# running the init script switches the admin role to system_r
	role_transition $2 mcelog_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, mcelog_etc_t)

	logging_search_logs($1)
	admin_pattern($1, mcelog_log_t)

	files_search_pids($1)
	admin_pattern($1, mcelog_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mcelog_admin'($*)) dnl
')

## <summary>Mediawiki policy</summary>

########################################
## <summary>
##	Allow the specified domain to read
##	mediawiki tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mediawiki_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mediawiki_read_tmp_files'($*)) dnl
	gen_require(`
		type mediawiki_tmp_t;
	')

	files_search_tmp($1)
	read_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
	read_lnk_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mediawiki_read_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Delete mediawiki tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mediawiki_delete_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mediawiki_delete_tmp_files'($*)) dnl
	gen_require(`
		type mediawiki_tmp_t;
	')

	# no files_search_tmp here: callers need search on /tmp from elsewhere
	delete_files_pattern($1, mediawiki_tmp_t, mediawiki_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mediawiki_delete_tmp_files'($*)) dnl
')

## <summary>high-performance memory object caching system</summary>

########################################
## <summary>
##	Execute a domain transition to run memcached.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`memcached_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `memcached_domtrans'($*)) dnl
	gen_require(`
		type memcached_t;
		type memcached_exec_t;
	')

	domtrans_pattern($1, memcached_exec_t, memcached_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `memcached_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read memcached PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`memcached_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `memcached_read_pid_files'($*)) dnl
	gen_require(`
		type memcached_var_run_t;
	')

	files_search_pids($1)
	allow $1 memcached_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `memcached_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Manage memcached PID files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`memcached_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `memcached_manage_pid_files'($*)) dnl
	gen_require(`
		type memcached_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `memcached_manage_pid_files'($*)) dnl
')

########################################
## <summary>
##	Connect to memcached over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`memcached_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `memcached_stream_connect'($*)) dnl
	gen_require(`
		type memcached_t, memcached_var_run_t;
	')

	files_search_pids($1)
	# the socket file lives in the PID directory; memcached_t is the peer
	stream_connect_pattern($1, memcached_var_run_t, memcached_var_run_t, memcached_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `memcached_stream_connect'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	an memcached environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the memcached domain.
##	</summary>
## </param>
## <rolecap/>
#
define(`memcached_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `memcached_admin'($*)) dnl
	gen_require(`
		type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
	')

	allow $1 memcached_t:process signal_perms;
	ps_process_pattern($1, memcached_t)

	# ptrace of the daemon is only granted when the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 memcached_t:process ptrace;
	')

	init_labeled_script_domtrans($1, memcached_initrc_exec_t)
	domain_system_change_exemption($1)
	# running the init script switches the admin role to system_r
	role_transition $2 memcached_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_pids($1)
	admin_pattern($1, memcached_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `memcached_admin'($*)) dnl
')

## <summary>Milter mail filters</summary>

########################################
## <summary>
##	Create a set of derived types for various
##	mail filter applications using the milter interface.
## </summary>
## <param name="milter_name">
##	<summary>
##	The name to be used for deriving type names.
##	</summary>
## </param>
#
define(`milter_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `milter_template'($*)) dnl

	# attributes common to all milters
	gen_require(`
		attribute milter_data_type, milter_domains;
	')

	type $1_milter_t, milter_domains;
	type $1_milter_exec_t;
	init_daemon_domain($1_milter_t, $1_milter_exec_t)
	role system_r types $1_milter_t;

	# Type for the milter data (e.g.
	# the socket used to communicate with the MTA)
	type $1_milter_data_t, milter_data_type;
	files_pid_file($1_milter_data_t)

	# Allow communication with MTA over a unix-domain socket
	manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)

	# Create other data files in the data directory
	# (only the file class is managed here; no dir management is granted)
	manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)

	logging_send_syslog_msg($1_milter_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `milter_template'($*)) dnl
')

########################################
## <summary>
##	MTA communication with milter sockets
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`milter_stream_connect_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `milter_stream_connect_all'($*)) dnl
	gen_require(`
		attribute milter_data_type, milter_domains;
	')

	files_search_pids($1)
	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
	# attribute-based: connects to every milter domain, not a single one
	stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `milter_stream_connect_all'($*)) dnl
')

########################################
## <summary>
##	Allow getattr of milter sockets
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`milter_getattr_all_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `milter_getattr_all_sockets'($*)) dnl
	gen_require(`
		attribute milter_data_type;
	')

	getattr_dirs_pattern($1, milter_data_type, milter_data_type)
	getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `milter_getattr_all_sockets'($*)) dnl
')

########################################
## <summary>
##	Allow setattr of milter dirs
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`milter_setattr_all_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `milter_setattr_all_dirs'($*)) dnl
	gen_require(`
		attribute milter_data_type;
	')

	setattr_dirs_pattern($1, milter_data_type, milter_data_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `milter_setattr_all_dirs'($*)) dnl
')

########################################
## <summary>
##	Manage spamassassin milter state
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`milter_manage_spamass_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `milter_manage_spamass_state'($*)) dnl
	gen_require(`
		type spamass_milter_state_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
	manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
	manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `milter_manage_spamass_state'($*)) dnl
')

########################################
## <summary>
##	Delete dkim-milter PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`milter_delete_dkim_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `milter_delete_dkim_pid_files'($*)) dnl
	gen_require(`
		type dkim_milter_data_t;
	')

	files_search_pids($1)
	delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `milter_delete_dkim_pid_files'($*)) dnl
')

## <summary>MiniDLNA lightweight DLNA/UPnP media server</summary>

########################################
## <summary>
##	All of the rules required to
##	administrate an minidlna environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
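##	</summary>
## </param>
#
define(`minidlna_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `minidlna_admin'($*))dnl
	gen_require(`
		type minidlna_t, minidlna_var_run_t, minidlna_initrc_exec_t;
		type minidlna_conf_t, minidlna_log_t, minidlna_db_t;
	')

	allow $1 minidlna_t:process signal_perms;
	ps_process_pattern($1, minidlna_t)

	# ptrace of the daemon is only granted while the deny_ptrace
	# tunable is off, matching the other *_admin interfaces in this
	# file; it used to be granted unconditionally here.
	tunable_policy(`deny_ptrace',`',`
		allow $1 minidlna_t:process ptrace;
	')

	# Run the init script and switch the admin role to system_r
	# for the duration of the script.
	minidlna_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 minidlna_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, minidlna_conf_t)

	logging_search_logs($1)
	admin_pattern($1, minidlna_log_t)

	files_search_var_lib($1)
	admin_pattern($1, minidlna_db_t)

	files_search_pids($1)
	admin_pattern($1, minidlna_var_run_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `minidlna_admin'($*))dnl
')

########################################
## <summary>
##	Execute minidlna init scripts in
##	the initrc domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`minidlna_initrc_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `minidlna_initrc_domtrans'($*))dnl
	gen_require(`
		type minidlna_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, minidlna_initrc_exec_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `minidlna_initrc_domtrans'($*))dnl
')

## <summary>Daemon used by MiniUPnPc to speed up device discoveries.</summary>

########################################
## <summary>
##	Read minissdpd configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.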
##	</summary>
## </param>
#
define(`minissdpd_read_config',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `minissdpd_read_config'($*))dnl
	gen_require(`
		type minissdpd_conf_t;
	')

	# Read only on regular files; no directory listing is granted.
	files_search_etc($1)
	allow $1 minissdpd_conf_t:file read_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `minissdpd_read_config'($*))dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a minissdpd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`minissdpd_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `minissdpd_admin'($*))dnl
	gen_require(`
		type minissdpd_t, minissdpd_initrc_exec_t, minissdpd_conf_t;
		type minissdpd_var_run_t;
	')

	# Signals and /proc visibility only; unlike several other
	# *_admin interfaces in this file no ptrace is granted.
	allow $1 minissdpd_t:process { signal_perms };
	ps_process_pattern($1, minissdpd_t)

	# Run the init script and switch the admin role to system_r
	# for the duration of the script.
	init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 minissdpd_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, minissdpd_conf_t)

	files_search_pids($1)
	admin_pattern($1, minissdpd_var_run_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `minissdpd_admin'($*))dnl
')

## <summary>Mobile IPv6 and NEMO Basic Support implementation</summary>

########################################
## <summary>
##	Execute mip6d in the mip6d domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`mip6d_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mip6d_domtrans'($*))dnl
	gen_require(`
		type mip6d_t, mip6d_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, mip6d_exec_t, mip6d_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mip6d_domtrans'($*))dnl
')

########################################
## <summary>
##	Control the mip6d systemd unit with systemctl
##	(read the unit file, manage the service, reload
##	init, and see mip6d processes).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mip6d_systemctl',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mip6d_systemctl'($*))dnl
	gen_require(`
		type mip6d_t;
		type mip6d_unit_file_t;
	')

	# This grants control of the unit through systemctl, not a
	# transition into mip6d_t (see mip6d_domtrans for that).
	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 mip6d_unit_file_t:file read_file_perms;
	allow $1 mip6d_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, mip6d_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mip6d_systemctl'($*))dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a mip6d environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mip6d_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mip6d_admin'($*))dnl
	gen_require(`
		type mip6d_t;
		type mip6d_unit_file_t;
	')

	allow $1 mip6d_t:process { signal_perms };
	ps_process_pattern($1, mip6d_t)

	# ptrace is only available while the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 mip6d_t:process ptrace;
	')

	mip6d_systemctl($1)
	admin_pattern($1, mip6d_unit_file_t)
	allow $1 mip6d_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mip6d_admin'($*))dnl
')

## <summary>policy for mirrormanager</summary>

########################################
## <summary>
##	Execute mirrormanager in the mirrormanager domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`mirrormanager_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_domtrans'($*))dnl
	gen_require(`
		type mirrormanager_t, mirrormanager_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, mirrormanager_exec_t, mirrormanager_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_domtrans'($*))dnl
')

########################################
## <summary>
##	Read mirrormanager log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mirrormanager_read_log',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_read_log'($*))dnl
	gen_require(`
		type mirrormanager_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_read_log'($*))dnl
')

########################################
## <summary>
##	Append to mirrormanager log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mirrormanager_append_log',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_append_log'($*))dnl
	gen_require(`
		type mirrormanager_log_t;
	')

	# Append only: existing log content cannot be read or rewritten.
	logging_search_logs($1)
	append_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_append_log'($*))dnl
')

########################################
## <summary>
##	Manage mirrormanager log files, directories
##	and symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mirrormanager_manage_log',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_manage_log'($*))dnl
	gen_require(`
		type mirrormanager_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
	manage_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
	manage_lnk_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_manage_log'($*))dnl
')

########################################
## <summary>
##	Search mirrormanager lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mirrormanager_search_lib',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_search_lib'($*))dnl
	gen_require(`
		type mirrormanager_var_lib_t;
	')

	# Search only (no listing); /var/lib itself is made searchable
	# so the path can be traversed.
	allow $1 mirrormanager_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_search_lib'($*))dnl
')

########################################
## <summary>
##	Read mirrormanager lib files and list
##	mirrormanager lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mirrormanager_read_lib_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_read_lib_files'($*))dnl
	gen_require(`
		type mirrormanager_var_lib_t;
	')

	files_search_var_lib($1)
	list_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
	read_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_read_lib_files'($*))dnl
')

########################################
## <summary>
##	Manage mirrormanager lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mirrormanager_manage_lib_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_manage_lib_files'($*))dnl
	gen_require(`
		type mirrormanager_var_lib_t;
	')

	# Regular files only; directories are covered by
	# mirrormanager_manage_lib_dirs.
	files_search_var_lib($1)
	manage_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_manage_lib_files'($*))dnl
')

########################################
## <summary>
##	Manage mirrormanager lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mirrormanager_manage_lib_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_manage_lib_dirs'($*))dnl
	gen_require(`
		type mirrormanager_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_manage_lib_dirs'($*))dnl
')

########################################
## <summary>
##	Read mirrormanager PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mirrormanager_read_pid_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_read_pid_files'($*))dnl
	gen_require(`
		type mirrormanager_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_read_pid_files'($*))dnl
')

########################################
## <summary>
##	Manage mirrormanager PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mirrormanager_manage_pid_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_manage_pid_files'($*))dnl
	gen_require(`
		type mirrormanager_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_manage_pid_files'($*))dnl
')

########################################
## <summary>
##	Manage mirrormanager PID sock files
##	(unix sockets labelled mirrormanager_var_run_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mirrormanager_manage_pid_sock_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_manage_pid_sock_files'($*))dnl
	gen_require(`
		type mirrormanager_var_run_t;
	')

	files_search_pids($1)
	manage_sock_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_manage_pid_sock_files'($*))dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a mirrormanager environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mirrormanager_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mirrormanager_admin'($*))dnl
	gen_require(`
		type mirrormanager_t;
		type mirrormanager_log_t;
		type mirrormanager_var_lib_t;
		type mirrormanager_var_run_t;
	')

	allow $1 mirrormanager_t:process { signal_perms };
	ps_process_pattern($1, mirrormanager_t)

	# ptrace is only available while the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 mirrormanager_t:process ptrace;
	')

	logging_search_logs($1)
	admin_pattern($1, mirrormanager_log_t)

	files_search_var_lib($1)
	admin_pattern($1, mirrormanager_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, mirrormanager_var_run_t)

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mirrormanager_admin'($*))dnl
')

## <summary>policy for mock</summary>

########################################
## <summary>
##	Execute a domain transition to run mock.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`mock_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mock_domtrans'($*))dnl
	gen_require(`
		type mock_t, mock_exec_t;
	')

	# Unlike the other *_domtrans interfaces in this file no
	# corecmd_search_bin() is granted here; the caller must already
	# be able to reach the mock executable.
	domtrans_pattern($1, mock_exec_t, mock_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mock_domtrans'($*))dnl
')

########################################
## <summary>
##	Search mock lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mock_search_lib',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mock_search_lib'($*))dnl
	gen_require(`
		type mock_var_lib_t;
	')

	allow $1 mock_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mock_search_lib'($*))dnl
')

########################################
## <summary>
##	Read mock lib files and symlinks and list
##	mock lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mock_read_lib_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mock_read_lib_files'($*))dnl
	gen_require(`
		type mock_var_lib_t;
	')

	files_search_var_lib($1)
	list_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
	read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
	read_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mock_read_lib_files'($*))dnl
')

########################################
## <summary>
##	Get the attributes of mock lib objects of any
##	file class (file, dir, sock_file, ...).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mock_getattr_lib',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mock_getattr_lib'($*))dnl
	gen_require(`
		type mock_var_lib_t;
	')

	# No search on the parent directories is granted here.
	allow $1 mock_var_lib_t:dir_file_class_set getattr;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mock_getattr_lib'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	mock lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mock_manage_lib_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mock_manage_lib_files'($*))dnl
	gen_require(`
		type mock_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mock_manage_lib_files'($*))dnl
')

########################################
## <summary>
##	Manage mock lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mock_manage_lib_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mock_manage_lib_dirs'($*))dnl
	gen_require(`
		type mock_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mock_manage_lib_dirs'($*))dnl
')

#########################################
## <summary>
##	Manage mock lib symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mock_manage_lib_symlinks',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mock_manage_lib_symlinks'($*))dnl
	gen_require(`
		type mock_var_lib_t;
	')

	files_search_var_lib($1)
	manage_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mock_manage_lib_symlinks'($*))dnl
')

########################################
## <summary>
##	Manage mock lib character device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mock_manage_lib_chr_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mock_manage_lib_chr_files'($*))dnl
	gen_require(`
		type mock_var_lib_t;
	')

	# This allows creating character device nodes under
	# mock_var_lib_t (presumably for populating a build root);
	# device node creation is a powerful permission, so keep the
	# set of callers small.
	files_search_var_lib($1)
	manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mock_manage_lib_chr_files'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to write mock lib
##	character device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`mock_dontaudit_write_lib_chr_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mock_dontaudit_write_lib_chr_files'($*))dnl
	gen_require(`
		type mock_var_lib_t;
	')

	# Silences the denial only; the write is still refused.
	dontaudit $1 mock_var_lib_t:chr_file write;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mock_dontaudit_write_lib_chr_files'($*))dnl
')

#######################################
## <summary>
##	Do not audit reads and writes on leaked
##	mock temporary file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`mock_dontaudit_leaks',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mock_dontaudit_leaks'($*))dnl
	gen_require(`
		type mock_tmp_t;
	')

	# Covers only descriptors inherited across exec (no open), so a
	# leaked fd into mock_tmp_t stays denied but not logged.
	dontaudit $1 mock_tmp_t:file rw_inherited_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mock_dontaudit_leaks'($*))dnl
')

########################################
## <summary>
##	Execute mock in the mock domain, and
##	allow the specified role the mock domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the mock domain.
##	</summary>
## </param>
#
define(`mock_run',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mock_run'($*))dnl
	gen_require(`
		type mock_t;
		type mock_build_t;
	')

	mock_domtrans($1)
	role $2 types mock_t;
	role $2 types mock_build_t;

	# The mock domain itself is allowed to run mount under this role;
	# note this is granted to mock_t, not to the calling domain.
	mount_run(mock_t, $2)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mock_run'($*))dnl
')

########################################
## <summary>
##	Role access for mock.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
define(`mock_role',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mock_role'($*))dnl
	gen_require(`
		type mock_t;
	')

	# Argument order is (role, domain) here but (domain, role) in
	# mock_run, hence the swap on the call below.
	role $1 types mock_t;
	mock_run($2, $1)

	ps_process_pattern($2, mock_t)
	allow $2 mock_t:process signal_perms;

	# ptrace is only available while the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $2 mock_t:process ptrace;
	')

	optional_policy(`
		mock_read_lib_files($2)
	')
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mock_role'($*))dnl
')

#######################################
## <summary>
##	Send a generic signal to mock.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mock_signal',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mock_signal'($*))dnl
	gen_require(`
		type mock_t;
	')

	allow $1 mock_t:process signal;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mock_signal'($*))dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a mock environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mock_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mock_admin'($*))dnl
	gen_require(`
		type mock_t, mock_var_lib_t;
		type mock_build_t, mock_etc_t, mock_tmp_t;
	')

	allow $1 mock_t:process signal_perms;
	ps_process_pattern($1, mock_t)

	# ptrace of both the mock and the build domain is only available
	# while the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 mock_t:process ptrace;
		allow $1 mock_build_t:process ptrace;
	')

	allow $1 mock_build_t:process signal_perms;
	ps_process_pattern($1, mock_build_t)

	files_list_var_lib($1)
	admin_pattern($1, mock_var_lib_t)

	files_list_tmp($1)
	admin_pattern($1, mock_tmp_t)

	files_search_etc($1)
	admin_pattern($1, mock_etc_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mock_admin'($*))dnl
')

## <summary>Provides a DBus interface to communicate with mobile broadband (GSM, CDMA, UMTS, ...) cards.</summary>

########################################
## <summary>
##	Execute a domain transition to run modemmanager.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`modemmanager_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `modemmanager_domtrans'($*))dnl
	gen_require(`
		type modemmanager_t, modemmanager_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, modemmanager_exec_t, modemmanager_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `modemmanager_domtrans'($*))dnl
')

########################################
## <summary>
##	Control the modemmanager systemd unit with
##	systemctl (read the unit file, manage the
##	service, reload init, see modemmanager processes).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`modemmanager_systemctl',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `modemmanager_systemctl'($*))dnl
	gen_require(`
		type modemmanager_t;
		type modemmanager_unit_file_t;
	')

	# Control of the unit through systemctl; not a transition into
	# modemmanager_t (see modemmanager_domtrans for that).
	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 modemmanager_unit_file_t:file read_file_perms;
	allow $1 modemmanager_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, modemmanager_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `modemmanager_systemctl'($*))dnl
')

########################################
## <summary>
##	Send and receive messages from
##	modemmanager over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`modemmanager_dbus_chat',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `modemmanager_dbus_chat'($*))dnl
	gen_require(`
		type modemmanager_t;
		class dbus send_msg;
	')

	# Bidirectional: the caller may message modemmanager and
	# modemmanager may message the caller.
	allow $1 modemmanager_t:dbus send_msg;
	allow modemmanager_t $1:dbus send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `modemmanager_dbus_chat'($*))dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a modemmanager environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
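##	</summary>
## </param>
#
define(`modemmanager_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `modemmanager_admin'($*))dnl
	gen_require(`
		type modemmanager_t;
		type modemmanager_unit_file_t;
	')

	allow $1 modemmanager_t:process signal_perms;
	ps_process_pattern($1, modemmanager_t)

	# ptrace of the daemon is only granted while the deny_ptrace
	# tunable is off, matching the other *_admin interfaces in this
	# file; it used to be granted unconditionally here.
	tunable_policy(`deny_ptrace',`',`
		allow $1 modemmanager_t:process ptrace;
	')

	modemmanager_systemctl($1)
	admin_pattern($1, modemmanager_unit_file_t)
	allow $1 modemmanager_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `modemmanager_admin'($*))dnl
')

## <summary>MojoMojo Wiki.</summary>

########################################
## <summary>
##	All of the rules required to
##	administrate a mojomojo environment.
##	Deprecated: calls apache_admin() and
##	prints a warning.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`mojomojo_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mojomojo_admin'($*))dnl
	refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.')
	apache_admin($1, $2)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mojomojo_admin'($*))dnl
')

## <summary>policy for mon_statd</summary>

########################################
## <summary>
##	Execute mon_statd in the mon_statd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`mon_statd_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mon_statd_domtrans'($*))dnl
	gen_require(`
		type mon_statd_t, mon_statd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, mon_statd_exec_t, mon_statd_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mon_statd_domtrans'($*))dnl
')

########################################
## <summary>
##	Execute mon_procd in the mon_procd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.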
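##	</summary>
## </param>
#
define(`mon_procd_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mon_procd_domtrans'($*))dnl
	gen_require(`
		type mon_procd_t, mon_procd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, mon_procd_exec_t, mon_procd_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mon_procd_domtrans'($*))dnl
')

## <summary>Scalable, high-performance, open source NoSQL database.</summary>

########################################
## <summary>
##	All of the rules required to
##	administrate a mongodb environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`mongodb_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mongodb_admin'($*))dnl
	gen_require(`
		type mongod_t, mongod_initrc_exec_t, mongod_log_t;
		type mongod_var_lib_t, mongod_var_run_t;
	')

	allow $1 mongod_t:process signal_perms;
	ps_process_pattern($1, mongod_t)

	# ptrace of the daemon is only granted while the deny_ptrace
	# tunable is off, matching the other *_admin interfaces in this
	# file; it used to be granted unconditionally here.
	tunable_policy(`deny_ptrace',`',`
		allow $1 mongod_t:process ptrace;
	')

	# Run the init script and switch the admin role to system_r
	# for the duration of the script.
	init_labeled_script_domtrans($1, mongod_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 mongod_initrc_exec_t system_r;
	allow $2 system_r;

	logging_search_logs($1)
	admin_pattern($1, mongod_log_t)

	files_search_var_lib($1)
	admin_pattern($1, mongod_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, mongod_var_run_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mongodb_admin'($*))dnl
')

## <summary>Run .NET server and client applications on Linux.</summary>

#######################################
## <summary>
##	The role template for the mono module.
## </summary>
## <desc>
##	<p>
##	This template creates a derived domain which is used
##	for mono applications started from the given user domain.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
#
define(`mono_role_template',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mono_role_template'($*))dnl
	gen_require(`
		attribute mono_domain;
		type mono_exec_t;
	')

	########################################
	#
	# Declarations
	#

	type $1_mono_t, mono_domain;
	domain_type($1_mono_t)
	domain_entry_file($1_mono_t, mono_exec_t)
	role $2 types $1_mono_t;

	domain_interactive_fd($1_mono_t)
	application_type($1_mono_t)

	########################################
	#
	# Policy
	#

	domtrans_pattern($3, mono_exec_t, $1_mono_t)

	# noatsecure is kept for unrestricted inheritance from the caller
	# (as in mozilla_role).  ptrace used to be granted unconditionally;
	# it is now gated by the deny_ptrace tunable like the rest of this
	# file.
	allow $3 $1_mono_t:process { noatsecure signal_perms };
	tunable_policy(`deny_ptrace',`',`
		allow $3 $1_mono_t:process ptrace;
	')

	# ps_process_pattern takes a domain as its subject.  The user
	# domain is the third argument; the second is the role, which was
	# passed here before and is not a valid allow-rule source.
	ps_process_pattern($3, $1_mono_t)
	corecmd_bin_domtrans($1_mono_t, $3)

	userdom_manage_user_tmpfs_files($1_mono_t)

	optional_policy(`
		fs_dontaudit_rw_tmpfs_files($1_mono_t)
		# Use the role that was passed in instead of assuming it is
		# named after the prefix.
		xserver_role($2, $1_mono_t)
	')
dnl
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mono_role_template'($*))dnl
')

########################################
## <summary>
##	Execute mono in the mono domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`mono_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mono_domtrans'($*))dnl
	gen_require(`
		type mono_t, mono_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, mono_exec_t, mono_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mono_domtrans'($*))dnl
')

########################################
## <summary>
##	Execute mono in the mono domain, and
##	allow the specified role the mono domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.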
##	</summary>
## </param>
#
define(`mono_run',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mono_run'($*))dnl
	gen_require(`
		attribute_role mono_roles;
	')

	# The role is added to the mono_roles attribute rather than
	# being given the mono_t type directly.
	mono_domtrans($1)
	roleattribute $2 mono_roles;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mono_run'($*))dnl
')

########################################
## <summary>
##	Execute mono in the caller domain
##	(no domain transition).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mono_exec',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mono_exec'($*))dnl
	gen_require(`
		type mono_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, mono_exec_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mono_exec'($*))dnl
')

########################################
## <summary>
##	Read and write mono shared memory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mono_rw_shm',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mono_rw_shm'($*))dnl
	gen_require(`
		type mono_t;
	')

	allow $1 mono_t:shm rw_shm_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mono_rw_shm'($*))dnl
')

## <summary>Monopoly daemon.</summary>

########################################
## <summary>
##	All of the rules required to
##	administrate a monop environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
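##	</summary>
## </param>
#
define(`monop_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `monop_admin'($*))dnl
	gen_require(`
		type monopd_t, monopd_initrc_exec_t, monopd_share_t;
		type monopd_etc_t, monopd_var_run_t;
	')

	allow $1 monopd_t:process signal_perms;
	ps_process_pattern($1, monopd_t)

	# ptrace of the daemon is only granted while the deny_ptrace
	# tunable is off, matching the other *_admin interfaces in this
	# file; it used to be granted unconditionally here.
	tunable_policy(`deny_ptrace',`',`
		allow $1 monopd_t:process ptrace;
	')

	# Run the init script and switch the admin role to system_r
	# for the duration of the script.
	init_labeled_script_domtrans($1, monopd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 monopd_initrc_exec_t system_r;
	allow $2 system_r;

	# The configuration type is expected under /etc, like the other
	# *_etc_t / *_conf_t types paired with files_search_etc() in this
	# file.  The previous logging_search_logs() call gave no path to
	# monopd_etc_t and this interface manages no log type.
	files_search_etc($1)
	admin_pattern($1, monopd_etc_t)

	files_search_pids($1)
	admin_pattern($1, monopd_var_run_t)

	files_search_usr($1)
	admin_pattern($1, monopd_share_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `monop_admin'($*))dnl
')

## <summary>Detect motion using a video4linux device</summary>

########################################
## <summary>
##	Execute motion in the motion domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`motion_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `motion_domtrans'($*))dnl
	gen_require(`
		type motion_t, motion_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, motion_exec_t, motion_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `motion_domtrans'($*))dnl
')

########################################
## <summary>
##	Read motion log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`motion_read_log',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `motion_read_log'($*))dnl
	gen_require(`
		type motion_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, motion_log_t, motion_log_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `motion_read_log'($*))dnl
')

########################################
## <summary>
##	Append to motion log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.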
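##	</summary>
## </param>
#
define(`motion_append_log',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `motion_append_log'($*))dnl
	gen_require(`
		type motion_log_t;
	')

	# Append only: existing log content cannot be read or rewritten.
	logging_search_logs($1)
	append_files_pattern($1, motion_log_t, motion_log_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `motion_append_log'($*))dnl
')

########################################
## <summary>
##	Manage motion log files, directories and symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`motion_manage_log',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `motion_manage_log'($*))dnl
	gen_require(`
		type motion_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, motion_log_t, motion_log_t)
	manage_files_pattern($1, motion_log_t, motion_log_t)
	manage_lnk_files_pattern($1, motion_log_t, motion_log_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `motion_manage_log'($*))dnl
')

########################################
## <summary>
##	Manage motion PID files and directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`motion_manage_pid',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `motion_manage_pid'($*))dnl
	gen_require(`
		type motion_var_run_t;
	')

	# Search on the PID directory was missing, unlike the other
	# *_manage_pid_files interfaces in this file, so the caller could
	# not reach motion_var_run_t without an extra grant elsewhere.
	files_search_pids($1)
	manage_dirs_pattern($1, motion_var_run_t, motion_var_run_t)
	manage_files_pattern($1, motion_var_run_t, motion_var_run_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `motion_manage_pid'($*))dnl
')

########################################
## <summary>
##	Manage motion data files and directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.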
##	</summary>
## </param>
#
define(`motion_manage_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `motion_manage_data'($*)) dnl
	gen_require(`
		type motion_data_t;
	')

	manage_dirs_pattern($1, motion_data_t, motion_data_t)
	manage_files_pattern($1, motion_data_t, motion_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `motion_manage_data'($*)) dnl
')

########################################
## <summary>
##	Allow the domain to control the motion service through
##	systemctl: read and manage its unit file and reload services.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`motion_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `motion_systemctl'($*)) dnl
	gen_require(`
		type motion_t;
		type motion_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 motion_unit_file_t:file read_file_perms;
	allow $1 motion_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, motion_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `motion_systemctl'($*)) dnl
')

########################################
## <summary>
##	Manage all motion files (log, pid and data).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`motion_manage_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `motion_manage_all_files'($*)) dnl
	# Composed purely from the other motion_manage_* interfaces, so no
	# gen_require block is needed here.
	motion_manage_log($1)
	motion_manage_pid($1)
	motion_manage_data($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `motion_manage_all_files'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a motion environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`motion_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `motion_admin'($*)) dnl
	gen_require(`
		type motion_t;
		type motion_log_t;
		type motion_unit_file_t;
	')

	allow $1 motion_t:process { signal_perms };
	ps_process_pattern($1, motion_t)

	# ptrace is only granted when the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 motion_t:process ptrace;
	')

	logging_search_logs($1)
	admin_pattern($1, motion_log_t)

	motion_systemctl($1)
	admin_pattern($1, motion_unit_file_t)
	allow $1 motion_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `motion_admin'($*)) dnl
')

## <summary>Policy for Mozilla and related web browsers</summary>

########################################
## <summary>
##	Role access for mozilla.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
define(`mozilla_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_role'($*)) dnl
	gen_require(`
		type mozilla_t, mozilla_exec_t, mozilla_home_t;
		attribute_role mozilla_roles;
	')

	roleattribute $1 mozilla_roles;

	domain_auto_trans($2, mozilla_exec_t, mozilla_t)

	# Unrestricted inheritance from the caller.
	allow $2 mozilla_t:process { noatsecure siginh rlimitinh };

	allow mozilla_t $2:fd use;
	allow mozilla_t $2:process { sigchld signull };
	allow mozilla_t $2:unix_stream_socket connectto;

	# Allow the user domain to signal/ps.
	ps_process_pattern($2, mozilla_t)
	allow $2 mozilla_t:process signal_perms;

	allow $2 mozilla_t:fd use;
	allow $2 mozilla_t:shm { associate getattr };
	allow $2 mozilla_t:shm { unix_read unix_write };
	allow $2 mozilla_t:unix_stream_socket connectto;

	# X access, Home files
	manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
	manage_files_pattern($2, mozilla_home_t, mozilla_home_t)
	manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
	relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
	relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
	relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)

	# NOTE(review): slated for removal once the roleattribute covers this
	# (original comment: "should be remove then with adding of roleattribute").
	mozilla_run_plugin(mozilla_t, $1)
	mozilla_dbus_chat($2)

	userdom_manage_tmp_role($1, mozilla_t)

	optional_policy(`
		nsplugin_role($1, mozilla_t)
	')

	optional_policy(`
		pulseaudio_role($1, mozilla_t)
		pulseaudio_filetrans_admin_home_content(mozilla_t)
		pulseaudio_filetrans_home_content(mozilla_t)
	')

	mozilla_filetrans_home_content($2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_role'($*)) dnl
')

########################################
## <summary>
##	Read mozilla home directory content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mozilla_read_user_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_read_user_home_files'($*)) dnl
	gen_require(`
		type mozilla_home_t;
	')

	allow $1 mozilla_home_t:dir list_dir_perms;
	allow $1 mozilla_home_t:file read_file_perms;
	allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
	userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_read_user_home_files'($*)) dnl
')

########################################
## <summary>
##	Write mozilla home directory content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mozilla_write_user_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_write_user_home_files'($*)) dnl
	gen_require(`
		type mozilla_home_t;
	')

	write_files_pattern($1, mozilla_home_t, mozilla_home_t)
	userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_write_user_home_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write inherited
##	mozilla home directory content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`mozilla_dontaudit_rw_user_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_dontaudit_rw_user_home_files'($*)) dnl
	gen_require(`
		type mozilla_home_t;
	')

	dontaudit $1 mozilla_home_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_dontaudit_rw_user_home_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to create, read, write, and delete
##	mozilla home directory content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`mozilla_dontaudit_manage_user_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_dontaudit_manage_user_home_files'($*)) dnl
	gen_require(`
		type mozilla_home_t;
	')

	dontaudit $1 mozilla_home_t:dir manage_dir_perms;
	dontaudit $1 mozilla_home_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_dontaudit_manage_user_home_files'($*)) dnl
')

########################################
## <summary>
##	Execute mozilla home directory content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mozilla_exec_user_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_exec_user_home_files'($*)) dnl
	gen_require(`
		type mozilla_home_t;
	')

	can_exec($1, mozilla_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_exec_user_home_files'($*)) dnl
')

########################################
## <summary>
##	Execmod mozilla home directory content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mozilla_execmod_user_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_execmod_user_home_files'($*)) dnl
	gen_require(`
		type mozilla_home_t;
	')

	# execmod on user-writable home content lets the domain map modified
	# files executable; grant only where text relocation is really needed.
	allow $1 mozilla_home_t:file execmod;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_execmod_user_home_files'($*)) dnl
')

########################################
## <summary>
##	Run mozilla in the mozilla domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`mozilla_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_domtrans'($*)) dnl
	gen_require(`
		type mozilla_t, mozilla_exec_t;
	')

	domtrans_pattern($1, mozilla_exec_t, mozilla_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute a mozilla_exec_t in the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
define(`mozilla_domtrans_spec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_domtrans_spec'($*)) dnl
	gen_require(`
		type mozilla_exec_t;
	')

	# Makes mozilla_exec_t an entry point for the caller-chosen domain $2.
	domain_entry_file($2, mozilla_exec_t)
	domtrans_pattern($1, mozilla_exec_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_domtrans_spec'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run mozilla_plugin.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mozilla_domtrans_plugin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_domtrans_plugin'($*)) dnl
	gen_require(`
		type mozilla_plugin_t, mozilla_plugin_exec_t;
		type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
		type mozilla_plugin_rw_t;
		class dbus send_msg;
	')

	domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
	domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)

	allow mozilla_plugin_t $1:process signull;
	dontaudit mozilla_plugin_config_t $1:file read_inherited_file_perms;
	dontaudit mozilla_plugin_t $1:process signal;

	# Bidirectional IPC between the caller and the plugin domain:
	# sockets, shared memory, semaphores and fifos.
	allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
	allow $1 mozilla_plugin_t:fd use;
	allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
	allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms };
	allow mozilla_plugin_t $1:shm { rw_shm_perms destroy };
	allow mozilla_plugin_t $1:sem create_sem_perms;
	allow $1 mozilla_plugin_t:sem rw_sem_perms;
	allow $1 mozilla_plugin_t:shm rw_shm_perms;
	allow $1 mozilla_plugin_t:fifo_file rw_fifo_file_perms;

	ps_process_pattern($1, mozilla_plugin_t)
	ps_process_pattern(mozilla_plugin_t, $1)
	allow $1 mozilla_plugin_t:process { signal_perms noatsecure };

	list_dirs_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
	read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
	read_lnk_files_pattern($1, mozilla_plugin_rw_t,
		mozilla_plugin_rw_t)
	can_exec($1, mozilla_plugin_rw_t)

	allow $1 mozilla_plugin_t:dbus send_msg;
	allow mozilla_plugin_t $1:dbus send_msg;
	# NOTE(review): duplicates the signull rule granted earlier in this
	# interface; harmless but could be dropped.
	allow mozilla_plugin_t $1:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_domtrans_plugin'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to transition to mozilla_plugin_t
##	with NoNewPrivileges set.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mozilla_nnp_domtrans_plugin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_nnp_domtrans_plugin'($*)) dnl
	gen_require(`
		type mozilla_plugin_t;
	')

	allow $1 mozilla_plugin_t:process2 nnp_transition;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_nnp_domtrans_plugin'($*)) dnl
')

########################################
## <summary>
##	Execute mozilla_plugin in the mozilla_plugin domain, and
##	allow the specified role the mozilla_plugin domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the mozilla_plugin domain.
##	</summary>
## </param>
#
define(`mozilla_run_plugin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_run_plugin'($*)) dnl
	gen_require(`
		type mozilla_plugin_t;
		attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles;
	')

	mozilla_domtrans_plugin($1)
	roleattribute $2 mozilla_plugin_roles;
	roleattribute $2 mozilla_plugin_config_roles;

	# ptrace of the plugin is only granted when deny_ptrace is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 mozilla_plugin_t:process ptrace;
	')

	optional_policy(`
		lpd_run_lpr(mozilla_plugin_t, $2)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_run_plugin'($*)) dnl
')

#######################################
## <summary>
##	Allow the specified role the mozilla_plugin and
##	mozilla_plugin_config domains.
## </summary>
## <param name="role">
##	<summary>
##	The role to allow the mozilla_plugin domain.
##	</summary>
## </param>
## <rolecap/>
#
define(`mozilla_role_plugin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_role_plugin'($*)) dnl
	gen_require(`
		attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles;
	')

	roleattribute $1 mozilla_plugin_roles;
	roleattribute $1 mozilla_plugin_config_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_role_plugin'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	mozilla over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mozilla_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_dbus_chat'($*)) dnl
	gen_require(`
		type mozilla_t;
		class dbus send_msg;
	')

	allow $1 mozilla_t:dbus send_msg;
	allow mozilla_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Read and write mozilla per-user TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mozilla_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_rw_tcp_sockets'($*)) dnl
	gen_require(`
		type mozilla_t;
	')

	allow $1 mozilla_t:tcp_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_rw_tcp_sockets'($*)) dnl
')

#######################################
## <summary>
##	Read mozilla_plugin tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mozilla_plugin_read_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_read_tmpfs_files'($*)) dnl
	gen_require(`
		type mozilla_plugin_tmpfs_t;
	')

	allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_read_tmpfs_files'($*)) dnl
')

#######################################
## <summary>
##	Read and write mozilla_plugin tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mozilla_plugin_rw_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_rw_tmpfs_files'($*)) dnl
	gen_require(`
		type mozilla_plugin_tmpfs_t;
	')

	rw_files_pattern($1, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_rw_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Delete mozilla_plugin tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mozilla_plugin_delete_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_delete_tmpfs_files'($*)) dnl
	gen_require(`
		type mozilla_plugin_tmpfs_t;
	')

	allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_delete_tmpfs_files'($*)) dnl
')
#######################################
## <summary>
##	Do not audit generic IPC (semaphore) read/write
##	to a mozilla_plugin.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`mozilla_plugin_dontaudit_rw_sem',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_dontaudit_rw_sem'($*)) dnl
	gen_require(`
		type mozilla_plugin_t;
	')

	dontaudit $1 mozilla_plugin_t:sem { associate unix_read unix_write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_dontaudit_rw_sem'($*)) dnl
')

#######################################
## <summary>
##	Allow generic IPC (semaphore) read/write
##	to a mozilla_plugin.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mozilla_plugin_rw_sem',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_rw_sem'($*)) dnl
	gen_require(`
		type mozilla_plugin_t;
	')

	allow $1 mozilla_plugin_t:sem { associate unix_read unix_write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_rw_sem'($*)) dnl
')

########################################
## <summary>
##	Do not audit read/write on mozilla_plugin unix stream
##	sockets leaked into the domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`mozilla_plugin_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_dontaudit_leaks'($*)) dnl
	gen_require(`
		type mozilla_plugin_t;
	')

	dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_dontaudit_leaks'($*)) dnl
')

#######################################
## <summary>
##	Do not audit read/write to mozilla_plugin tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
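##	</summary>
## </param>
#
define(`mozilla_plugin_dontaudit_rw_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_dontaudit_rw_tmp_files'($*)) dnl
	gen_require(`
		type mozilla_plugin_tmp_t;
	')

	dontaudit $1 mozilla_plugin_tmp_t:file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_dontaudit_rw_tmp_files'($*)) dnl
')

#######################################
## <summary>
##	Allow read/write to mozilla_plugin tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mozilla_plugin_rw_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_rw_tmp_files'($*)) dnl
	gen_require(`
		type mozilla_plugin_tmp_t;
	')

	# This interface promises access, so it must be an allow rule; the
	# previous body was a copy of the dontaudit variant above, which only
	# hid the denials from the audit log without granting anything.
	# No open permission is granted: the descriptor is expected to be
	# inherited from the plugin (matches the { read write } set that was
	# being silenced) — confirm callers do not need to open the file.
	allow $1 mozilla_plugin_tmp_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_rw_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	mozilla_plugin rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mozilla_plugin_manage_rw_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_manage_rw_files'($*)) dnl
	gen_require(`
		type mozilla_plugin_rw_t;
	')

	allow $1 mozilla_plugin_rw_t:file manage_file_perms;
	allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_manage_rw_files'($*)) dnl
')

########################################
## <summary>
##	Read mozilla_plugin rw files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.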
##	</summary>
## </param>
#
define(`mozilla_plugin_read_rw_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_read_rw_files'($*)) dnl
	gen_require(`
		type mozilla_plugin_rw_t;
	')

	read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_read_rw_files'($*)) dnl
')

########################################
## <summary>
##	Create mozilla content in the user home directory
##	with a correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mozilla_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_filetrans_home_content'($*)) dnl
	gen_require(`
		type mozilla_home_t, mozilla_plugin_rw_t;
	')

	files_filetrans_lib($1, mozilla_plugin_rw_t, file, "nswrapper_32_64.nppdf.so")

	# Named file transitions: browser and plugin dotfiles created directly
	# in the user home directory get mozilla_home_t instead of the generic
	# user home type.
	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".thunderbird")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".netscape")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".phoenix")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".adobe")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".macromedia")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".grl-podcasts")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedtea")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
	userdom_user_home_dir_filetrans($1,
		mozilla_home_t, dir, ".spicec")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".IBMERS")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "mozilla.pdf")
	userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex")

	optional_policy(`
		gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
		gnome_cache_filetrans($1, mozilla_home_t, dir, "icedtea-web")
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_filetrans_home_content'($*)) dnl
')

########################################
## <summary>
##	Allow the domain to read mozilla_plugin state files in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mozilla_plugin_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mozilla_plugin_read_state'($*)) dnl
	gen_require(`
		type mozilla_plugin_t;
	')

	kernel_search_proc($1)
	ps_process_pattern($1, mozilla_plugin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mozilla_plugin_read_state'($*)) dnl
')

## <summary>Music Player Daemon.</summary>

########################################
## <summary>
##	Role access for mpd.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
define(`mpd_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_role'($*)) dnl
	# Deprecated: emits a build-time warning and grants nothing.
	refpolicywarn(`$0($*) has been deprecated') dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_role'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run mpd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`mpd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_domtrans'($*)) dnl
	gen_require(`
		type mpd_t, mpd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, mpd_exec_t, mpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute the mpd init script in the init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`mpd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_initrc_domtrans'($*)) dnl
	gen_require(`
		type mpd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, mpd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_initrc_domtrans'($*)) dnl
')

#######################################
## <summary>
##	Read mpd data files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mpd_read_data_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_read_data_files'($*)) dnl
	gen_require(`
		type mpd_data_t;
	')

	mpd_search_lib($1)
	read_files_pattern($1, mpd_data_t, mpd_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_read_data_files'($*)) dnl
')

######################################
## <summary>
##	Create, read, write, and delete
##	mpd data files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mpd_manage_data_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_manage_data_files'($*)) dnl
	gen_require(`
		type mpd_data_t;
	')

	mpd_search_lib($1)
	manage_files_pattern($1, mpd_data_t, mpd_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_manage_data_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	mpd user data content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mpd_manage_user_data_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_manage_user_data_content'($*)) dnl
	gen_require(`
		type mpd_user_data_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 mpd_user_data_t:dir manage_dir_perms;
	allow $1 mpd_user_data_t:file manage_file_perms;
	allow $1 mpd_user_data_t:lnk_file manage_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_manage_user_data_content'($*)) dnl
')

########################################
## <summary>
##	Relabel mpd user data content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mpd_relabel_user_data_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_relabel_user_data_content'($*)) dnl
	gen_require(`
		type mpd_user_data_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 mpd_user_data_t:dir relabel_dir_perms;
	allow $1 mpd_user_data_t:file relabel_file_perms;
	allow $1 mpd_user_data_t:lnk_file relabel_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_relabel_user_data_content'($*)) dnl
')

########################################
## <summary>
##	Create objects in user home
##	directories with the mpd user data type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Class of the object being created.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`mpd_home_filetrans_user_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_home_filetrans_user_data'($*)) dnl
	gen_require(`
		type mpd_user_data_t;
	')

	userdom_user_home_dir_filetrans($1, mpd_user_data_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_home_filetrans_user_data'($*)) dnl
')

#######################################
## <summary>
##	Read mpd tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mpd_read_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_read_tmpfs_files'($*)) dnl
	gen_require(`
		type mpd_tmpfs_t;
	')

	fs_search_tmpfs($1)
	read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_read_tmpfs_files'($*)) dnl
')

###################################
## <summary>
##	Create, read, write, and delete
##	mpd tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mpd_manage_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_manage_tmpfs_files'($*)) dnl
	gen_require(`
		type mpd_tmpfs_t;
	')

	fs_search_tmpfs($1)
	manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
	manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_manage_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Search mpd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mpd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_search_lib'($*)) dnl
	gen_require(`
		type mpd_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 mpd_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read mpd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mpd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_read_lib_files'($*)) dnl
	gen_require(`
		type mpd_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	mpd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mpd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_manage_lib_files'($*)) dnl
	gen_require(`
		type mpd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_manage_lib_files'($*)) dnl
')

#######################################
## <summary>
##	Create specified objects in mpd
##	lib directories with a private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class of the object being created.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`mpd_var_lib_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_var_lib_filetrans'($*)) dnl
	gen_require(`
		type mpd_var_lib_t;
	')

	files_search_var_lib($1)
	filetrans_pattern($1, mpd_var_lib_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_var_lib_filetrans'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	mpd lib dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mpd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_manage_lib_dirs'($*)) dnl
	gen_require(`
		type mpd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Connect to mpd over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mpd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_stream_connect'($*)) dnl
	gen_require(`
		type mpd_t, mpd_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, mpd_var_run_t, mpd_var_run_t, mpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_stream_connect'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an mpd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`mpd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mpd_admin'($*)) dnl
	gen_require(`
		type mpd_t, mpd_initrc_exec_t, mpd_etc_t;
		type mpd_data_t, mpd_log_t, mpd_var_lib_t;
		type mpd_tmpfs_t, mpd_tmp_t, mpd_user_data_t;
	')

	allow $1 mpd_t:process signal_perms;
	ps_process_pattern($1, mpd_t)

	# ptrace is only granted when the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 mpd_t:process ptrace;
	')

	mpd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 mpd_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, mpd_etc_t)

	files_search_var_lib($1)
	admin_pattern($1, { mpd_data_t mpd_user_data_t mpd_var_lib_t })

	logging_search_logs($1)
	admin_pattern($1, mpd_log_t)

	files_search_tmp($1)
	admin_pattern($1, mpd_tmp_t)

	fs_search_tmpfs($1)
	admin_pattern($1, mpd_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mpd_admin'($*)) dnl
')

## <summary>Mplayer media player and encoder.</summary>

########################################
## <summary>
##	Role access for mplayer.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
define(`mplayer_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mplayer_role'($*)) dnl
	gen_require(`
		attribute_role mencoder_roles, mplayer_roles;
		type mencoder_t, mencoder_exec_t, mplayer_home_t;
		type mplayer_t, mplayer_exec_t, mplayer_tmpfs_t;
	')

	########################################
	#
	# Declarations
	#

	roleattribute $1 mencoder_roles;
	roleattribute $1 mplayer_roles;

	########################################
	#
	# Policy
	#

	domtrans_pattern($2, mencoder_exec_t, mencoder_t)
	domtrans_pattern($2, mplayer_exec_t, mplayer_t)

	# NOTE(review): ptrace is granted unconditionally here, unlike the
	# admin interfaces in this file that gate it on deny_ptrace — confirm
	# this is intended for the user domain.
	allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms };
	ps_process_pattern($2, { mplayer_t mencoder_t })

	allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms };
	allow $2 mplayer_home_t:file { manage_file_perms relabel_file_perms };
	allow $2
mplayer_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; userdom_user_home_dir_filetrans($2, mplayer_home_t, dir, ".mplayer") allow $2 mplayer_tmpfs_t:file { manage_file_perms relabel_file_perms }; allow $2 mplayer_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; allow $2 mplayer_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; allow $2 mplayer_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mplayer_role'($*)) dnl ') ######################################## ## ## Run mplayer in mplayer domain. ## ## ## ## Domain allowed to transition. ## ## # define(`mplayer_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mplayer_domtrans'($*)) dnl gen_require(` type mplayer_t, mplayer_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, mplayer_exec_t, mplayer_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mplayer_domtrans'($*)) dnl ') ######################################## ## ## Execute mplayer in the caller domain. ## ## ## ## Domain allowed access. ## ## # # define(`mplayer_exec',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mplayer_exec'($*)) dnl gen_require(` type mplayer_exec_t; ') corecmd_search_bin($1) can_exec($1, mplayer_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mplayer_exec'($*)) dnl ') ######################################## ## ## Read mplayer user home content files. ## ## ## ## Domain allowed access. 
##	</summary>
## </param>
#
define(`mplayer_read_user_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mplayer_read_user_home_files'($*)) dnl
gen_require(`
	type mplayer_home_t;
')

	userdom_search_user_home_dirs($1)
	read_files_pattern($1, mplayer_home_t, mplayer_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mplayer_read_user_home_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	generic mplayer home content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mplayer_manage_generic_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mplayer_manage_generic_home_content'($*)) dnl
gen_require(`
	type mplayer_home_t;
')

	userdom_search_user_home_dirs($1)
	allow $1 mplayer_home_t:dir manage_dir_perms;
	allow $1 mplayer_home_t:file manage_file_perms;
	allow $1 mplayer_home_t:lnk_file manage_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mplayer_manage_generic_home_content'($*)) dnl
')

########################################
## <summary>
##	Create specified objects in user home
##	directories with the generic mplayer
##	home type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Class of the object being created.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`mplayer_home_filetrans_mplayer_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mplayer_home_filetrans_mplayer_home'($*)) dnl
gen_require(`
	type mplayer_home_t;
')

	# Class and name come from the caller, unlike
	# mplayer_filetrans_home_content which is fixed to the ".mplayer" dir.
	userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mplayer_home_filetrans_mplayer_home'($*)) dnl
')

########################################
## <summary>
##	Create the ".mplayer" directory in user home
##	directories with the generic mplayer
##	home type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mplayer_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mplayer_filetrans_home_content'($*)) dnl
gen_require(`
	type mplayer_home_t;
')

	# Only the ".mplayer" directory itself transitions; its contents are
	# covered by the other mplayer home interfaces.
	userdom_user_home_dir_filetrans($1, mplayer_home_t, dir, ".mplayer")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mplayer_filetrans_home_content'($*)) dnl
')

## <summary>Network traffic graphing.</summary>

########################################
## <summary>
##	Read mrtg lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mrtg_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mrtg_read_lib_files'($*)) dnl
gen_require(`
	type mrtg_var_lib_t;
')

	files_search_var_lib($1)
	read_files_pattern($1, mrtg_var_lib_t, mrtg_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mrtg_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create and append mrtg log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mrtg_append_create_logs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mrtg_append_create_logs'($*)) dnl
gen_require(`
	type mrtg_log_t;
')

	logging_search_logs($1)
	# append + create only: existing log content cannot be rewritten.
	append_files_pattern($1, mrtg_log_t, mrtg_log_t)
	create_files_pattern($1, mrtg_log_t, mrtg_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mrtg_append_create_logs'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an mrtg environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
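##	</summary>
## </param>
#
define(`mrtg_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mrtg_admin'($*)) dnl
gen_require(`
	type mrtg_t, mrtg_var_run_t, mrtg_initrc_exec_t;
	type mrtg_var_lib_t, mrtg_lock_t, mrtg_log_t;
	type mrtg_etc_t;
')

	allow $1 mrtg_t:process signal_perms;
	ps_process_pattern($1, mrtg_t)

	# ptrace of the daemon is gated on deny_ptrace, matching mpd_admin
	# in this file, instead of being granted unconditionally.
	tunable_policy(`deny_ptrace',`',`
		allow $1 mrtg_t:process ptrace;
	')

	init_labeled_script_domtrans($1, mrtg_initrc_exec_t)
	domain_system_change_exemption($1)
	# The admin role may run the init script as system_r.
	role_transition $2 mrtg_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, mrtg_etc_t)

	files_search_locks($1)
	admin_pattern($1, mrtg_lock_t)

	logging_search_logs($1)
	admin_pattern($1, mrtg_log_t)

	files_search_pids($1)
	admin_pattern($1, mrtg_var_run_t)

	files_search_var_lib($1)
	admin_pattern($1, mrtg_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mrtg_admin'($*)) dnl
')

## <summary>Policy common to all email transfer agents.</summary>

########################################
## <summary>
##	MTA stub interface. No access allowed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_stub'($*)) dnl
gen_require(`
	type sendmail_exec_t;
')

	# Intentionally empty: only pulls the sendmail_exec_t requirement in.
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_stub'($*)) dnl
')

########################################
## <summary>
##	Basic mail transfer agent domain template.
## </summary>
## <desc>
##	<p>
##	This template creates a derived domain which is
##	an email transfer agent, which sends mail on
##	behalf of the user.
##	</p>
##	<p>
##	This is the basic types and rules, common
##	to the system agent and user agents.
##	</p>
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
define(`mta_base_mail_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_base_mail_template'($*)) dnl
gen_require(`
	attribute user_mail_domain;
	type sendmail_exec_t;
')

	##############################
	#
	# $1_mail_t declarations
	#

	type $1_mail_t, user_mail_domain;
	application_domain($1_mail_t, sendmail_exec_t)

	type $1_mail_tmp_t;
	files_tmp_file($1_mail_tmp_t)

	manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
	manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
	files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })

	kernel_read_system_state($1_mail_t)

	corenet_all_recvfrom_netlabel($1_mail_t)

	auth_use_nsswitch($1_mail_t)

	logging_send_syslog_msg($1_mail_t)

	optional_policy(`
		postfix_domtrans_user_mail_handler($1_mail_t)
	')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_base_mail_template'($*)) dnl
')

########################################
## <summary>
##	Role access for mta
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
define(`mta_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_role'($*)) dnl
gen_require(`
	attribute mta_user_agent;
	type user_mail_t, sendmail_exec_t;
')

	role $1 types { user_mail_t mta_user_agent };

	# Transition from the user domain to the derived domain.
	domtrans_pattern($2, sendmail_exec_t, user_mail_t)
	allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;

	# The mail agent keeps the user's inherited fds and pipes and reports
	# back with SIGCHLD; the user domain itself may only signal it.
	allow mta_user_agent $2:fd use;
	allow mta_user_agent $2:process sigchld;
	allow mta_user_agent $2:fifo_file rw_inherited_fifo_file_perms;
	allow $2 user_mail_t:process signal;

	optional_policy(`
		exim_run($2, $1)
	')

	optional_policy(`
		mailman_run(mta_user_agent, $1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_role'($*)) dnl
')

########################################
## <summary>
##	Make the specified domain usable for a mail server.
## </summary>
## <param name="domain">
##	<summary>
##	Type to be used as a mail server domain.
##	</summary>
## </param>
## <param name="entry_point">
##	<summary>
##	Type of the program to be used as an entry point to this domain.
##	</summary>
## </param>
#
define(`mta_mailserver',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_mailserver'($*)) dnl
gen_require(`
	attribute mailserver_domain;
')

	init_daemon_domain($1, $2)
	typeattribute $1 mailserver_domain;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_mailserver'($*)) dnl
')

########################################
## <summary>
##	Make the specified type a MTA executable file.
## </summary>
## <param name="type">
##	<summary>
##	Type to be used as a mail client.
##	</summary>
## </param>
#
define(`mta_agent_executable',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_agent_executable'($*)) dnl
gen_require(`
	attribute mta_exec_type;
')

	typeattribute $1 mta_exec_type;
	application_executable_file($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_agent_executable'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write leaked file descriptors
##	of the system mail domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.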
##	</summary>
## </param>
#
define(`mta_dontaudit_leaks_system_mail',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_dontaudit_leaks_system_mail'($*)) dnl
gen_require(`
	type system_mail_t;
')

	# Silences audit noise only; nothing is allowed here.
	dontaudit $1 system_mail_t:fifo_file write;
	dontaudit $1 system_mail_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_dontaudit_leaks_system_mail'($*)) dnl
')

########################################
## <summary>
##	Make the specified type mail content
##	handled by a system MTA.
## </summary>
## <param name="type">
##	<summary>
##	Type to be used as a mail client.
##	</summary>
## </param>
#
define(`mta_system_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_system_content'($*)) dnl
gen_require(`
	attribute mailcontent_type;
')

	typeattribute $1 mailcontent_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_system_content'($*)) dnl
')

########################################
## <summary>
##	Modified mailserver interface for
##	sendmail daemon use.
## </summary>
## <desc>
##	<p>
##	A modified MTA mail server interface for
##	the sendmail program. Its design does
##	not fit well with policy, and using the
##	regular interface causes a type_transition
##	conflict if direct running of init scripts
##	is enabled.
##	</p>
##	<p>
##	This interface should most likely only be used
##	by the sendmail policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type to be used for the mail server.
##	</summary>
## </param>
#
define(`mta_sendmail_mailserver',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_sendmail_mailserver'($*)) dnl
gen_require(`
	attribute mailserver_domain;
	type sendmail_exec_t;
')

	# init_system_domain rather than init_daemon_domain (see desc above):
	# the entry point is fixed to sendmail_exec_t.
	init_system_domain($1, sendmail_exec_t)
	typeattribute $1 mailserver_domain;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_sendmail_mailserver'($*)) dnl
')

########################################
## <summary>
##	Make a type a mailserver type used
##	for sending mail.
## </summary>
## <param name="domain">
##	<summary>
##	Mail server domain type used for sending mail.
##	</summary>
## </param>
#
define(`mta_mailserver_sender',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_mailserver_sender'($*)) dnl
gen_require(`
	attribute mailserver_sender;
')

	typeattribute $1 mailserver_sender;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_mailserver_sender'($*)) dnl
')

########################################
## <summary>
##	Make a type a mailserver type used
##	for delivering mail to local users.
## </summary>
## <param name="domain">
##	<summary>
##	Mail server domain type used for delivering mail.
##	</summary>
## </param>
#
define(`mta_mailserver_delivery',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_mailserver_delivery'($*)) dnl
gen_require(`
	attribute mailserver_delivery;
')

	typeattribute $1 mailserver_delivery;

	# Local delivery writes into user home directories, so the delivery
	# domain becomes a home manager and gets the home-content transitions.
	userdom_home_manager($1)

	optional_policy(`
		mta_rw_delivery_tcp_sockets($1)
	')

	userdom_filetrans_home_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_mailserver_delivery'($*)) dnl
')

########################################
## <summary>
##	Make a type a mailserver type used
##	for sending mail on behalf of local
##	users to the local mail spool.
## </summary>
## <param name="domain">
##	<summary>
##	Mail server domain type used for sending local mail.
##	</summary>
## </param>
#
define(`mta_mailserver_user_agent',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_mailserver_user_agent'($*)) dnl
gen_require(`
	attribute mta_user_agent;
')

	typeattribute $1 mta_user_agent;

	optional_policy(`
		# apache should set close-on-exec
		apache_dontaudit_rw_stream_sockets($1)
		apache_dontaudit_rw_sys_script_stream_sockets($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_mailserver_user_agent'($*)) dnl
')

########################################
## <summary>
##	Send mail from the system.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`mta_send_mail',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_send_mail'($*)) dnl
gen_require(`
	attribute mta_user_agent;
	type system_mail_t;
	attribute mta_exec_type;
')

	allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
	corecmd_read_bin_symlinks($1)
	# Any mta_exec_type binary transitions the caller into system_mail_t.
	domtrans_pattern($1, mta_exec_type, system_mail_t)

	# The mail agent inherits the caller's fds/pipes and reports SIGCHLD;
	# inherited unix stream sockets are silenced rather than allowed.
	allow mta_user_agent $1:fd use;
	allow mta_user_agent $1:process sigchld;
	allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
	dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_send_mail'($*)) dnl
')

########################################
## <summary>
##	Execute send mail in a specified domain.
## </summary>
## <desc>
##	<p>
##	Execute send mail in a specified domain.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	Domain to transition to.
##	</summary>
## </param>
#
define(`mta_sendmail_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_sendmail_domtrans'($*)) dnl
gen_require(`
	attribute mta_exec_type;
	attribute mta_user_agent;
')

	files_search_usr($1)
	allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
	corecmd_read_bin_symlinks($1)
	# The target domain needs entrypoint on the MTA executables for the
	# transition below to be valid.
	allow $2 mta_exec_type:file entrypoint;
	domtrans_pattern($1, mta_exec_type, $2)

	allow mta_user_agent $1:fd use;
	allow mta_user_agent $1:process sigchld;
	allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_sendmail_domtrans'($*)) dnl
')

########################################
## <summary>
##	Send system mail client a signal
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_signal_system_mail',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_signal_system_mail'($*)) dnl
gen_require(`
	type system_mail_t;
')

	allow $1 system_mail_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_signal_system_mail'($*)) dnl
')

########################################
## <summary>
##	Allow role to access system_mail_t.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`mta_role_access_system_mail',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_role_access_system_mail'($*)) dnl
gen_require(`
	type system_mail_t;
')

	role $1 types system_mail_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_role_access_system_mail'($*)) dnl
')

########################################
## <summary>
##	Send all user mail client a signal
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_signal_user_agent',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_signal_user_agent'($*)) dnl
gen_require(`
	attribute mta_user_agent;
')

	allow $1 mta_user_agent:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_signal_user_agent'($*)) dnl
')

########################################
## <summary>
##	Send all user mail client a kill signal
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_kill_user_agent',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_kill_user_agent'($*)) dnl
gen_require(`
	attribute mta_user_agent;
')

	allow $1 mta_user_agent:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_kill_user_agent'($*)) dnl
')

########################################
## <summary>
##	Send system mail client a kill signal
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_kill_system_mail',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_kill_system_mail'($*)) dnl
gen_require(`
	type system_mail_t;
')

	allow $1 system_mail_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_kill_system_mail'($*)) dnl
')

########################################
## <summary>
##	Execute sendmail in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_sendmail_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_sendmail_exec'($*)) dnl
gen_require(`
	type sendmail_exec_t;
')

	# No domain transition; compare mta_send_mail / mta_sendmail_domtrans.
	can_exec($1, sendmail_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_sendmail_exec'($*)) dnl
')

########################################
## <summary>
##	Check whether sendmail executable
##	files are executable.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_sendmail_access_check',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_sendmail_access_check'($*)) dnl
gen_require(`
	type sendmail_exec_t;
')

	corecmd_search_bin($1)
	# getattr + execute is enough for an access(2)-style check; no
	# execute_no_trans, so the caller cannot actually run it in-domain.
	allow $1 sendmail_exec_t:file { getattr_file_perms execute };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_sendmail_access_check'($*)) dnl
')

########################################
## <summary>
##	Read mail server configuration.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`mta_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_read_config'($*)) dnl
gen_require(`
	type etc_mail_t;
')

	files_search_etc($1)
	allow $1 etc_mail_t:dir list_dir_perms;
	read_files_pattern($1, etc_mail_t, etc_mail_t)
	read_lnk_files_pattern($1, etc_mail_t, etc_mail_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_read_config'($*)) dnl
')

########################################
## <summary>
##	Write mail server configuration.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`mta_write_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_write_config'($*)) dnl
gen_require(`
	type etc_mail_t;
')

	# NOTE(review): unlike mta_read_config, no files_search_etc($1) is
	# granted here; callers presumably obtain it elsewhere -- confirm.
	write_files_pattern($1, etc_mail_t, etc_mail_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_write_config'($*)) dnl
')

########################################
## <summary>
##	Manage mail server configuration.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`mta_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_manage_config'($*)) dnl
gen_require(`
	type etc_mail_t;
')

	manage_files_pattern($1, etc_mail_t, etc_mail_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_manage_config'($*)) dnl
')

########################################
## <summary>
##	Read mail address aliases.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_read_aliases',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_read_aliases'($*)) dnl
gen_require(`
	type etc_aliases_t;
')

	files_search_etc($1)
	allow $1 etc_aliases_t:file read_file_perms;
	allow $1 etc_aliases_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_read_aliases'($*)) dnl
')

########################################
## <summary>
##	Mmap mail address aliases.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_map_aliases',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_map_aliases'($*)) dnl
gen_require(`
	type etc_aliases_t;
')

	# map only; pair with mta_read_aliases for the read access itself.
	allow $1 etc_aliases_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_map_aliases'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete mail address aliases.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_manage_aliases',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_manage_aliases'($*)) dnl
gen_require(`
	type etc_aliases_t;
')

	files_search_etc($1)
	manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
	manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
	mta_filetrans_named_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_manage_aliases'($*)) dnl
')

########################################
## <summary>
##	Type transition files created in /etc
##	to the mail address aliases type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`mta_etc_filetrans_aliases',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_etc_filetrans_aliases'($*)) dnl
gen_require(`
	type etc_aliases_t;
')

	files_etc_filetrans($1, etc_aliases_t, file, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_etc_filetrans_aliases'($*)) dnl
')

########################################
## <summary>
##	Read and write mail aliases.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`mta_rw_aliases',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_rw_aliases'($*)) dnl
gen_require(`
	type etc_aliases_t;
')

	files_search_etc($1)
	# setattr is included in addition to plain read/write.
	allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_rw_aliases'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write TCP
##	sockets of mail delivery domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`mta_dontaudit_rw_delivery_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_dontaudit_rw_delivery_tcp_sockets'($*)) dnl
gen_require(`
	attribute mailserver_delivery;
')

	dontaudit $1 mailserver_delivery:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_dontaudit_rw_delivery_tcp_sockets'($*)) dnl
')

########################################
## <summary>
##	Allow attempts to read and write TCP
##	sockets of mail delivery domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_rw_delivery_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_rw_delivery_tcp_sockets'($*)) dnl
gen_require(`
	attribute mailserver_delivery;
')

	# This is an allow rule, not a dontaudit like the interface above.
	allow $1 mailserver_delivery:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_rw_delivery_tcp_sockets'($*)) dnl
')

########################################
## <summary>
##	Connect to all mail servers over TCP. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_tcp_connect_all_mailservers',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_tcp_connect_all_mailservers'($*)) dnl
	# Deprecated: emits a build-time warning and grants nothing.
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_tcp_connect_all_mailservers'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read a symlink
##	in the mail spool.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`mta_dontaudit_read_spool_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_dontaudit_read_spool_symlinks'($*)) dnl
gen_require(`
	type mail_spool_t;
')

	dontaudit $1 mail_spool_t:lnk_file read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_dontaudit_read_spool_symlinks'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of mail spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_getattr_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_getattr_spool'($*)) dnl
gen_require(`
	type mail_spool_t;
')

	files_search_spool($1)
	allow $1 mail_spool_t:dir list_dir_perms;
	getattr_files_pattern($1, mail_spool_t, mail_spool_t)
	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_getattr_spool'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of mail spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`mta_dontaudit_getattr_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_dontaudit_getattr_spool_files'($*)) dnl
gen_require(`
	type mail_spool_t;
')

	files_dontaudit_search_spool($1)
	dontaudit $1 mail_spool_t:dir search_dir_perms;
	dontaudit $1 mail_spool_t:lnk_file read_lnk_file_perms;
	dontaudit $1 mail_spool_t:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_dontaudit_getattr_spool_files'($*)) dnl
')

########################################
## <summary>
##	Create private objects in the
##	mail spool directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class of the object being created.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`mta_spool_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_spool_filetrans'($*)) dnl
gen_require(`
	type mail_spool_t;
')

	files_search_spool($1)
	filetrans_pattern($1, mail_spool_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_spool_filetrans'($*)) dnl
')

########################################
## <summary>
##	Read the mail spool.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_read_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_read_spool'($*)) dnl
gen_require(`
	type mail_spool_t;
')

	files_search_spool($1)
	read_files_pattern($1, mail_spool_t, mail_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_read_spool'($*)) dnl
')

########################################
## <summary>
##	Read and write the mail spool.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_rw_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_rw_spool'($*)) dnl
gen_require(`
	type mail_spool_t;
')

	files_search_spool($1)
	allow $1 mail_spool_t:dir list_dir_perms;
	allow $1 mail_spool_t:file setattr_file_perms;
	# NOTE(review): manage_files_pattern is broader than the "read and
	# write" summary suggests (it is the same pattern mta_manage_spool
	# uses); confirm callers really need more than rw here.
	manage_files_pattern($1, mail_spool_t, mail_spool_t)
	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_rw_spool'($*)) dnl
')

########################################
## <summary>
##	Create and write the mail spool.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_append_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_append_spool'($*)) dnl
gen_require(`
	type mail_spool_t;
')

	files_search_spool($1)
	allow $1 mail_spool_t:dir list_dir_perms;
	# Only create and write patterns are granted on files; there is no
	# read_files_pattern here, only symlink reads below.
	create_files_pattern($1, mail_spool_t, mail_spool_t)
	write_files_pattern($1, mail_spool_t, mail_spool_t)
	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_append_spool'($*)) dnl
')

########################################
## <summary>
##	Delete from the mail spool.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_delete_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_delete_spool'($*)) dnl
gen_require(`
	type mail_spool_t;
')

	files_search_spool($1)
	delete_files_pattern($1, mail_spool_t, mail_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_delete_spool'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete mail spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_manage_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_manage_spool'($*)) dnl
gen_require(`
	type mail_spool_t;
')

	files_search_spool($1)
	manage_dirs_pattern($1, mail_spool_t, mail_spool_t)
	manage_files_pattern($1, mail_spool_t, mail_spool_t)
	manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
	# map is granted here too (mmap of spool files).
	allow $1 mail_spool_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_manage_spool'($*)) dnl
')

########################################
## <summary>
##	Search mail queue dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_search_queue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_search_queue'($*)) dnl
gen_require(`
	type mqueue_spool_t;
')

	files_search_spool($1)
	allow $1 mqueue_spool_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_search_queue'($*)) dnl
')

########################################
## <summary>
##	List the mail queue.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_list_queue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_list_queue'($*)) dnl
gen_require(`
	type mqueue_spool_t;
')

	allow $1 mqueue_spool_t:dir list_dir_perms;
	files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_list_queue'($*)) dnl
')

########################################
## <summary>
##	Read the mail queue.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_read_queue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_read_queue'($*)) dnl
gen_require(`
	type mqueue_spool_t;
')

	read_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
	files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_read_queue'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and
##	write the mail queue.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`mta_dontaudit_rw_queue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_dontaudit_rw_queue'($*)) dnl
gen_require(`
	type mqueue_spool_t;
')

	dontaudit $1 mqueue_spool_t:dir search_dir_perms;
	dontaudit $1 mqueue_spool_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_dontaudit_rw_queue'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	mail queue files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_manage_queue',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_manage_queue'($*)) dnl
	gen_require(`
		type mqueue_spool_t;
	')

	files_search_spool($1)
	manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)
	manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_manage_queue'($*)) dnl
')

#######################################
## <summary>
##	Create private objects in the
##	mqueue spool directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class of the object being created.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`mta_spool_filetrans_queue',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_spool_filetrans_queue'($*)) dnl
	gen_require(`
		type mqueue_spool_t;
	')

	files_search_spool($1)
	# $2 = new type, $3 = object class(es), $4 = optional file name
	filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_spool_filetrans_queue'($*)) dnl
')

#######################################
## <summary>
##	Read sendmail binary.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for postfix
define(`mta_read_sendmail_bin',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_read_sendmail_bin'($*)) dnl
	gen_require(`
		type sendmail_exec_t;
	')

	# read only: no execute permission on the sendmail binary is granted here
	allow $1 sendmail_exec_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_read_sendmail_bin'($*)) dnl
')

#######################################
## <summary>
##	Read and write unix domain stream sockets
##	of user mail domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`mta_rw_user_mail_stream_sockets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_rw_user_mail_stream_sockets'($*)) dnl
	gen_require(`
		attribute user_mail_domain;
	')

	# applies to every domain carrying the user_mail_domain attribute
	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_rw_user_mail_stream_sockets'($*)) dnl
')

########################################
## <summary>
##	Type transition files created in calling dir
##	to the mail address aliases type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="dir">
##	<summary>
##	Directory to transition on.
##	</summary>
## </param>
#
define(`mta_filetrans_aliases',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_filetrans_aliases'($*)) dnl
	gen_require(`
		type etc_aliases_t;
	')

	# files (only the file class) created by $1 in $2 get etc_aliases_t
	filetrans_pattern($1, $2, etc_aliases_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_filetrans_aliases'($*)) dnl
')

######################################
## <summary>
##	Allow domain to append mail content in the homedir
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_append_home',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_append_home'($*)) dnl
	gen_require(`
		type mail_home_t;
	')

	userdom_search_user_home_dirs($1)
	append_files_pattern($1, mail_home_t, mail_home_t)

	# the admin home dir is only searchable on Red Hat based builds
	ifdef(`distro_redhat',`
		userdom_search_admin_dir($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_append_home'($*)) dnl
')

######################################
## <summary>
##	Allow domain to read mail content in the homedir
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`mta_read_home',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_read_home'($*)) dnl
	gen_require(`
		type mail_home_t;
	')

	userdom_search_user_home_dirs($1)
	read_files_pattern($1, mail_home_t, mail_home_t)

	# the admin home dir is only searchable on Red Hat based builds
	ifdef(`distro_redhat',`
		userdom_search_admin_dir($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_read_home'($*)) dnl
')

####################################
## <summary>
##	Allow domain to mmap mail content in the homedir
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_mmap_home_rw',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_mmap_home_rw'($*)) dnl
	gen_require(`
		type mail_home_rw_t;
	')

	# map only; read/write access comes from the read/manage interfaces
	allow $1 mail_home_rw_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_mmap_home_rw'($*)) dnl
')

####################################
## <summary>
##	Allow domain to read and list read-write mail content
##	(mail_home_rw_t) in the homedir
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_read_home_rw',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_read_home_rw'($*)) dnl
	gen_require(`
		type mail_home_rw_t;
	')

	userdom_search_user_home_dirs($1)
	read_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
	list_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
	read_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)

	# the admin home dir is only searchable on Red Hat based builds
	ifdef(`distro_redhat',`
		userdom_search_admin_dir($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_read_home_rw'($*)) dnl
')

####################################
## <summary>
##	Allow domain to manage mail content in the homedir
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`mta_manage_home_rw',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_manage_home_rw'($*)) dnl
	gen_require(`
		type mail_home_rw_t;
	')

	userdom_search_user_home_dirs($1)
	userdom_search_admin_dir($1)
	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
	manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")

	# NOTE(review): userdom_search_admin_dir is already called
	# unconditionally above, so the call inside this ifdef is redundant.
	ifdef(`distro_redhat',`
		userdom_search_admin_dir($1)
		userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_manage_home_rw'($*)) dnl
')

########################################
## <summary>
##	Create mail content in the /root directory
##	with the correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mta_filetrans_admin_home_content',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_filetrans_admin_home_content'($*)) dnl
	gen_require(`
		type mail_home_t;
		type mail_home_rw_t;
	')

	# read-only mail config/content gets mail_home_t
	userdom_admin_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
	userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".esmtprc")
	userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
	userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward")
	# mailbox dirs and the esmtp queue (file or dir) get mail_home_rw_t
	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_filetrans_admin_home_content'($*)) dnl
')

########################################
## <summary>
##	Transition to mta named home content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`mta_filetrans_home_content',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_filetrans_home_content'($*)) dnl
	gen_require(`
		type mail_home_t;
		type mail_home_rw_t;
	')

	# same name set as the admin home variant, applied to user home dirs:
	# read-only mail config/content gets mail_home_t
	userdom_user_home_dir_filetrans($1, mail_home_t, file, ".esmtprc")
	userdom_user_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
	userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
	userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward")
	# mailbox dirs and the esmtp queue (file or dir) get mail_home_rw_t
	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
	userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".esmtp_queue")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_filetrans_home_content'($*)) dnl
')

########################################
## <summary>
##	Transition to mta named content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`mta_filetrans_named_content',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mta_filetrans_named_content'($*)) dnl
	gen_require(`
		type etc_aliases_t;
		type etc_mail_t;
	')

	#filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })
	# aliases databases created via mta_etc_filetrans_aliases
	# (presumably the generic /etc location; defined elsewhere)
	mta_etc_filetrans_aliases($1, "aliases")
	mta_etc_filetrans_aliases($1, "aliases.db")
	mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
	mta_etc_filetrans_aliases($1, "__db.aliases.db")
	mta_etc_filetrans_aliases($1, "virtusertable.db")
	mta_etc_filetrans_aliases($1, "access.db")
	mta_etc_filetrans_aliases($1, "domaintable.db")
	# the same map databases created directly inside an etc_mail_t dir
	filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "virtusertable.db")
	filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "access.db")
	filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "domaintable.db")
	filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "mailertable.db")
	filetrans_pattern($1, etc_mail_t, etc_aliases_t, file, "aliasesdb-stamp")
	# home directory content, user and admin variants
	mta_filetrans_home_content($1)
	mta_filetrans_admin_home_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mta_filetrans_named_content'($*)) dnl
')

## <summary>Munin network-wide load graphing (formerly LRRD)</summary>

########################################
## <summary>
##	Create a set of derived types for various
##	munin plugins,
## </summary>
## <param name="prefix">
##	<summary>
##	The name to be used for deriving type names.
## </summary>
## </param>
#
define(`munin_plugin_template',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_plugin_template'($*)) dnl
	gen_require(`
		attribute munin_plugin_domain, munin_plugin_tmp_content;
		type munin_t;
	')

	# derived types: $1_munin_plugin_t (domain), its entrypoint and tmp type
	type $1_munin_plugin_t, munin_plugin_domain;
	type $1_munin_plugin_exec_t;
	# legacy munin_<prefix>_plugin_* names kept as aliases
	typealias $1_munin_plugin_t alias munin_$1_plugin_t;
	typealias $1_munin_plugin_exec_t alias munin_$1_plugin_exec_t;
	application_domain($1_munin_plugin_t, $1_munin_plugin_exec_t)
	role system_r types $1_munin_plugin_t;

	type $1_munin_plugin_tmp_t, munin_plugin_tmp_content;
	typealias $1_munin_plugin_tmp_t alias munin_$1_plugin_tmp_t;
	files_tmp_file($1_munin_plugin_tmp_t)

	########################################
	#
	# Policy
	#

	# automatic transition rules from munin domain
	# to specific munin plugin domain
	domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)

	manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
	manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
	files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file })

	kernel_read_system_state($1_munin_plugin_t)

	corenet_all_recvfrom_unlabeled($1_munin_plugin_t)
	corenet_all_recvfrom_netlabel($1_munin_plugin_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_plugin_template'($*)) dnl
')

########################################
## <summary>
##	Connect to munin over a unix domain
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`munin_stream_connect',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_stream_connect'($*)) dnl
	gen_require(`
		type munin_var_run_t, munin_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, munin_var_run_t, munin_var_run_t, munin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_stream_connect'($*)) dnl
')

#######################################
## <summary>
##	Read munin configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`munin_read_config',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_read_config'($*)) dnl
	gen_require(`
		type munin_etc_t;
	')

	allow $1 munin_etc_t:dir list_dir_perms;
	allow $1 munin_etc_t:file read_file_perms;
	allow $1 munin_etc_t:lnk_file read_lnk_file_perms;
	files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_read_config'($*)) dnl
')

#######################################
## <summary>
##	Read munin library files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`munin_read_var_lib_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_read_var_lib_files'($*)) dnl
	gen_require(`
		type munin_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_read_var_lib_files'($*)) dnl
')

#######################################
## <summary>
##	Manage munin library files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`munin_manage_var_lib_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_manage_var_lib_files'($*)) dnl
	gen_require(`
		type munin_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
	manage_dirs_pattern($1, munin_var_lib_t, munin_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_manage_var_lib_files'($*)) dnl
')

#######################################
## <summary>
##	Append munin library files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`munin_append_var_lib_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_append_var_lib_files'($*)) dnl
	gen_require(`
		type munin_var_lib_t;
	')

	files_search_var_lib($1)
	append_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_append_var_lib_files'($*)) dnl
')

######################################
## <summary>
##	Do not audit reads and writes on leaked
##	munin tcp socket file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`munin_dontaudit_leaks',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_dontaudit_leaks'($*)) dnl
	gen_require(`
		type munin_t;
	')

	# only tcp_socket read/write is silenced; nothing is allowed
	dontaudit $1 munin_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_dontaudit_leaks'($*)) dnl
')

#######################################
## <summary>
##	Append to the munin log.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
define(`munin_append_log',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_append_log'($*)) dnl
	gen_require(`
		type munin_log_t;
	')

	logging_search_logs($1)
	allow $1 munin_log_t:dir list_dir_perms;
	append_files_pattern($1, munin_log_t, munin_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_append_log'($*)) dnl
')

#######################################
## <summary>
##	Search munin library directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`munin_search_lib',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_search_lib'($*)) dnl
	gen_require(`
		type munin_var_lib_t;
	')

	allow $1 munin_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_search_lib'($*)) dnl
')

#######################################
## <summary>
##	Do not audit attempts to search
##	munin library directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`munin_dontaudit_search_lib',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_dontaudit_search_lib'($*)) dnl
	gen_require(`
		type munin_var_lib_t;
	')

	dontaudit $1 munin_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_dontaudit_search_lib'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a munin environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the munin domain.
## </summary>
## </param>
## <rolecap/>
#
define(`munin_admin',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `munin_admin'($*)) dnl
	gen_require(`
		attribute munin_plugin_domain, munin_plugin_tmp_content;
		type munin_t, munin_etc_t, munin_tmp_t;
		type munin_log_t, munin_var_lib_t, munin_var_run_t;
		type munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
	')

	allow $1 munin_t:process signal_perms;
	ps_process_pattern($1, munin_t)

	# ptrace of munin is granted only while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 munin_t:process ptrace;
	')

	# run the init script and let the admin role reach system_r for it
	init_labeled_script_domtrans($1, munin_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 munin_initrc_exec_t system_r;
	allow $2 system_r;

	# full management of every munin file type
	files_list_tmp($1)
	admin_pattern($1, { munin_tmp_t munin_plugin_tmp_content })

	logging_list_logs($1)
	admin_pattern($1, munin_log_t)

	files_list_etc($1)
	admin_pattern($1, munin_etc_t)

	files_list_var_lib($1)
	admin_pattern($1, { munin_var_lib_t munin_plugin_state_t })

	files_list_pids($1)
	admin_pattern($1, munin_var_run_t)

	admin_pattern($1, munin_content_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `munin_admin'($*)) dnl
')

## <summary>Policy for MySQL</summary>

######################################
## <summary>
##	Execute MySQL in the mysql domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`mysql_domtrans',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_domtrans'($*)) dnl
	gen_require(`
		type mysqld_t, mysqld_exec_t;
	')

	domtrans_pattern($1, mysqld_exec_t, mysqld_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_domtrans'($*)) dnl
')

######################################
## <summary>
##	Execute MySQL in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`mysql_exec',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_exec'($*)) dnl
	gen_require(`
		type mysqld_exec_t;
	')

	# no domain transition: the binary runs in the caller domain
	can_exec($1, mysqld_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_exec'($*)) dnl
')

########################################
## <summary>
##	Send a generic signal to MySQL.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mysql_signal',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_signal'($*)) dnl
	gen_require(`
		type mysqld_t;
	')

	allow $1 mysqld_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_signal'($*)) dnl
')

#######################################
## <summary>
##	Send a null signal to mysql.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mysql_signull',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_signull'($*)) dnl
	gen_require(`
		type mysqld_t;
	')

	allow $1 mysqld_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_signull'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to connect to MySQL with a tcp socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mysql_tcp_connect',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_tcp_connect'($*)) dnl
	gen_require(`
		type mysqld_t;
	')

	# client side only: connect to the mysqld port and exchange packets
	corenet_tcp_recvfrom_labeled($1, mysqld_t)
	corenet_tcp_sendrecv_mysqld_port($1)
	corenet_tcp_connect_mysqld_port($1)
	corenet_sendrecv_mysqld_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_tcp_connect'($*)) dnl
')

########################################
## <summary>
##	Connect to MySQL using a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
define(`mysql_stream_connect',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_stream_connect'($*)) dnl
	gen_require(`
		type mysqld_t, mysqld_var_run_t, mysqld_db_t;
	')

	files_search_pids($1)
	# the mysqld_var_run_t socket may sit in the pid dir or in the db dir
	stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
	stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Read MySQL configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`mysql_read_config',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_read_config'($*)) dnl
	gen_require(`
		type mysqld_etc_t;
	')

	allow $1 mysqld_etc_t:dir list_dir_perms;
	allow $1 mysqld_etc_t:file read_file_perms;
	allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_read_config'($*)) dnl
')

########################################
## <summary>
##	Search the directories that contain MySQL
##	database storage.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: "_dir" in the name is added to clarify that this
# is not searching the database itself.
define(`mysql_search_db',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_search_db'($*)) dnl
	gen_require(`
		type mysqld_db_t;
	')

	files_search_var_lib($1)
	allow $1 mysqld_db_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_search_db'($*)) dnl
')

########################################
## <summary>
##	List the directories that contain MySQL
##	database storage.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`mysql_list_db',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_list_db'($*)) dnl
	gen_require(`
		type mysqld_db_t;
	')

	files_search_var_lib($1)
	allow $1 mysqld_db_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_list_db'($*)) dnl
')

########################################
## <summary>
##	Read and write to the MySQL database directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mysql_rw_db_dirs',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_rw_db_dirs'($*)) dnl
	gen_require(`
		type mysqld_db_t;
	')

	files_search_var_lib($1)
	allow $1 mysqld_db_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_rw_db_dirs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete MySQL database directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mysql_manage_db_dirs',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_manage_db_dirs'($*)) dnl
	gen_require(`
		type mysqld_db_t;
	')

	files_search_var_lib($1)
	allow $1 mysqld_db_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_manage_db_dirs'($*)) dnl
')

#######################################
## <summary>
##	Append to MySQL database files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mysql_append_db_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_append_db_files'($*)) dnl
	gen_require(`
		type mysqld_db_t;
	')

	files_search_var_lib($1)
	append_files_pattern($1, mysqld_db_t, mysqld_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_append_db_files'($*)) dnl
')

#######################################
## <summary>
##	Read MySQL database symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mysql_read_db_lnk_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_read_db_lnk_files'($*)) dnl
	gen_require(`
		type mysqld_db_t;
	')

	files_search_var_lib($1)
	# symbolic links only; regular db files are covered by mysql_rw_db_files
	read_lnk_files_pattern($1, mysqld_db_t, mysqld_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_read_db_lnk_files'($*)) dnl
')

#######################################
## <summary>
##	Read and write MySQL database files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mysql_rw_db_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_rw_db_files'($*)) dnl
	gen_require(`
		type mysqld_db_t;
	')

	files_search_var_lib($1)
	rw_files_pattern($1, mysqld_db_t, mysqld_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_rw_db_files'($*)) dnl
')

#######################################
## <summary>
##	Create, read, write, and delete MySQL database files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mysql_manage_db_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_manage_db_files'($*)) dnl
	gen_require(`
		type mysqld_db_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, mysqld_db_t, mysqld_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_manage_db_files'($*)) dnl
')

########################################
## <summary>
##	Read and write to the MySQL database
##	named socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`mysql_rw_db_sockets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_rw_db_sockets'($*)) dnl
	gen_require(`
		type mysqld_db_t;
	')

	files_search_var_lib($1)
	allow $1 mysqld_db_t:dir search_dir_perms;
	# socket node access only; connecting to mysqld needs mysql_stream_connect
	allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_rw_db_sockets'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to append to MySQL log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mysql_append_log',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_append_log'($*)) dnl
	gen_require(`
		type mysqld_log_t;
	')

	logging_search_logs($1)
	allow $1 mysqld_log_t:dir list_dir_perms;
	append_files_pattern($1, mysqld_log_t, mysqld_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_append_log'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to append to the MySQL logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`mysql_dontaudit_append_log',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_dontaudit_append_log'($*)) dnl
	gen_require(`
		type mysqld_log_t;
	')

	dontaudit $1 mysqld_log_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_dontaudit_append_log'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to read MySQL log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
define(`mysql_read_log',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_read_log'($*)) dnl
	gen_require(`
		type mysqld_log_t;
	')

	logging_search_logs($1)
	allow $1 mysqld_log_t:dir list_dir_perms;
	read_files_pattern($1, mysqld_log_t, mysqld_log_t)
	read_lnk_files_pattern($1, mysqld_log_t, mysqld_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_read_log'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read MySQL log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <rolecap/>
#
define(`mysql_dontaudit_read_log',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_dontaudit_read_log'($*)) dnl
	gen_require(`
		type mysqld_log_t;
	')

	dontaudit $1 mysqld_log_t:file read_file_perms;
	dontaudit $1 mysqld_log_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_dontaudit_read_log'($*)) dnl
')

########################################
## <summary>
##	Write to the MySQL log.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mysql_write_log',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_write_log'($*)) dnl
	gen_require(`
		type mysqld_log_t;
	')

	logging_search_logs($1)
	# write plus setattr on existing log files; no create or dir access here
	allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_write_log'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write to the MySQL log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
## <rolecap/>
#
define(`mysql_dontaudit_write_log',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_dontaudit_write_log'($*)) dnl
	gen_require(`
		type mysqld_log_t;
	')

	dontaudit $1 mysqld_log_t:file { write_file_perms setattr_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_dontaudit_write_log'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read/write to the MySQL db files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <rolecap/>
#
define(`mysql_dontaudit_rw_db',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_dontaudit_rw_db'($*)) dnl
	gen_require(`
		type mysqld_db_t;
	')

	dontaudit $1 mysqld_db_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_dontaudit_rw_db'($*)) dnl
')

######################################
## <summary>
##	Execute MySQL safe script in the mysql safe domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`mysql_domtrans_mysql_safe',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_domtrans_mysql_safe'($*)) dnl
	gen_require(`
		type mysqld_safe_t, mysqld_safe_exec_t;
	')

	domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_domtrans_mysql_safe'($*)) dnl
')

######################################
## <summary>
##	Execute MySQL_safe in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mysql_safe_exec',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_safe_exec'($*)) dnl
	gen_require(`
		type mysqld_safe_exec_t;
	')

	# no domain transition: the script runs in the caller domain
	can_exec($1, mysqld_safe_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_safe_exec'($*)) dnl
')

#####################################
## <summary>
##	Read MySQL PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mysql_read_pid_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_read_pid_files'($*)) dnl
	gen_require(`
		type mysqld_var_run_t;
	')

	# mysql_search_pid_files is defined further down in this file;
	# m4 resolves it when this interface is expanded, not when it is defined
	mysql_search_pid_files($1)
	read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_read_pid_files'($*)) dnl
')

#####################################
## <summary>
##	Search MySQL PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`mysql_search_pid_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_search_pid_files'($*)) dnl
	gen_require(`
		type mysqld_var_run_t;
	')

	search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_search_pid_files'($*)) dnl
')

########################################
## <summary>
##	Manage the mysqld service with systemctl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mysql_systemctl',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_systemctl'($*)) dnl
	gen_require(`
		type mysqld_unit_file_t;
		type mysqld_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	# read the unit file, control the mysqld service, and see mysqld processes
	allow $1 mysqld_unit_file_t:file read_file_perms;
	allow $1 mysqld_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, mysqld_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_systemctl'($*)) dnl
')

########################################
## <summary>
##	Read mysqld homedir content (.k5login)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## # define(`mysql_read_home_content',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mysql_read_home_content'($*)) dnl gen_require(` type mysqld_home_t; ') userdom_search_user_home_dirs($1) read_files_pattern($1, mysqld_home_t, mysqld_home_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mysql_read_home_content'($*)) dnl ') ######################################## ## ## Transition to mysqld named content ## ## ## ## Domain allowed access. ## ## # define(`mysql_filetrans_named_content',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mysql_filetrans_named_content'($*)) dnl gen_require(` type mysqld_home_t; type mysqld_var_run_t; ') userdom_admin_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf") userdom_user_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf") files_pid_filetrans($1, mysqld_var_run_t, {dir}, "mysqld") files_pid_filetrans($1, mysqld_var_run_t, {dir}, "mysql") popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mysql_filetrans_named_content'($*)) dnl ') ######################################## ## ## All of the rules required to administrate an mysql environment ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed to manage the mysql domain. 
##
##
##
#
define(`mysql_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mysql_admin'($*)) dnl
	gen_require(`
		type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t;
		type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
		type mysqld_etc_t;
		type mysqld_home_t;
		type mysqld_unit_file_t;
	')

	allow $1 mysqld_t:process signal_perms;
	ps_process_pattern($1, mysqld_t)

	# ptrace of mysqld is only granted while the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 mysqld_t:process ptrace;
	')

	init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 mysqld_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_pids($1)
	admin_pattern($1, mysqld_var_run_t)

	admin_pattern($1, mysqld_db_t)

	files_list_etc($1)
	admin_pattern($1, mysqld_etc_t)

	logging_list_logs($1)
	admin_pattern($1, mysqld_log_t)

	files_list_tmp($1)
	admin_pattern($1, mysqld_tmp_t)

	userdom_search_user_home_dirs($1)
	files_list_root($1)
	admin_pattern($1, mysqld_home_t)

	mysql_systemctl($1)
	admin_pattern($1, mysqld_unit_file_t)
	# full control of the mysqld unit, beyond what mysql_systemctl() grants
	allow $1 mysqld_unit_file_t:service all_service_perms;

	mysql_stream_connect($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mysql_admin'($*)) dnl
')

## policy for mythtv_script

########################################
##
##	Execute mythtv scripts in the mythtv_script domain.
##
##
##
##	Domain allowed to transition.
##
##
#
define(`mythtv_script_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mythtv_script_domtrans'($*)) dnl
	gen_require(`
		type mythtv_script_t, mythtv_script_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, mythtv_script_exec_t, mythtv_script_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mythtv_script_domtrans'($*)) dnl
')

#######################################
##
##	Read mythtv libs.
##
##
##
##	Domain allowed access.
## ## # define(`mythtv_read_lib',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mythtv_read_lib'($*)) dnl gen_require(` type mythtv_var_lib_t; ') read_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t) files_list_var_lib($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mythtv_read_lib'($*)) dnl ') ####################################### ## ## Create, read, write, and delete ## mythtv lib content. ## ## ## ## Domain allowed access. ## ## # define(`mythtv_manage_lib',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mythtv_manage_lib'($*)) dnl gen_require(` type mythtv_var_lib_t; ') manage_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t) manage_lnk_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t) files_list_var_lib($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mythtv_manage_lib'($*)) dnl ') ####################################### ## ## read mythtv logs. ## ## ## ## Domain allowed access. ## ## # define(`mythtv_read_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mythtv_read_log'($*)) dnl gen_require(` type mythtv_var_log_t; ') read_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t) logging_search_logs($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mythtv_read_log'($*)) dnl ') ####################################### ## ## Append mythtv log files. ## ## ## ## Domain allowed access. 
## ## # define(`mythtv_append_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mythtv_append_log'($*)) dnl gen_require(` type mythtv_var_log_t; ') append_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t) logging_search_logs($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mythtv_append_log'($*)) dnl ') ####################################### ## ## Create, read, write, and delete ## mythtv log content. ## ## ## ## Domain allowed access. ## ## # define(`mythtv_manage_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mythtv_manage_log'($*)) dnl gen_require(` type mythtv_var_log_t; ') manage_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t) manage_lnk_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t) logging_search_logs($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mythtv_manage_log'($*)) dnl ') ######################################## ## ## All of the rules required to ## administrate an mythtv environment. ## ## ## ## Domain allowed access. ## ## ## # define(`mythtv_admin',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mythtv_admin'($*)) dnl gen_require(` type mythtv_script_t, mythtv_var_lib_t; type mythtv_var_log_t; ') allow $1 mythtv_script_t:process signal_perms; ps_process_pattern($1, mythtv_script_t) tunable_policy(`deny_ptrace',`',` allow $1 mythtv_script_t:process ptrace; ') logging_list_logs($1) admin_pattern($1, mythtv_var_log_t) files_list_var_lib($1) admin_pattern($1, mythtv_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mythtv_admin'($*)) dnl ') ## New monitoring suite that aims to be faster and more stable, while giving you a clearer view of the state of your network. ######################################## ## ## Execute naemon in the naemon domin. 
##
##
##
##	Domain allowed to transition.
##
##
#
define(`naemon_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `naemon_domtrans'($*)) dnl
	gen_require(`
		type naemon_t, naemon_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, naemon_exec_t, naemon_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `naemon_domtrans'($*)) dnl
')

########################################
##
##	Execute the naemon init script with
##	a domain transition.
##
##
##
##	Domain allowed to transition.
##
##
#
define(`naemon_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `naemon_initrc_domtrans'($*)) dnl
	gen_require(`
		type naemon_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, naemon_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `naemon_initrc_domtrans'($*)) dnl
')

########################################
##
##	Search naemon cache directories.
##
##
##
##	Domain allowed access.
##
##
#
define(`naemon_search_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `naemon_search_cache'($*)) dnl
	gen_require(`
		type naemon_cache_t;
	')

	allow $1 naemon_cache_t:dir search_dir_perms;
	files_search_var($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `naemon_search_cache'($*)) dnl
')

########################################
##
##	Read naemon cache files.
##
##
##
##	Domain allowed access.
## ## # define(`naemon_read_cache_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `naemon_read_cache_files'($*)) dnl gen_require(` type naemon_cache_t; ') files_search_var($1) read_files_pattern($1, naemon_cache_t, naemon_cache_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `naemon_read_cache_files'($*)) dnl ') ######################################## ## ## Create, read, write, and delete ## naemon cache files. ## ## ## ## Domain allowed access. ## ## # define(`naemon_manage_cache_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `naemon_manage_cache_files'($*)) dnl gen_require(` type naemon_cache_t; ') files_search_var($1) manage_files_pattern($1, naemon_cache_t, naemon_cache_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `naemon_manage_cache_files'($*)) dnl ') ######################################## ## ## Manage naemon cache dirs. ## ## ## ## Domain allowed access. ## ## # define(`naemon_manage_cache_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `naemon_manage_cache_dirs'($*)) dnl gen_require(` type naemon_cache_t; ') files_search_var($1) manage_dirs_pattern($1, naemon_cache_t, naemon_cache_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `naemon_manage_cache_dirs'($*)) dnl ') ######################################## ## ## Read naemon's log files. ## ## ## ## Domain allowed access. 
## ## ## # define(`naemon_read_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `naemon_read_log'($*)) dnl gen_require(` type naemon_log_t; ') logging_search_logs($1) read_files_pattern($1, naemon_log_t, naemon_log_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `naemon_read_log'($*)) dnl ') ######################################## ## ## Append to naemon log files. ## ## ## ## Domain allowed access. ## ## # define(`naemon_append_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `naemon_append_log'($*)) dnl gen_require(` type naemon_log_t; ') logging_search_logs($1) append_files_pattern($1, naemon_log_t, naemon_log_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `naemon_append_log'($*)) dnl ') ######################################## ## ## Manage naemon log files ## ## ## ## Domain allowed access. ## ## # define(`naemon_manage_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `naemon_manage_log'($*)) dnl gen_require(` type naemon_log_t; ') logging_search_logs($1) manage_dirs_pattern($1, naemon_log_t, naemon_log_t) manage_files_pattern($1, naemon_log_t, naemon_log_t) manage_lnk_files_pattern($1, naemon_log_t, naemon_log_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `naemon_manage_log'($*)) dnl ') ######################################## ## ## Search naemon lib directories. ## ## ## ## Domain allowed access. 
## ## # define(`naemon_search_lib',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `naemon_search_lib'($*)) dnl gen_require(` type naemon_var_lib_t; ') allow $1 naemon_var_lib_t:dir search_dir_perms; files_search_var_lib($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `naemon_search_lib'($*)) dnl ') ######################################## ## ## Read naemon lib files. ## ## ## ## Domain allowed access. ## ## # define(`naemon_read_lib_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `naemon_read_lib_files'($*)) dnl gen_require(` type naemon_var_lib_t; ') files_search_var_lib($1) read_files_pattern($1, naemon_var_lib_t, naemon_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `naemon_read_lib_files'($*)) dnl ') ######################################## ## ## Manage naemon lib files. ## ## ## ## Domain allowed access. ## ## # define(`naemon_manage_lib_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `naemon_manage_lib_files'($*)) dnl gen_require(` type naemon_var_lib_t; ') files_search_var_lib($1) manage_files_pattern($1, naemon_var_lib_t, naemon_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `naemon_manage_lib_files'($*)) dnl ') ######################################## ## ## Manage naemon lib directories. ## ## ## ## Domain allowed access. 
## ## # define(`naemon_manage_lib_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `naemon_manage_lib_dirs'($*)) dnl gen_require(` type naemon_var_lib_t; ') files_search_var_lib($1) manage_dirs_pattern($1, naemon_var_lib_t, naemon_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `naemon_manage_lib_dirs'($*)) dnl ') ######################################## ## ## All of the rules required to administrate ## an naemon environment ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # define(`naemon_admin',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `naemon_admin'($*)) dnl gen_require(` type naemon_t; type naemon_initrc_exec_t; type naemon_cache_t; type naemon_log_t; type naemon_var_lib_t; ') allow $1 naemon_t:process { signal_perms }; ps_process_pattern($1, naemon_t) tunable_policy(`deny_ptrace',`',` allow $1 naemon_t:process ptrace; ') naemon_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 naemon_initrc_exec_t system_r; allow $2 system_r; files_search_var($1) admin_pattern($1, naemon_cache_t) logging_search_logs($1) admin_pattern($1, naemon_log_t) files_search_var_lib($1) admin_pattern($1, naemon_var_lib_t) optional_policy(` systemd_passwd_agent_exec($1) systemd_read_fifo_file_passwd_run($1) ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `naemon_admin'($*)) dnl ') ## Net Saint / NAGIOS - network monitoring server ######################################## ## ## Create a set of derived types for various ## nagios plugins, ## ## ## ## The name to be used for deriving type names. 
## ## # define(`nagios_plugin_template',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nagios_plugin_template'($*)) dnl gen_require(` attribute nagios_plugin_domain; type nagios_t, nrpe_t; ') type nagios_$1_plugin_t, nagios_plugin_domain; type nagios_$1_plugin_exec_t; application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t) role system_r types nagios_$1_plugin_t; domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) allow nagios_t nagios_$1_plugin_exec_t:file ioctl; # needed by command.cfg domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t) kernel_read_system_state(nagios_$1_plugin_t) dnl popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nagios_plugin_template'($*)) dnl ') ######################################## ## ## Execute the nagios unconfined plugins with ## a domain transition. ## ## ## ## Domain allowed access. ## ## # define(`nagios_domtrans_unconfined_plugins',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nagios_domtrans_unconfined_plugins'($*)) dnl gen_require(` type nagios_unconfined_plugin_t; type nagios_unconfined_plugin_exec_t; ') domtrans_pattern($1, nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nagios_domtrans_unconfined_plugins'($*)) dnl ') ######################################## ## ## Do not audit attempts to read or write nagios ## unnamed pipes. ## ## ## ## Domain to not audit. 
## ## # define(`nagios_dontaudit_rw_pipes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nagios_dontaudit_rw_pipes'($*)) dnl gen_require(` type nagios_t; ') dontaudit $1 nagios_t:fifo_file rw_fifo_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nagios_dontaudit_rw_pipes'($*)) dnl ') ######################################## ## ## Allow the specified domain to read ## nagios configuration files. ## ## ## ## Domain allowed access. ## ## ## # define(`nagios_read_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nagios_read_config'($*)) dnl gen_require(` type nagios_etc_t; ') allow $1 nagios_etc_t:dir list_dir_perms; allow $1 nagios_etc_t:file read_file_perms; files_search_etc($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nagios_read_config'($*)) dnl ') ###################################### ## ## Read nagios lib files. ## ## ## ## Domain allowed access. ## ## # define(`nagios_read_lib',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nagios_read_lib'($*)) dnl gen_require(` type nagios_var_lib_t; ') files_search_var($1) list_dirs_pattern($1, nagios_var_lib_t, nagios_var_lib_t) read_files_pattern($1, nagios_var_lib_t, nagios_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nagios_read_lib'($*)) dnl ') ###################################### ## ## Read nagios logs. ## ## ## ## Domain allowed access. 
## ## # define(`nagios_read_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nagios_read_log'($*)) dnl gen_require(` type nagios_log_t; ') logging_search_logs($1) read_files_pattern($1, nagios_log_t, nagios_log_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nagios_read_log'($*)) dnl ') ######################################## ## ## Do not audit attempts to read or write nagios logs. ## ## ## ## Domain to not audit. ## ## # define(`nagios_dontaudit_rw_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nagios_dontaudit_rw_log'($*)) dnl gen_require(` type nagios_log_t; ') dontaudit $1 nagios_log_t:file rw_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nagios_dontaudit_rw_log'($*)) dnl ') ######################################## ## ## Search nagios spool directories. ## ## ## ## Domain allowed access. ## ## # define(`nagios_search_spool',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nagios_search_spool'($*)) dnl gen_require(` type nagios_spool_t; ') allow $1 nagios_spool_t:dir search_dir_perms; files_search_spool($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nagios_search_spool'($*)) dnl ') ######################################## ## ## Append nagios spool files. ## ## ## ## Domain allowed access. ## ## # define(`nagios_append_spool',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nagios_append_spool'($*)) dnl gen_require(` type nagios_spool_t; ') allow $1 nagios_spool_t:file append_file_perms; files_search_spool($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nagios_append_spool'($*)) dnl ') ######################################## ## ## Allow the specified domain to read ## nagios temporary files. 
##
##
##
##	Domain allowed access.
##
##
#
define(`nagios_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nagios_read_tmp_files'($*)) dnl
	gen_require(`
		type nagios_tmp_t;
	')

	allow $1 nagios_tmp_t:file read_file_perms;
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nagios_read_tmp_files'($*)) dnl
')

########################################
##
##	Allow the specified domain to read and
##	write inherited nagios temporary files.
##
##
##
##	Domain allowed access.
##
##
#
# NOTE(review): the interface name misspells "inherited"; it is kept as-is
# because existing callers reference this name.
define(`nagios_rw_inerited_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nagios_rw_inerited_tmp_files'($*)) dnl
	gen_require(`
		type nagios_tmp_t;
	')

	# inherited-only perms: $1 may use an already-open fd but not open the file itself
	allow $1 nagios_tmp_t:file rw_inherited_file_perms;
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nagios_rw_inerited_tmp_files'($*)) dnl
')

########################################
##
##	Execute the nagios NRPE with
##	a domain transition.
##
##
##
##	Domain allowed to transition.
##
##
#
define(`nagios_domtrans_nrpe',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nagios_domtrans_nrpe'($*)) dnl
	gen_require(`
		type nrpe_t, nrpe_exec_t;
	')

	domtrans_pattern($1, nrpe_exec_t, nrpe_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nagios_domtrans_nrpe'($*)) dnl
')

######################################
##
##	Do not audit attempts to write nrpe daemon unnamed pipes.
##
##
##
##	Domain to not audit.
## ## # define(`nagios_dontaudit_write_pipes_nrpe',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nagios_dontaudit_write_pipes_nrpe'($*)) dnl gen_require(` type nrpe_t; ') dontaudit $1 nrpe_t:fifo_file write; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nagios_dontaudit_write_pipes_nrpe'($*)) dnl ') ######################################## ## ## All of the rules required to administrate ## an nagios environment ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed to manage the nagios domain. ## ## ## # define(`nagios_admin',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nagios_admin'($*)) dnl gen_require(` type nagios_t, nrpe_t, nagios_initrc_exec_t; type nagios_tmp_t, nagios_log_t, nagios_var_run_t; type nagios_etc_t, nrpe_etc_t, nagios_spool_t; ') allow $1 nagios_t:process signal_perms; ps_process_pattern($1, nagios_t) tunable_policy(`deny_ptrace',`',` allow $1 nagios_t:process ptrace; ') init_labeled_script_domtrans($1, nagios_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 nagios_initrc_exec_t system_r; allow $2 system_r; files_list_tmp($1) admin_pattern($1, nagios_tmp_t) logging_list_logs($1) admin_pattern($1, nagios_log_t) files_list_etc($1) admin_pattern($1, nagios_etc_t) files_list_spool($1) admin_pattern($1, nagios_spool_t) files_list_pids($1) admin_pattern($1, nagios_var_run_t) admin_pattern($1, nrpe_etc_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nagios_admin'($*)) dnl ') ######################################## ## ## Send a null signal to nagios_unconfined_plugin. ## ## ## ## Domain allowed access. 
## ## # define(`nagios_unconfined_signull',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nagios_unconfined_signull'($*)) dnl gen_require(` type nagios_unconfined_plugin_t; ') allow $1 nagios_unconfined_plugin_t:process signull; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nagios_unconfined_signull'($*)) dnl ') ## policy for namespace ######################################## ## ## Execute a domain transition to run namespace_init. ## ## ## ## Domain allowed access. ## ## # define(`namespace_init_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `namespace_init_domtrans'($*)) dnl gen_require(` type namespace_init_t, namespace_init_exec_t; ') domtrans_pattern($1, namespace_init_exec_t, namespace_init_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `namespace_init_domtrans'($*)) dnl ') ######################################## ## ## Execute namespace_init in the namespace_init domain, and ## allow the specified role the namespace_init domain. ## ## ## ## Domain allowed access ## ## ## ## ## The role to be allowed the namespace_init domain. ## ## # define(`namespace_init_run',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `namespace_init_run'($*)) dnl gen_require(` type namespace_init_t; ') namespace_init_domtrans($1) role $2 types namespace_init_t; seutil_run_setfiles(namespace_init_t, $2) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `namespace_init_run'($*)) dnl ') ## Cross-platform network configuration library. ######################################## ## ## Execute a domain transition to run ncftool. ## ## ## ## Domain allowed to transition. 
## ## # define(`ncftool_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ncftool_domtrans'($*)) dnl gen_require(` type ncftool_t, ncftool_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, ncftool_exec_t, ncftool_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ncftool_domtrans'($*)) dnl ') ######################################## ## ## Execute ncftool in the ncftool ## domain, and allow the specified ## role the ncftool domain. ## ## ## ## Domain allowed access ## ## ## ## ## Role allowed access. ## ## # define(`ncftool_run',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ncftool_run'($*)) dnl gen_require(` type ncftool_t; attribute_role ncftool_roles; ') ncftool_domtrans($1) roleattribute $2 ncftool_roles; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ncftool_run'($*)) dnl ') ## Network scanning daemon. ######################################## ## ## Connect to nessus over a TCP socket (Deprecated) ## ## ## ## Domain allowed access. ## ## # define(`nessus_tcp_connect',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nessus_tcp_connect'($*)) dnl refpolicywarn(`$0($*) has been deprecated.') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nessus_tcp_connect'($*)) dnl ') ######################################## ## ## All of the rules required to ## administrate an nessus environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. 
##
##
##
#
define(`nessus_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nessus_admin'($*)) dnl
	gen_require(`
		type nessusd_t, nessusd_db_t, nessusd_initrc_exec_t;
		type nessusd_etc_t, nessusd_log_t, nessusd_var_run_t;
	')

	# NOTE(review): ptrace is granted unconditionally here, whereas the other
	# *_admin interfaces in this file (mysql_admin, mythtv_admin, naemon_admin,
	# nagios_admin) gate it behind the deny_ptrace tunable.
	allow $1 nessusd_t:process { ptrace signal_perms };
	ps_process_pattern($1, nessusd_t)

	init_labeled_script_domtrans($1, nessusd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 nessusd_initrc_exec_t system_r;
	allow $2 system_r;

	logging_search_logs($1)
	admin_pattern($1, nessusd_log_t)

	files_search_etc($1)
	admin_pattern($1, nessusd_etc_t)

	files_search_pids($1)
	admin_pattern($1, nessusd_var_run_t)

	files_search_var_lib($1)
	admin_pattern($1, nessusd_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nessus_admin'($*)) dnl
')

## Manager for dynamically switching between networks.

########################################
##
##	Read and write NetworkManager UDP sockets.
##
##
##
##	Domain allowed access.
##
##
#
# cjp: added for named.
define(`networkmanager_rw_udp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_rw_udp_sockets'($*)) dnl
	gen_require(`
		type NetworkManager_t;
	')

	allow $1 NetworkManager_t:udp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_rw_udp_sockets'($*)) dnl
')

########################################
##
##	Read and write NetworkManager packet sockets.
##
##
##
##	Domain allowed access.
##
##
#
# cjp: added for named.
define(`networkmanager_rw_packet_sockets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_rw_packet_sockets'($*)) dnl gen_require(` type NetworkManager_t; ') allow $1 NetworkManager_t:packet_socket { read write }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_rw_packet_sockets'($*)) dnl ') ####################################### ## ## Allow caller to relabel tun_socket ## ## ## ## Domain allowed access. ## ## # define(`networkmanager_attach_tun_iface',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_attach_tun_iface'($*)) dnl gen_require(` type NetworkManager_t; ') allow $1 NetworkManager_t:tun_socket relabelfrom; allow $1 self:tun_socket relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_attach_tun_iface'($*)) dnl ') ######################################## ## ## Read and write NetworkManager netlink ## routing sockets. ## ## ## ## Domain allowed access. ## ## # # cjp: added for named. define(`networkmanager_rw_routing_sockets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_rw_routing_sockets'($*)) dnl gen_require(` type NetworkManager_t; ') allow $1 NetworkManager_t:netlink_route_socket { read write }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_rw_routing_sockets'($*)) dnl ') ######################################## ## ## Read networkmanager unnamed pipes ## ## ## ## Domain allowed access. 
## ## # define(`networkmanager_read_pipes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_read_pipes'($*)) dnl gen_require(` type NetworkManager_t; ') allow $1 NetworkManager_t:fifo_file read_fifo_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_read_pipes'($*)) dnl ') ######################################## ## ## Execute NetworkManager with a domain transition. ## ## ## ## Domain allowed to transition. ## ## # define(`networkmanager_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_domtrans'($*)) dnl gen_require(` type NetworkManager_t, NetworkManager_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_domtrans'($*)) dnl ') ####################################### ## ## Execute NetworkManager scripts with an automatic domain transition to initrc. ## ## ## ## Domain allowed to transition. ## ## # define(`networkmanager_initrc_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_initrc_domtrans'($*)) dnl gen_require(` type NetworkManager_initrc_exec_t; ') init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_initrc_domtrans'($*)) dnl ') ######################################## ## ## Execute NetworkManager server in the NetworkManager domain. ## ## ## ## Domain allowed to transition. 
## ## # define(`networkmanager_systemctl',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_systemctl'($*)) dnl gen_require(` type NetworkManager_unit_file_t; type NetworkManager_t; ') systemd_exec_systemctl($1) init_reload_services($1) allow $1 NetworkManager_unit_file_t:file read_file_perms; allow $1 NetworkManager_unit_file_t:service manage_service_perms; ps_process_pattern($1, NetworkManager_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_systemctl'($*)) dnl ') ######################################## ## ## Send and receive messages from ## NetworkManager over dbus. ## ## ## ## Domain allowed access. ## ## # define(`networkmanager_dbus_chat',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_dbus_chat'($*)) dnl gen_require(` type NetworkManager_t; class dbus send_msg; ') allow $1 NetworkManager_t:dbus send_msg; allow NetworkManager_t $1:dbus send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_dbus_chat'($*)) dnl ') ####################################### ## ## Read metworkmanager process state files. ## ## ## ## Domain allowed access. ## ## # define(`networkmanager_read_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_read_state'($*)) dnl gen_require(` type NetworkManager_t; ') allow $1 NetworkManager_t:dir search_dir_perms; allow $1 NetworkManager_t:file read_file_perms; allow $1 NetworkManager_t:lnk_file read_lnk_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_read_state'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and ## receive messages from NetworkManager ## over dbus. ## ## ## ## Domain to not audit. 
## ## # define(`networkmanager_dontaudit_dbus_chat',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_dontaudit_dbus_chat'($*)) dnl gen_require(` type NetworkManager_t; class dbus send_msg; ') dontaudit $1 NetworkManager_t:dbus send_msg; dontaudit NetworkManager_t $1:dbus send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_dontaudit_dbus_chat'($*)) dnl ') ######################################## ## ## Send a generic signal to NetworkManager ## ## ## ## Domain allowed access. ## ## # define(`networkmanager_signal',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_signal'($*)) dnl gen_require(` type NetworkManager_t; ') allow $1 NetworkManager_t:process signal; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_signal'($*)) dnl ') ######################################## ## ## Create, read, and write ## networkmanager library files. ## ## ## ## Domain allowed access. ## ## # define(`networkmanager_manage_lib_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_manage_lib_files'($*)) dnl gen_require(` type NetworkManager_var_lib_t; ') files_search_var_lib($1) manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) allow $1 NetworkManager_var_lib_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_manage_lib_files'($*)) dnl ') ######################################## ## ## Read networkmanager lib files. ## ## ## ## Domain allowed access. 
## ## # define(`networkmanager_read_lib_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_read_lib_files'($*)) dnl gen_require(` type NetworkManager_var_lib_t; ') files_search_var_lib($1) list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) allow $1 NetworkManager_var_lib_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_read_lib_files'($*)) dnl ') ####################################### ## ## Read NetworkManager conf files. ## ## ## ## Domain allowed access. ## ## # define(`networkmanager_read_conf',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_read_conf'($*)) dnl gen_require(` type NetworkManager_etc_t; type NetworkManager_etc_rw_t; ') allow $1 NetworkManager_etc_t:dir list_dir_perms; read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t) read_files_pattern($1,NetworkManager_etc_rw_t,NetworkManager_etc_rw_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_read_conf'($*)) dnl ') ######################################## ## ## Read NetworkManager PID files. ## ## ## ## Domain allowed access. ## ## # define(`networkmanager_read_pid_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_read_pid_files'($*)) dnl gen_require(` type NetworkManager_var_run_t; ') files_search_pids($1) list_dirs_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_read_pid_files'($*)) dnl ') ######################################## ## ## Manage NetworkManager PID files. ## ## ## ## Domain allowed access. 
##
##
#
define(`networkmanager_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_manage_pid_files'($*)) dnl
	gen_require(`
		type NetworkManager_var_run_t;
	')

	files_search_pids($1)
	manage_dirs_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
	manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_manage_pid_files'($*)) dnl
')

########################################
##
## Manage NetworkManager PID sock files.
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_manage_pid_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_manage_pid_sock_files'($*)) dnl
	gen_require(`
		type NetworkManager_var_run_t;
	')

	files_search_pids($1)
	manage_sock_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_manage_pid_sock_files'($*)) dnl
')

########################################
##
## Watch NetworkManager PID directories.
##
##
##
## Domain allowed access.
##
##
#
define(`networkmanager_watch_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `networkmanager_watch_pid_dirs'($*)) dnl
	gen_require(`
		type NetworkManager_var_run_t;
	')

	files_search_pids($1)
	watch_dirs_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `networkmanager_watch_pid_dirs'($*)) dnl
')

########################################
##
## Create objects in the NetworkManager PID
## directory (NetworkManager_var_run_t) with a
## private type using a type_transition.
##
##
##
## Domain allowed access.
##
##
##
##
## Private file type.
##
##
##
##
## Object classes to be created.
##
##
##
##
## The name of the object being created.
## ## # define(`networkmanager_pid_filetrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_pid_filetrans'($*)) dnl gen_require(` type NetworkManager_var_run_t; ') filetrans_pattern($1, NetworkManager_var_run_t, $2, $3, $4) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_pid_filetrans'($*)) dnl ') #################################### ## ## Connect to networkmanager over ## a unix domain stream socket. ## ## ## ## Domain allowed access. ## ## # define(`networkmanager_stream_connect',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_stream_connect'($*)) dnl gen_require(` type NetworkManager_t, NetworkManager_var_run_t; ') files_search_pids($1) stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_stream_connect'($*)) dnl ') ######################################## ## ## Delete NetworkManager PID files. ## ## ## ## Domain allowed access. ## ## # define(`networkmanager_delete_pid_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_delete_pid_files'($*)) dnl gen_require(` type NetworkManager_var_run_t; ') files_search_pids($1) delete_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_delete_pid_files'($*)) dnl ') ######################################## ## ## Execute NetworkManager in the NetworkManager domain, and ## allow the specified role the NetworkManager domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. 
## ## ## # define(`networkmanager_run',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_run'($*)) dnl gen_require(` type NetworkManager_t, NetworkManager_exec_t; ') networkmanager_domtrans($1) role $2 types NetworkManager_t; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_run'($*)) dnl ') ######################################## ## ## Allow the specified domain to append ## to Network Manager log files. ## ## ## ## Domain allowed access. ## ## # define(`networkmanager_append_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_append_log'($*)) dnl gen_require(` type NetworkManager_log_t; ') logging_search_logs($1) allow $1 NetworkManager_log_t:dir list_dir_perms; append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) allow $1 NetworkManager_log_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_append_log'($*)) dnl ') ####################################### ## ## Allow the specified domain to manage ## to Network Manager lib files. ## ## ## ## Domain allowed access. ## ## # define(`networkmanager_manage_lib',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_manage_lib'($*)) dnl gen_require(` type NetworkManager_var_lib_t; ') manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) allow $1 NetworkManager_var_lib_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_manage_lib'($*)) dnl ') ####################################### ## ## Read the process state (/proc/pid) of NetworkManager. ## ## ## ## Domain allowed access. 
## ## # define(`NetworkManager_read_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `NetworkManager_read_state'($*)) dnl gen_require(` type NetworkManager_t; ') allow $1 NetworkManager_t:dir search_dir_perms; allow $1 NetworkManager_t:file read_file_perms; allow $1 NetworkManager_t:lnk_file read_lnk_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `NetworkManager_read_state'($*)) dnl ') ####################################### ## ## Send to NetworkManager with a unix dgram socket. ## ## ## ## Domain allowed access. ## ## # define(`networkmanager_dgram_send',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_dgram_send'($*)) dnl gen_require(` type NetworkManager_t, NetworkManager_var_run_t; ') files_search_pids($1) dgram_send_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_dgram_send'($*)) dnl ') ######################################## ## ## Send sigchld to networkmanager. ## ## ## ## Domain allowed access. ## ## # # define(`networkmanager_sigchld',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_sigchld'($*)) dnl gen_require(` type NetworkManager_t; ') allow $1 NetworkManager_t:process sigchld; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_sigchld'($*)) dnl ') ######################################## ## ## Send signull to networkmanager. ## ## ## ## Domain allowed access. 
## ## # # define(`networkmanager_signull',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_signull'($*)) dnl gen_require(` type NetworkManager_t; ') allow $1 NetworkManager_t:process signull; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_signull'($*)) dnl ') ######################################## ## ## Send sigkill to networkmanager. ## ## ## ## Domain allowed access. ## ## # # define(`networkmanager_sigkill',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_sigkill'($*)) dnl gen_require(` type NetworkManager_t; ') allow $1 NetworkManager_t:process sigkill; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_sigkill'($*)) dnl ') ######################################## ## ## Transition to networkmanager named content ## ## ## ## Domain allowed access. ## ## # define(`networkmanager_filetrans_named_content',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `networkmanager_filetrans_named_content'($*)) dnl gen_require(` type NetworkManager_var_run_t; type NetworkManager_var_lib_t; ') files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth0.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth1.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth2.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth3.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth4.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth5.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth6.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth7.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, 
"nm-dhclient-eth8.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-eth9.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em0.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em1.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em2.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em3.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em4.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em5.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf") files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf") files_pid_filetrans($1, NetworkManager_var_run_t, dir, "teamd") files_pid_filetrans($1, NetworkManager_var_run_t, file, "wicd.pid") files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf") files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf") files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf") logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `networkmanager_filetrans_named_content'($*)) dnl ') ## Respond to IPv6 Node Information Queries ######################################## ## ## Execute ninfod in the ninfod domin. ## ## ## ## Domain allowed to transition. 
## ## # define(`ninfod_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ninfod_domtrans'($*)) dnl gen_require(` type ninfod_t, ninfod_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, ninfod_exec_t, ninfod_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ninfod_domtrans'($*)) dnl ') ######################################## ## ## Execute ninfod server in the ninfod domain. ## ## ## ## Domain allowed to transition. ## ## # define(`ninfod_systemctl',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ninfod_systemctl'($*)) dnl gen_require(` type ninfod_t; type ninfod_unit_file_t; ') systemd_exec_systemctl($1) init_reload_services($1) systemd_read_fifo_file_passwd_run($1) allow $1 ninfod_unit_file_t:file read_file_perms; allow $1 ninfod_unit_file_t:service manage_service_perms; ps_process_pattern($1, ninfod_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ninfod_systemctl'($*)) dnl ') ######################################## ## ## All of the rules required to administrate ## an ninfod environment ## ## ## ## Domain allowed access. 
## ## ## # define(`ninfod_admin',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `ninfod_admin'($*)) dnl gen_require(` type ninfod_t; type ninfod_unit_file_t; ') allow $1 ninfod_t:process { signal_perms }; ps_process_pattern($1, ninfod_t) tunable_policy(`deny_ptrace',`',` allow $1 ninfod_t:process ptrace; ') ninfod_systemctl($1) admin_pattern($1, ninfod_unit_file_t) allow $1 ninfod_unit_file_t:service all_service_perms; optional_policy(` systemd_passwd_agent_exec($1) systemd_read_fifo_file_passwd_run($1) ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `ninfod_admin'($*)) dnl ') ## Policy for NIS (YP) servers and clients ######################################## ## ## Use the ypbind service to access NIS services ## unconditionally. ## ## ##

## Use the ypbind service to access NIS services ## unconditionally. ##

##

## This interface was added because of apache and ## spamassassin, to work around a nested conditionals problem. ## Once nested conditionals are supported, this interface should ## be removed and the regular interface used instead. ##

##
## ## ## Domain allowed access. ## ## # define(`nis_use_ypbind_uncond',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nis_use_ypbind_uncond'($*)) dnl gen_require(` type var_yp_t; ') dontaudit $1 self:capability net_bind_service; allow $1 self:tcp_socket create_stream_socket_perms; allow $1 self:udp_socket create_socket_perms; allow $1 var_yp_t:dir list_dir_perms; allow $1 var_yp_t:lnk_file read_lnk_file_perms; allow $1 var_yp_t:file read_file_perms; corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_udp_sendrecv_generic_node($1) corenet_tcp_sendrecv_all_ports($1) corenet_udp_sendrecv_all_ports($1) corenet_tcp_bind_generic_node($1) corenet_udp_bind_generic_node($1) corenet_tcp_bind_generic_port($1) corenet_udp_bind_generic_port($1) corenet_dontaudit_tcp_bind_all_ports($1) corenet_dontaudit_udp_bind_all_ports($1) corenet_tcp_connect_portmap_port($1) corenet_tcp_connect_all_reserved_ports($1) corenet_tcp_connect_generic_port($1) corenet_sendrecv_portmap_client_packets($1) corenet_sendrecv_generic_client_packets($1) corenet_sendrecv_generic_server_packets($1) sysnet_read_config($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nis_use_ypbind_uncond'($*)) dnl ') ######################################## ## ## Use the ypbind service to access NIS services. ## ## ##

## Allow the specified domain to use the ypbind service ## to access Network Information Service (NIS) services. ## Information that can be retrieved from NIS includes ## usernames, passwords, home directories, and groups. ## If the network is configured to have a single sign-on ## using NIS, it is likely that any program that does ## authentication will need this access. ##

##
## ## ## Domain allowed access. ## ## ## ## # define(`nis_use_ypbind',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nis_use_ypbind'($*)) dnl tunable_policy(`nis_enabled',` nis_use_ypbind_uncond($1) ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nis_use_ypbind'($*)) dnl ') ######################################## ## ## Use the nis to authenticate passwords ## ## ## ## Domain allowed access. ## ## ## # define(`nis_authenticate',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nis_authenticate'($*)) dnl tunable_policy(`nis_enabled',` nis_use_ypbind_uncond($1) corenet_tcp_bind_all_rpc_ports($1) corenet_udp_bind_all_rpc_ports($1) ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nis_authenticate'($*)) dnl ') ######################################## ## ## Execute ypbind in the ypbind domain. ## ## ## ## Domain allowed to transition. ## ## # define(`nis_domtrans_ypbind',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nis_domtrans_ypbind'($*)) dnl gen_require(` type ypbind_t, ypbind_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, ypbind_exec_t, ypbind_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nis_domtrans_ypbind'($*)) dnl ') ####################################### ## ## Execute ypbind in the caller domain. ## ## ## ## Domain allowed to transition. 
## ## # define(`nis_exec_ypbind',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nis_exec_ypbind'($*)) dnl gen_require(` type ypbind_t, ypbind_exec_t; ') can_exec($1, ypbind_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nis_exec_ypbind'($*)) dnl ') ######################################## ## ## Execute ypbind in the ypbind domain, and ## allow the specified role the ypbind domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # define(`nis_run_ypbind',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nis_run_ypbind'($*)) dnl gen_require(` type ypbind_t; ') nis_domtrans_ypbind($1) role $2 types ypbind_t; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nis_run_ypbind'($*)) dnl ') ######################################## ## ## Send generic signals to ypbind. ## ## ## ## Domain allowed access. ## ## # define(`nis_signal_ypbind',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nis_signal_ypbind'($*)) dnl gen_require(` type ypbind_t; ') allow $1 ypbind_t:process signal; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nis_signal_ypbind'($*)) dnl ') ######################################## ## ## List the contents of the NIS data directory. ## ## ## ## Domain allowed access. ## ## # define(`nis_list_var_yp',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nis_list_var_yp'($*)) dnl gen_require(` type var_yp_t; ') files_search_var($1) allow $1 var_yp_t:dir list_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nis_list_var_yp'($*)) dnl ') ######################################## ## ## Send UDP network traffic to NIS clients. (Deprecated) ## ## ## ## Domain allowed access. 
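##
##
#
define(`nis_udp_send_ypbind',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_udp_send_ypbind'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_udp_send_ypbind'($*)) dnl
')

########################################
##
## Connect to ypbind over TCP. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`nis_tcp_connect_ypbind',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_tcp_connect_ypbind'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_tcp_connect_ypbind'($*)) dnl
')

########################################
##
## Read ypbind pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`nis_read_ypbind_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_read_ypbind_pid'($*)) dnl
	gen_require(`
		type ypbind_var_run_t;
	')

	files_search_pids($1)
	allow $1 ypbind_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_read_ypbind_pid'($*)) dnl
')

########################################
##
## Delete ypbind pid files.
##
##
##
## Domain allowed access.
##
##
#
define(`nis_delete_ypbind_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nis_delete_ypbind_pid'($*)) dnl
	gen_require(`
		type ypbind_var_run_t;
	')

	# The pid file is labeled ypbind_var_run_t. The previous rule granted
	# unlink on the ypbind_t process domain type, which no pid file carries,
	# and gave no search access to the pid directory, so the interface did
	# not actually permit the deletion it advertises. Mirror
	# nis_read_ypbind_pid: search the pid directory and delete files of
	# the pid file type.
	files_search_pids($1)
	delete_files_pattern($1, ypbind_var_run_t, ypbind_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nis_delete_ypbind_pid'($*)) dnl
')

########################################
##
## Read ypserv configuration files.
##
##
##
## Domain allowed access.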
## ## # define(`nis_read_ypserv_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nis_read_ypserv_config'($*)) dnl gen_require(` type ypserv_conf_t; ') files_search_etc($1) allow $1 ypserv_conf_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nis_read_ypserv_config'($*)) dnl ') ######################################## ## ## Execute ypxfr in the ypxfr domain. ## ## ## ## Domain allowed to transition. ## ## # define(`nis_domtrans_ypxfr',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nis_domtrans_ypxfr'($*)) dnl gen_require(` type ypxfr_t, ypxfr_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, ypxfr_exec_t, ypxfr_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nis_domtrans_ypxfr'($*)) dnl ') ######################################## ## ## Execute nis server in the nis domain. ## ## ## ## Domain allowed to transition. ## ## # # define(`nis_initrc_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nis_initrc_domtrans'($*)) dnl gen_require(` type nis_initrc_exec_t; ') init_labeled_script_domtrans($1, nis_initrc_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nis_initrc_domtrans'($*)) dnl ') ######################################## ## ## Execute nis server in the nis domain. ## ## ## ## Domain allowed to transition. 
## ## # define(`nis_initrc_domtrans_ypbind',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nis_initrc_domtrans_ypbind'($*)) dnl gen_require(` type ypbind_initrc_exec_t; ') init_labeled_script_domtrans($1, ypbind_initrc_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nis_initrc_domtrans_ypbind'($*)) dnl ') ######################################## ## ## Execute ypbind server in the ypbind domain. ## ## ## ## Domain allowed to transition. ## ## # define(`nis_systemctl_ypbind',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nis_systemctl_ypbind'($*)) dnl gen_require(` type ypbind_unit_file_t; type ypbind_t; ') systemd_exec_systemctl($1) init_reload_services($1) allow $1 ypbind_unit_file_t:file read_file_perms; allow $1 ypbind_unit_file_t:service manage_service_perms; ps_process_pattern($1, ypbind_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nis_systemctl_ypbind'($*)) dnl ') ######################################## ## ## Execute ypbind server in the ypbind domain. ## ## ## ## Domain allowed to transition. ## ## # define(`nis_systemctl',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nis_systemctl'($*)) dnl gen_require(` type nis_unit_file_t, ypbind_unit_file_t; type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t; ') systemd_exec_systemctl($1) init_reload_services($1) allow $1 nis_unit_file_t:file read_file_perms; allow $1 nis_unit_file_t:service manage_service_perms; ps_process_pattern($1, ypbind_t) ps_process_pattern($1, yppasswdd_t) ps_process_pattern($1, ypserv_t) ps_process_pattern($1, ypxfr_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nis_systemctl'($*)) dnl ') ######################################## ## ## All of the rules required to administrate ## an nis environment ## ## ## ## Domain allowed access. 
## ## ## ## ## Role allowed access. ## ## ## # define(`nis_admin',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nis_admin'($*)) dnl gen_require(` type ypbind_t, yppasswdd_t, ypserv_t; type ypserv_conf_t; type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t; type ypserv_tmp_t; type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t; type nis_unit_file_t; type ypbind_unit_file_t; ') allow $1 ypbind_t:process signal_perms; ps_process_pattern($1, ypbind_t) tunable_policy(`deny_ptrace',`',` allow $1 ypbind_t:process ptrace; allow $1 yppasswdd_t:process ptrace; allow $1 ypserv_t:process ptrace; allow $1 ypxfr_t:process ptrace; ') allow $1 yppasswdd_t:process signal_perms; ps_process_pattern($1, yppasswdd_t) allow $1 ypserv_t:process signal_perms; ps_process_pattern($1, ypserv_t) allow $1 ypxfr_t:process signal_perms; ps_process_pattern($1, ypxfr_t) nis_initrc_domtrans($1) nis_initrc_domtrans_ypbind($1) domain_system_change_exemption($1) role_transition $2 nis_initrc_exec_t system_r; role_transition $2 ypbind_initrc_exec_t system_r; allow $2 system_r; files_list_pids($1) admin_pattern($1, ypbind_var_run_t) nis_systemctl_ypbind($1) admin_pattern($1, ypbind_unit_file_t) allow $1 ypbind_unit_file_t:service all_service_perms; admin_pattern($1, yppasswdd_var_run_t) files_list_etc($1) admin_pattern($1, ypserv_conf_t) admin_pattern($1, ypserv_var_run_t) admin_pattern($1, ypserv_tmp_t) nis_systemctl($1) admin_pattern($1, nis_unit_file_t) allow $1 nis_unit_file_t:service all_service_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nis_admin'($*)) dnl ') ## openstack-nova ###################################### ## ## Manage nova lib files. ## ## ## ## Domain allowed access. 
## ## # define(`nova_manage_lib_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nova_manage_lib_files'($*)) dnl gen_require(` type nova_var_lib_t; ') files_search_var_lib($1) manage_files_pattern($1, nova_var_lib_t, nova_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nova_manage_lib_files'($*)) dnl ') ####################################### ## ## Creates types and rules for a basic ## openstack-nova systemd daemon domain. ## ## ## ## Prefix for the domain. ## ## # define(`nova_domain_template',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nova_domain_template'($*)) dnl gen_require(` type nova_t; type nova_exec_t; type nova_unit_file_t; type nova_tmp_t; ') typealias nova_t alias nova_$1_t; typealias nova_exec_t alias nova_$1_exec_t; typealias nova_unit_file_t alias nova_$1_unit_file_t; typealias nova_tmp_t alias nova_$1_tmp_t; dnl popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nova_domain_template'($*)) dnl ') ## Name service cache daemon ######################################## ## ## Send generic signals to NSCD. ## ## ## ## Domain allowed access. ## ## # define(`nscd_signal',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nscd_signal'($*)) dnl gen_require(` type nscd_t; ') allow $1 nscd_t:process signal; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nscd_signal'($*)) dnl ') ######################################## ## ## Send NSCD the kill signal. ## ## ## ## Domain allowed access. 
## ## # define(`nscd_kill',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nscd_kill'($*)) dnl gen_require(` type nscd_t; ') allow $1 nscd_t:process sigkill; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nscd_kill'($*)) dnl ') ######################################## ## ## Send signulls to NSCD. ## ## ## ## Domain allowed access. ## ## # define(`nscd_signull',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nscd_signull'($*)) dnl gen_require(` type nscd_t; ') allow $1 nscd_t:process signull; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nscd_signull'($*)) dnl ') ######################################## ## ## Execute NSCD in the nscd domain. ## ## ## ## Domain allowed to transition. ## ## # define(`nscd_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nscd_domtrans'($*)) dnl gen_require(` type nscd_t, nscd_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, nscd_exec_t, nscd_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nscd_domtrans'($*)) dnl ') ######################################## ## ## Allow the specified domain to execute nscd ## in the caller domain. ## ## ## ## Domain allowed access. ## ## # define(`nscd_exec',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `nscd_exec'($*)) dnl gen_require(` type nscd_exec_t; ') can_exec($1, nscd_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `nscd_exec'($*)) dnl ') ######################################## ## ## Use NSCD services by connecting using ## a unix stream socket. ## ## ## ## Domain allowed access. 
#
define(`nscd_socket_use',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_socket_use'($*)) dnl
gen_require(`
	type nscd_t, nscd_var_run_t;
	class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
')

	allow $1 self:unix_stream_socket create_socket_perms;
	# Lookups granted over the socket: passwd, group and host only.
	allow $1 nscd_t:nscd { getpwd getgrp gethost };
	# Shared-memory access and the services database are not granted by
	# this interface; their denials are silenced (see nscd_shm_use).
	dontaudit $1 nscd_t:fd use;
	dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
	files_search_pids($1)
	stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
	allow $1 nscd_t:unix_stream_socket { connectto create_socket_perms };
	# NOTE(review): map is allowed on nscd_var_run_t files while read is
	# only dontaudited. A PROT_READ mapping also needs file read, so the
	# map grant is likely ineffective on its own and the attempt is hidden
	# from the audit log; confirm whether read was meant to be allowed.
	dontaudit $1 nscd_var_run_t:file read_file_perms;
	allow $1 nscd_var_run_t:file map;
	# Note the argument order: this lets nscd_t read the process state of
	# $1 (its /proc entries), not $1 read nscd.
	ps_process_pattern(nscd_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_socket_use'($*)) dnl
')

########################################
## Use nscd services
##
## Parameter 1 (domain): Domain allowed access.
#
define(`nscd_use',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_use'($*)) dnl
	# Socket-based lookups are unconditional; the shared-memory path
	# (fd use plus mapping the database) is added only when the
	# nscd_use_shm boolean is enabled.
	nscd_socket_use($1)

	tunable_policy(`nscd_use_shm',`
		nscd_shm_use($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_use'($*)) dnl
')

########################################
## Do not audit attempts to write nscd sock files
##
## Parameter 1 (domain): Domain to not audit.
#
define(`nscd_dontaudit_write_sock_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_dontaudit_write_sock_file'($*)) dnl
gen_require(`
	type nscd_t, nscd_var_run_t;
')

	dontaudit $1 nscd_t:sock_file write;
	dontaudit $1 nscd_var_run_t:sock_file write;
	# The connect attempt that follows the sock_file write is silenced too,
	# so a domain probing for nscd leaves no audit record at all.
	dontaudit $1 nscd_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_dontaudit_write_sock_file'($*)) dnl
')

########################################
## Use NSCD services by mapping the database from
## an inherited NSCD file descriptor.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`nscd_shm_use',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_shm_use'($*)) dnl
gen_require(`
	type nscd_t, nscd_var_run_t;
	class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv shmemnetgrp getnetgrp };
')

	allow $1 nscd_var_run_t:dir list_dir_perms;
	# Shared-memory variants of every lookup, including netgroups.
	allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost shmemserv shmemnetgrp};
	# Receive fd from nscd and map the backing file with read access.
	allow $1 nscd_t:fd use;
	# cjp: these were originally inherited from the
	# nscd_socket_domain macro. need to investigate
	# if they are all actually required
	allow $1 self:unix_stream_socket create_stream_socket_perms;
	# dg: This may not be required.
	allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
	stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
	files_search_pids($1)
	allow $1 nscd_t:nscd { getpwd getgrp gethost getserv getnetgrp };
	# NOTE(review): read on the database files is only dontaudited here,
	# the same as in nscd_socket_use; if mapping the inherited fd needs
	# file read, the failure is silent. Confirm against observed denials.
	dontaudit $1 nscd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_shm_use'($*)) dnl
')

########################################
## Do not audit attempts to search the NSCD pid directory.
##
## Parameter 1 (domain): Domain to not audit.
#
define(`nscd_dontaudit_search_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_dontaudit_search_pid'($*)) dnl
gen_require(`
	type nscd_var_run_t;
')

	dontaudit $1 nscd_var_run_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_dontaudit_search_pid'($*)) dnl
')

########################################
## Do not audit attempts to read the NSCD pid directory.
##
## Parameter 1 (domain): Domain to not audit.
#
define(`nscd_dontaudit_read_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_dontaudit_read_pid'($*)) dnl
gen_require(`
	type nscd_var_run_t;
')

	# Despite the summary this silences reads of the files in the pid
	# directory, not of the directory itself.
	dontaudit $1 nscd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_dontaudit_read_pid'($*)) dnl
')

########################################
## Read NSCD pid file.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`nscd_read_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_read_pid'($*)) dnl
gen_require(`
	type nscd_var_run_t;
')

	files_search_pids($1)
	read_files_pattern($1, nscd_var_run_t, nscd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_read_pid'($*)) dnl
')

########################################
## Unconfined access to NSCD services.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`nscd_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_unconfined'($*)) dnl
gen_require(`
	type nscd_t;
	class nscd all_nscd_perms;
')

	# Wildcard: every permission in the nscd class, including the
	# shared-memory ones and any added to the class later. Only the
	# nscd class is covered; no socket, fd or file access is granted here.
	allow $1 nscd_t:nscd *;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_unconfined'($*)) dnl
')

########################################
## Execute nscd in the nscd domain, and
## allow the specified role the nscd domain.
##
## Parameter 1 (domain): Domain allowed to transition.
## Parameter 2 (role): Role allowed access.
#
define(`nscd_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_run'($*)) dnl
gen_require(`
	type nscd_t;
')

	nscd_domtrans($1)
	# Without this role authorization the transition above would be
	# refused for processes running in role $2.
	role $2 types nscd_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_run'($*)) dnl
')

########################################
## Execute the nscd server init script.
##
## Parameter 1 (domain): Domain allowed to transition.
#
define(`nscd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_initrc_domtrans'($*)) dnl
gen_require(`
	type nscd_initrc_exec_t;
')

	init_labeled_script_domtrans($1, nscd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_initrc_domtrans'($*)) dnl
')

########################################
## Control the nscd systemd unit (start, stop, reload)
## from the given domain via systemctl.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`nscd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_systemctl'($*)) dnl
gen_require(`
	type nscd_unit_file_t;
	type nscd_t;
')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	# Unit file is readable only; service control is the manage set,
	# not all_service_perms (compare nscd_admin).
	allow $1 nscd_unit_file_t:file read_file_perms;
	allow $1 nscd_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, nscd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_systemctl'($*)) dnl
')

########################################
## All of the rules required to administrate
## an nscd environment
##
## Parameter 1 (domain): Domain allowed access.
## Parameter 2 (role): The role to be allowed to manage the nscd domain.
#
define(`nscd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nscd_admin'($*)) dnl
gen_require(`
	type nscd_t, nscd_log_t, nscd_var_run_t;
	type nscd_initrc_exec_t;
	type nscd_unit_file_t;
')

	allow $1 nscd_t:process signal_perms;
	ps_process_pattern($1, nscd_t)

	# ptrace of the daemon is granted only while deny_ptrace is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 nscd_t:process ptrace;
	')

	# Running the init script moves the admin into system_r for it.
	init_labeled_script_domtrans($1, nscd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 nscd_initrc_exec_t system_r;
	allow $2 system_r;

	logging_list_logs($1)
	admin_pattern($1, nscd_log_t)

	files_list_pids($1)
	admin_pattern($1, nscd_var_run_t)

	nscd_systemctl($1)
	# Write access to the unit file plus full service control: $1 can
	# change what the nscd unit executes, not merely start or stop it.
	admin_pattern($1, nscd_unit_file_t)
	allow $1 nscd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nscd_admin'($*)) dnl
')

## Authoritative only name server

########################################
## Read NSD pid file.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`nsd_read_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nsd_read_pid'($*)) dnl
gen_require(`
	type nsd_var_run_t;
')

	files_search_pids($1)
	read_files_pattern($1, nsd_var_run_t, nsd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nsd_read_pid'($*)) dnl
')

########################################
## Send and receive datagrams from NSD. (Deprecated)
##
## Parameter 1 (domain): Domain allowed access.
#
define(`nsd_udp_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nsd_udp_chat'($*)) dnl
	# Deprecated: emits a build-time warning and grants nothing.
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nsd_udp_chat'($*)) dnl
')

########################################
## Connect to NSD over a TCP socket (Deprecated)
##
## Parameter 1 (domain): Domain allowed access.
#
define(`nsd_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nsd_tcp_connect'($*)) dnl
	# Deprecated: emits a build-time warning and grants nothing.
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nsd_tcp_connect'($*)) dnl
')

## nslcd - local LDAP name service daemon.

########################################
## Execute a domain transition to run nslcd.
##
## Parameter 1 (domain): Domain allowed to transition.
#
define(`nslcd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nslcd_domtrans'($*)) dnl
gen_require(`
	type nslcd_t, nslcd_exec_t;
')

	# NOTE(review): unlike nscd_domtrans/ntp_domtrans this does not call
	# corecmd_search_bin, so the caller must already be able to search
	# the directory holding the nslcd executable.
	domtrans_pattern($1, nslcd_exec_t, nslcd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nslcd_domtrans'($*)) dnl
')

########################################
## Execute the nslcd init script (init script
## domain transition, not the nslcd domain itself).
##
## Parameter 1 (domain): Domain allowed to transition.
#
define(`nslcd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nslcd_initrc_domtrans'($*)) dnl
gen_require(`
	type nslcd_initrc_exec_t;
')

	init_labeled_script_domtrans($1, nslcd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nslcd_initrc_domtrans'($*)) dnl
')

########################################
## Read nslcd PID files.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`nslcd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nslcd_read_pid_files'($*)) dnl
gen_require(`
	type nslcd_var_run_t;
')

	files_search_pids($1)
	# File read only; the nslcd_var_run_t directory itself is not
	# searched here (compare nscd_read_pid, which uses read_files_pattern).
	allow $1 nslcd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nslcd_read_pid_files'($*)) dnl
')

########################################
## Dontaudit write to nslcd over an unix stream socket.
##
## Parameter 1 (domain): Domain allowed access.
#
# NOTE(review): the interface name is misspelled (ock instead of sock)
# and cannot be renamed without breaking callers. It is a strict subset
# of nslcd_dontaudit_write_sock_file below; prefer that one in new policy.
define(`nslcd_dontaudit_write_ock_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nslcd_dontaudit_write_ock_file'($*)) dnl
gen_require(`
	type nslcd_var_run_t;
')

	dontaudit $1 nslcd_var_run_t:sock_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nslcd_dontaudit_write_ock_file'($*)) dnl
')

########################################
## Connect to nslcd over an unix stream socket.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`nslcd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nslcd_stream_connect'($*)) dnl
gen_require(`
	type nslcd_t, nslcd_var_run_t;
')

	stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t)
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nslcd_stream_connect'($*)) dnl
')

#######################################
## Do not audit attempts to write nslcd sock files
##
## Parameter 1 (domain): Domain to not audit.
#
define(`nslcd_dontaudit_write_sock_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nslcd_dontaudit_write_sock_file'($*)) dnl
gen_require(`
	type nslcd_t, nslcd_var_run_t;
')

	dontaudit $1 nslcd_t:sock_file write;
	dontaudit $1 nslcd_var_run_t:sock_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nslcd_dontaudit_write_sock_file'($*)) dnl
')

########################################
## All of the rules required to administrate
## an nslcd environment
##
## Parameter 1 (domain): Domain allowed access.
## Parameter 2 (role): Role allowed access.
#
define(`nslcd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nslcd_admin'($*)) dnl
gen_require(`
	type nslcd_t, nslcd_initrc_exec_t, nslcd_var_run_t;
	type nslcd_conf_t;
')

	ps_process_pattern($1, nslcd_t)
	allow $1 nslcd_t:process signal_perms;

	# ptrace of the daemon is granted only while deny_ptrace is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 nslcd_t:process ptrace;
	')

	# Allow $1 to restart the nslcd service through its init script.
	# (The earlier comment said apache; that was a copy-paste leftover.)
	nslcd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 nslcd_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	# Full read/write on the nslcd configuration, which may hold LDAP
	# bind credentials.
	admin_pattern($1, nslcd_conf_t)

	files_list_pids($1)
	# NOTE(review): this passes a third argument, unlike every other
	# admin_pattern call in this file; check the admin_pattern definition
	# to see whether it is honoured or silently ignored.
	admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nslcd_admin'($*)) dnl
')

## A network traffic probe similar to the UNIX top command.

########################################
## All of the rules required to
## administrate an ntop environment.
##
## Parameter 1 (domain): Domain allowed access.
## Parameter 2 (role): Role allowed access.
#
define(`ntop_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntop_admin'($*)) dnl
gen_require(`
	type ntop_t, ntop_etc_t, ntop_var_run_t;
	type ntop_initrc_exec_t, ntop_var_lib_t;
')

	# NOTE(review): ptrace is granted unconditionally here, whereas the
	# nscd, nslcd and ntp admin interfaces gate it on deny_ptrace.
	allow $1 ntop_t:process { ptrace signal_perms };
	ps_process_pattern($1, ntop_t)

	init_labeled_script_domtrans($1, ntop_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 ntop_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, ntop_etc_t)

	files_search_var_lib($1)
	admin_pattern($1, ntop_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, ntop_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntop_admin'($*)) dnl
')

## Network time protocol daemon

########################################
## NTP stub interface. No access allowed.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`ntp_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_stub'($*)) dnl
gen_require(`
	type ntpd_t;
')

	# Intentionally empty: only pulls in the ntpd_t requirement.
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_stub'($*)) dnl
')

########################################
## Execute ntp server in the ntpd domain.
##
## Parameter 1 (domain): Domain allowed to transition.
#
define(`ntp_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_domtrans'($*)) dnl
gen_require(`
	type ntpd_t, ntpd_exec_t;
')

	corecmd_search_bin($1)
	domtrans_pattern($1, ntpd_exec_t, ntpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_domtrans'($*)) dnl
')

########################################
## Execute ntp server in the caller domain.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`ntp_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_exec'($*)) dnl
gen_require(`
	type ntpd_exec_t;
')

	corecmd_search_bin($1)
	# No transition: the ntp binary runs with the privileges of $1.
	can_exec($1, ntpd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_exec'($*)) dnl
')

########################################
## Execute ntp in the ntp domain, and
## allow the specified role the ntp domain.
##
## Parameter 1 (domain): Domain allowed to transition.
## Parameter 2 (role): Role allowed access.
#
define(`ntp_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_run'($*)) dnl
gen_require(`
	type ntpd_t;
')

	ntp_domtrans($1)
	role $2 types ntpd_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_run'($*)) dnl
')

########################################
## Execute ntpdate (labeled ntpdate_exec_t) and
## transition into the ntpd domain.
##
## Parameter 1 (domain): Domain allowed to transition.
#
define(`ntp_domtrans_ntpdate',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_domtrans_ntpdate'($*)) dnl
gen_require(`
	type ntpd_t, ntpdate_exec_t;
')

	corecmd_search_bin($1)
	# ntpdate shares the ntpd_t domain rather than getting its own.
	domtrans_pattern($1, ntpdate_exec_t, ntpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_domtrans_ntpdate'($*)) dnl
')

########################################
## Execute the ntp init script (init script
## domain transition, not the ntpd domain itself).
##
## Parameter 1 (domain): Domain allowed to transition.
#
define(`ntp_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_initrc_domtrans'($*)) dnl
gen_require(`
	type ntpd_initrc_exec_t;
')

	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_initrc_domtrans'($*)) dnl
')

#####################################
## Allow domain to read ntpd systemd unit files.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`ntp_read_unit_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_read_unit_file'($*)) dnl
gen_require(`
	type ntpd_unit_file_t;
')

	# NOTE(review): this searches var_lib, but systemd unit files do not
	# normally live under /var/lib; the search access looks misplaced and
	# no search of the real unit directory is granted. Verify where
	# ntpd_unit_file_t is actually labeled before relying on this.
	files_search_var_lib($1)
	allow $1 ntpd_unit_file_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_read_unit_file'($*)) dnl
')

########################################
## Control the ntpd systemd unit (start, stop, reload)
## from the given domain via systemctl.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`ntp_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_systemctl'($*)) dnl
gen_require(`
	type ntpd_unit_file_t;
	type ntpd_t;
')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 ntpd_unit_file_t:file read_file_perms;
	allow $1 ntpd_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, ntpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_systemctl'($*)) dnl
')

########################################
## Send a generic signal to ntpd
##
## Parameter 1 (domain): Domain allowed access.
#
define(`ntp_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_signal'($*)) dnl
gen_require(`
	type ntpd_t;
')

	allow $1 ntpd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_signal'($*)) dnl
')

########################################
## Read ntp drift files.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`ntp_read_drift_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_read_drift_files'($*)) dnl
gen_require(`
	type ntp_drift_t;
')

	files_search_var_lib($1)
	read_files_pattern($1, ntp_drift_t, ntp_drift_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_read_drift_files'($*)) dnl
')

########################################
## Read and write ntpd shared memory.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`ntp_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_rw_shm'($*)) dnl
gen_require(`
	type ntpd_t, ntpd_tmpfs_t;
')

	# Both SysV shm owned by ntpd_t and its tmpfs-backed files are made
	# writable, so $1 can alter data ntpd reads back; this is a
	# read/write trust relationship with the daemon, not read-only access.
	allow $1 ntpd_t:shm rw_shm_perms;
	list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
	rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
	read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
	fs_search_tmpfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_rw_shm'($*)) dnl
')

########################################
## Allow the domain to read ntpd state files in /proc.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`ntp_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_read_state'($*)) dnl
gen_require(`
	type ntpd_t;
')

	kernel_search_proc($1)
	ps_process_pattern($1, ntpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_read_state'($*)) dnl
')

########################################
## All of the rules required to administrate
## an ntp environment
##
## Parameter 1 (domain): Domain allowed access.
## Parameter 2 (role): The role to be allowed to manage the ntp domain.
#
define(`ntp_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_admin'($*)) dnl
gen_require(`
	type ntpd_t, ntpd_tmp_t, ntpd_log_t, ntp_drift_t;
	type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
	type ntpd_unit_file_t;
')

	allow $1 ntpd_t:process signal_perms;
	ps_process_pattern($1, ntpd_t)

	# ptrace of the daemon is granted only while deny_ptrace is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 ntpd_t:process ptrace;
	')

	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 ntpd_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	# Full access to ntpd_key_t: the NTP authentication key material.
	admin_pattern($1, ntpd_key_t)

	logging_list_logs($1)
	admin_pattern($1, ntpd_log_t)

	files_list_tmp($1)
	admin_pattern($1, ntpd_tmp_t)

	files_list_var_lib($1)
	admin_pattern($1, ntp_drift_t)

	files_list_pids($1)
	admin_pattern($1, ntpd_var_run_t)

	ntp_systemctl($1)
	# Write access to the unit file plus full service control: $1 can
	# change what the ntpd unit executes, not merely start or stop it.
	admin_pattern($1, ntpd_unit_file_t)
	allow $1 ntpd_unit_file_t:service all_service_perms;

	ntp_filetrans_named_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_admin'($*)) dnl
')

########################################
## Transition content labels to ntp named content
##
## Parameter 1 (domain): Domain allowed access.
#
define(`ntp_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_filetrans_named_content'($*)) dnl
gen_require(`
	type ntp_conf_t;
	type ntp_drift_t;
')

	# Name-based transitions so that files $1 creates under /etc and
	# /var/lib with these exact names get the ntp-specific labels instead
	# of the generic parent label.
	files_etc_filetrans($1, ntp_conf_t, file, "ntpd.conf")
	files_etc_filetrans($1, ntp_conf_t, dir, "ntp")
	files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_filetrans_named_content'($*)) dnl
')

########################################
## Create, read, write, and delete
## ntp log content.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`ntp_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ntp_manage_log'($*)) dnl
gen_require(`
	type ntpd_log_t;
')

	logging_search_logs($1)
	# Includes delete, so $1 can remove ntpd log history.
	manage_dirs_pattern($1, ntpd_log_t, ntpd_log_t)
	manage_files_pattern($1, ntpd_log_t, ntpd_log_t)
	manage_lnk_files_pattern($1, ntpd_log_t, ntpd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ntp_manage_log'($*)) dnl
')

## policy for numad

########################################
## Transition to numad.
##
## Parameter 1 (domain): Domain allowed to transition.
#
define(`numad_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `numad_domtrans'($*)) dnl
gen_require(`
	type numad_t, numad_exec_t;
')

	corecmd_search_bin($1)
	domtrans_pattern($1, numad_exec_t, numad_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `numad_domtrans'($*)) dnl
')

########################################
## Control the numad systemd unit from the
## given domain via systemctl.
##
## Parameter 1 (domain): Domain allowed to transition.
#
define(`numad_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `numad_systemctl'($*)) dnl
gen_require(`
	type numad_t;
	type numad_unit_file_t;
')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 numad_unit_file_t:file read_file_perms;
	# NOTE(review): all_service_perms here, whereas the other *_systemctl
	# interfaces in this file grant only manage_service_perms.
	allow $1 numad_unit_file_t:service all_service_perms;
	ps_process_pattern($1, numad_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `numad_systemctl'($*)) dnl
')

########################################
## Send and receive messages from
## numad over dbus.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`numad_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `numad_dbus_chat'($*)) dnl
gen_require(`
	type numad_t;
	class dbus send_msg;
')

	# Bidirectional: numad may also message $1.
	allow $1 numad_t:dbus send_msg;
	allow numad_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `numad_dbus_chat'($*)) dnl
')

########################################
## All of the rules required to administrate
## an numad environment
##
## Parameter 1 (domain): Domain allowed access.
#
define(`numad_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `numad_admin'($*)) dnl
gen_require(`
	type numad_t;
	type numad_unit_file_t;
')

	# NOTE(review): ptrace is unconditional here, unlike the deny_ptrace
	# gated grants in nscd_admin, nslcd_admin and ntp_admin.
	allow $1 numad_t:process { ptrace signal_perms };
	ps_process_pattern($1, numad_t)

	numad_systemctl($1)

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `numad_admin'($*)) dnl
')

## nut - Network UPS Tools

#######################################
## Creates types and rules for a basic
## Network UPS Tools systemd daemon domain.
##
## Parameter 1 (prefix): Prefix for the domain.
#
define(`nut_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nut_domain_template'($*)) dnl
gen_require(`
	attribute nut_domain;
')

	# Unlike nova_domain_template, this declares real per-service types,
	# so each nut_$1_t is its own domain (grouped under nut_domain).
	type nut_$1_t, nut_domain;
	type nut_$1_exec_t;
	init_daemon_domain(nut_$1_t, nut_$1_exec_t)

	type nut_$1_tmp_t;
	files_tmp_file(nut_$1_tmp_t)

	manage_dirs_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t)
	manage_files_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t)
	manage_lnk_files_pattern(nut_$1_t, nut_$1_tmp_t, nut_$1_tmp_t)
	files_tmp_filetrans(nut_$1_t, nut_$1_tmp_t, { lnk_file file dir })
	fs_tmpfs_filetrans(nut_$1_t, nut_$1_tmp_t, { lnk_file file dir })

	auth_use_nsswitch(nut_$1_t)

	logging_send_syslog_msg(nut_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nut_domain_template'($*)) dnl
')

#######################################
## Control the nut systemd unit from the given
## domain via systemctl. (The original summary said
## swift, a copy-paste leftover.)
##
## Parameter 1 (domain): Domain allowed to transition.
#
define(`nut_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nut_systemctl'($*)) dnl
gen_require(`
	type nut_t;
	type nut_unit_file_t;
')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 nut_unit_file_t:file read_file_perms;
	allow $1 nut_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, nut_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nut_systemctl'($*)) dnl
')

## NX remote desktop.

########################################
## Transition to nx server.
##
## Parameter 1 (domain): Domain allowed to transition.
#
define(`nx_spec_domtrans_server',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nx_spec_domtrans_server'($*)) dnl
gen_require(`
	type nx_server_t, nx_server_exec_t;
')

	corecmd_search_bin($1)
	# spec_domtrans: the transition is permitted but not automatic; the
	# caller has to request the nx_server_t context explicitly.
	spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nx_spec_domtrans_server'($*)) dnl
')

########################################
## Read nx home directory content.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`nx_read_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nx_read_home_files'($*)) dnl
gen_require(`
	type nx_server_home_ssh_t, nx_server_var_lib_t;
')

	files_search_var_lib($1)
	allow $1 nx_server_var_lib_t:dir search_dir_perms;
	# nx_server_home_ssh_t is the .ssh content of the nx server account
	# (see nx_filetrans_named_content); it may include private key
	# material, so grant this sparingly.
	read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
	read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nx_read_home_files'($*)) dnl
')

########################################
## Search nx lib directories.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`nx_search_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nx_search_var_lib'($*)) dnl
gen_require(`
	type nx_server_var_lib_t;
')

	files_search_var_lib($1)
	allow $1 nx_server_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nx_search_var_lib'($*)) dnl
')

########################################
## Create specified objects in nx lib
## directories with a private type.
##
## Parameter 1 (domain): Domain allowed access.
## Parameter 2 (private_type): The type of the object to be created.
## Parameter 3 (object_class): The object class of the object being created.
## Parameter 4 (name): The name of the object being created.
#
define(`nx_var_lib_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nx_var_lib_filetrans'($*)) dnl
gen_require(`
	type nx_server_var_lib_t;
')

	# $2 = new type, $3 = object class(es), $4 = optional file name.
	filetrans_pattern($1, nx_server_var_lib_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nx_var_lib_filetrans'($*)) dnl
')

########################################
## Transition to nx named content
##
## Parameter 1 (domain): Domain allowed access.
#
define(`nx_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `nx_filetrans_named_content'($*)) dnl
gen_require(`
	type nx_server_home_ssh_t, nx_server_var_lib_t;
')

	# A directory named .ssh created by $1 under nx_server_var_lib_t is
	# labeled nx_server_home_ssh_t.
	filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `nx_filetrans_named_content'($*)) dnl
')

## Open AntiVirus scannerdaemon and signature update.

########################################
## Execute oav_update in the oav_update domain.
##
## Parameter 1 (domain): Domain allowed to transition.
#
define(`oav_domtrans_update',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oav_domtrans_update'($*)) dnl
gen_require(`
	type oav_update_t, oav_update_exec_t;
')

	corecmd_search_bin($1)
	domtrans_pattern($1, oav_update_exec_t, oav_update_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oav_domtrans_update'($*)) dnl
')

########################################
## Execute oav_update in the oav update
## domain, and allow the specified role
## the oav_update domain.
##
## Parameter 1 (domain): Domain allowed to transition.
## Parameter 2 (role): Role allowed access.
#
define(`oav_run_update',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oav_run_update'($*)) dnl
gen_require(`
	attribute_role oav_update_roles;
')

	oav_domtrans_update($1)
	# Role authorization is done through the role attribute rather than
	# a direct role/types statement (compare nscd_run).
	roleattribute $2 oav_update_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oav_run_update'($*)) dnl
')

## D-Bus service providing high-level OBEX client and server side functionality.

########################################
## Transition to obex.
##
## Parameter 1 (domain): Domain allowed to transition.
#
define(`obex_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `obex_domtrans'($*)) dnl
gen_require(`
	type obex_t, obex_exec_t;
')

	corecmd_search_bin($1)
	domtrans_pattern($1, obex_exec_t, obex_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `obex_domtrans'($*)) dnl
')

########################################
## Send and receive messages from
## obex over dbus.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`obex_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `obex_dbus_chat'($*)) dnl
gen_require(`
	type obex_t;
	class dbus send_msg;
')

	# Bidirectional: obex may also message $1.
	allow $1 obex_t:dbus send_msg;
	allow obex_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `obex_dbus_chat'($*)) dnl
')

#######################################
## Role access for obex domains
## that executes via dbus-session
##
## Parameter 1 (role): The role associated with the user domain.
## Parameter 2 (domain): The type of the user domain.
## Parameter 3 (prefix): User domain prefix to be used.
## obex_role($1, $2, $3) — header comment is on the preceding line.
## Adds role $1 to obex_roles, lets user domain $2 signal and inspect
## (ps_process_pattern) obex_t, registers obex as a dbus-session domain for
## prefix $3, and grants $2 bidirectional dbus messaging with obex_t via
## obex_dbus_chat().
#
define(`obex_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `obex_role'($*)) dnl
	gen_require(`
		attribute_role obex_roles;
		type obex_t, obex_exec_t;
	')

	########################################
	#
	# Declarations
	#

	roleattribute $1 obex_roles;

	########################################
	#
	# Policy
	#

	allow $2 obex_t:process signal_perms;
	ps_process_pattern($2, obex_t)

	dbus_session_domain($3, obex_exec_t, obex_t)

	obex_dbus_chat($2) dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `obex_role'($*)) dnl
')

##
## Oddjob provides a mechanism by which unprivileged applications can
## request that specified privileged operations be performed on their
## behalf.
##

########################################
## oddjob_domtrans($1)
## Execute a domain transition to run oddjob: $1 transitions to oddjob_t
## when executing oddjob_exec_t.  Unlike obex_domtrans above, no
## corecmd_search_bin($1) is granted here, so the caller is presumably
## expected to already have bin search access — confirm before relying on it.
##   $1: Domain allowed to transition.
#
define(`oddjob_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_domtrans'($*)) dnl
	gen_require(`
		type oddjob_t, oddjob_exec_t;
	')

	domtrans_pattern($1, oddjob_exec_t, oddjob_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_domtrans'($*)) dnl
')

#####################################
## oddjob_dontaudit_rw_fifo_file($1)
## Do not audit attempts to read and write an inherited oddjob fifo file.
## This only silences denials; it grants nothing.
##   $1: Domain to not audit.
#
define(`oddjob_dontaudit_rw_fifo_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_dontaudit_rw_fifo_file'($*)) dnl
	gen_require(`
		type oddjob_t;
	')

	dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_dontaudit_rw_fifo_file'($*)) dnl
')

########################################
## oddjob_system_entry($1, $2) — defined on the following line.
## Make the specified program domain accessible from oddjob.
##   $1: The type of the process to transition to.
##   $2: The type of the file used as an entrypoint to this domain.
##
## oddjob_system_entry($1, $2): oddjob_t transitions to $1 when it executes
## $2, and $1 is additionally passed to domain_user_exemption_target().
## NOTE(review): the exemption widens what $1 is allowed relative to user
## domains; callers should only pass helper domains that are meant to be
## reachable via oddjob — confirm the exemption semantics in domain.if.
#
define(`oddjob_system_entry',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_system_entry'($*)) dnl
	gen_require(`
		type oddjob_t;
	')

	domtrans_pattern(oddjob_t, $2, $1)
	domain_user_exemption_target($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_system_entry'($*)) dnl
')

########################################
## oddjob_dbus_chat($1)
## Send and receive messages from oddjob over dbus (symmetric send_msg).
##   $1: Domain allowed access.
#
define(`oddjob_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_dbus_chat'($*)) dnl
	gen_require(`
		type oddjob_t;
		class dbus send_msg;
	')

	allow $1 oddjob_t:dbus send_msg;
	allow oddjob_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_dbus_chat'($*)) dnl
')

######################################
## oddjob_sigchld($1)
## Send a SIGCHLD signal to oddjob.
##   $1: Domain allowed access.
#
define(`oddjob_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_sigchld'($*)) dnl
	gen_require(`
		type oddjob_t;
	')

	allow $1 oddjob_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_sigchld'($*)) dnl
')

########################################
## oddjob_domtrans_mkhomedir($1) — defined on the following line.
## Execute a domain transition to run oddjob_mkhomedir.
##   $1: Domain allowed to transition.
## oddjob_domtrans_mkhomedir($1) — header comment is on the preceding line.
## $1 transitions to oddjob_mkhomedir_t when executing
## oddjob_mkhomedir_exec_t.
#
define(`oddjob_domtrans_mkhomedir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_domtrans_mkhomedir'($*)) dnl
	gen_require(`
		type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
	')

	domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_domtrans_mkhomedir'($*)) dnl
')

########################################
## oddjob_run_mkhomedir($1, $2)
## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain and
## authorise role $2 for that domain.
##   $1: Domain allowed to transition.
##   $2: Role allowed access.
#
define(`oddjob_run_mkhomedir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_run_mkhomedir'($*)) dnl
	gen_require(`
		type oddjob_mkhomedir_t;
	')

	oddjob_domtrans_mkhomedir($1)
	role $2 types oddjob_mkhomedir_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_run_mkhomedir'($*)) dnl
')

########################################
## oddjob_run($1, $2)
## Execute the oddjob program in the oddjob domain and authorise role $2
## for oddjob_t.
##   $1: Domain allowed to transition.
##   $2: Role allowed access.
#
define(`oddjob_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_run'($*)) dnl
	gen_require(`
		type oddjob_t;
	')

	oddjob_domtrans($1)
	role $2 types oddjob_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_run'($*)) dnl
')

#######################################
## oddjob_systemctl($1) — defined on the following line.
## Manage the oddjob service through systemctl (the original summary,
## "Execute oddjob in the oddjob domain", does not match the rules).
##   $1: Domain allowed access.
## oddjob_systemctl($1) — header comment is on the preceding line.
## $1 may run systemctl, reload init services, read the oddjob unit file,
## manage the oddjob service, and inspect oddjob_t processes.  There is no
## domain transition into oddjob_t here.
#
define(`oddjob_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_systemctl'($*)) dnl
	gen_require(`
		type oddjob_unit_file_t;
		type oddjob_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 oddjob_unit_file_t:file read_file_perms;
	allow $1 oddjob_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, oddjob_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_systemctl'($*)) dnl
')

########################################
## oddjob_ranged_domain($1, $2, $3)
## Create a domain that oddjob_t can start via oddjob_system_entry(), with
## an MCS/MLS range transition on the entry point.  Under enable_mls the
## new domain is also registered as an mls range-transition target.
##   $1: Type to be used as a domain.
##   $2: Type of the program to be used as an entry point to this domain.
##   $3: Range for the domain.
#
define(`oddjob_ranged_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_ranged_domain'($*)) dnl
	gen_require(`
		type oddjob_t;
	')

	oddjob_system_entry($1, $2)

	ifdef(`enable_mcs',`
		range_transition oddjob_t $2:process $3;
	')

	ifdef(`enable_mls',`
		range_transition oddjob_t $2:process $3;
		mls_rangetrans_target($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_ranged_domain'($*)) dnl
')

########################################
## oddjob_mkhomedir_entrypoint($1)
## Allow any oddjob_mkhomedir_exec_t file to be an entrypoint of $1.
##   $1: Domain allowed access.
#
define(`oddjob_mkhomedir_entrypoint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oddjob_mkhomedir_entrypoint'($*)) dnl
	gen_require(`
		type oddjob_mkhomedir_exec_t;
	')

	allow $1 oddjob_mkhomedir_exec_t:file entrypoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oddjob_mkhomedir_entrypoint'($*)) dnl
')

## An ident daemon with IP masq/NAT support and the ability to specify responses.
########################################
## oident_role($1, $2)
## Role access for oident.  DEPRECATED: this interface emits a
## refpolicywarn and grants nothing; the parameters are ignored.
##   $1: Role allowed access.
##   $2: User domain for the role.
#
define(`oident_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oident_role'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oident_role'($*)) dnl
')

########################################
## oident_read_user_content($1)
## Read oidentd user home content: search user home directories and read
## files labelled oidentd_home_t.
##   $1: Domain allowed access.
#
define(`oident_read_user_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oident_read_user_content'($*)) dnl
	gen_require(`
		type oidentd_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 oidentd_home_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oident_read_user_content'($*)) dnl
')

########################################
## oident_manage_user_content($1)
## Create, read, write, and delete oidentd user home content (file class
## only).
##   $1: Domain allowed access.
#
define(`oident_manage_user_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oident_manage_user_content'($*)) dnl
	gen_require(`
		type oidentd_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 oidentd_home_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oident_manage_user_content'($*)) dnl
')

########################################
## oident_relabel_user_content($1) — defined on the following line.
## Relabel oidentd user home content.
##   $1: Domain allowed access.
## oident_relabel_user_content($1) — header comment is on the preceding
## line.  Grants relabelfrom/relabelto (relabel_file_perms) on
## oidentd_home_t files; relabelling is how a domain can move content in or
## out of this type, so keep it limited to trusted callers.
#
define(`oident_relabel_user_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oident_relabel_user_content'($*)) dnl
	gen_require(`
		type oidentd_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 oidentd_home_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oident_relabel_user_content'($*)) dnl
')

########################################
## oident_home_filetrans_oidentd_home($1, $2, $3)
## Create objects in user home directories with the oidentd home type.
## $2 and $3 are passed through to userdom_user_home_dir_filetrans().
##   $1: Domain allowed access.
##   $2: Class of the object being created.
##   $3: The name of the object being created.
#
define(`oident_home_filetrans_oidentd_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oident_home_filetrans_oidentd_home'($*)) dnl
	gen_require(`
		type oidentd_home_t;
	')

	userdom_user_home_dir_filetrans($1, oidentd_home_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oident_home_filetrans_oidentd_home'($*)) dnl
')

########################################
## oident_admin($1, $2)
## All of the rules required to administrate an oident environment.
## NOTE(review): ptrace on oidentd_t is granted unconditionally here,
## whereas opendnssec_admin below gates it behind the deny_ptrace tunable;
## the two admin interfaces would be more consistent (and ptrace easier to
## disable fleet-wide) if this one used the same tunable_policy block.
##   $1: Domain allowed access.
##   $2: Role allowed access.
#
define(`oident_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oident_admin'($*)) dnl
	gen_require(`
		type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t;
	')

	allow $1 oidentd_t:process { ptrace signal_perms };
	ps_process_pattern($1, oidentd_t)

	init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 oidentd_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, oidentd_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oident_admin'($*)) dnl
')

## Policy for opafm

## Open Certificate Authority.
########################################
## openca_domtrans($1)
## Execute openca with a domain transition: $1 may search /usr and the
## openca_usr_share_t directory, and transitions to openca_ca_t when
## executing openca_ca_exec_t.
##   $1: Domain allowed to transition.
#
define(`openca_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openca_domtrans'($*)) dnl
	gen_require(`
		type openca_ca_t, openca_ca_exec_t, openca_usr_share_t;
	')

	files_search_usr($1)
	allow $1 openca_usr_share_t:dir search_dir_perms;
	domtrans_pattern($1, openca_ca_exec_t, openca_ca_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openca_domtrans'($*)) dnl
')

########################################
## openca_signal($1)
## Send generic signals to openca.
##   $1: Domain allowed access.
#
define(`openca_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openca_signal'($*)) dnl
	gen_require(`
		type openca_ca_t;
	')

	allow $1 openca_ca_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openca_signal'($*)) dnl
')

########################################
## openca_sigstop($1)
## Send stop signals to openca.
##   $1: Domain allowed access.
#
define(`openca_sigstop',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openca_sigstop'($*)) dnl
	gen_require(`
		type openca_ca_t;
	')

	allow $1 openca_ca_t:process sigstop;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openca_sigstop'($*)) dnl
')

########################################
## openca_kill($1)
## Send kill signals (sigkill) to openca.
##   $1: Domain allowed access.
#
define(`openca_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openca_kill'($*)) dnl
	gen_require(`
		type openca_ca_t;
	')

	allow $1 openca_ca_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openca_kill'($*)) dnl
')

## Service for handling smart card readers.
########################################
## openct_signull($1)
## Send null signals to openct (existence check only).
##   $1: Domain allowed access.
#
define(`openct_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openct_signull'($*)) dnl
	gen_require(`
		type openct_t;
	')

	allow $1 openct_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openct_signull'($*)) dnl
')

########################################
## openct_exec($1)
## Execute openct in the caller domain (no domain transition; the caller
## keeps its own label while running openct_exec_t).
##   $1: Domain allowed access.
#
define(`openct_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openct_exec'($*)) dnl
	gen_require(`
		type openct_t, openct_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, openct_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openct_exec'($*)) dnl
')

########################################
## openct_domtrans($1)
## Execute a domain transition to run openct: $1 becomes openct_t when
## executing openct_exec_t.
##   $1: Domain allowed to transition.
#
define(`openct_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openct_domtrans'($*)) dnl
	gen_require(`
		type openct_t, openct_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, openct_exec_t, openct_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openct_domtrans'($*)) dnl
')

########################################
## openct_read_pid_files($1) — defined on the following line.
## Read openct pid files.
##   $1: Domain allowed access.
## openct_read_pid_files($1) — header comment is on the preceding line.
## Search the pid directory and read files labelled openct_var_run_t.
#
define(`openct_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openct_read_pid_files'($*)) dnl
	gen_require(`
		type openct_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, openct_var_run_t, openct_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openct_read_pid_files'($*)) dnl
')

########################################
## openct_stream_connect($1)
## Connect to openct over a unix domain stream socket labelled
## openct_var_run_t.
##   $1: Domain allowed access.
#
define(`openct_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openct_stream_connect'($*)) dnl
	gen_require(`
		type openct_t, openct_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, openct_var_run_t, openct_var_run_t, openct_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openct_stream_connect'($*)) dnl
')

########################################
## openct_admin($1, $2)
## All of the rules required to administrate an openct environment.
## NOTE(review): ptrace on openct_t is granted unconditionally (see the
## deny_ptrace tunable used by opendnssec_admin for the gated form).
##   $1: Domain allowed access.
##   $2: Role allowed access.
#
define(`openct_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openct_admin'($*)) dnl
	gen_require(`
		type openct_t, openct_initrc_exec_t, openct_var_run_t;
	')

	allow $1 openct_t:process { ptrace signal_perms };
	ps_process_pattern($1, openct_t)

	init_labeled_script_domtrans($1, openct_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 openct_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_pids($1)
	admin_pattern($1, openct_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openct_admin'($*)) dnl
')

## policy for opendnssec

########################################
## opendnssec_domtrans($1) — defined on the following line.
## Execute opendnssec_exec_t in the opendnssec domain.
##   $1: Domain allowed to transition.
## opendnssec_domtrans($1) — header comment is on the preceding line.
## $1 may search bin directories and transitions to opendnssec_t when
## executing opendnssec_exec_t.
#
define(`opendnssec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opendnssec_domtrans'($*)) dnl
	gen_require(`
		type opendnssec_t, opendnssec_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, opendnssec_exec_t, opendnssec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opendnssec_domtrans'($*)) dnl
')

######################################
## opendnssec_exec($1)
## Execute opendnssec in the caller domain (no transition).
##   $1: Domain allowed access.
#
define(`opendnssec_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opendnssec_exec'($*)) dnl
	gen_require(`
		type opendnssec_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, opendnssec_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opendnssec_exec'($*)) dnl
')

########################################
## opendnssec_read_config($1)
## Read the opendnssec configuration: search /etc, list opendnssec_conf_t
## directories and read opendnssec_conf_t files.
##   $1: Domain allowed access.
#
define(`opendnssec_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opendnssec_read_config'($*)) dnl
	gen_require(`
		type opendnssec_conf_t;
	')

	files_search_etc($1)
	allow $1 opendnssec_conf_t:dir list_dir_perms;
	allow $1 opendnssec_conf_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opendnssec_read_config'($*)) dnl
')

########################################
## opendnssec_manage_config($1) — defined on the following line.
## Manage (create, read, write, delete) the opendnssec configuration files
## and directories.  The original summary said "Read", which does not
## match the manage_*_perms it grants.
##   $1: Domain allowed access.
## opendnssec_manage_config($1) — header comment is on the preceding line.
## Grants manage_dir_perms and manage_file_perms on opendnssec_conf_t; a
## domain with this interface can rewrite signing configuration, so it
## should only be given to the opendnssec admin/tooling domains.
#
define(`opendnssec_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opendnssec_manage_config'($*)) dnl
	gen_require(`
		type opendnssec_conf_t;
	')

	files_search_etc($1)
	allow $1 opendnssec_conf_t:dir manage_dir_perms;
	allow $1 opendnssec_conf_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opendnssec_manage_config'($*)) dnl
')

########################################
## opendnssec_manage_var_files($1)
## Allow the specified domain to read and write opendnssec /var files
## (manage_files_pattern on opendnssec_var_t, plus /var and /var/lib
## search).
##   $1: Domain allowed access.
#
define(`opendnssec_manage_var_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opendnssec_manage_var_files'($*)) dnl
	gen_require(`
		type opendnssec_var_t;
	')

	files_search_var($1)
	files_search_var_lib($1)
	manage_files_pattern($1, opendnssec_var_t, opendnssec_var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opendnssec_manage_var_files'($*)) dnl
')

########################################
## opendnssec_read_pid_files($1)
## Read opendnssec PID files.
##   $1: Domain allowed access.
#
define(`opendnssec_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opendnssec_read_pid_files'($*)) dnl
	gen_require(`
		type opendnssec_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, opendnssec_var_run_t, opendnssec_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opendnssec_read_pid_files'($*)) dnl
')

########################################
## opendnssec_systemctl($1) — defined on the following line.
## Manage the opendnssec service through systemctl.  (The original
## summary, "Execute opendnssec server in the opendnssec domain", does not
## describe the rules: there is no domain transition.)
##   $1: Domain allowed access.
## opendnssec_systemctl($1) — header comment is on the preceding line.
## $1 may run systemctl, read the systemd passwd fifo, read the opendnssec
## unit file, manage the opendnssec service and inspect opendnssec_t.
#
define(`opendnssec_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opendnssec_systemctl'($*)) dnl
	gen_require(`
		type opendnssec_t;
		type opendnssec_unit_file_t;
	')

	systemd_exec_systemctl($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 opendnssec_unit_file_t:file read_file_perms;
	allow $1 opendnssec_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, opendnssec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opendnssec_systemctl'($*)) dnl
')

########################################
## opendnssec_admin($1, $2)
## All of the rules required to administrate an opendnssec environment.
## ptrace on opendnssec_t is only granted when the deny_ptrace tunable is
## off; this is the pattern the other *_admin interfaces in this file
## should follow.  Note that all_service_perms on the unit file is broader
## than the manage_service_perms given by opendnssec_systemctl().
##   $1: Domain allowed access.
##   $2: Role allowed access.
#
define(`opendnssec_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opendnssec_admin'($*)) dnl
	gen_require(`
		type opendnssec_t;
		type opendnssec_var_run_t;
		type opendnssec_unit_file_t;
	')

	allow $1 opendnssec_t:process { signal_perms };
	ps_process_pattern($1, opendnssec_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 opendnssec_t:process ptrace;
	')

	files_search_pids($1)
	admin_pattern($1, opendnssec_var_run_t)

	opendnssec_systemctl($1)
	admin_pattern($1, opendnssec_unit_file_t)
	allow $1 opendnssec_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opendnssec_admin'($*)) dnl
')

########################################
## opendnssec_filetrans_etc_content($1) — defined on the following line.
## Transition files created in /etc to opendnssec_conf_t.  (The original
## summary, "Transition to quota named content", is a copy-paste left over
## from another module.)
##   $1: Domain allowed access.
## opendnssec_filetrans_etc_content($1) — header comment is on the
## preceding line.  Files (class "file" only, no file name filter) that $1
## creates in /etc are labelled opendnssec_conf_t.
#
define(`opendnssec_filetrans_etc_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opendnssec_filetrans_etc_content'($*)) dnl
	gen_require(`
		type opendnssec_conf_t;
	')

	files_etc_filetrans($1, opendnssec_conf_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opendnssec_filetrans_etc_content'($*)) dnl
')

########################################
## opendnssec_stream_connect($1)
## Connect to opendnssec over a unix stream socket labelled
## opendnssec_var_run_t.
##   $1: Domain allowed access.
#
define(`opendnssec_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opendnssec_stream_connect'($*)) dnl
	gen_require(`
		type opendnssec_t, opendnssec_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, opendnssec_var_run_t, opendnssec_var_run_t, opendnssec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opendnssec_stream_connect'($*)) dnl
')

## Fortinet compatible SSL VPN daemons.

########################################
## openfortivpn_domtrans($1)
## Transition to openfortivpn: $1 may search bin directories and becomes
## openfortivpn_t when executing openfortivpn_exec_t.
##   $1: Domain allowed to transition.
#
define(`openfortivpn_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openfortivpn_domtrans'($*)) dnl
	gen_require(`
		type openfortivpn_t, openfortivpn_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, openfortivpn_exec_t, openfortivpn_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openfortivpn_domtrans'($*)) dnl
')

########################################
## openfortivpn_signal($1) — defined on the following line.
## Allow sending a generic signal to openfortivpn.
##   $1: Domain allowed access.
## openfortivpn_signal($1) — header comment is on the preceding line.
#
define(`openfortivpn_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openfortivpn_signal'($*)) dnl
	gen_require(`
		type openfortivpn_t;
	')

	allow $1 openfortivpn_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openfortivpn_signal'($*)) dnl
')

########################################
## openfortivpn_signull($1)
## Allow sending signull to openfortivpn.
##   $1: Domain allowed access.
#
define(`openfortivpn_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openfortivpn_signull'($*)) dnl
	gen_require(`
		type openfortivpn_t;
	')

	allow $1 openfortivpn_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openfortivpn_signull'($*)) dnl
')

########################################
## openfortivpn_sigkill($1)
## Allow sending sigkill to openfortivpn.
##   $1: Domain allowed access.
#
define(`openfortivpn_sigkill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openfortivpn_sigkill'($*)) dnl
	gen_require(`
		type openfortivpn_t;
	')

	allow $1 openfortivpn_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openfortivpn_sigkill'($*)) dnl
')

########################################
## openfortivpn_dbus_chat($1)
## Send and receive messages from openfortivpn over dbus (symmetric
## send_msg).
##   $1: Domain allowed access.
#
define(`openfortivpn_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openfortivpn_dbus_chat'($*)) dnl
	gen_require(`
		type openfortivpn_t;
		class dbus send_msg;
	')

	allow $1 openfortivpn_t:dbus send_msg;
	allow openfortivpn_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openfortivpn_dbus_chat'($*)) dnl
')

########################################
## openfortivpn_use_ptys($1) — defined on the following line.
## Read from and write to the openfortivpn devpts.
##   $1: Domain allowed access.
##
## openfortivpn_use_ptys($1): grants rw_term_perms on chr_file objects
## labelled openfortivpn_devpts_t.  A domain with this interface can read
## and write the VPN daemon's terminal, so limit it to the domains that
## actually drive that pty.
#
define(`openfortivpn_use_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openfortivpn_use_ptys'($*)) dnl
	gen_require(`
		type openfortivpn_devpts_t;
	')

	allow $1 openfortivpn_devpts_t:chr_file rw_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openfortivpn_use_ptys'($*)) dnl
')

## policy for openhpid

########################################
## openhpid_domtrans($1)
## Transition to openhpid: $1 may search bin directories and becomes
## openhpid_t when executing openhpid_exec_t.
##   $1: Domain allowed to transition.
#
define(`openhpid_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openhpid_domtrans'($*)) dnl
	gen_require(`
		type openhpid_t, openhpid_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, openhpid_exec_t, openhpid_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openhpid_domtrans'($*)) dnl
')

########################################
## openhpid_initrc_domtrans($1)
## Run the openhpid init script (openhpid_initrc_exec_t) through the
## labelled init-script transition.  The original summary, "Execute
## openhpid server in the openhpid domain", overstates it: this does not
## transition into openhpid_t itself.
##   $1: Domain allowed access.
#
define(`openhpid_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openhpid_initrc_domtrans'($*)) dnl
	gen_require(`
		type openhpid_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openhpid_initrc_domtrans'($*)) dnl
')

########################################
## openhpid_search_lib($1) — defined on the following line.
## Search openhpid lib directories.
##   $1: Domain allowed access.
## openhpid_search_lib($1) — header comment is on the preceding line.
## search_dir_perms on openhpid_var_lib_t plus /var/lib search.
#
define(`openhpid_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openhpid_search_lib'($*)) dnl
	gen_require(`
		type openhpid_var_lib_t;
	')

	allow $1 openhpid_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openhpid_search_lib'($*)) dnl
')

########################################
## openhpid_read_lib_files($1)
## Read openhpid lib files (read_files_pattern on openhpid_var_lib_t).
##   $1: Domain allowed access.
#
define(`openhpid_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openhpid_read_lib_files'($*)) dnl
	gen_require(`
		type openhpid_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openhpid_read_lib_files'($*)) dnl
')

########################################
## openhpid_manage_lib_files($1)
## Manage openhpid lib files (manage_files_pattern on openhpid_var_lib_t;
## directories are covered separately by openhpid_manage_lib_dirs()).
##   $1: Domain allowed access.
#
define(`openhpid_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openhpid_manage_lib_files'($*)) dnl
	gen_require(`
		type openhpid_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openhpid_manage_lib_files'($*)) dnl
')

########################################
## openhpid_manage_lib_dirs($1) — defined on the following line.
## Manage openhpid lib directories.
##   $1: Domain allowed access.
## openhpid_manage_lib_dirs($1) — header comment is on the preceding line.
## manage_dirs_pattern on openhpid_var_lib_t plus /var/lib search.
#
define(`openhpid_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openhpid_manage_lib_dirs'($*)) dnl
	gen_require(`
		type openhpid_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openhpid_manage_lib_dirs'($*)) dnl
')

########################################
## openhpid_admin($1, $2)
## All of the rules required to administrate an openhpid environment.
## NOTE(review): ptrace on openhpid_t is granted unconditionally (compare
## the deny_ptrace-gated form in opendnssec_admin).
##   $1: Domain allowed access.
##   $2: Role allowed access.
#
define(`openhpid_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openhpid_admin'($*)) dnl
	gen_require(`
		type openhpid_t;
		type openhpid_initrc_exec_t;
		type openhpid_var_lib_t;
	')

	allow $1 openhpid_t:process { ptrace signal_perms };
	ps_process_pattern($1, openhpid_t)

	openhpid_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 openhpid_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_var_lib($1)
	admin_pattern($1, openhpid_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openhpid_admin'($*)) dnl
')

##
## policy for openshift

########################################
## openshift_initrc_domtrans($1)
## Execute the openshift init script in the openshift_initrc_t domain:
## $1 transitions to openshift_initrc_t when executing
## openshift_initrc_exec_t.
##   $1: The type of the process performing this action.
#
define(`openshift_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_initrc_domtrans'($*)) dnl
	gen_require(`
		type openshift_initrc_t;
		type openshift_initrc_exec_t;
	')

	domtrans_pattern($1, openshift_initrc_exec_t, openshift_initrc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_initrc_domtrans'($*)) dnl
')

#######################################
## openshift_initrc_run($1, $2) — defined on the following line.
## Execute the openshift init script in the openshift_initrc_t domain and
## authorise a role for it.
##   $1: The type of the process performing this action.
##   $2: Role access to this domain.
##
## openshift_initrc_run($1, $2): openshift_initrc_domtrans($1) plus
## `role $2 types openshift_initrc_t;`.
#
define(`openshift_initrc_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_initrc_run'($*)) dnl
	gen_require(`
		type openshift_initrc_t;
		type openshift_initrc_exec_t;
	')

	openshift_initrc_domtrans($1)
	role $2 types openshift_initrc_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_initrc_run'($*)) dnl
')

########################################
## openshift_initrc_signull($1)
## Send a null signal to openshift init scripts.
##   $1: Domain allowed access.
#
define(`openshift_initrc_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_initrc_signull'($*)) dnl
	gen_require(`
		type openshift_initrc_t;
	')

	allow $1 openshift_initrc_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_initrc_signull'($*)) dnl
')

#######################################
## openshift_initrc_signal($1)
## Send a generic signal to openshift init scripts.
##   $1: Domain allowed access.
#
define(`openshift_initrc_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_initrc_signal'($*)) dnl
	gen_require(`
		type openshift_initrc_t;
	')

	allow $1 openshift_initrc_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_initrc_signal'($*)) dnl
')

########################################
## openshift_search_cache($1) — defined on the following line.
## Search openshift cache directories (deprecated; see below).
##   $1: Domain allowed access.
## openshift_search_cache($1) — header comment is on the preceding line.
## DEPRECATED: emits a refpolicywarn and grants nothing.
#
define(`openshift_search_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_search_cache'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_search_cache'($*)) dnl
')

########################################
## openshift_read_cache_files($1)
## Read openshift cache files.  DEPRECATED: emits a refpolicywarn and
## grants nothing.
##   $1: Domain allowed access.
#
define(`openshift_read_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_read_cache_files'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_read_cache_files'($*)) dnl
')

########################################
## openshift_manage_cache_files($1)
## Create, read, write, and delete openshift cache files.  DEPRECATED:
## emits a refpolicywarn and grants nothing.
##   $1: Domain allowed access.
#
define(`openshift_manage_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_manage_cache_files'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_manage_cache_files'($*)) dnl
')

########################################
## openshift_manage_cache_dirs($1)
## Create, read, write, and delete openshift cache dirs.  DEPRECATED:
## emits a refpolicywarn and grants nothing.
##   $1: Domain allowed access.
#
define(`openshift_manage_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_manage_cache_dirs'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_manage_cache_dirs'($*)) dnl
')

########################################
## openshift_read_log($1) — defined on the following line.
## Allow the specified domain to read openshift's log files.
##   $1: Domain allowed access.
##	</summary>
## </param>
#
define(`openshift_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_read_log'($*)) dnl
	gen_require(`
		type openshift_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, openshift_log_t, openshift_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_read_log'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to append
##	openshift log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openshift_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_append_log'($*)) dnl
	gen_require(`
		type openshift_log_t;
	')

	logging_search_logs($1)
	append_files_pattern($1, openshift_log_t, openshift_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_append_log'($*)) dnl
')

########################################
## <summary>
##	Allow domain to manage openshift log files,
##	directories and symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openshift_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_manage_log'($*)) dnl
	gen_require(`
		type openshift_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, openshift_log_t, openshift_log_t)
	manage_files_pattern($1, openshift_log_t, openshift_log_t)
	manage_lnk_files_pattern($1, openshift_log_t, openshift_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_manage_log'($*)) dnl
')

########################################
## <summary>
##	Search openshift lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openshift_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_search_lib'($*)) dnl
	gen_require(`
		type openshift_var_lib_t;
	')

	search_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
	getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_search_lib'($*)) dnl
')

########################################
## <summary>
##	Getattr openshift lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openshift_getattr_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_getattr_lib'($*)) dnl
	gen_require(`
		type openshift_var_lib_t;
	')

	getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_getattr_lib'($*)) dnl
')

########################################
## <summary>
##	Read openshift lib files and symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openshift_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_read_lib_files'($*)) dnl
	gen_require(`
		type openshift_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
	read_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Append openshift lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openshift_append_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_append_lib_files'($*)) dnl
	gen_require(`
		type openshift_var_lib_t;
	')

	files_search_var_lib($1)
	append_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_append_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	openshift lib files and symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openshift_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_manage_lib_files'($*)) dnl
	gen_require(`
		type openshift_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
	manage_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	openshift lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openshift_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_manage_lib_dirs'($*)) dnl
	gen_require(`
		type openshift_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Manage openshift lib content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Note: this is broader than the openshift_manage_lib_* interfaces: it
# covers every type carrying the openshift_file_type attribute, for dirs,
# files, symbolic links and socket files.
define(`openshift_manage_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_manage_content'($*)) dnl
	gen_require(`
		attribute openshift_file_type;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, openshift_file_type, openshift_file_type)
	manage_files_pattern($1, openshift_file_type, openshift_file_type)
	manage_lnk_files_pattern($1, openshift_file_type, openshift_file_type)
	manage_sock_files_pattern($1, openshift_file_type, openshift_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_manage_content'($*)) dnl
')

########################################
## <summary>
##	Relabel openshift library files and directories.
## </summary>
## <desc>
##	<p>
##	NOTE(review): despite the relabelfrom name, this uses the
##	relabel_dirs_pattern/relabel_files_pattern support macros,
##	which are expected to grant relabelto as well as relabelfrom;
##	confirm callers need both directions.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openshift_relabelfrom_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_relabelfrom_lib'($*)) dnl
	gen_require(`
		type openshift_var_lib_t;
	')

	files_search_var_lib($1)
	relabel_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
	relabel_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_relabelfrom_lib'($*)) dnl
')

########################################
## <summary>
##	Create private objects in the
##	openshift lib directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class of the object being created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`openshift_lib_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_lib_filetrans'($*)) dnl
	gen_require(`
		type openshift_var_lib_t;
	')

	files_search_var_lib($1)
	filetrans_pattern($1, openshift_var_lib_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_lib_filetrans'($*)) dnl
')

########################################
## <summary>
##	Read openshift PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openshift_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_read_pid_files'($*)) dnl
	gen_require(`
		type openshift_var_run_t;
	')

	files_search_pids($1)
	allow $1 openshift_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	an openshift environment
## </summary>
## <desc>
##	<p>
##	Grants signal and ps access to every openshift_domain type,
##	ptrace of those domains unless the deny_ptrace tunable is set,
##	a domain transition through the init script, a role transition
##	of the given role into system_r, and full admin_pattern access
##	to the openshift log, lib and pid types.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`openshift_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_admin'($*)) dnl
	gen_require(`
		attribute openshift_domain;
		type openshift_initrc_exec_t;
		type openshift_log_t;
		type openshift_var_lib_t;
		type openshift_var_run_t;
	')

	allow $1 openshift_domain:process signal_perms;
	# ptrace of the openshift domains is withheld when deny_ptrace is on
	tunable_policy(`deny_ptrace',`',`
		allow $1 openshift_domain:process ptrace;
	')
	ps_process_pattern($1, openshift_domain)

	openshift_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 openshift_initrc_exec_t system_r;
	allow $2 system_r;

	logging_search_logs($1)
	admin_pattern($1, openshift_log_t)

	files_search_var_lib($1)
	admin_pattern($1, openshift_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, openshift_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_admin'($*)) dnl
')

########################################
## <summary>
##	Declare the types for an openshift service domain
##	and make them usable as openshift domains.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix of the domain (e.g., openshift
##	is the prefix for openshift_t).
##	</summary>
## </param>
#
# Declares two domains: prefix_t (openshift_domain and
# openshift_user_domain) and prefix_app_t (openshift_domain only).
# Both run under system_r, are mcs_constrained, carry the
# domain_user_exemption_target, domain_obj_id_change_exemption and
# domain_dyntrans_type properties, use nsswitch, read kernel system
# state and send syslog messages; only prefix_t additionally gets
# domain_subj_id_change_exemption.
define(`openshift_service_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_service_domain_template'($*)) dnl
	gen_require(`
		attribute openshift_domain;
		attribute openshift_user_domain;
	')

	type $1_t;
	typeattribute $1_t openshift_domain, openshift_user_domain;
	domain_type($1_t)
	role system_r types $1_t;

	mcs_constrained($1_t)
	domain_user_exemption_target($1_t)
	auth_use_nsswitch($1_t)
	domain_subj_id_change_exemption($1_t)
	domain_obj_id_change_exemption($1_t)
	domain_dyntrans_type($1_t)
	kernel_read_system_state($1_t)
	logging_send_syslog_msg($1_t)

	type $1_app_t;
	typeattribute $1_app_t openshift_domain;
	domain_type($1_app_t)
	role system_r types $1_app_t;

	mcs_constrained($1_app_t)
	domain_user_exemption_target($1_app_t)
	domain_obj_id_change_exemption($1_app_t)
	domain_dyntrans_type($1_app_t)
	auth_use_nsswitch($1_app_t)
	kernel_read_system_state($1_app_t)
	logging_send_syslog_msg($1_app_t) dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_service_domain_template'($*)) dnl
')

########################################
## <summary>
##	Mark the specified type with the
##	openshift_net_domain attribute.
## </summary>
## <param name="type">
##	<summary>
##	Type to be used as an openshift domain type.
##	</summary>
## </param>
#
define(`openshift_net_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_net_type'($*)) dnl
	gen_require(`
		attribute openshift_net_domain;
	')

	typeattribute $1 openshift_net_domain;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_net_type'($*)) dnl
')

########################################
## <summary>
##	Read and write inherited openshift files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Applies to every type with the openshift_file_type attribute,
# but only to already-open (inherited) file descriptors.
define(`openshift_rw_inherited_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_rw_inherited_content'($*)) dnl
	gen_require(`
		attribute openshift_file_type;
	')

	allow $1 openshift_file_type:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_rw_inherited_content'($*)) dnl
')

########################################
## <summary>
##	Manage openshift tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openshift_manage_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_manage_tmp_files'($*)) dnl
	gen_require(`
		type openshift_tmp_t;
	')

	manage_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_manage_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Manage openshift tmp sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openshift_manage_tmp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_manage_tmp_sockets'($*)) dnl
	gen_require(`
		type openshift_tmp_t;
	')

	manage_sock_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_manage_tmp_sockets'($*)) dnl
')

########################################
## <summary>
##	Mounton openshift tmp directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openshift_mounton_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_mounton_tmp'($*)) dnl
	gen_require(`
		type openshift_tmp_t;
	')

	allow $1 openshift_tmp_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_mounton_tmp'($*)) dnl
')

########################################
## <summary>
##	Dontaudit read and write of inherited
##	openshift and openshift init script fifo files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`openshift_dontaudit_rw_inherited_fifo_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_dontaudit_rw_inherited_fifo_files'($*)) dnl
	gen_require(`
		type openshift_initrc_t;
		type openshift_t;
	')

	dontaudit $1 openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
	dontaudit $1 openshift_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_dontaudit_rw_inherited_fifo_files'($*)) dnl
')

########################################
## <summary>
##	Allow calling app to transition to an openshift domain
## </summary>
## <desc>
##	<p>
##	Grants the process transition into openshift_user_domain,
##	lets the new domain use the caller fds and inherited fifos and
##	send sigchld back, and silences the noatsecure, siginh,
##	rlimitinh and inherited socket read/write denials.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
define(`openshift_transition',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_transition'($*)) dnl
	gen_require(`
		attribute openshift_user_domain;
	')

	allow $1 openshift_user_domain:process transition;
	dontaudit $1 openshift_user_domain:process { noatsecure siginh rlimitinh };
	allow openshift_user_domain $1:fd use;
	allow openshift_user_domain $1:fifo_file rw_inherited_fifo_file_perms;
	allow openshift_user_domain $1:process sigchld;
	dontaudit $1 openshift_user_domain:socket_class_set { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_transition'($*)) dnl
')

########################################
## <summary>
##	Allow calling app to dynamically transition to an openshift domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed
##	access
##	</summary>
## </param>
#
# Unlike openshift_transition, this grants process:dyntransition (a
# setcon-style domain change with no exec), plus rlimitinh and signal
# towards openshift_user_domain, and lets the openshift domains use
# the caller unix sockets.
define(`openshift_dyntransition',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_dyntransition'($*)) dnl
	gen_require(`
		attribute openshift_domain;
		attribute openshift_user_domain;
	')

	allow $1 openshift_user_domain:process dyntransition;
	dontaudit openshift_user_domain $1:key view;
	allow openshift_user_domain $1:unix_stream_socket { connectto rw_socket_perms };
	allow openshift_user_domain $1:unix_dgram_socket rw_socket_perms;
	allow $1 openshift_user_domain:process { rlimitinh signal };
	dontaudit openshift_domain $1:tcp_socket { read write getattr setopt getopt shutdown };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_dyntransition'($*)) dnl
')

########################################
## <summary>
##	Execute openshift in the openshift domain, and
##	allow the specified role the openshift domain.
## </summary>
## <desc>
##	<p>
##	NOTE(review): this transitions the role into system_r via
##	role_transition but, unlike openshift_admin, does not itself
##	contain an allow of system_r for the role; confirm the caller
##	or another interface supplies that, or the transition cannot
##	succeed.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`openshift_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openshift_run'($*)) dnl
	gen_require(`
		type openshift_initrc_exec_t;
	')

	openshift_initrc_domtrans($1)
	role_transition $2 openshift_initrc_exec_t system_r;
	openshift_transition($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openshift_run'($*)) dnl
')

## <summary>Opensm is an InfiniBand compliant Subnet Manager and Administration, and runs on top of OpenIB</summary>

########################################
## <summary>
##	Execute opensm in the opensm domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`opensm_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opensm_domtrans'($*)) dnl
	gen_require(`
		type opensm_t, opensm_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, opensm_exec_t, opensm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opensm_domtrans'($*)) dnl
')

########################################
## <summary>
##	Search opensm cache directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`opensm_search_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opensm_search_cache'($*)) dnl
	gen_require(`
		type opensm_cache_t;
	')

	allow $1 opensm_cache_t:dir search_dir_perms;
	files_search_var($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opensm_search_cache'($*)) dnl
')

########################################
## <summary>
##	Read opensm cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`opensm_read_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opensm_read_cache_files'($*)) dnl
	gen_require(`
		type opensm_cache_t;
	')

	files_search_var($1)
	read_files_pattern($1, opensm_cache_t, opensm_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opensm_read_cache_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	opensm cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`opensm_manage_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opensm_manage_cache_files'($*)) dnl
	gen_require(`
		type opensm_cache_t;
	')

	files_search_var($1)
	manage_files_pattern($1, opensm_cache_t, opensm_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opensm_manage_cache_files'($*)) dnl
')

########################################
## <summary>
##	Manage opensm cache dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`opensm_manage_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opensm_manage_cache_dirs'($*)) dnl
	gen_require(`
		type opensm_cache_t;
	')

	files_search_var($1)
	manage_dirs_pattern($1, opensm_cache_t, opensm_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opensm_manage_cache_dirs'($*)) dnl
')

########################################
## <summary>
##	Read opensm's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`opensm_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opensm_read_log'($*)) dnl
	gen_require(`
		type opensm_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, opensm_log_t, opensm_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opensm_read_log'($*)) dnl
')

########################################
## <summary>
##	Append to opensm log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`opensm_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opensm_append_log'($*)) dnl
	gen_require(`
		type opensm_log_t;
	')

	logging_search_logs($1)
	append_files_pattern($1, opensm_log_t, opensm_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opensm_append_log'($*)) dnl
')

########################################
## <summary>
##	Manage opensm log files, directories
##	and symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`opensm_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opensm_manage_log'($*)) dnl
	gen_require(`
		type opensm_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, opensm_log_t, opensm_log_t)
	manage_files_pattern($1, opensm_log_t, opensm_log_t)
	manage_lnk_files_pattern($1, opensm_log_t, opensm_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opensm_manage_log'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl in the caller domain to
##	manage the opensm service and its unit file.
## </summary>
## <desc>
##	<p>
##	This does not transition into opensm_t; it grants systemctl
##	execution, service reload, read of the opensm unit file,
##	manage_service_perms on the unit, reading the systemd passwd
##	fifo, and ps access to opensm_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`opensm_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opensm_systemctl'($*)) dnl
	gen_require(`
		type opensm_t;
		type opensm_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 opensm_unit_file_t:file read_file_perms;
	allow $1 opensm_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, opensm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opensm_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	an opensm environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Grants signal_perms and ps access to opensm_t, ptrace of opensm_t
# unless deny_ptrace is set, admin_pattern on the cache, log and unit
# file types, all_service_perms on the unit, and (when systemd is
# present) the passwd agent access.
define(`opensm_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `opensm_admin'($*)) dnl
	gen_require(`
		type opensm_t;
		type opensm_cache_t;
		type opensm_log_t;
		type opensm_unit_file_t;
	')

	allow $1 opensm_t:process { signal_perms };
	ps_process_pattern($1, opensm_t)
	tunable_policy(`deny_ptrace',`',`
		allow $1 opensm_t:process ptrace;
	')

	files_search_var($1)
	admin_pattern($1, opensm_cache_t)

	logging_search_logs($1)
	admin_pattern($1, opensm_log_t)

	opensm_systemctl($1)
	admin_pattern($1, opensm_unit_file_t)
	allow $1 opensm_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `opensm_admin'($*)) dnl
')

## <summary>full-featured SSL VPN solution.</summary>

########################################
## <summary>
##	Execute openvpn clients in the
##	openvpn domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`openvpn_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_domtrans'($*)) dnl
	gen_require(`
		type openvpn_t, openvpn_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, openvpn_exec_t, openvpn_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute openvpn clients in the
##	caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# No domain transition happens here: the caller keeps its own domain
# while running the openvpn binary.
define(`openvpn_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_exec'($*)) dnl
	gen_require(`
		type openvpn_exec_t;
	')

	can_exec($1, openvpn_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_exec'($*)) dnl
')

########################################
## <summary>
##	Execute openvpn clients in the
##	openvpn domain, and allow the
##	specified role the openvpn domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`openvpn_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_run'($*)) dnl
	gen_require(`
		attribute_role openvpn_roles;
	')

	openvpn_domtrans($1)
	roleattribute $2 openvpn_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_run'($*)) dnl
')

########################################
## <summary>
##	Send kill signals to openvpn.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openvpn_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_kill'($*)) dnl
	gen_require(`
		type openvpn_t;
	')

	allow $1 openvpn_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_kill'($*)) dnl
')

########################################
## <summary>
##	Send generic signals to openvpn.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openvpn_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_signal'($*)) dnl
	gen_require(`
		type openvpn_t;
	')

	allow $1 openvpn_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_signal'($*)) dnl
')

########################################
## <summary>
##	Send null signals to openvpn.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openvpn_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_signull'($*)) dnl
	gen_require(`
		type openvpn_t;
	')

	allow $1 openvpn_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_signull'($*)) dnl
')

########################################
## <summary>
##	Read openvpn configuration content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Read-only: list the config directory, read files and follow symlinks.
define(`openvpn_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_read_config'($*)) dnl
	gen_require(`
		type openvpn_etc_t;
	')

	files_search_etc($1)
	allow $1 openvpn_etc_t:dir list_dir_perms;
	allow $1 openvpn_etc_t:file read_file_perms;
	allow $1 openvpn_etc_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_read_config'($*)) dnl
')

########################################
## <summary>
##	Connect to openvpn over
##	a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openvpn_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_stream_connect'($*)) dnl
	gen_require(`
		type openvpn_t, openvpn_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, openvpn_var_run_t, openvpn_var_run_t, openvpn_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Search openvpn lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openvpn_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_search_lib'($*)) dnl
	gen_require(`
		type openvpn_var_lib_t;
	')

	allow $1 openvpn_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_search_lib'($*)) dnl
')

########################################
## <summary>
##	Allow openvpn to inherit resource limits and signal
##	state from the specified domain on transition, and
##	skip secure (AT_SECURE) mode for that transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# rlimitinh/siginh/noatsecure are checked on the exec transition from
# the caller into openvpn_t; granting them weakens the usual clean-slate
# handling of that transition, so keep callers to the minimum needed.
define(`openvpn_noatsecure',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_noatsecure'($*)) dnl
	gen_require(`
		type openvpn_t;
	')

	allow $1 openvpn_t:process { rlimitinh siginh noatsecure };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_noatsecure'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an openvpn environment.
## </summary>
## <desc>
##	<p>
##	Grants signal_perms and ps access to openvpn_t, ptrace of
##	openvpn_t unless the deny_ptrace tunable is set, a labeled
##	init script transition with a role transition of the given
##	role into system_r, and admin_pattern access to the openvpn
##	etc, etc_rw, status, log and pid types.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`openvpn_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvpn_admin'($*)) dnl
	gen_require(`
		type openvpn_t, openvpn_etc_t, openvpn_var_log_t;
		type openvpn_var_run_t, openvpn_initrc_exec_t, openvpn_etc_rw_t;
		type openvpn_status_t;
	')

	allow $1 openvpn_t:process signal_perms;
	ps_process_pattern($1, openvpn_t)
	tunable_policy(`deny_ptrace',`',`
		allow $1 openvpn_t:process ptrace;
	')

	init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 openvpn_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t })

	logging_list_logs($1)
	admin_pattern($1, { openvpn_status_t openvpn_var_log_t })

	files_list_pids($1)
	admin_pattern($1, openvpn_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvpn_admin'($*)) dnl
')

## <summary>policy for openvswitch</summary>

########################################
## <summary>
##	Execute openvswitch in the openvswitch domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`openvswitch_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_domtrans'($*)) dnl
	gen_require(`
		type openvswitch_t, openvswitch_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, openvswitch_exec_t, openvswitch_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read openvswitch's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openvswitch_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_read_log'($*)) dnl
	gen_require(`
		type openvswitch_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_read_log'($*)) dnl
')

########################################
## <summary>
##	Append to openvswitch log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openvswitch_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_append_log'($*)) dnl
	gen_require(`
		type openvswitch_log_t;
	')

	logging_search_logs($1)
	append_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_append_log'($*)) dnl
')

########################################
## <summary>
##	Manage openvswitch log files, directories
##	and symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openvswitch_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_manage_log'($*)) dnl
	gen_require(`
		type openvswitch_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, openvswitch_log_t, openvswitch_log_t)
	manage_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
	manage_lnk_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_manage_log'($*)) dnl
')

########################################
## <summary>
##	Search openvswitch lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openvswitch_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_search_lib'($*)) dnl
	gen_require(`
		type openvswitch_var_lib_t;
	')

	allow $1 openvswitch_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read openvswitch lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openvswitch_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_read_lib_files'($*)) dnl
	gen_require(`
		type openvswitch_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Manage openvswitch lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openvswitch_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_manage_lib_files'($*)) dnl
	gen_require(`
		type openvswitch_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Manage openvswitch lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openvswitch_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_manage_lib_dirs'($*)) dnl
	gen_require(`
		type openvswitch_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Read openvswitch PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`openvswitch_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_read_pid_files'($*)) dnl
	gen_require(`
		type openvswitch_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Allow stream connect to openvswitch.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
#
define(`openvswitch_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_stream_connect'($*)) dnl
	gen_require(`
		type openvswitch_t;
		type openvswitch_var_run_t;
	')

	# connectto on the openvswitch_t socket found under the pid directory
	stream_connect_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t, openvswitch_t)
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_stream_connect'($*)) dnl
')

########################################
## Manage the openvswitch service through
## systemctl (unit file read + service control).
##
## Domain allowed access.
#
define(`openvswitch_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_systemctl'($*)) dnl
	gen_require(`
		type openvswitch_t, openvswitch_unit_file_t;
	')

	# unit file: read plus the service-control permission set
	allow $1 openvswitch_unit_file_t:file read_file_perms;
	allow $1 openvswitch_unit_file_t:service manage_service_perms;

	systemd_exec_systemctl($1)
	init_reload_services($1)

	# lets the caller inspect the daemon process (ps-style)
	ps_process_pattern($1, openvswitch_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_systemctl'($*)) dnl
')

########################################
## All of the rules required to administrate
## an openvswitch environment
##
## Domain allowed access.
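#
define(`openvswitch_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openvswitch_admin'($*)) dnl
	gen_require(`
		type openvswitch_t, openvswitch_log_t, openvswitch_var_lib_t;
		type openvswitch_rw_t, openvswitch_var_run_t, openvswitch_unit_file_t;
	')

	# Process control: signals are always granted; ptrace is gated on the
	# deny_ptrace tunable, as openwsman_admin and osad_admin already do,
	# so a global "no ptrace" setting is not bypassed by this interface.
	allow $1 openvswitch_t:process signal_perms;
	ps_process_pattern($1, openvswitch_t)
	tunable_policy(`deny_ptrace',`',`
		allow $1 openvswitch_t:process ptrace;
	')

	# One log search suffices for both log-area admin patterns
	# (the original called logging_search_logs twice).
	# NOTE(review): openvswitch_rw_t is reached only through the log search
	# helper here; confirm that matches where openvswitch_rw_t content lives.
	logging_search_logs($1)
	admin_pattern($1, openvswitch_rw_t)
	admin_pattern($1, openvswitch_log_t)

	files_search_var_lib($1)
	admin_pattern($1, openvswitch_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, openvswitch_var_run_t)

	# Unit file: systemctl access, full file management and every service perm.
	openvswitch_systemctl($1)
	admin_pattern($1, openvswitch_unit_file_t)
	allow $1 openvswitch_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openvswitch_admin'($*)) dnl
')

## WS-Management Server

########################################
## Execute openwsman in the openwsman domain.
##
## Domain allowed to transition.
#
define(`openwsman_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openwsman_domtrans'($*)) dnl
	gen_require(`
		type openwsman_t, openwsman_exec_t;
	')

	# bin search so the executable path can be resolved before the transition
	corecmd_search_bin($1)
	domtrans_pattern($1, openwsman_exec_t, openwsman_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openwsman_domtrans'($*)) dnl
')

########################################
## Manage the openwsman service through
## systemctl (unit file read + service control).
##
## Domain allowed to transition.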
#
define(`openwsman_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openwsman_systemctl'($*)) dnl
	gen_require(`
		type openwsman_t, openwsman_unit_file_t;
	')

	allow $1 openwsman_unit_file_t:file read_file_perms;
	allow $1 openwsman_unit_file_t:service manage_service_perms;

	systemd_exec_systemctl($1)
	init_reload_services($1)
	# systemctl may need the password-agent fifo under /run
	systemd_read_fifo_file_passwd_run($1)

	ps_process_pattern($1, openwsman_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openwsman_systemctl'($*)) dnl
')

########################################
## All of the rules required to administrate
## an openwsman environment
##
## Domain allowed access.
#
define(`openwsman_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `openwsman_admin'($*)) dnl
	gen_require(`
		type openwsman_t, openwsman_unit_file_t;
	')

	# signals always; ptrace only while deny_ptrace is off
	allow $1 openwsman_t:process signal_perms;
	tunable_policy(`deny_ptrace',`',`
		allow $1 openwsman_t:process ptrace;
	')
	ps_process_pattern($1, openwsman_t)

	openwsman_systemctl($1)
	allow $1 openwsman_unit_file_t:service all_service_perms;
	admin_pattern($1, openwsman_unit_file_t)

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `openwsman_admin'($*)) dnl
')

## policy for oracleasm

########################################
## Transition to oracleasm.
##
## Domain allowed to transition.
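#
define(`oracleasm_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oracleasm_domtrans'($*)) dnl
	gen_require(`
		type oracleasm_t, oracleasm_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, oracleasm_exec_t, oracleasm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oracleasm_domtrans'($*)) dnl
')

########################################
## Execute the oracleasm init script with
## a domain transition.
##
## Domain allowed access.
#
define(`oracleasm_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oracleasm_initrc_domtrans'($*)) dnl
	gen_require(`
		type oracleasm_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, oracleasm_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oracleasm_initrc_domtrans'($*)) dnl
')

########################################
## All of the rules required to administrate
## an oracleasm environment
##
## 1. Domain allowed access.
## 2. Role allowed access.
#
define(`oracleasm_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `oracleasm_admin'($*)) dnl
	gen_require(`
		type oracleasm_t, oracleasm_initrc_exec_t;
	')

	# Signals always; ptrace gated on the deny_ptrace tunable so this
	# interface honours it like openwsman_admin/osad_admin/pads_admin.
	allow $1 oracleasm_t:process signal_perms;
	ps_process_pattern($1, oracleasm_t)
	tunable_policy(`deny_ptrace',`',`
		allow $1 oracleasm_t:process ptrace;
	')

	# init script: run it, allow the system-domain change, and move the
	# admin role into system_r for the script.
	oracleasm_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 oracleasm_initrc_exec_t system_r;
	allow $2 system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `oracleasm_admin'($*)) dnl
')

## Client-side service written in Python that responds to pings and runs rhn_check when told to by osa-dispatcher.

########################################
## Execute osad in the osad domain.
##
## Domain allowed to transition.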
#
define(`osad_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `osad_domtrans'($*)) dnl
	gen_require(`
		type osad_t, osad_exec_t;
	')

	domtrans_pattern($1, osad_exec_t, osad_t)
	corecmd_search_bin($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `osad_domtrans'($*)) dnl
')

########################################
## Execute the osad init script with
## a domain transition.
##
## Domain allowed access.
#
define(`osad_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `osad_initrc_domtrans'($*)) dnl
	gen_require(`
		type osad_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, osad_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `osad_initrc_domtrans'($*)) dnl
')

########################################
## Read osad's log files.
##
## Domain allowed access.
#
define(`osad_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `osad_read_log'($*)) dnl
	gen_require(`
		type osad_log_t;
	')

	read_files_pattern($1, osad_log_t, osad_log_t)
	logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `osad_read_log'($*)) dnl
')

########################################
## Append to osad log files.
##
## Domain allowed access.
#
define(`osad_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `osad_append_log'($*)) dnl
	gen_require(`
		type osad_log_t;
	')

	# append only: no read, no truncate
	append_files_pattern($1, osad_log_t, osad_log_t)
	logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `osad_append_log'($*)) dnl
')

########################################
## Manage osad log files
##
## Domain allowed access.
#
define(`osad_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `osad_manage_log'($*)) dnl
	gen_require(`
		type osad_log_t;
	')

	# dirs, files and symlinks under the log directory
	manage_dirs_pattern($1, osad_log_t, osad_log_t)
	manage_files_pattern($1, osad_log_t, osad_log_t)
	manage_lnk_files_pattern($1, osad_log_t, osad_log_t)
	logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `osad_manage_log'($*)) dnl
')

########################################
## Read osad PID files.
##
## Domain allowed access.
#
define(`osad_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `osad_read_pid_files'($*)) dnl
	gen_require(`
		type osad_var_run_t;
	')

	read_files_pattern($1, osad_var_run_t, osad_var_run_t)
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `osad_read_pid_files'($*)) dnl
')

########################################
## All of the rules required to administrate
## an osad environment
##
## 1. Domain allowed access.
## 2. Role allowed access.
#
define(`osad_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `osad_admin'($*)) dnl
	gen_require(`
		type osad_t, osad_initrc_exec_t;
		type osad_log_t, osad_var_run_t;
	')

	# signals always; ptrace only while deny_ptrace is off
	allow $1 osad_t:process signal_perms;
	tunable_policy(`deny_ptrace',`',`
		allow $1 osad_t:process ptrace;
	')
	ps_process_pattern($1, osad_t)

	# init script plus the role change into system_r it needs
	osad_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 osad_initrc_exec_t system_r;
	allow $2 system_r;

	admin_pattern($1, osad_log_t)
	logging_search_logs($1)

	admin_pattern($1, osad_var_run_t)
	files_search_pids($1)

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `osad_admin'($*)) dnl
')

## A scalable high-availability cluster resource manager.

########################################
## Transition to pacemaker.
##
## Domain allowed to transition.
#
define(`pacemaker_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pacemaker_domtrans'($*)) dnl
	gen_require(`
		type pacemaker_t, pacemaker_exec_t;
	')

	domtrans_pattern($1, pacemaker_exec_t, pacemaker_t)
	corecmd_search_bin($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pacemaker_domtrans'($*)) dnl
')

########################################
## Execute the pacemaker init script with
## a domain transition.
##
## Domain allowed access.
#
define(`pacemaker_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pacemaker_initrc_domtrans'($*)) dnl
	gen_require(`
		type pacemaker_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pacemaker_initrc_domtrans'($*)) dnl
')

########################################
## Search pacemaker lib directories.
##
## Domain allowed access.
#
define(`pacemaker_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pacemaker_search_lib'($*)) dnl
	gen_require(`
		type pacemaker_var_lib_t;
	')

	# search only; no file read
	files_search_var_lib($1)
	allow $1 pacemaker_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pacemaker_search_lib'($*)) dnl
')

########################################
## Read pacemaker lib files.
##
## Domain allowed access.
#
define(`pacemaker_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pacemaker_read_lib_files'($*)) dnl
	gen_require(`
		type pacemaker_var_lib_t;
	')

	read_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pacemaker_read_lib_files'($*)) dnl
')

########################################
## Manage pacemaker lib files.
##
## Domain allowed access.
#
define(`pacemaker_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pacemaker_manage_lib_files'($*)) dnl
	gen_require(`
		type pacemaker_var_lib_t;
	')

	manage_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pacemaker_manage_lib_files'($*)) dnl
')

########################################
## Manage pacemaker lib directories.
##
## Domain allowed access.
#
define(`pacemaker_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pacemaker_manage_lib_dirs'($*)) dnl
	gen_require(`
		type pacemaker_var_lib_t;
	')

	manage_dirs_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pacemaker_manage_lib_dirs'($*)) dnl
')

########################################
## Read pacemaker PID files.
##
## Domain allowed access.
#
define(`pacemaker_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pacemaker_read_pid_files'($*)) dnl
	gen_require(`
		type pacemaker_var_run_t;
	')

	# a bare file rule here, unlike the read_files_pattern used by the
	# sibling *_read_pid_files interfaces: no search on pacemaker_var_run_t dirs
	allow $1 pacemaker_var_run_t:file read_file_perms;
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pacemaker_read_pid_files'($*)) dnl
')

########################################
## Manage the pacemaker service through
## systemctl (unit file read + service control).
##
## Domain allowed to transition.
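#
define(`pacemaker_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pacemaker_systemctl'($*)) dnl
	gen_require(`
		type pacemaker_t, pacemaker_unit_file_t;
	')

	allow $1 pacemaker_unit_file_t:file read_file_perms;
	allow $1 pacemaker_unit_file_t:service manage_service_perms;

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)

	ps_process_pattern($1, pacemaker_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pacemaker_systemctl'($*)) dnl
')

########################################
## All of the rules required to administrate
## a pacemaker environment
##
## 1. Domain allowed access.
## 2. Role allowed access.
#
define(`pacemaker_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pacemaker_admin'($*)) dnl
	gen_require(`
		type pacemaker_t, pacemaker_initrc_exec_t;
		type pacemaker_var_lib_t, pacemaker_var_run_t;
		type pacemaker_unit_file_t;
	')

	# Signals always; ptrace gated on the deny_ptrace tunable so this
	# interface honours it like openwsman_admin/osad_admin/pads_admin.
	allow $1 pacemaker_t:process signal_perms;
	ps_process_pattern($1, pacemaker_t)
	tunable_policy(`deny_ptrace',`',`
		allow $1 pacemaker_t:process ptrace;
	')

	# init script plus the role change into system_r it needs
	pacemaker_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 pacemaker_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_var_lib($1)
	admin_pattern($1, pacemaker_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, pacemaker_var_run_t)

	# unit file: systemctl access, full file management, every service perm
	pacemaker_systemctl($1)
	admin_pattern($1, pacemaker_unit_file_t)
	allow $1 pacemaker_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pacemaker_admin'($*)) dnl
')

## Passive Asset Detection System.

########################################
## All of the rules required to
## administrate a pads environment.
##
## 1. Domain allowed access.
## 2. Role allowed access.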
#
define(`pads_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pads_admin'($*)) dnl
	gen_require(`
		type pads_t, pads_initrc_exec_t;
		type pads_config_t, pads_var_run_t;
	')

	# signals always; ptrace only while deny_ptrace is off
	allow $1 pads_t:process signal_perms;
	tunable_policy(`deny_ptrace',`',`
		allow $1 pads_t:process ptrace;
	')
	ps_process_pattern($1, pads_t)

	# init script plus the role change into system_r it needs
	init_labeled_script_domtrans($1, pads_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 pads_initrc_exec_t system_r;
	allow $2 system_r;

	admin_pattern($1, pads_var_run_t)
	files_search_pids($1)

	admin_pattern($1, pads_config_t)
	files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pads_admin'($*)) dnl
')

## Ruby on rails deployment for Apache and Nginx servers.

######################################
## Execute passenger in the passenger domain.
##
## Domain allowed to transition.
#
define(`passenger_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `passenger_domtrans'($*)) dnl
	gen_require(`
		type passenger_t, passenger_exec_t;
	')

	domtrans_pattern($1, passenger_exec_t, passenger_t)
	# the reverse direction: passenger_t gets to use the caller's
	# unix stream sockets (accept/getattr/read/write), e.g. inherited ones
	allow passenger_t $1:unix_stream_socket { accept getattr read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `passenger_domtrans'($*)) dnl
')

######################################
## Execute passenger in the current domain.
##
## Domain allowed to transition.
#
define(`passenger_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `passenger_exec'($*)) dnl
	gen_require(`
		type passenger_exec_t;
	')

	# no transition: the binary runs in the caller's own domain
	can_exec($1, passenger_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `passenger_exec'($*)) dnl
')

#######################################
## Getattr passenger log files
##
## Domain allowed access.
#
define(`passenger_getattr_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `passenger_getattr_log_files'($*)) dnl
	gen_require(`
		type passenger_log_t;
	')

	# metadata only, no content access
	getattr_files_pattern($1, passenger_log_t, passenger_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `passenger_getattr_log_files'($*)) dnl
')

########################################
## Read passenger lib files
##
## Domain allowed access.
#
define(`passenger_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `passenger_read_lib_files'($*)) dnl
	gen_require(`
		type passenger_var_lib_t;
	')

	files_search_var_lib($1)
	# regular files and symlinks
	read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
	read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `passenger_read_lib_files'($*)) dnl
')

########################################
## Manage passenger lib files
##
## Domain allowed access.
#
define(`passenger_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `passenger_manage_lib_files'($*)) dnl
	gen_require(`
		type passenger_var_lib_t;
	')

	files_search_var_lib($1)
	# dirs, files and symlinks
	manage_dirs_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
	manage_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
	manage_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `passenger_manage_lib_files'($*)) dnl
')

#####################################
## Manage passenger var_run content.
##
## Domain allowed access.
#
define(`passenger_manage_pid_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `passenger_manage_pid_content'($*)) dnl
	gen_require(`
		type passenger_var_run_t;
	')

	# dirs, files, fifos and unix sockets under the pid directory
	manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t)
	manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
	manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
	manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `passenger_manage_pid_content'($*)) dnl
')

########################################
## Connect to passenger unix stream socket.
##
## Domain allowed access.
#
define(`passenger_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `passenger_stream_connect'($*)) dnl
	gen_require(`
		type passenger_t, passenger_tmp_t, passenger_var_run_t;
	')

	# the socket may live under either the pid or the tmp location
	stream_connect_pattern($1, passenger_tmp_t, passenger_tmp_t, passenger_t)
	stream_connect_pattern($1, passenger_var_run_t, passenger_var_run_t, passenger_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `passenger_stream_connect'($*)) dnl
')

#######################################
## Allow to manage passenger tmp files/dirs.
##
## Domain allowed access.
#
define(`passenger_manage_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `passenger_manage_tmp_files'($*)) dnl
	gen_require(`
		type passenger_tmp_t;
	')

	manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
	manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `passenger_manage_tmp_files'($*)) dnl
')

########################################
## Send kill signals to passenger.
##
## Domain allowed access.
#
define(`passenger_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `passenger_kill'($*)) dnl
	gen_require(`
		type passenger_t;
	')

	# sigkill only, not the full signal_perms set
	allow $1 passenger_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `passenger_kill'($*)) dnl
')

## PCMCIA card management services.

########################################
## PCMCIA stub interface. No access allowed.
##
## Domain allowed access.
#
define(`pcmcia_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_stub'($*)) dnl
	# intentionally empty apart from the require: grants nothing
	gen_require(`
		type cardmgr_t;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_stub'($*)) dnl
')

########################################
## Execute cardmgr in the cardmgr domain.
##
## Domain allowed to transition.
#
define(`pcmcia_domtrans_cardmgr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_domtrans_cardmgr'($*)) dnl
	gen_require(`
		type cardmgr_t, cardmgr_exec_t;
	')

	domtrans_pattern($1, cardmgr_exec_t, cardmgr_t)
	corecmd_search_bin($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_domtrans_cardmgr'($*)) dnl
')

########################################
## Inherit and use cardmgr file descriptors.
##
## Domain allowed access.
#
define(`pcmcia_use_cardmgr_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_use_cardmgr_fds'($*)) dnl
	gen_require(`
		type cardmgr_t;
	')

	allow $1 cardmgr_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_use_cardmgr_fds'($*)) dnl
')

########################################
## Execute cardctl in the cardmgr domain.
##
## Domain allowed to transition.
#
define(`pcmcia_domtrans_cardctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_domtrans_cardctl'($*)) dnl
	gen_require(`
		type cardmgr_t, cardctl_exec_t;
	')

	# cardctl has its own exec type but lands in the cardmgr domain
	domtrans_pattern($1, cardctl_exec_t, cardmgr_t)
	corecmd_search_bin($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_domtrans_cardctl'($*)) dnl
')

########################################
## Execute cardctl in the cardmgr
## domain, and allow the specified
## role the cardmgr domain.
##
## 1. Domain allowed to transition.
## 2. Role allowed access.
#
define(`pcmcia_run_cardctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_run_cardctl'($*)) dnl
	gen_require(`
		attribute_role cardmgr_roles;
	')

	# the role joins the cardmgr_roles attribute instead of a direct role allow
	roleattribute $2 cardmgr_roles;
	pcmcia_domtrans_cardctl($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_run_cardctl'($*)) dnl
')

########################################
## Read cardmgr pid files.
##
## Domain allowed access.
#
define(`pcmcia_read_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_read_pid'($*)) dnl
	gen_require(`
		type cardmgr_var_run_t;
	')

	read_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t)
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_read_pid'($*)) dnl
')

########################################
## Create, read, write, and delete
## cardmgr pid files.
##
## Domain allowed access.
#
define(`pcmcia_manage_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_manage_pid'($*)) dnl
	gen_require(`
		type cardmgr_var_run_t;
	')

	manage_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t)
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_manage_pid'($*)) dnl
')

########################################
## Create, read, write, and delete
## cardmgr runtime character nodes.
##
## Domain allowed access.
#
define(`pcmcia_manage_pid_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcmcia_manage_pid_chr_files'($*)) dnl
	gen_require(`
		type cardmgr_var_run_t;
	')

	# character device nodes, not regular files
	manage_chr_files_pattern($1, cardmgr_var_run_t, cardmgr_var_run_t)
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcmcia_manage_pid_chr_files'($*)) dnl
')

## The pcp command summarizes the status of a Performance Co-Pilot (PCP) installation

######################################
## Creates types and rules for a basic
## pcp daemon domain.
##
## Prefix for the domain.
#
define(`pcp_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcp_domain_template'($*)) dnl
	gen_require(`
		attribute pcp_domain;
	')

	# daemon domain pcp_<prefix>_t with its entry point, tagged pcp_domain
	type pcp_$1_t, pcp_domain;
	type pcp_$1_exec_t;
	init_daemon_domain(pcp_$1_t, pcp_$1_exec_t)

	# matching init script type
	type pcp_$1_initrc_exec_t;
	init_script_file(pcp_$1_initrc_exec_t)

	auth_use_nsswitch(pcp_$1_t)

	optional_policy(`
		cron_system_entry(pcp_$1_t, pcp_$1_exec_t)
	') dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcp_domain_template'($*)) dnl
')

######################################
## Allow domain to read pcp lib files
##
## Domain allowed access.
#
define(`pcp_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcp_read_lib_files'($*)) dnl
	gen_require(`
		type pcp_var_lib_t;
	')

	read_files_pattern($1, pcp_var_lib_t, pcp_var_lib_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcp_read_lib_files'($*)) dnl
')

########################################
## All of the rules required to administrate
## a pcp environment
##
## Domain allowed access.
#
define(`pcp_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcp_admin'($*)) dnl
	gen_require(`
		type pcp_pmcd_t, pcp_pmlogger_t, pcp_pmproxy_t, pcp_pmie_t;
		type pcp_var_run_t;
	')

	# signals and ps-style inspection for each of the four pcp daemons
	allow $1 pcp_pmcd_t:process signal_perms;
	allow $1 pcp_pmlogger_t:process signal_perms;
	allow $1 pcp_pmproxy_t:process signal_perms;
	allow $1 pcp_pmie_t:process signal_perms;
	ps_process_pattern($1, pcp_pmcd_t)
	ps_process_pattern($1, pcp_pmlogger_t)
	ps_process_pattern($1, pcp_pmproxy_t)
	ps_process_pattern($1, pcp_pmie_t)

	# ptrace only while deny_ptrace is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 pcp_pmcd_t:process ptrace;
		allow $1 pcp_pmlogger_t:process ptrace;
		allow $1 pcp_pmproxy_t:process ptrace;
		allow $1 pcp_pmie_t:process ptrace;
	')

	admin_pattern($1, pcp_var_run_t)
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcp_admin'($*)) dnl
')

########################################
## Allow the specified domain to execute pcp_pmie
## in the caller domain.
##
## Domain allowed to transition.
#
define(`pcp_pmie_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcp_pmie_exec'($*)) dnl
	gen_require(`
		type pcp_pmie_exec_t;
	')

	# no domain transition: runs in the caller's domain
	can_exec($1, pcp_pmie_exec_t)
	corecmd_search_bin($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcp_pmie_exec'($*)) dnl
')

########################################
## Allow the specified domain to execute pcp_pmlogger
## in the caller domain.
##
## Domain allowed to transition.
#
define(`pcp_pmlogger_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcp_pmlogger_exec'($*)) dnl
	gen_require(`
		type pcp_pmlogger_exec_t;
	')

	# no domain transition: runs in the caller's domain
	can_exec($1, pcp_pmlogger_exec_t)
	corecmd_search_bin($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcp_pmlogger_exec'($*)) dnl
')

#######################################
## Transition to pcp named content
##
## Domain allowed access.
#
define(`pcp_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcp_filetrans_named_content'($*)) dnl
	gen_require(`
		type pcp_var_run_t;
	')

	# a directory named "pcp" created in the pid area gets pcp_var_run_t
	files_pid_filetrans($1, pcp_var_run_t, dir, "pcp")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcp_filetrans_named_content'($*)) dnl
')

## PCSC smart card service.

########################################
## Execute a domain transition to run pcscd.
##
## Domain allowed to transition.
#
define(`pcscd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcscd_domtrans'($*)) dnl
	gen_require(`
		type pcscd_t, pcscd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, pcscd_exec_t, pcscd_t)
	# NOTE(review): argument order is pcscd_t first, i.e. the daemon gets
	# ps-style read access to the caller's process state, not the reverse;
	# confirm this direction is intended.
	ps_process_pattern(pcscd_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcscd_domtrans'($*)) dnl
')

########################################
## Read pcscd pid files (deprecated alias
## of pcscd_read_pid_files).
##
## Domain allowed access.
#
define(`pcscd_read_pub_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcscd_read_pub_files'($*)) dnl
	# warn at build time, then forward to the replacement interface
	refpolicywarn(`$0($*) has been deprecated, use pcscd_read_pid_files() instead.')
	pcscd_read_pid_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcscd_read_pub_files'($*)) dnl
')

########################################
## Read pcscd pid files.
##
## Domain allowed access.
#
define(`pcscd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcscd_read_pid_files'($*)) dnl
	gen_require(`
		type pcscd_var_run_t;
	')

	read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcscd_read_pid_files'($*)) dnl
')

########################################
## Create, read, write, and delete
## pcscd pid files (deprecated; grants nothing).
##
## Domain allowed access.
#
define(`pcscd_manage_pub_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcscd_manage_pub_files'($*)) dnl
	# build-time warning only; no rules are emitted
	refpolicywarn(`$0($*) has been deprecated')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcscd_manage_pub_files'($*)) dnl
')

########################################
## Create, read, write, and delete
## pcscd pid fifo files.
## Deprecated - this interface grants nothing and only emits a warning.
##
## $1: Domain allowed access.
##
#
define(`pcscd_manage_pub_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcscd_manage_pub_pipes'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcscd_manage_pub_pipes'($*)) dnl
')

########################################
##
## Send null signals to pcscd processes.
##
## $1: Domain allowed access.
##
#
define(`pcscd_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcscd_signull'($*)) dnl
gen_require(`
	type pcscd_t;
')

	# signull only checks for process existence - no other signal is granted
	allow $1 pcscd_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcscd_signull'($*)) dnl
')

########################################
##
## Connect to pcscd over a unix
## domain stream socket.
##
## $1: Domain allowed access.
##
#
define(`pcscd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcscd_stream_connect'($*)) dnl
gen_require(`
	type pcscd_t, pcscd_var_run_t;
')

	# the socket lives in the pid directory - search access is needed to reach it
	files_search_pids($1)
	stream_connect_pattern($1, pcscd_var_run_t, pcscd_var_run_t, pcscd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcscd_stream_connect'($*)) dnl
')

########################################
##
## All of the rules required to
## administrate a pcscd environment.
##
## $1: Domain allowed access.
##
## $2: Role allowed access.
##
#
define(`pcscd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pcscd_admin'($*)) dnl
gen_require(`
	type pcscd_t, pcscd_initrc_exec_t, pcscd_var_run_t;
')

	# review note: ptrace is granted unconditionally here - pingd_admin and
	# pkcs11proxyd_admin in this file gate it behind the deny_ptrace tunable
	allow $1 pcscd_t:process { ptrace signal_perms };
	ps_process_pattern($1, pcscd_t)

	# run the init script and let the role reach system_r for it
	init_labeled_script_domtrans($1, pcscd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 pcscd_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_pids($1)
	admin_pattern($1, pcscd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pcscd_admin'($*)) dnl
')

## PowerDNS DNS server.

########################################
##
## Execute pdns in the pdns domain.
##
## $1: Domain allowed to transition.
##
#
define(`pdns_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pdns_domtrans'($*)) dnl
gen_require(`
	type pdns_t, pdns_exec_t;
')

	# unlike pdns_domtrans_pdns_control this does not grant corecmd_search_bin
	domtrans_pattern($1, pdns_exec_t, pdns_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pdns_domtrans'($*)) dnl
')

########################################
##
## Execute pdns_control in the pdns_control domain.
##
## $1: Domain allowed to transition.
##
#
define(`pdns_domtrans_pdns_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pdns_domtrans_pdns_control'($*)) dnl
gen_require(`
	type pdns_control_t, pdns_control_exec_t;
')

	corecmd_search_bin($1)
	domtrans_pattern($1, pdns_control_exec_t, pdns_control_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pdns_domtrans_pdns_control'($*)) dnl
')

########################################
##
## Allow the specified domain to read
## pdns configuration files.
##
## $1: Domain allowed access.
##
#
define(`pdns_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pdns_read_config'($*)) dnl
gen_require(`
	type pdns_conf_t;
')

	files_search_etc($1)
	allow $1 pdns_conf_t:dir list_dir_perms;
	read_files_pattern($1, pdns_conf_t, pdns_conf_t)
	read_lnk_files_pattern($1, pdns_conf_t, pdns_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pdns_read_config'($*)) dnl
')

########################################
##
## Connect to pdns over a unix
## stream socket.
##
## $1: Domain allowed access.
##
#
define(`pdns_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pdns_stream_connect'($*)) dnl
gen_require(`
	type pdns_t, pdns_var_run_t;
')

	files_search_pids($1)
	stream_connect_pattern($1, pdns_var_run_t, pdns_var_run_t, pdns_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pdns_stream_connect'($*)) dnl
')

## The Open Group Pegasus CIM/WBEM Server.

######################################
##
## Creates types and rules for a basic
## openlmi init daemon domain.
##
## $1: Prefix for the domain.
##
#
define(`pegasus_openlmi_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pegasus_openlmi_domain_template'($*)) dnl
gen_require(`
	attribute pegasus_openlmi_domain;
	type pegasus_t;
')

	##############################
	#
	# Declarations
	#
	type pegasus_openlmi_$1_t, pegasus_openlmi_domain;
	type pegasus_openlmi_$1_exec_t;
	init_daemon_domain(pegasus_openlmi_$1_t, pegasus_openlmi_$1_exec_t)

	##############################
	#
	# Local policy
	#

	# the pegasus server spawns this provider domain
	domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t)
	allow pegasus_t pegasus_openlmi_$1_exec_t:file ioctl;

	kernel_read_system_state(pegasus_openlmi_$1_t)
	logging_send_syslog_msg(pegasus_openlmi_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pegasus_openlmi_domain_template'($*)) dnl
')

########################################
##
## Connect to pegasus over a unix stream socket.
##
## $1: Domain allowed access.
##
#
define(`pegasus_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pegasus_stream_connect'($*)) dnl
gen_require(`
	type pegasus_t, pegasus_var_run_t, pegasus_tmp_t;
')

	files_search_pids($1)
	# pegasus sockets may be found in the pid directory or in its tmp files
	stream_connect_pattern($1, pegasus_var_run_t, pegasus_var_run_t, pegasus_t)
	stream_connect_pattern($1, pegasus_tmp_t, pegasus_tmp_t, pegasus_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pegasus_stream_connect'($*)) dnl
')

## Perdition POP and IMAP proxy.

########################################
##
## Connect to perdition over a TCP socket (Deprecated)
##
## $1: Domain allowed access.
##
#
define(`perdition_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `perdition_tcp_connect'($*)) dnl
	# grants nothing - only emits a deprecation warning at build time
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `perdition_tcp_connect'($*)) dnl
')

########################################
##
## All of the rules required to
## administrate a perdition environment.
##
## $1: Domain allowed access.
##
## $2: Role allowed access.
##
#
define(`perdition_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `perdition_admin'($*)) dnl
gen_require(`
	type perdition_t, perdition_initrc_exec_t, perdition_etc_t;
	type perdition_var_run_t;
')

	# review note: ptrace is unconditional here - compare the deny_ptrace
	# tunable used by pingd_admin and pkcs11proxyd_admin in this file
	allow $1 perdition_t:process { ptrace signal_perms };
	ps_process_pattern($1, perdition_t)

	init_labeled_script_domtrans($1, perdition_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 perdition_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, perdition_etc_t)

	files_search_pids($1)
	admin_pattern($1, perdition_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `perdition_admin'($*)) dnl
')

## pesign utility for signing UEFI binaries as well as other associated tools

########################################
##
## Execute pesign in the pesign domain.
##
## $1: Domain allowed to transition.
##
#
define(`pesign_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pesign_domtrans'($*)) dnl
gen_require(`
	type pesign_t, pesign_exec_t;
')

	corecmd_search_bin($1)
	domtrans_pattern($1, pesign_exec_t, pesign_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pesign_domtrans'($*)) dnl
')

########################################
##
## Read pesign PID files.
##
## $1: Domain allowed access.
##
#
define(`pesign_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pesign_read_pid_files'($*)) dnl
gen_require(`
	type pesign_var_run_t;
')

	files_search_pids($1)
	read_files_pattern($1, pesign_var_run_t, pesign_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pesign_read_pid_files'($*)) dnl
')

########################################
##
## Control the pesign service through systemctl
## and read its unit file.
##
## $1: Domain allowed access.
##
#
define(`pesign_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pesign_systemctl'($*)) dnl
gen_require(`
	type pesign_t;
	type pesign_unit_file_t;
')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)

	# start - stop - status on the pesign unit only
	allow $1 pesign_unit_file_t:file read_file_perms;
	allow $1 pesign_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, pesign_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pesign_systemctl'($*)) dnl
')

########################################
##
## All of the rules required to administrate
## a pesign environment.
## Unlike the other admin interfaces in this file
## no role parameter is taken and no init script
## transition is set up.
##
## $1: Domain allowed access.
##
#
define(`pesign_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pesign_admin'($*)) dnl
gen_require(`
	type pesign_t;
	type pesign_var_run_t;
	type pesign_unit_file_t;
')

	allow $1 pesign_t:process { ptrace signal_perms };
	ps_process_pattern($1, pesign_t)

	files_search_pids($1)
	admin_pattern($1, pesign_var_run_t)

	pesign_systemctl($1)
	admin_pattern($1, pesign_unit_file_t)
	# full service control - wider than the manage_service_perms granted by pesign_systemctl
	allow $1 pesign_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pesign_admin'($*)) dnl
')

## Pingd of the Whatsup cluster node up/down detection utility.
########################################
##
## Execute a domain transition to run pingd.
##
## $1: Domain allowed to transition.
##
#
define(`pingd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pingd_domtrans'($*)) dnl
gen_require(`
	type pingd_t, pingd_exec_t;
')

	corecmd_search_bin($1)
	domtrans_pattern($1, pingd_exec_t, pingd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pingd_domtrans'($*)) dnl
')

#######################################
##
## Read pingd etc configuration files.
##
## $1: Domain allowed access.
##
#
define(`pingd_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pingd_read_config'($*)) dnl
gen_require(`
	type pingd_etc_t;
')

	files_search_etc($1)
	# files only - no search or list access on pingd_etc_t directories is granted here
	allow $1 pingd_etc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pingd_read_config'($*)) dnl
')

#######################################
##
## Create, read, write, and delete
## pingd etc configuration files.
##
## $1: Domain allowed access.
##
#
define(`pingd_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pingd_manage_config'($*)) dnl
gen_require(`
	type pingd_etc_t;
')

	files_search_etc($1)
	manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
	manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pingd_manage_config'($*)) dnl
')

#######################################
##
## All of the rules required to
## administrate a pingd environment.
##
## $1: Domain allowed access.
##
## $2: Role allowed access.
##
#
define(`pingd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pingd_admin'($*)) dnl
gen_require(`
	type pingd_t, pingd_etc_t, pingd_modules_t;
	type pingd_initrc_exec_t;
')

	allow $1 pingd_t:process signal_perms;
	ps_process_pattern($1, pingd_t)

	# ptrace of the daemon is only granted when deny_ptrace is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 pingd_t:process ptrace;
	')

	init_labeled_script_domtrans($1, pingd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 pingd_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, pingd_etc_t)

	files_list_usr($1)
	admin_pattern($1, pingd_modules_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pingd_admin'($*)) dnl
')

## policy for piranha

#######################################
##
## Creates types and rules for a basic
## cluster init daemon domain.
##
## $1: Prefix for the domain.
##
#
define(`piranha_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `piranha_domain_template'($*)) dnl
gen_require(`
	attribute piranha_domain;
')

	##############################
	#
	# piranha_$1_t declarations
	#
	type piranha_$1_t, piranha_domain;
	type piranha_$1_exec_t;
	init_daemon_domain(piranha_$1_t, piranha_$1_exec_t)

	# tmpfs files
	# review note: the piranha_tmpfs attribute is used below but is not listed
	# in gen_require above - fine while this template is only expanded inside
	# the piranha module itself - confirm no other module calls it
	type piranha_$1_tmpfs_t, piranha_tmpfs;
	files_tmpfs_file(piranha_$1_tmpfs_t)

	# pid files
	type piranha_$1_var_run_t;
	files_pid_file(piranha_$1_var_run_t)

	##############################
	#
	# piranha_$1_t local policy
	#
	manage_dirs_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
	manage_files_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
	fs_tmpfs_filetrans(piranha_$1_t, piranha_$1_tmpfs_t, { dir file })

	manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
	manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
	files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file })

	kernel_read_system_state(piranha_$1_t)

	auth_use_nsswitch(piranha_$1_t)

	logging_send_syslog_msg(piranha_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `piranha_domain_template'($*)) dnl
')

########################################
##
## Execute a domain transition to run fos.
##
## $1: Domain allowed to transition.
##
#
define(`piranha_domtrans_fos',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `piranha_domtrans_fos'($*)) dnl
gen_require(`
	type piranha_fos_t, piranha_fos_exec_t;
')

	domtrans_pattern($1, piranha_fos_exec_t, piranha_fos_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `piranha_domtrans_fos'($*)) dnl
')

#######################################
##
## Execute a domain transition to run lvsd.
##
## $1: Domain allowed to transition.
##
#
define(`piranha_domtrans_lvs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `piranha_domtrans_lvs'($*)) dnl
gen_require(`
	type piranha_lvs_t, piranha_lvs_exec_t;
')

	domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `piranha_domtrans_lvs'($*)) dnl
')

#######################################
##
## Execute a domain transition to run pulse.
##
## $1: Domain allowed to transition.
##
#
define(`piranha_domtrans_pulse',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `piranha_domtrans_pulse'($*)) dnl
gen_require(`
	type piranha_pulse_t, piranha_pulse_exec_t;
')

	domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `piranha_domtrans_pulse'($*)) dnl
')

#######################################
##
## Execute the pulse init script in the init script domain.
##
## $1: Domain allowed to transition.
##
#
define(`piranha_pulse_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `piranha_pulse_initrc_domtrans'($*)) dnl
gen_require(`
	type piranha_pulse_initrc_exec_t;
')

	init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `piranha_pulse_initrc_domtrans'($*)) dnl
')

########################################
##
## Allow the specified domain to read piranha log files.
##
## $1: Domain allowed access.
##
#
define(`piranha_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `piranha_read_log'($*)) dnl
gen_require(`
	type piranha_log_t;
')

	logging_search_logs($1)
	read_files_pattern($1, piranha_log_t, piranha_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `piranha_read_log'($*)) dnl
')

########################################
##
## Allow the specified domain to append
## piranha log files.
##
## $1: Domain allowed access.
##
#
define(`piranha_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `piranha_append_log'($*)) dnl
gen_require(`
	type piranha_log_t;
')

	logging_search_logs($1)
	# append only - existing log content cannot be overwritten through this interface
	append_files_pattern($1, piranha_log_t, piranha_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `piranha_append_log'($*)) dnl
')

########################################
##
## Allow domain to manage piranha log files.
##
## $1: Domain allowed access.
##
#
define(`piranha_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `piranha_manage_log'($*)) dnl
gen_require(`
	type piranha_log_t;
')

	logging_search_logs($1)
	manage_dirs_pattern($1, piranha_log_t, piranha_log_t)
	manage_files_pattern($1, piranha_log_t, piranha_log_t)
	manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `piranha_manage_log'($*)) dnl
')

## Implementations of the Cryptoki specification.

########################################
##
## Read pkcs lock files.
##
## $1: Domain allowed access.
##
#
define(`pkcs_read_lock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs_read_lock'($*)) dnl
gen_require(`
	type pkcs_slotd_lock_t;
')

	files_search_locks($1)
	list_dirs_pattern($1, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
	read_files_pattern($1, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs_read_lock'($*)) dnl
')

########################################
##
## Create, read, write, and delete
## pkcs lock files.
##
## $1: Domain allowed access.
##
#
define(`pkcs_manage_lock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs_manage_lock'($*)) dnl
gen_require(`
	type pkcs_slotd_lock_t;
')

	files_search_locks($1)
	manage_files_pattern($1, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
	manage_dirs_pattern($1, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs_manage_lock'($*)) dnl
')

########################################
##
## Read and write pkcs shared
## memory segments.
##
## $1: Domain allowed access.
##
#
define(`pkcs_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs_rw_shm'($*)) dnl
gen_require(`
	type pkcs_slotd_t;
')

	allow $1 pkcs_slotd_t:shm rw_shm_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs_rw_shm'($*)) dnl
')

########################################
##
## Connect to pkcs using a unix
## domain stream socket.
##
## $1: Domain allowed access.
##
#
define(`pkcs_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs_stream_connect'($*)) dnl
gen_require(`
	type pkcs_slotd_t, pkcs_slotd_var_run_t;
')

	# review note: unlike pcscd_stream_connect and pdns_stream_connect this does
	# not call files_search_pids - callers must already be able to search the pid directory
	stream_connect_pattern($1, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t, pkcs_slotd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs_stream_connect'($*)) dnl
')

########################################
##
## Manage pkcs var_lib files.
##
## $1: Domain allowed access.
##
#
define(`pkcs_manage_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs_manage_var_lib'($*)) dnl
gen_require(`
	type pkcs_slotd_var_lib_t;
')

	# no files_search_var_lib here - the caller needs search on var_lib_t from elsewhere
	manage_dirs_pattern($1, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
	manage_files_pattern($1, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs_manage_var_lib'($*)) dnl
')

########################################
##
## Get attributes of pkcs executable files.
##
## $1: Domain allowed access.
##
#
define(`pkcs_getattr_exec_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs_getattr_exec_files'($*)) dnl
gen_require(`
	type pkcs_slotd_exec_t;
')

	allow $1 pkcs_slotd_exec_t:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs_getattr_exec_files'($*)) dnl
')

########################################
##
## Create and manage objects in the tmpfs directories
## with a private type.
##
## $1: Domain allowed access.
##
#
define(`pkcs_tmpfs_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs_tmpfs_filetrans'($*)) dnl
gen_require(`
	type pkcs_slotd_tmpfs_t;
')

	# map is needed so the shared tmpfs file can be mmapped by the caller
	allow $1 pkcs_slotd_tmpfs_t:file map;
	manage_files_pattern($1, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
	fs_tmpfs_filetrans($1, pkcs_slotd_tmpfs_t, { file dir })

	# review note: this grants management of generic tmpfs directories - wider
	# than the private type named in the summary - confirm the caller needs it
	fs_manage_tmpfs_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs_tmpfs_filetrans'($*)) dnl
')

########################################
##
## Use opencryptoki services.
##
## $1: Domain allowed access.
##
#
define(`pkcs_use_opencryptoki',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs_use_opencryptoki'($*)) dnl
gen_require(`
	type pkcs_slotd_t;
')

	# review note: this hands every caller the fsetid capability on itself -
	# a broad grant for a client interface - confirm it is required by the library
	allow $1 self:capability fsetid;

	# reverse direction: the slot daemon may probe the caller for existence
	# and read its process state
	allow pkcs_slotd_t $1:process signull;
	kernel_search_proc($1)
	ps_process_pattern(pkcs_slotd_t, $1)

	corenet_tcp_connect_tcs_port($1)

	# direct access to crypto device nodes
	dev_rw_crypto($1)

	pkcs_getattr_exec_files($1)
	pkcs_manage_lock($1)
	pkcs_rw_shm($1)
	pkcs_stream_connect($1)
	pkcs_manage_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs_use_opencryptoki'($*)) dnl
')

########################################
##
## All of the rules required to
## administrate a pkcs slotd environment.
##
## $1: Domain allowed access.
##
## $2: Role allowed access.
##
#
define(`pkcs_admin_slotd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs_admin_slotd'($*)) dnl
gen_require(`
	type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t, pkcs_slotd_lock_t;
	type pkcs_slotd_var_run_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t;
')

	# review note: ptrace is unconditional here - pingd_admin and
	# pkcs11proxyd_admin in this file gate it behind the deny_ptrace tunable
	allow $1 pkcs_slotd_t:process { ptrace signal_perms };
	ps_process_pattern($1, pkcs_slotd_t)

	init_labeled_script_domtrans($1, pkcs_slotd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 pkcs_slotd_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_var_lib($1)
	admin_pattern($1, pkcs_slotd_var_lib_t)

	files_search_locks($1)
	admin_pattern($1, pkcs_slotd_lock_t)

	files_search_pids($1)
	admin_pattern($1, pkcs_slotd_var_run_t)

	files_search_tmp($1)
	admin_pattern($1, pkcs_slotd_tmp_t)

	fs_search_tmpfs($1)
	admin_pattern($1, pkcs_slotd_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs_admin_slotd'($*)) dnl
')

## pkcs11proxyd-softhsm-ctl - manage the isolated PKCS #11 daemon with softhsm

########################################
##
## Execute pkcs11proxyd_exec_t in the pkcs11proxyd domain.
##
## $1: Domain allowed to transition.
##
#
define(`pkcs11proxyd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs11proxyd_domtrans'($*)) dnl
gen_require(`
	type pkcs11proxyd_t, pkcs11proxyd_exec_t;
')

	corecmd_search_bin($1)
	domtrans_pattern($1, pkcs11proxyd_exec_t, pkcs11proxyd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs11proxyd_domtrans'($*)) dnl
')

######################################
##
## Execute pkcs11proxyd in the caller domain.
##
## $1: Domain allowed access.
##
#
define(`pkcs11proxyd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs11proxyd_exec'($*)) dnl
gen_require(`
	type pkcs11proxyd_exec_t;
')

	# executes in the caller domain - no domain transition is set up here
	corecmd_search_bin($1)
	can_exec($1, pkcs11proxyd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs11proxyd_exec'($*)) dnl
')

########################################
##
## Search pkcs11proxyd lib directories.
##
## $1: Domain allowed access.
##
#
define(`pkcs11proxyd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs11proxyd_search_lib'($*)) dnl
gen_require(`
	type pkcs11proxyd_var_lib_t;
')

	allow $1 pkcs11proxyd_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs11proxyd_search_lib'($*)) dnl
')

########################################
##
## Read pkcs11proxyd lib files.
##
## $1: Domain allowed access.
##
#
define(`pkcs11proxyd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs11proxyd_read_lib_files'($*)) dnl
gen_require(`
	type pkcs11proxyd_var_lib_t;
')

	files_search_var_lib($1)
	read_files_pattern($1, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs11proxyd_read_lib_files'($*)) dnl
')

########################################
##
## Manage pkcs11proxyd lib files.
##
## $1: Domain allowed access.
##
#
define(`pkcs11proxyd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs11proxyd_manage_lib_files'($*)) dnl
gen_require(`
	type pkcs11proxyd_var_lib_t;
')

	files_search_var_lib($1)
	manage_files_pattern($1, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs11proxyd_manage_lib_files'($*)) dnl
')

########################################
##
## Manage pkcs11proxyd lib directories.
##
## $1: Domain allowed access.
##
#
define(`pkcs11proxyd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs11proxyd_manage_lib_dirs'($*)) dnl
gen_require(`
	type pkcs11proxyd_var_lib_t;
')

	files_search_var_lib($1)
	manage_dirs_pattern($1, pkcs11proxyd_var_lib_t, pkcs11proxyd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs11proxyd_manage_lib_dirs'($*)) dnl
')

########################################
##
## All of the rules required to administrate
## a pkcs11proxyd environment.
##
## $1: Domain allowed access.
##
## $2: Role allowed access.
## Note: the body below never uses $2 - no role_transition
## or system_r rule is emitted for this daemon.
##
#
define(`pkcs11proxyd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs11proxyd_admin'($*)) dnl
gen_require(`
	type pkcs11proxyd_t;
	type pkcs11proxyd_var_lib_t;
')

	allow $1 pkcs11proxyd_t:process { signal_perms };
	ps_process_pattern($1, pkcs11proxyd_t)

	# ptrace of the daemon is only granted when deny_ptrace is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 pkcs11proxyd_t:process ptrace;
	')

	files_search_var_lib($1)
	admin_pattern($1, pkcs11proxyd_var_lib_t)

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs11proxyd_admin'($*)) dnl
')

########################################
##
## Connect to pkcs11proxyd over a unix
## stream socket.
##
## $1: Domain allowed access.
##
#
define(`pkcs11proxyd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pkcs11proxyd_stream_connect'($*)) dnl
gen_require(`
	type pkcs11proxyd_t, pkcs11proxyd_var_run_t;
')

	files_search_pids($1)
	stream_connect_pattern($1, pkcs11proxyd_var_run_t, pkcs11proxyd_var_run_t, pkcs11proxyd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pkcs11proxyd_stream_connect'($*)) dnl
')

## policy for pki

########################################
##
## Read and write pki tomcat cert files
## and create symbolic links to them.
##
## $1: Domain allowed access.
##
#
define(`pki_rw_tomcat_cert',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_rw_tomcat_cert'($*)) dnl
gen_require(`
	type pki_tomcat_cert_t;
	type pki_tomcat_etc_rw_t;
')

	# the cert files are reached through the tomcat etc rw directory
	allow $1 pki_tomcat_etc_rw_t:dir search_dir_perms;
	rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
	create_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_rw_tomcat_cert'($*)) dnl
')

########################################
##
## Create, read, write, and delete pki tomcat
## cert files and symbolic links.
##
## $1: Domain allowed access.
##
#
define(`pki_manage_tomcat_cert',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_manage_tomcat_cert'($*)) dnl
gen_require(`
	type pki_tomcat_cert_t;
	type pki_tomcat_etc_rw_t;
')

	# full directory management on the etc rw directory - not just search
	allow $1 pki_tomcat_etc_rw_t:dir manage_dir_perms;
	manage_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
	manage_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_manage_tomcat_cert'($*)) dnl
')

########################################
##
## Create, read, write, and delete pki tomcat
## etc rw files and symbolic links.
##
## $1: Domain allowed access.
##
#
define(`pki_manage_tomcat_etc_rw',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_manage_tomcat_etc_rw'($*)) dnl
gen_require(`
	type pki_tomcat_etc_rw_t;
')

	# files and symlinks only - no directory management or etc search is granted here
	manage_files_pattern($1, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
	manage_lnk_files_pattern($1, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_manage_tomcat_etc_rw'($*)) dnl
')

########################################
##
## Allow domain to read pki cert files.
##
## $1: Domain allowed access.
##
#
define(`pki_read_tomcat_cert',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_read_tomcat_cert'($*)) dnl
gen_require(`
	type pki_tomcat_cert_t;
')

	# no search on pki_tomcat_etc_rw_t is granted here unlike pki_rw_tomcat_cert
	read_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
	read_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_read_tomcat_cert'($*)) dnl
')

########################################
##
## Create a set of derived types for apache
## web content.
##
## $1: The prefix to be used for deriving type names.
##
#
define(`pki_apache_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_apache_template'($*)) dnl
gen_require(`
	attribute pki_apache_domain;
	attribute pki_apache_config, pki_apache_var_lib, pki_apache_var_run;
	attribute pki_apache_executable, pki_apache_script, pki_apache_var_log;
')

	########################################
	#
	# Declarations
	#
	type $1_t, pki_apache_domain;
	type $1_exec_t, pki_apache_executable;
	domain_type($1_t)
	init_daemon_domain($1_t, $1_exec_t)

	type $1_script_exec_t, pki_apache_script;
	init_script_file($1_script_exec_t)

	type $1_etc_rw_t, pki_apache_config;
	files_type($1_etc_rw_t)

	type $1_var_run_t, pki_apache_var_run;
	files_pid_file($1_var_run_t)

	type $1_var_lib_t, pki_apache_var_lib;
	files_type($1_var_lib_t)

	type $1_log_t, pki_apache_var_log;
	logging_log_file($1_log_t)

	type $1_lock_t;
	files_lock_file($1_lock_t)

	# review note: $1_tmp_t is registered as a tmpfs file type here but the
	# local policy below transitions it in the regular tmp directory via
	# files_tmp_filetrans - confirm which of the two was intended
	type $1_tmp_t;
	files_tmpfs_file($1_tmp_t)

	########################################
	#
	# $1 local policy
	#
	files_read_etc_files($1_t)

	allow $1_t $1_etc_rw_t:lnk_file read;
	manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
	manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
	files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })

	manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
	files_pid_filetrans($1_t,$1_var_run_t, { file dir })

	manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
	manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
	read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
	files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )

	manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
	manage_files_pattern($1_t, $1_log_t, $1_log_t)
	logging_log_filetrans($1_t, $1_log_t, { file dir } )

	manage_dirs_pattern($1_t, $1_lock_t, $1_lock_t)
	manage_files_pattern($1_t, $1_lock_t, $1_lock_t)
	manage_lnk_files_pattern($1_t, $1_lock_t, $1_lock_t)
	files_lock_filetrans($1_t, $1_lock_t, { dir file lnk_file })

	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
	files_tmp_filetrans($1_t, $1_tmp_t, { file dir })

	#talk to lunasa hsm
	logging_send_syslog_msg($1_t)

	kernel_read_kernel_sysctls($1_t)
	kernel_read_system_state($1_t)

	# review note: accepts traffic from unlabeled peers - revisit if the
	# deployment uses labeled networking
	corenet_all_recvfrom_unlabeled($1_t)

	# need to resolve addresses?
	auth_use_nsswitch($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_apache_template'($*)) dnl
')

#######################################
##
## Send a generic signal to pki apache domains.
##
## $1: Domain allowed access.
##
#
define(`pki_apache_domain_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_apache_domain_signal'($*)) dnl
gen_require(`
	attribute pki_apache_domain;
')

	# applies to every domain carrying the pki_apache_domain attribute
	allow $1 pki_apache_domain:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_apache_domain_signal'($*)) dnl
')

#######################################
##
## Send a null signal to pki apache domains.
##
## $1: Domain allowed access.
##
#
define(`pki_apache_domain_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_apache_domain_signull'($*)) dnl
gen_require(`
	attribute pki_apache_domain;
')

	allow $1 pki_apache_domain:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_apache_domain_signull'($*)) dnl
')

###################################
##
## Allow domain to read pki apache subsystem pid files.
##
## $1: Domain allowed access.
## </param>
#
define(`pki_manage_apache_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_manage_apache_run'($*)) dnl
	gen_require(`
		attribute pki_apache_var_run;
	')

	# NOTE(review): the search grant is on var_lib rather than the pid
	# directory; presumably the subsystem run dirs are reached through the
	# pki instance tree under var_lib -- confirm against the file contexts
	files_search_var_lib($1)
	read_files_pattern($1, pki_apache_var_run, pki_apache_var_run)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_manage_apache_run'($*)) dnl
')

####################################
## <summary>
##	Allow domain to manage pki apache subsystem lib files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pki_manage_apache_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_manage_apache_lib'($*)) dnl
	gen_require(`
		attribute pki_apache_var_lib;
	')

	files_search_var_lib($1)
	# files and symlinks of every subsystem carrying the attribute
	manage_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
	manage_lnk_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_manage_apache_lib'($*)) dnl
')

##################################
## <summary>
##	Search pki log directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pki_search_log_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_search_log_dirs'($*)) dnl
	gen_require(`
		type pki_log_t;
	')

	# search only; no listing or file access is granted
	search_dirs_pattern($1, pki_log_t, pki_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_search_log_dirs'($*)) dnl
')

##################################
## <summary>
##	Dontaudit domain to write pki log files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pki_dontaudit_write_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_dontaudit_write_log'($*)) dnl
	gen_require(`
		type pki_log_t;
	')

	# suppress the AVC denial only; the write is still refused
	dontaudit $1 pki_log_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_dontaudit_write_log'($*)) dnl
')

###################################
## <summary>
##	Allow domain to manage pki apache subsystem log files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pki_manage_apache_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_manage_apache_log_files'($*)) dnl
	gen_require(`
		attribute pki_apache_var_log;
	')

	# NOTE(review): search is granted on var_lib, not the log directory;
	# presumably the logs are reached via the pki instance tree -- confirm
	files_search_var_lib($1)
	manage_files_pattern($1, pki_apache_var_log, pki_apache_var_log)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_manage_apache_log_files'($*)) dnl
')

##################################
## <summary>
##	Allow domain to manage pki apache subsystem config files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pki_manage_apache_config_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_manage_apache_config_files'($*)) dnl
	gen_require(`
		attribute pki_apache_config;
	')

	# NOTE(review): search is granted on var_lib, not etc -- confirm the
	# config files are reached via the pki instance tree
	files_search_var_lib($1)
	manage_files_pattern($1, pki_apache_config, pki_apache_config)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_manage_apache_config_files'($*)) dnl
')

#################################
## <summary>
##	Allow domain to read pki tomcat lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pki_read_tomcat_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_read_tomcat_lib_files'($*)) dnl
	gen_require(`
		type pki_tomcat_var_lib_t;
	')

	# read-only: files plus the symlinks inside the lib tree
	read_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
	read_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_read_tomcat_lib_files'($*)) dnl
')

#################################
## <summary>
##	Allow domain to manage pki tomcat lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pki_manage_tomcat_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_manage_tomcat_lib'($*)) dnl
	gen_require(`
		type pki_tomcat_var_lib_t;
	')

	# full management of dirs, files and symlinks in the tomcat lib tree
	manage_dirs_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
	manage_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
	manage_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_manage_tomcat_lib'($*)) dnl
')

#################################
## <summary>
##	Allow domain to manage pki tomcat log files and directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pki_manage_tomcat_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_manage_tomcat_log'($*)) dnl
	gen_require(`
		type pki_tomcat_log_t;
	')

	# dirs and files; symlinks in the log tree are not covered
	manage_dirs_pattern($1, pki_tomcat_log_t, pki_tomcat_log_t)
	manage_files_pattern($1, pki_tomcat_log_t, pki_tomcat_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_manage_tomcat_log'($*)) dnl
')

#################################
## <summary>
##	Allow domain to read pki tomcat lib dirs
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pki_read_tomcat_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_read_tomcat_lib_dirs'($*)) dnl
	gen_require(`
		type pki_tomcat_var_lib_t;
	')

	# directory listing only; file contents are not readable through this
	list_dirs_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_read_tomcat_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Allow read pki_common_t files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pki_read_common_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_read_common_files'($*)) dnl
	gen_require(`
		type pki_common_t;
	')

	read_files_pattern($1, pki_common_t, pki_common_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_read_common_files'($*)) dnl
')

########################################
## <summary>
##	Allow execute pki_common_t files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pki_exec_common_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_exec_common_files'($*)) dnl
	gen_require(`
		type pki_common_t;
	')

	# execute in the caller domain; no domain transition takes place
	exec_files_pattern($1, pki_common_t, pki_common_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_exec_common_files'($*)) dnl
')

########################################
## <summary>
##	Allow domain to manage pki_common_t files and directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pki_manage_common_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_manage_common_files'($*)) dnl
	gen_require(`
		type pki_common_t;
	')

	manage_files_pattern($1, pki_common_t, pki_common_t)
	manage_dirs_pattern($1, pki_common_t, pki_common_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_manage_common_files'($*)) dnl
')

########################################
## <summary>
##	Connect to pki over a unix
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pki_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_stream_connect'($*)) dnl
	gen_require(`
		type pki_tomcat_t, pki_common_t;
	')

	# the socket file is labelled pki_common_t and is served by pki_tomcat_t
	files_search_pids($1)
	stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Control the pki tomcat service through systemctl
##	(start, stop, status); no domain transition to
##	pki_tomcat_t is granted.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pki_tomcat_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_tomcat_systemctl'($*)) dnl
	gen_require(`
		type pki_tomcat_t;
		type pki_tomcat_unit_file_t;
	')

	systemd_exec_systemctl($1)
	systemd_read_fifo_file_passwd_run($1)
	# read the unit file and manage the service it describes
	allow $1 pki_tomcat_unit_file_t:file read_file_perms;
	allow $1 pki_tomcat_unit_file_t:service manage_service_perms;
	# lets the caller see the pki tomcat process state, e.g. for status output
	ps_process_pattern($1, pki_tomcat_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_tomcat_systemctl'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	pki tomcat pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pki_manage_tomcat_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pki_manage_tomcat_pid'($*)) dnl
	gen_require(`
		type pki_tomcat_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, pki_tomcat_var_run_t, pki_tomcat_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pki_manage_tomcat_pid'($*)) dnl
')

## <summary>Plymouth graphical boot</summary>

########################################
## <summary>
##	Execute a domain transition to run plymouthd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`plymouthd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_domtrans'($*)) dnl
	gen_require(`
		type plymouthd_t, plymouthd_exec_t;
	')

	# executing plymouthd_exec_t from $1 lands the process in plymouthd_t
	domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute the plymouth daemon in the current domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`plymouthd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_exec'($*)) dnl
	gen_require(`
		type plymouthd_exec_t;
	')

	# no transition: the daemon keeps running as $1
	can_exec($1, plymouthd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_exec'($*)) dnl
')

########################################
## <summary>
##	Connect to the plymouth daemon over
##	a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`plymouthd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_stream_connect'($*)) dnl
	gen_require(`
		type plymouthd_t;
	')

	# only the socket connect is granted here; access to the socket
	# file itself is not part of this interface
	allow $1 plymouthd_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Execute the plymouth command in the current domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`plymouthd_exec_plymouth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_exec_plymouth'($*)) dnl
	gen_require(`
		type plymouth_exec_t;
	')

	can_exec($1, plymouth_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_exec_plymouth'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run the plymouth client.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`plymouthd_domtrans_plymouth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_domtrans_plymouth'($*)) dnl
	gen_require(`
		type plymouth_t, plymouth_exec_t;
	')

	# plymouth_t is the client domain, distinct from the plymouthd_t daemon
	domtrans_pattern($1, plymouth_exec_t, plymouth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_domtrans_plymouth'($*)) dnl
')

########################################
## <summary>
##	Search plymouthd spool directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`plymouthd_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_search_spool'($*)) dnl
	gen_require(`
		type plymouthd_spool_t;
	')

	allow $1 plymouthd_spool_t:dir search_dir_perms;
	# search of the parent spool directory is needed to reach the type
	files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_search_spool'($*)) dnl
')

########################################
## <summary>
##	Read plymouthd spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`plymouthd_read_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_read_spool_files'($*)) dnl
	gen_require(`
		type plymouthd_spool_t;
	')

	files_search_spool($1)
	read_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_read_spool_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	plymouthd spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`plymouthd_manage_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_manage_spool_files'($*)) dnl
	gen_require(`
		type plymouthd_spool_t;
	')

	files_search_spool($1)
	# files only; spool subdirectories are not managed by this interface
	manage_files_pattern($1, plymouthd_spool_t, plymouthd_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_manage_spool_files'($*)) dnl
')

########################################
## <summary>
##	Search plymouthd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`plymouthd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_search_lib'($*)) dnl
	gen_require(`
		type plymouthd_var_lib_t;
	')

	allow $1 plymouthd_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read plymouthd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`plymouthd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_read_lib_files'($*)) dnl
	gen_require(`
		type plymouthd_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	plymouthd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`plymouthd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_manage_lib_files'($*)) dnl
	gen_require(`
		type plymouthd_var_lib_t;
	')

	files_search_var_lib($1)
	# files only; lib subdirectories are not managed by this interface
	manage_files_pattern($1, plymouthd_var_lib_t, plymouthd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Read plymouthd PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`plymouthd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_read_pid_files'($*)) dnl
	gen_require(`
		type plymouthd_var_run_t;
	')

	files_search_pids($1)
	# a bare allow rather than read_files_pattern: no search on a
	# plymouthd_var_run_t directory is granted, only the file read
	allow $1 plymouthd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to read
##	plymouthd log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`plymouthd_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_read_log'($*)) dnl
	gen_require(`
		type plymouthd_var_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_read_log'($*)) dnl
')

#####################################
## <summary>
##	Allow the specified domain to create plymouthd log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`plymouthd_create_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_create_log'($*)) dnl
	gen_require(`
		type plymouthd_var_log_t;
	')

	logging_search_logs($1)
	# create only; reading or writing existing log files is not granted
	create_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_create_log'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to manage
##	plymouthd log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`plymouthd_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_manage_log'($*)) dnl
	gen_require(`
		type plymouthd_var_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
	manage_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
	# symlinks in the log tree are readable but not managed
	read_lnk_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_manage_log'($*)) dnl
')

#######################################
## <summary>
##	Allow domain to create boot.log
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`plymouthd_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_filetrans_named_content'($*)) dnl
	gen_require(`
		type plymouthd_var_log_t;
	')

	# a file named boot.log created by $1 in the log directory is
	# labelled plymouthd_var_log_t instead of the generic log type
	logging_log_named_filetrans($1, plymouthd_var_log_t, file, "boot.log")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_filetrans_named_content'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a plymouthd environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`plymouthd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `plymouthd_admin'($*)) dnl
	gen_require(`
		type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
		type plymouthd_var_run_t;
	')

	allow $1 plymouthd_t:process signal_perms;
	ps_process_pattern($1, plymouthd_t)

	# ptrace of the daemon is withheld when the deny_ptrace boolean is on
	tunable_policy(`deny_ptrace',`',`
		allow $1 plymouthd_t:process ptrace;
	')

	files_list_var_lib($1)
	admin_pattern($1, plymouthd_spool_t)
	admin_pattern($1, plymouthd_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, plymouthd_var_run_t)
	# NOTE(review): plymouthd_var_log_t is not covered here; an admin
	# needing the logs has to call plymouthd_manage_log separately
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `plymouthd_admin'($*)) dnl
')

## <summary>Podsleuth is a tool to get information about an Apple (TM) iPod (TM).</summary>

########################################
## <summary>
##	Execute a domain transition to run podsleuth.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`podsleuth_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `podsleuth_domtrans'($*)) dnl
	gen_require(`
		type podsleuth_t, podsleuth_exec_t;
	')

	# the executable lives in a bin directory, so search is needed to reach it
	corecmd_search_bin($1)
	domtrans_pattern($1, podsleuth_exec_t, podsleuth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `podsleuth_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute podsleuth in the podsleuth
##	domain, and allow the specified role
##	the podsleuth domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`podsleuth_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `podsleuth_run'($*)) dnl
	gen_require(`
		attribute_role podsleuth_roles;
	')

	podsleuth_domtrans($1)
	# the role is attached via the role attribute, not a direct role/types rule
	roleattribute $2 podsleuth_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `podsleuth_run'($*)) dnl
')

## <summary>Policy framework for controlling privileges for system-wide services.</summary>
########################################
## <summary>
##	Send and receive messages from
##	policykit over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`policykit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_dbus_chat'($*)) dnl
	gen_require(`
		type policykit_t;
		class dbus send_msg;
	')

	# policykit_t may inspect the caller process state, presumably to
	# identify the peer it is authorizing -- confirm
	ps_process_pattern(policykit_t, $1)
	# messages flow in both directions
	allow $1 policykit_t:dbus send_msg;
	allow policykit_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	policykit auth over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`policykit_dbus_chat_auth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_dbus_chat_auth'($*)) dnl
	gen_require(`
		type policykit_auth_t;
		class dbus send_msg;
	')

	ps_process_pattern(policykit_auth_t, $1)
	allow $1 policykit_auth_t:dbus send_msg;
	allow policykit_auth_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_dbus_chat_auth'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run polkit_auth.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`policykit_domtrans_auth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_domtrans_auth'($*)) dnl
	gen_require(`
		type policykit_auth_t, policykit_auth_exec_t;
	')

	domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_domtrans_auth'($*)) dnl
')

########################################
## <summary>
##	Execute a policy_auth in the policy_auth domain, and
##	allow the specified role the policy_auth domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`policykit_run_auth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_run_auth'($*)) dnl
	gen_require(`
		type policykit_auth_t;
	')

	policykit_domtrans_auth($1)
	role $2 types policykit_auth_t;
	# the caller may signal and inspect the helper it spawned
	allow $1 policykit_auth_t:process signal;
	ps_process_pattern(policykit_auth_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_run_auth'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run polkit_grant.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`policykit_domtrans_grant',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_domtrans_grant'($*)) dnl
	gen_require(`
		type policykit_grant_t, policykit_grant_exec_t;
	')

	domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_domtrans_grant'($*)) dnl
')

########################################
## <summary>
##	Execute a policy_grant in the policy_grant domain, and
##	allow the specified role the policy_grant domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`policykit_run_grant',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_run_grant'($*)) dnl
	gen_require(`
		type policykit_grant_t;
	')

	policykit_domtrans_grant($1)
	role $2 types policykit_grant_t;
	allow $1 policykit_grant_t:process signal;
	ps_process_pattern(policykit_grant_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_run_grant'($*)) dnl
')

########################################
## <summary>
##	Read policykit reload files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`policykit_read_reload',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_read_reload'($*)) dnl
	gen_require(`
		type policykit_reload_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, policykit_reload_t, policykit_reload_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_read_reload'($*)) dnl
')

########################################
## <summary>
##	Read and write policykit reload files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`policykit_rw_reload',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_rw_reload'($*)) dnl
	gen_require(`
		type policykit_reload_t;
	')

	files_search_var_lib($1)
	# read/write of existing files only; creation and deletion are not granted
	rw_files_pattern($1, policykit_reload_t, policykit_reload_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_rw_reload'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run polkit_resolve.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`policykit_domtrans_resolve',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_domtrans_resolve'($*)) dnl
	gen_require(`
		type policykit_resolve_t, policykit_resolve_exec_t;
	')

	domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t)
	# unlike the other domtrans interfaces here, the resolver may also
	# inspect the process state of the caller that spawned it
	ps_process_pattern(policykit_resolve_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_domtrans_resolve'($*)) dnl
')

########################################
## <summary>
##	Search policykit lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`policykit_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_search_lib'($*)) dnl
	gen_require(`
		type policykit_var_lib_t;
	')

	allow $1 policykit_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read policykit lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`policykit_read_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_read_lib'($*)) dnl
	gen_require(`
		type policykit_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)

	# NOTE(review): this grants read access to cron system job lib files
	# to every caller of a policykit interface; the original author
	# already marked the placement as broken -- worth moving to the caller
	optional_policy(`
		# Broken placement
		cron_read_system_job_lib_files($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_read_lib'($*)) dnl
')

#######################################
## <summary>
##	The per role template for the policykit module.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
define(`policykit_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_role'($*)) dnl
	# argument order is (role, domain); the run interfaces take (domain, role)
	policykit_run_auth($2, $1)
	policykit_run_grant($2, $1)
	policykit_read_lib($2)
	policykit_read_reload($2)
	policykit_dbus_chat($2)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_role'($*)) dnl
')

########################################
## <summary>
##	Send generic signal to policy_auth
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`policykit_signal_auth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `policykit_signal_auth'($*)) dnl
	gen_require(`
		type policykit_auth_t;
	')

	allow $1 policykit_auth_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `policykit_signal_auth'($*)) dnl
')

## <summary>Caching web proxy.</summary>

########################################
## <summary>
##	Role access for polipo session.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`polipo_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `polipo_role'($*)) dnl
	gen_require(`
		type polipo_session_t, polipo_exec_t;
	')

	########################################
	#
	# Declarations
	#

	role $1 types polipo_session_t;

	########################################
	#
	# Policy
	#

	allow $2 polipo_session_t:process signal_perms;
	ps_process_pattern($2, polipo_session_t)

	# ptrace of the session daemon is withheld when deny_ptrace is on
	tunable_policy(`deny_ptrace',`',`
		allow $2 polipo_session_t:process ptrace;
	')

	# with polipo_session_users on, running polipo moves the user into the
	# confined session domain; otherwise it runs unconfined in $2
	tunable_policy(`polipo_session_users',`
		domtrans_pattern($2, polipo_exec_t, polipo_session_t)
	',`
		can_exec($2, polipo_exec_t)
	')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `polipo_role'($*)) dnl
')

########################################
## <summary>
##	Create configuration files in user
##	home directories with a named file
##	type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`polipo_named_filetrans_config_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `polipo_named_filetrans_config_home_files'($*)) dnl
	gen_require(`
		type polipo_config_home_t;
	')

	# only a file literally named .polipo gets the polipo config label
	userdom_user_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `polipo_named_filetrans_config_home_files'($*)) dnl
')

########################################
## <summary>
##	Create cache directories in user
##	home directories with a named file
##	type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`polipo_named_filetrans_cache_home_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `polipo_named_filetrans_cache_home_dirs'($*)) dnl
	gen_require(`
		type polipo_cache_home_t;
	')

	userdom_user_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `polipo_named_filetrans_cache_home_dirs'($*)) dnl
')

########################################
## <summary>
##	Create configuration files in admin
##	home directories with a named file
##	type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`polipo_named_filetrans_admin_config_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `polipo_named_filetrans_admin_config_home_files'($*)) dnl
	gen_require(`
		type polipo_config_home_t;
	')

	# same transition as the user variant, but rooted in the admin home dir
	userdom_admin_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `polipo_named_filetrans_admin_config_home_files'($*)) dnl
')

########################################
## <summary>
##	Create cache directories in admin
##	home directories with a named file
##	type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`polipo_named_filetrans_admin_cache_home_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `polipo_named_filetrans_admin_cache_home_dirs'($*)) dnl
	gen_require(`
		type polipo_cache_home_t;
	')

	userdom_admin_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `polipo_named_filetrans_admin_cache_home_dirs'($*)) dnl
')

########################################
## <summary>
##	Create log files with a named file
##	type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`polipo_named_filetrans_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `polipo_named_filetrans_log_files'($*)) dnl
	gen_require(`
		type polipo_log_t;
	')

	# a file named polipo created by $1 in the log directory gets polipo_log_t
	logging_log_named_filetrans($1, polipo_log_t, file, "polipo")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `polipo_named_filetrans_log_files'($*)) dnl
')

########################################
## <summary>
##	Control the polipo service through systemctl;
##	no domain transition to polipo_t is granted.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`polipo_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `polipo_systemctl'($*)) dnl
	gen_require(`
		type polipo_t;
		type polipo_unit_file_t;
	')

	systemd_exec_systemctl($1)
	# needed so a daemon-reload issued by the caller is permitted
	init_reload_services($1)
	allow $1 polipo_unit_file_t:file read_file_perms;
	allow $1 polipo_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, polipo_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `polipo_systemctl'($*)) dnl
')

########################################
## <summary>
##	Administrate a polipo environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
##
##
##
#
define(`polipo_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `polipo_admin'($*)) dnl
	gen_require(`
		type polipo_t, polipo_pid_t, polipo_cache_t;
		type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t;
		type polipo_unit_file_t;
	')

	allow $1 polipo_t:process signal_perms;
	ps_process_pattern($1, polipo_t)

	# ptrace of the daemon is only granted while the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 polipo_t:process ptrace;
	')

	# run the init script and let the admin role reach system_r through it
	init_labeled_script_domtrans($1, polipo_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 polipo_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, polipo_etc_t)

	logging_list_logs($1)
	admin_pattern($1, polipo_log_t)

	files_list_var($1)
	admin_pattern($1, polipo_cache_t)

	files_list_pids($1)
	admin_pattern($1, polipo_pid_t)

	polipo_systemctl($1)
	admin_pattern($1, polipo_unit_file_t)
	allow $1 polipo_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `polipo_admin'($*)) dnl
')

## Package Management System.

########################################
##
##	Execute emerge in the portage domain.
##
##
##
##	Domain allowed to transition.
##
##
#
define(`portage_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portage_domtrans'($*)) dnl
	gen_require(`
		type portage_t, portage_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, portage_exec_t, portage_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portage_domtrans'($*)) dnl
')

########################################
##
##	Execute emerge in the portage domain,
##	and allow the specified role the
##	portage domain.
##
##
##
##	Domain allowed to transition.
##
##
##
##
##	Role allowed access.
##
##
##
#
define(`portage_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portage_run'($*)) dnl
	gen_require(`
		attribute_role portage_roles;
	')

	portage_domtrans($1)
	# the role attribute carries the role/type pairing declared in the portage module
	roleattribute $2 portage_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portage_run'($*)) dnl
')

########################################
##
##	Template for portage sandbox.
##
##
##

## Template for portage sandbox. Portage ## does all compiling in the sandbox. ##

##
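##
##
##	Domain Allowed Access
##
##
#
define(`portage_compile_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portage_compile_domain'($*)) dnl
	gen_require(`
		class dbus send_msg;
		type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
		type portage_tmpfs_t;
	')

	allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_read_search net_raw };
	dontaudit $1 self:capability sys_chroot;
	allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate };
	# NOTE(review): setrlimit and execmem are already granted by the rule above, so
	# listing them in the negated set below has no effect; the net grant is every
	# process permission except ptrace setcurrent setexec execstack execheap.
	allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
	allow $1 self:fd use;
	allow $1 self:fifo_file rw_fifo_file_perms;
	allow $1 self:shm create_shm_perms;
	allow $1 self:sem create_sem_perms;
	allow $1 self:msgq create_msgq_perms;
	allow $1 self:msg { send receive };
	allow $1 self:unix_dgram_socket create_socket_perms;
	allow $1 self:unix_stream_socket create_stream_socket_perms;
	allow $1 self:unix_dgram_socket sendto;
	allow $1 self:unix_stream_socket connectto;
	# really shouldnt need this
	allow $1 self:tcp_socket create_stream_socket_perms;
	allow $1 self:udp_socket create_socket_perms;
	# misc networking stuff (esp needed for compiling perl):
	allow $1 self:rawip_socket { create ioctl };
	# needed for merging dbus:
	allow $1 self:netlink_selinux_socket { bind create read };
	allow $1 self:dbus send_msg;

	allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
	term_create_pty($1, portage_devpts_t)

	# write compile logs
	allow $1 portage_log_t:dir setattr_dir_perms;
	allow $1 portage_log_t:file { write_file_perms setattr_file_perms };

	# Support live ebuilds (-9999)
	manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
	manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
	manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)

	# run scripts out of the build directory
	# (granted to the template domain itself; the previous hard-coded
	# portage_sandbox_t meant other callers of this template never got it)
	can_exec($1, portage_tmp_t)
	manage_dirs_pattern($1, portage_tmp_t, portage_tmp_t)
	manage_files_pattern($1, portage_tmp_t, portage_tmp_t)
	manage_lnk_files_pattern($1, portage_tmp_t, portage_tmp_t)
	manage_fifo_files_pattern($1, portage_tmp_t, portage_tmp_t)
	manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t)
	files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file })
	# SELinux-enabled programs running in the sandbox
	allow $1 portage_tmp_t:file relabel_file_perms;

	# NOTE(review): the tmpfs filetrans below covers dir, but no manage_dirs_pattern
	# is granted on portage_tmpfs_t; confirm whether that is intentional.
	manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
	manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
	manage_fifo_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
	manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
	fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file })

	kernel_read_system_state($1)
	kernel_read_network_state($1)
	kernel_read_software_raid_state($1)
	kernel_getattr_core_if($1)
	kernel_getattr_message_if($1)
	kernel_read_kernel_sysctls($1)

	# the build sandbox may run any executable on the system
	corecmd_exec_all_executables($1)

	# really shouldnt need this but some packages test
	# network access, such as during configure
	# also distcc--need to reinvestigate confining distcc client
	corenet_all_recvfrom_unlabeled($1)
	corenet_all_recvfrom_netlabel($1)
	corenet_tcp_sendrecv_generic_if($1)
	corenet_udp_sendrecv_generic_if($1)
	corenet_raw_sendrecv_generic_if($1)
	corenet_tcp_sendrecv_generic_node($1)
	corenet_udp_sendrecv_generic_node($1)
	corenet_raw_sendrecv_generic_node($1)
	corenet_tcp_sendrecv_all_ports($1)
	corenet_udp_sendrecv_all_ports($1)
	corenet_tcp_connect_all_reserved_ports($1)
	corenet_tcp_connect_distccd_port($1)
	corenet_tcp_connect_git_port($1)

	dev_read_sysfs($1)
	dev_read_rand($1)
	dev_read_urand($1)

	domain_use_interactive_fds($1)
	domain_dontaudit_read_all_domains_state($1)
	# SELinux-aware installs doing relabels in the sandbox
	domain_obj_id_change_exemption($1)

	files_exec_etc_files($1)
	files_exec_usr_src_files($1)

	fs_getattr_xattr_fs($1)
	fs_list_noxattr_fs($1)
	fs_read_noxattr_fs_files($1)
	fs_read_noxattr_fs_symlinks($1)
	fs_search_auto_mountpoints($1)

	selinux_validate_context($1)
	# needed for merging dbus:
	selinux_compute_access_vector($1)

	files_list_non_auth_dirs($1)
	files_read_non_auth_files($1)
	files_read_non_auth_symlinks($1)

	libs_exec_lib_files($1)
	# some config scripts use ldd
	libs_exec_ld_so($1)
	libs_exec_ldconfig($1)

	logging_send_syslog_msg($1)

	userdom_use_user_terminals($1)

	# SELinux-enabled programs running in the sandbox
	seutil_libselinux_linked($1)

	tunable_policy(`portage_use_nfs',`
		fs_getattr_nfs($1)
		fs_manage_nfs_dirs($1)
		fs_manage_nfs_files($1)
		fs_manage_nfs_symlinks($1)
	')

	ifdef(`TODO',`
	# some gui ebuilds want to interact with X server, like xawtv
	optional_policy(`
		allow $1 xdm_xserver_tmp_t:dir { add_entry_dir_perms del_entry_dir_perms };
		allow $1 xdm_xserver_tmp_t:sock_file { create_file_perms delete_file_perms write_file_perms };
	')
	') dnl end TODO
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portage_compile_domain'($*)) dnl
')

########################################
##
##	Execute tree management functions
##	(fetching, layman, ...) in the
##	portage fetch domain.
##
##
##
##	Domain allowed to transition.
##
##
#
define(`portage_domtrans_fetch',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portage_domtrans_fetch'($*)) dnl
	gen_require(`
		type portage_fetch_t, portage_fetch_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portage_domtrans_fetch'($*)) dnl
')

########################################
##
##	Execute tree management functions
##	(fetching, layman, ...) in the
##	portage fetch domain, and allow
##	the specified role the portage
##	fetch domain.
##
##
##
##	Domain allowed to transition.
##
##
##
##
##	Role allowed access.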
##
##
##
#
define(`portage_run_fetch',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portage_run_fetch'($*)) dnl
	gen_require(`
		attribute_role portage_fetch_roles;
	')

	portage_domtrans_fetch($1)
	roleattribute $2 portage_fetch_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portage_run_fetch'($*)) dnl
')

########################################
##
##	Execute gcc-config in the gcc config domain.
##
##
##
##	Domain allowed to transition.
##
##
#
define(`portage_domtrans_gcc_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portage_domtrans_gcc_config'($*)) dnl
	gen_require(`
		type gcc_config_t, gcc_config_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, gcc_config_exec_t, gcc_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portage_domtrans_gcc_config'($*)) dnl
')

########################################
##
##	Execute gcc-config in the gcc config
##	domain, and allow the specified role
##	the gcc_config domain.
##
##
##
##	Domain allowed to transition.
##
##
##
##
##	Role allowed access.
##
##
##
#
define(`portage_run_gcc_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portage_run_gcc_config'($*)) dnl
	gen_require(`
		attribute_role gcc_config_roles;
	')

	portage_domtrans_gcc_config($1)
	roleattribute $2 gcc_config_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portage_run_gcc_config'($*)) dnl
')

########################################
##
##	Do not audit attempts to use
##	portage file descriptors.
##
##
##
##	Domain to not audit.
##
##
#
define(`portage_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portage_dontaudit_use_fds'($*)) dnl
	gen_require(`
		type portage_t;
	')

	# silence denials only; no access is granted
	dontaudit $1 portage_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portage_dontaudit_use_fds'($*)) dnl
')

########################################
##
##	Do not audit attempts to search the
##	portage temporary directories.
##
##
##
##	Domain to not audit.
##
##
#
define(`portage_dontaudit_search_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portage_dontaudit_search_tmp'($*)) dnl
	gen_require(`
		type portage_tmp_t;
	')

	dontaudit $1 portage_tmp_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portage_dontaudit_search_tmp'($*)) dnl
')

########################################
##
##	Do not audit attempts to read and write
##	the portage temporary files.
##
##
##
##	Domain to not audit.
##
##
#
define(`portage_dontaudit_rw_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portage_dontaudit_rw_tmp_files'($*)) dnl
	gen_require(`
		type portage_tmp_t;
	')

	dontaudit $1 portage_tmp_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portage_dontaudit_rw_tmp_files'($*)) dnl
')

## RPC port mapping service.

########################################
##
##	Execute portmap helper in the helper domain.
##
##
##
##	Domain allowed to transition.
##
##
#
define(`portmap_domtrans_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portmap_domtrans_helper'($*)) dnl
	gen_require(`
		type portmap_helper_t, portmap_helper_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, portmap_helper_exec_t, portmap_helper_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portmap_domtrans_helper'($*)) dnl
')

########################################
##
##	Execute portmap helper in the helper
##	domain, and allow the specified role
##	the helper domain.
##
##
##
##	Domain allowed to transition.
##
##
##
##
##	Role allowed access.
##
##
##
#
define(`portmap_run_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portmap_run_helper'($*)) dnl
	gen_require(`
		attribute_role portmap_helper_roles;
	')

	portmap_domtrans_helper($1)
	roleattribute $2 portmap_helper_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portmap_run_helper'($*)) dnl
')

########################################
##
##	Send UDP network traffic to portmap. (Deprecated)
##
##
##
##	Domain allowed access.
##
##
#
define(`portmap_udp_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portmap_udp_send'($*)) dnl
	# deprecated: emits a build-time warning and grants nothing
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portmap_udp_send'($*)) dnl
')

########################################
##
##	Send and receive UDP network traffic from portmap. (Deprecated)
##
##
##
##	Domain allowed access.
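##
##
#
define(`portmap_udp_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portmap_udp_chat'($*)) dnl
	# deprecated: emits a build-time warning and grants nothing
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portmap_udp_chat'($*)) dnl
')

########################################
##
##	Connect to portmap over a TCP socket (Deprecated)
##
##
##
##	Domain allowed access.
##
##
#
define(`portmap_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portmap_tcp_connect'($*)) dnl
	# deprecated: emits a build-time warning and grants nothing
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portmap_tcp_connect'($*)) dnl
')

########################################
##
##	All of the rules required to
##	administrate a portmap environment.
##
##
##
##	Domain allowed access.
##
##
##
##
##	Role allowed access.
##
##
##
#
define(`portmap_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portmap_admin'($*)) dnl
	gen_require(`
		type portmap_t, portmap_initrc_exec_t, portmap_helper_t;
		type portmap_var_run_t, portmap_tmp_t;
	')

	allow $1 { portmap_t portmap_helper_t }:process signal_perms;
	ps_process_pattern($1, { portmap_t portmap_helper_t })

	# ptrace is gated on the deny_ptrace tunable, the same way the other
	# admin interfaces in this file (polipo_admin, portreserve_admin) do it
	tunable_policy(`deny_ptrace',`',`
		allow $1 { portmap_t portmap_helper_t }:process ptrace;
	')

	# run the init script and let the admin role reach system_r through it
	init_labeled_script_domtrans($1, portmap_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 portmap_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_pids($1)
	admin_pattern($1, portmap_var_run_t)

	files_search_tmp($1)
	admin_pattern($1, portmap_tmp_t)

	portmap_run_helper($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portmap_admin'($*)) dnl
')

## Reserve well-known ports in the RPC port range.

########################################
##
##	Execute a domain transition to run portreserve.
##
##
##
##	Domain allowed to transition.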
##
##
#
define(`portreserve_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portreserve_domtrans'($*)) dnl
	gen_require(`
		type portreserve_t, portreserve_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, portreserve_exec_t, portreserve_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portreserve_domtrans'($*)) dnl
')

#######################################
##
##	Read portreserve configuration content.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`portreserve_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portreserve_read_config'($*)) dnl
	gen_require(`
		type portreserve_etc_t;
	')

	files_search_etc($1)
	# read-only: list the dir, read files and symlinks
	allow $1 portreserve_etc_t:dir list_dir_perms;
	allow $1 portreserve_etc_t:file read_file_perms;
	allow $1 portreserve_etc_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portreserve_read_config'($*)) dnl
')

#######################################
##
##	Create, read, write, and delete
##	portreserve configuration content.
##
##
##
##	Domain allowed access.
##
##
#
define(`portreserve_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portreserve_manage_config'($*)) dnl
	gen_require(`
		type portreserve_etc_t;
	')

	files_search_etc($1)
	allow $1 portreserve_etc_t:dir manage_dir_perms;
	allow $1 portreserve_etc_t:file manage_file_perms;
	allow $1 portreserve_etc_t:lnk_file manage_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portreserve_manage_config'($*)) dnl
')

########################################
##
##	Execute portreserve init scripts in
##	the init script domain.
##
##
##
##	Domain allowed to transition.
##
##
#
define(`portreserve_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portreserve_initrc_domtrans'($*)) dnl
	gen_require(`
		type portreserve_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, portreserve_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portreserve_initrc_domtrans'($*)) dnl
')

########################################
##
##	All of the rules required to
##	administrate a portreserve environment.
##
##
##
##	Domain allowed access.
##
##
##
##
##	Role allowed access.
##
##
##
#
define(`portreserve_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portreserve_admin'($*)) dnl
	gen_require(`
		type portreserve_t, portreserve_etc_t, portreserve_var_run_t;
		type portreserve_initrc_exec_t;
	')

	allow $1 portreserve_t:process signal_perms;
	ps_process_pattern($1, portreserve_t)

	# ptrace of the daemon is only granted while the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 portreserve_t:process ptrace;
	')

	# run the init script and let the admin role reach system_r through it
	portreserve_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 portreserve_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, portreserve_etc_t)

	files_list_pids($1)
	admin_pattern($1, portreserve_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portreserve_admin'($*)) dnl
')

## Portslave terminal server software.

########################################
##
##	Execute portslave with a domain transition.
##
##
##
##	Domain allowed to transition.
##
##
#
define(`portslave_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `portslave_domtrans'($*)) dnl
	gen_require(`
		type portslave_t, portslave_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, portslave_exec_t, portslave_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `portslave_domtrans'($*)) dnl
')

## Postfix email server

########################################
##
##	Postfix stub interface. No access allowed.
##
##
##
##	Domain allowed access.
##
##
#
define(`postfix_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_stub'($*)) dnl
	# only pulls postfix_master_t into scope; deliberately grants nothing
	gen_require(`
		type postfix_master_t;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_stub'($*)) dnl
')

########################################
##
##	Creates types and rules for a basic
##	postfix process domain.
##
##
##
##	Prefix for the domain.
##
##
#
define(`postfix_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_domain_template'($*)) dnl
	gen_require(`
		attribute postfix_domain;
	')

	# declares postfix_<prefix>_t and its entrypoint type postfix_<prefix>_exec_t
	type postfix_$1_t, postfix_domain;
	type postfix_$1_exec_t;
	domain_type(postfix_$1_t)
	domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
	role system_r types postfix_$1_t;

	kernel_read_system_state(postfix_$1_t)

	auth_use_nsswitch(postfix_$1_t)

	logging_send_syslog_msg(postfix_$1_t)

	can_exec(postfix_$1_t, postfix_$1_exec_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_domain_template'($*)) dnl
')

########################################
##
##	Creates a postfix server process domain.
##
##
##
##	Prefix of the domain.
##
##
#
define(`postfix_server_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_server_domain_template'($*)) dnl
	# builds on the basic domain template, adding a tmp type, the
	# master-to-server transition and network access
	postfix_domain_template($1)

	type postfix_$1_tmp_t;
	files_tmp_file(postfix_$1_tmp_t)

	allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_read_search };
	# NOTE(review): postfix_master_t is used here without a gen_require; this
	# relies on the template being expanded inside the postfix module itself
	allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
	allow postfix_$1_t self:tcp_socket create_socket_perms;
	allow postfix_$1_t self:udp_socket create_socket_perms;

	manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
	manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
	files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir })

	domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)

	corenet_all_recvfrom_netlabel(postfix_$1_t)
	corenet_tcp_sendrecv_generic_if(postfix_$1_t)
	corenet_udp_sendrecv_generic_if(postfix_$1_t)
	corenet_tcp_sendrecv_generic_node(postfix_$1_t)
	corenet_udp_sendrecv_generic_node(postfix_$1_t)
	corenet_tcp_sendrecv_all_ports(postfix_$1_t)
	corenet_udp_sendrecv_all_ports(postfix_$1_t)
	corenet_tcp_bind_generic_node(postfix_$1_t)
	corenet_udp_bind_generic_node(postfix_$1_t)
	corenet_tcp_connect_all_ports(postfix_$1_t)
	corenet_sendrecv_all_client_packets(postfix_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_server_domain_template'($*)) dnl
')

########################################
##
##	Creates a process domain for programs
##	that are run by users.
##
##
##
##	Prefix of the domain.
##
##
#
define(`postfix_user_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_user_domain_template'($*)) dnl
	gen_require(`
		attribute postfix_user_domains, postfix_user_domtrans;
	')

	postfix_domain_template($1)
	typeattribute postfix_$1_t postfix_user_domains;

	allow postfix_$1_t self:capability { dac_read_search };

	# every domain carrying postfix_user_domtrans may transition into this one
	domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)

	domain_use_interactive_fds(postfix_$1_t)

	application_domain(postfix_$1_t, postfix_$1_exec_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_user_domain_template'($*)) dnl
')

########################################
##
##	Read postfix configuration files.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`postfix_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_read_config'($*)) dnl
	gen_require(`
		type postfix_etc_t;
	')

	read_files_pattern($1, postfix_etc_t, postfix_etc_t)
	list_dirs_pattern($1, postfix_etc_t, postfix_etc_t)
	read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
	files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_read_config'($*)) dnl
')

########################################
##
##	Create files with the specified type in
##	the postfix configuration directories.
##
##
##
##	Domain allowed access.
##
##
##
##
##	The type of the object to be created.
##
##
##
##
##	The object class of the object being created.
##
##
##
##
##	The name of the object being created.
##
##
#
define(`postfix_config_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_config_filetrans'($*)) dnl
	gen_require(`
		type postfix_etc_t;
	')

	files_search_etc($1)
	# $2 = new type, $3 = object class(es), $4 = optional object name
	filetrans_pattern($1, postfix_etc_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_config_filetrans'($*)) dnl
')

########################################
##
##	Do not audit attempts to read and
##	write postfix local delivery
##	TCP sockets.
##
##
##
##	Domain to not audit.
##
##
#
define(`postfix_dontaudit_rw_local_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_dontaudit_rw_local_tcp_sockets'($*)) dnl
	gen_require(`
		type postfix_local_t;
	')

	dontaudit $1 postfix_local_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_dontaudit_rw_local_tcp_sockets'($*)) dnl
')

########################################
##
##	Allow read/write postfix local pipes.
##
##
##
##	Domain allowed access.
##
##
#
define(`postfix_rw_local_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_rw_local_pipes'($*)) dnl
	gen_require(`
		type postfix_local_t;
	')

	allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_rw_local_pipes'($*)) dnl
')

#######################################
##
##	Allow read/write postfix public pipes.
##
##
##
##	Domain allowed access.
##
##
#
define(`postfix_rw_public_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_rw_public_pipes'($*)) dnl
	gen_require(`
		type postfix_public_t;
	')

	allow $1 postfix_public_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_rw_public_pipes'($*)) dnl
')

########################################
##
##	Allow domain to read postfix local process state
##
##
##
##	Domain allowed access.
##
##
#
define(`postfix_read_local_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_read_local_state'($*)) dnl
	gen_require(`
		type postfix_local_t;
	')

	kernel_search_proc($1)
	ps_process_pattern($1, postfix_local_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_read_local_state'($*)) dnl
')

########################################
##
##	Allow domain to read postfix master process state
##
##
##
##	Domain allowed access.
##
##
#
define(`postfix_read_master_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_read_master_state'($*)) dnl
	gen_require(`
		type postfix_master_t;
	')

	kernel_search_proc($1)
	ps_process_pattern($1, postfix_master_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_read_master_state'($*)) dnl
')

########################################
##
##	Use postfix master process
##	file descriptors.
##
##
##
##	Domain allowed access.
##
##
#
define(`postfix_use_fds_master',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_use_fds_master'($*)) dnl
	gen_require(`
		type postfix_master_t;
	')

	allow $1 postfix_master_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_use_fds_master'($*)) dnl
')

########################################
##
##	Do not audit attempts to use
##	postfix master process
##	file descriptors.
##
##
##
##	Domain to not audit.
##
##
#
define(`postfix_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_dontaudit_use_fds'($*)) dnl
	gen_require(`
		type postfix_master_t;
	')

	dontaudit $1 postfix_master_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_dontaudit_use_fds'($*)) dnl
')

########################################
##
##	Execute postfix_map in the postfix_map domain.
##
##
##
##	Domain allowed to transition.
##
##
#
define(`postfix_domtrans_map',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_domtrans_map'($*)) dnl
	gen_require(`
		type postfix_map_t, postfix_map_exec_t;
	')

	domtrans_pattern($1, postfix_map_exec_t, postfix_map_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_domtrans_map'($*)) dnl
')

########################################
##
##	Execute postfix_map in the postfix_map domain, and
##	allow the specified role the postfix_map domain.
##
##
##
##	Domain allowed to transition.
##
##
##
##
##	Role allowed access.
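##
##
##
#
define(`postfix_run_map',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_run_map'($*)) dnl
	gen_require(`
		type postfix_map_t;
	')

	postfix_domtrans_map($1)
	role $2 types postfix_map_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_run_map'($*)) dnl
')

########################################
##
##	Execute the master postfix program in the
##	postfix_master domain.
##
##
##
##	Domain allowed to transition.
##
##
#
define(`postfix_domtrans_master',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_domtrans_master'($*)) dnl
	# the unused postfix_domain attribute require was dropped; the body
	# only references the master type and its entrypoint
	gen_require(`
		type postfix_master_t, postfix_master_exec_t;
	')

	domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_domtrans_master'($*)) dnl
')

########################################
##
##	Execute postfix init scripts in
##	the init script domain.
##
##
##
##	Domain allowed access.
##
##
#
define(`postfix_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_initrc_domtrans'($*)) dnl
	gen_require(`
		type postfix_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, postfix_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_initrc_domtrans'($*)) dnl
')

########################################
##
##	Execute the master postfix program in the
##	caller domain.
##
##
##
##	Domain allowed access.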
##
##
#
define(`postfix_exec_master',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_exec_master'($*)) dnl
	gen_require(`
		type postfix_master_exec_t;
	')

	# execute without a domain transition
	can_exec($1, postfix_master_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_exec_master'($*)) dnl
')

#######################################
##
##	Connect to postfix master process using a unix domain stream socket.
##
##
##
##	Domain allowed access.
##
##
#
define(`postfix_stream_connect_master',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_stream_connect_master'($*)) dnl
	gen_require(`
		type postfix_master_t, postfix_public_t;
	')

	# socket file lives under postfix_public_t; the listening process is postfix_master_t
	stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_stream_connect_master'($*)) dnl
')

########################################
##
##	Allow read/write postfix master pipes
##
##
##
##	Domain allowed access.
##
##
#
define(`postfix_rw_inherited_master_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_rw_inherited_master_pipes'($*)) dnl
	gen_require(`
		type postfix_master_t;
	')

	allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_rw_inherited_master_pipes'($*)) dnl
')

########################################
##
##	Execute the master postdrop in the
##	postfix_postdrop domain.
##
##
##
##	Domain allowed to transition.
##
##
#
define(`postfix_domtrans_postdrop',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_domtrans_postdrop'($*)) dnl
	gen_require(`
		type postfix_postdrop_t, postfix_postdrop_exec_t;
	')

	domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_domtrans_postdrop'($*)) dnl
')

########################################
##
##	Execute the master postqueue in the
##	postfix_postqueue domain.
##
##
##
##	Domain allowed to transition.
##
##
#
define(`postfix_domtrans_postqueue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_domtrans_postqueue'($*)) dnl
	gen_require(`
		type postfix_postqueue_t, postfix_postqueue_exec_t;
	')

	domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_domtrans_postqueue'($*)) dnl
')

########################################
##
##	Execute the master postqueue in the
##	postfix_postqueue domain, and allow
##	the specified role the postfix_postqueue domain.
##
##
##
##	Domain allowed to transition.
##
##
##
##
##	The role to be allowed the postfix_postqueue domain.
##
##
##
#
define(`postfix_run_postqueue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_run_postqueue'($*)) dnl
	gen_require(`
		type postfix_postqueue_t;
	')

	postfix_domtrans_postqueue($1)
	role $2 types postfix_postqueue_t;
	# postqueue talks back over the stream socket it inherits from the caller
	allow postfix_postqueue_t $1:unix_stream_socket { read write getattr };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_run_postqueue'($*)) dnl
')

########################################
##
##	Execute postfix_postgqueue in the postfix_postgqueue domain.
##
##
##
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`postfix_domtrans_postgqueue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_domtrans_postgqueue'($*)) dnl
	gen_require(`
		type postfix_postgqueue_t;
		type postfix_postgqueue_exec_t;
	')

	domtrans_pattern($1, postfix_postgqueue_exec_t,postfix_postgqueue_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_domtrans_postgqueue'($*)) dnl
')

########################################
## <summary>
##	Execute postfix_postgqueue in the postfix_postgqueue domain, and
##	allow the specified role the postfix_postgqueue domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`postfix_run_postgqueue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_run_postgqueue'($*)) dnl
	gen_require(`
		type postfix_postgqueue_t;
	')

	postfix_domtrans_postgqueue($1)
	role $2 types postfix_postgqueue_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_run_postgqueue'($*)) dnl
')

########################################
## <summary>
##	Execute the master postqueue in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`postfix_exec_postqueue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_exec_postqueue'($*)) dnl
	gen_require(`
		type postfix_postqueue_exec_t;
	')

	# No domain transition: the caller stays in its own domain.
	can_exec($1, postfix_postqueue_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_exec_postqueue'($*)) dnl
')

########################################
## <summary>
##	Create a named socket in a postfix private directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`postfix_create_private_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_create_private_sockets'($*)) dnl
	gen_require(`
		type postfix_private_t;
	')

	allow $1 postfix_private_t:dir list_dir_perms;
	create_sock_files_pattern($1, postfix_private_t, postfix_private_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_create_private_sockets'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete named sockets
##	in a postfix private directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`postfix_manage_private_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_manage_private_sockets'($*)) dnl
	gen_require(`
		type postfix_private_t;
	')

	allow $1 postfix_private_t:dir list_dir_perms;
	manage_sock_files_pattern($1, postfix_private_t, postfix_private_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_manage_private_sockets'($*)) dnl
')

########################################
## <summary>
##	Execute the postfix smtp client in the
##	postfix_smtp domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`postfix_domtrans_smtp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_domtrans_smtp'($*)) dnl
	gen_require(`
		type postfix_smtp_t, postfix_smtp_exec_t;
	')

	domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_domtrans_smtp'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of postfix mail spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`postfix_getattr_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_getattr_spool_files'($*)) dnl
	gen_require(`
		attribute postfix_spool_type;
	')

	# postfix_spool_type is an attribute, so this covers every postfix spool type.
	files_search_spool($1)
	getattr_files_pattern($1, postfix_spool_type, postfix_spool_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_getattr_spool_files'($*)) dnl
')

########################################
## <summary>
##	Search postfix mail spool directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`postfix_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_search_spool'($*)) dnl
	gen_require(`
		attribute postfix_spool_type;
	')

	allow $1 postfix_spool_type:dir search_dir_perms;
	files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_search_spool'($*)) dnl
')

########################################
## <summary>
##	List postfix mail spool directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`postfix_list_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_list_spool'($*)) dnl
	gen_require(`
		attribute postfix_spool_type;
	')

	allow $1 postfix_spool_type:dir list_dir_perms;
	files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_list_spool'($*)) dnl
')

########################################
## <summary>
##	Read postfix mail spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`postfix_read_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_read_spool_files'($*)) dnl
	gen_require(`
		attribute postfix_spool_type;
	')

	files_search_spool($1)
	read_files_pattern($1, postfix_spool_type, postfix_spool_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_read_spool_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete postfix mail spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`postfix_manage_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_manage_spool_files'($*)) dnl
	gen_require(`
		attribute postfix_spool_type;
	')

	# Attribute-wide: grants manage access to every postfix spool type at once.
	files_search_spool($1)
	manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_manage_spool_files'($*)) dnl
')

########################################
## <summary>
##	Read and write postfix maildrop spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`postfix_rw_spool_maildrop_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_rw_spool_maildrop_files'($*)) dnl
	gen_require(`
		type postfix_spool_maildrop_t;
	')

	# rw_files_pattern grants read/write only; deletion is provided by
	# postfix_manage_spool_maildrop_files.
	files_search_spool($1)
	rw_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_rw_spool_maildrop_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete postfix maildrop spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`postfix_manage_spool_maildrop_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_manage_spool_maildrop_files'($*)) dnl
	gen_require(`
		type postfix_spool_maildrop_t;
	')

	files_search_spool($1)
	manage_dirs_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
	manage_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_manage_spool_maildrop_files'($*)) dnl
')

########################################
## <summary>
##	Execute postfix user mail programs
##	in their respective domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`postfix_domtrans_user_mail_handler',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_domtrans_user_mail_handler'($*)) dnl
	gen_require(`
		attribute postfix_user_domtrans;
	')

	# The transition rules themselves are attached to the attribute in the
	# postfix module; this interface only adds the caller to that attribute.
	typeattribute $1 postfix_user_domtrans;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_domtrans_user_mail_handler'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a postfix environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`postfix_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_admin'($*)) dnl
	gen_require(`
		attribute postfix_spool_type;
		type postfix_bounce_t, postfix_cleanup_t, postfix_local_t;
		type postfix_master_t, postfix_pickup_t, postfix_qmgr_t;
		type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t;
		type postfix_map_tmp_t, postfix_prng_t, postfix_public_t;
		type postfix_smtpd_t, postfix_var_run_t;
	')

	# Process control over each postfix daemon domain. ptrace is only granted
	# in the false branch of the deny_ptrace tunable, i.e. when deny_ptrace
	# is off; the two tunable blocks below are split oddly (bounce_t alone,
	# then the remaining daemons) but cover the same set of domains that
	# receive signal_perms.
	allow $1 postfix_bounce_t:process signal_perms;
	ps_process_pattern($1, postfix_bounce_t)
	tunable_policy(`deny_ptrace',`',`
		allow $1 postfix_bounce_t:process ptrace;
	')

	allow $1 postfix_cleanup_t:process signal_perms;
	ps_process_pattern($1, postfix_cleanup_t)
	tunable_policy(`deny_ptrace',`',`
		allow $1 postfix_cleanup_t:process ptrace;
		allow $1 postfix_local_t:process ptrace;
		allow $1 postfix_master_t:process ptrace;
		allow $1 postfix_pickup_t:process ptrace;
		allow $1 postfix_qmgr_t:process ptrace;
		allow $1 postfix_smtpd_t:process ptrace;
	')

	allow $1 postfix_local_t:process signal_perms;
	ps_process_pattern($1, postfix_local_t)

	allow $1 postfix_master_t:process signal_perms;
	ps_process_pattern($1, postfix_master_t)

	allow $1 postfix_pickup_t:process signal_perms;
	ps_process_pattern($1, postfix_pickup_t)

	allow $1 postfix_qmgr_t:process signal_perms;
	ps_process_pattern($1, postfix_qmgr_t)

	allow $1 postfix_smtpd_t:process signal_perms;
	ps_process_pattern($1, postfix_smtpd_t)

	# Let the admin domain and role run the postfix helper programs.
	postfix_run_map($1, $2)
	postfix_run_postdrop($1, $2)
	postfix_run_postqueue($1, $2)

	# Init script handling: the admin role must be able to hold system_r,
	# which the role_transition switches to when the init script is run.
	postfix_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 postfix_initrc_exec_t system_r;
	allow $2 system_r;

	# Full management of postfix data, config, spool, pid, tmp and public content.
	admin_pattern($1, postfix_data_t)

	files_list_etc($1)
	admin_pattern($1, postfix_etc_t)

	files_list_spool($1)
	admin_pattern($1, postfix_spool_type)

	admin_pattern($1, postfix_var_run_t)

	files_list_tmp($1)
	admin_pattern($1, postfix_map_tmp_t)

	admin_pattern($1, postfix_prng_t)
	admin_pattern($1, postfix_public_t)

	postfix_filetrans_named_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_admin'($*)) dnl
')

########################################
## <summary>
##	Execute the master postdrop in the
##	postfix_postdrop domain, and allow the
##	specified role the postfix_postdrop domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the postfix_postdrop domain.
##	</summary>
## </param>
#
define(`postfix_run_postdrop',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_run_postdrop'($*)) dnl
	gen_require(`
		type postfix_postdrop_t;
	')

	postfix_domtrans_postdrop($1)
	role $2 types postfix_postdrop_t;
	# Unlike postfix_run_postqueue, the caller may also signal the postdrop
	# process it started.
	allow $1 postfix_postdrop_t:process signal;
	# Let postdrop keep using the caller's unix stream socket (presumably an
	# inherited stdio socket — confirm).
	allow postfix_postdrop_t $1:unix_stream_socket { read write getattr };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_run_postdrop'($*)) dnl
')

########################################
## <summary>
##	Execute postfix programs labeled postfix_exec_t
##	in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`postfix_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_exec'($*)) dnl
	gen_require(`
		type postfix_exec_t;
	')

	can_exec($1, postfix_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_exec'($*)) dnl
')

########################################
## <summary>
##	Create named postfix content in the postfix
##	configuration directory with the correct type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`postfix_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfix_filetrans_named_content'($*)) dnl
	gen_require(`
		type postfix_exec_t;
		type postfix_prng_t;
	')

	# Name-based transitions so that files created with these exact names in
	# the config directory get their dedicated types rather than the
	# directory's default type.
	postfix_config_filetrans($1, postfix_exec_t, file, "postfix-script")
	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfix_filetrans_named_content'($*)) dnl
')

## <summary>Postfix policy server.</summary>
########################################
## <summary>
##	All of the rules required to administrate
##	a postfixpolicyd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`postfixpolicyd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postfixpolicyd_admin'($*)) dnl
	gen_require(`
		type postfix_policyd_t, postfix_policyd_conf_t;
		type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
	')

	allow $1 postfix_policyd_t:process signal_perms;
	ps_process_pattern($1, postfix_policyd_t)
	# ptrace only when the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 postfix_policyd_t:process ptrace;
	')

	# The admin role must be allowed system_r because the init script
	# role_transition switches to it.
	init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 postfix_policyd_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, postfix_policyd_conf_t)

	files_list_pids($1)
	admin_pattern($1, postfix_policyd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postfixpolicyd_admin'($*)) dnl
')

## <summary>Postfix grey-listing server.</summary>

########################################
## <summary>
##	Connect to postgrey using a unix
##	domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`postgrey_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgrey_stream_connect'($*)) dnl
	gen_require(`
		type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
	')

	# The socket may live in either the spool or the pid directory, so both
	# types are accepted for the directory and the sock_file.
	stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
	files_search_pids($1)
	files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgrey_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Search postgrey spool directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`postgrey_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgrey_search_spool'($*)) dnl
	gen_require(`
		type postgrey_spool_t;
	')

	files_search_spool($1)
	allow $1 postgrey_spool_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgrey_search_spool'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a postgrey environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`postgrey_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgrey_admin'($*)) dnl
	gen_require(`
		type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t;
		type postgrey_spool_t, postgrey_var_lib_t, postgrey_var_run_t;
	')

	allow $1 postgrey_t:process signal_perms;
	ps_process_pattern($1, postgrey_t)
	# ptrace only when the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 postgrey_t:process ptrace;
	')

	# The admin role must be allowed system_r because the init script
	# role_transition switches to it.
	init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 postgrey_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, postgrey_etc_t)

	files_list_var_lib($1)
	admin_pattern($1, postgrey_var_lib_t)

	files_list_spool($1)
	admin_pattern($1, postgrey_spool_t)

	files_list_pids($1)
	admin_pattern($1, postgrey_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgrey_admin'($*)) dnl
')

## <summary>Point to Point Protocol daemon creates links in ppp networks</summary>

########################################
## <summary>
##	Create, read, write, and delete
##	ppp home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ppp_manage_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_manage_home_files'($*)) dnl
	gen_require(`
		type ppp_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 ppp_home_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_manage_home_files'($*)) dnl
')

########################################
## <summary>
##	Read ppp user home content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ppp_read_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_read_home_files'($*)) dnl
	gen_require(`
		type ppp_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 ppp_home_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_read_home_files'($*)) dnl
')

########################################
## <summary>
##	Relabel ppp home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ppp_relabel_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_relabel_home_files'($*)) dnl
	gen_require(`
		type ppp_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 ppp_home_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_relabel_home_files'($*)) dnl
')

########################################
## <summary>
##	Create objects in user home
##	directories with the ppp home type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Class of the object being created.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`ppp_home_filetrans_ppp_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_home_filetrans_ppp_home'($*)) dnl
	gen_require(`
		type ppp_home_t;
	')

	# $2 is the object class and $3 the optional file name for the transition.
	userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_home_filetrans_ppp_home'($*)) dnl
')

########################################
## <summary>
##	Inherit and use ppp file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ppp_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_use_fds'($*)) dnl
	gen_require(`
		type pppd_t;
	')

	allow $1 pppd_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_use_fds'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to inherit
##	and use PPP file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`ppp_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_dontaudit_use_fds'($*)) dnl
	gen_require(`
		type pppd_t;
	')

	# Suppresses the AVC denial only; the access is still denied.
	dontaudit $1 pppd_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_dontaudit_use_fds'($*)) dnl
')

########################################
## <summary>
##	Send a SIGCHLD signal to PPP.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ppp_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_sigchld'($*)) dnl
	gen_require(`
		type pppd_t;
	')

	allow $1 pppd_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_sigchld'($*)) dnl
')

########################################
## <summary>
##	Send a kill signal to PPP.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ppp_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_kill'($*)) dnl
	gen_require(`
		type pppd_t;
	')

	allow $1 pppd_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_kill'($*)) dnl
')

########################################
## <summary>
##	Send a generic signal to PPP.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ppp_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_signal'($*)) dnl
	gen_require(`
		type pppd_t;
	')

	allow $1 pppd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_signal'($*)) dnl
')

########################################
## <summary>
##	Send a null signal to PPP.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ppp_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_signull'($*)) dnl
	gen_require(`
		type pppd_t;
	')

	allow $1 pppd_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_signull'($*)) dnl
')

########################################
## <summary>
##	Execute pppd in the pppd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ppp_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_domtrans'($*)) dnl
	gen_require(`
		type pppd_t, pppd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, pppd_exec_t, pppd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_domtrans'($*)) dnl
')

########################################
## <summary>
##	Conditionally execute the ppp daemon on behalf of a user or staff type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the ppp domain.
##	</summary>
## </param>
#
define(`ppp_run_cond',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_run_cond'($*)) dnl
	gen_require(`
		attribute_role pppd_roles;
	')

	# The role is added unconditionally; only the domain transition itself is
	# gated on the pppd_for_user tunable.
	roleattribute $2 pppd_roles;

	tunable_policy(`pppd_for_user',`
		ppp_domtrans($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_run_cond'($*)) dnl
')

########################################
## <summary>
##	Unconditionally execute the ppp daemon on behalf of a user or staff type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the ppp domain.
##	</summary>
## </param>
#
define(`ppp_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_run'($*)) dnl
	gen_require(`
		attribute_role pppd_roles;
	')

	ppp_domtrans($1)
	roleattribute $2 pppd_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_run'($*)) dnl
')

########################################
## <summary>
##	Execute pppd in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ppp_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_exec'($*)) dnl
	gen_require(`
		type pppd_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, pppd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_exec'($*)) dnl
')

########################################
## <summary>
##	Read ppp configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ppp_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_read_config'($*)) dnl
	gen_require(`
		type pppd_etc_t;
	')

	read_files_pattern($1, pppd_etc_t, pppd_etc_t)
	files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_read_config'($*)) dnl
')

########################################
## <summary>
##	Read PPP-writable configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ppp_read_rw_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_read_rw_config'($*)) dnl
	gen_require(`
		type pppd_etc_t, pppd_etc_rw_t;
	')

	# Directory listing on the static config dir, read access on the
	# pppd-writable files inside it.
	allow $1 pppd_etc_t:dir list_dir_perms;
	allow $1 pppd_etc_rw_t:file read_file_perms;
	files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_read_rw_config'($*)) dnl
')

########################################
## <summary>
##	Read PPP secrets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ppp_read_secrets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_read_secrets'($*)) dnl
	gen_require(`
		type pppd_etc_t, pppd_secret_t;
	')

	# pppd_secret_t labels PPP authentication secrets, i.e. credential
	# material: grant this only to domains that must authenticate links.
	allow $1 pppd_etc_t:dir list_dir_perms;
	allow $1 pppd_secret_t:file read_file_perms;
	files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_read_secrets'($*)) dnl
')

########################################
## <summary>
##	Read PPP pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ppp_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_read_pid_files'($*)) dnl
	gen_require(`
		type pppd_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete PPP pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ppp_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_manage_pid_files'($*)) dnl
	gen_require(`
		type pppd_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_manage_pid_files'($*)) dnl
')

########################################
## <summary>
##	Create files in the pid directory with the
##	PPP pid file type (file type transition).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ppp_pid_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_pid_filetrans'($*)) dnl
	gen_require(`
		type pppd_var_run_t;
	')

	# Only the type transition for the file class; read/write access must
	# come from ppp_manage_pid_files or similar.
	files_pid_filetrans($1, pppd_var_run_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_pid_filetrans'($*)) dnl
')

########################################
## <summary>
##	Execute the ppp init script
##	(pppd_initrc_exec_t) through
##	init_labeled_script_domtrans.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ppp_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_initrc_domtrans'($*)) dnl
	gen_require(`
		type pppd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, pppd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage the pppd service unit.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ppp_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_systemctl'($*)) dnl
	gen_require(`
		type pppd_unit_file_t;
		type pppd_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	# Read the unit file and start/stop/status the service it describes.
	allow $1 pppd_unit_file_t:file read_file_perms;
	allow $1 pppd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, pppd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_systemctl'($*)) dnl
')

########################################
## <summary>
##	Create ppp named content in the lock
##	directory with the correct type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ppp_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_filetrans_named_content'($*)) dnl
	gen_require(`
		type pppd_lock_t;
	')

	# A directory named "ppp" created under the lock directory gets pppd_lock_t.
	files_lock_filetrans($1, pppd_lock_t, dir, "ppp")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_filetrans_named_content'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a ppp environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`ppp_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ppp_admin'($*)) dnl
	gen_require(`
		type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
		type pppd_etc_t, pppd_secret_t, pppd_var_run_t;
		type pptp_t, pptp_log_t, pptp_var_run_t;
		type pppd_initrc_exec_t, pppd_etc_rw_t;
		type pppd_unit_file_t;
	')

	# Process control over pppd and pptp. ptrace is granted only in the
	# false branch of deny_ptrace, i.e. when the tunable is off.
	allow $1 pppd_t:process signal_perms;
	ps_process_pattern($1, pppd_t)
	tunable_policy(`deny_ptrace',`',`
		allow $1 pppd_t:process ptrace;
		allow $1 pptp_t:process ptrace;
	')

	allow $1 pptp_t:process signal_perms;
	ps_process_pattern($1, pptp_t)

	# Init script handling; the admin role must hold system_r because the
	# role_transition switches to it.
	ppp_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 pppd_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_tmp($1)
	admin_pattern($1, pppd_tmp_t)

	logging_list_logs($1)
	admin_pattern($1, pppd_log_t)

	files_list_locks($1)
	admin_pattern($1, pppd_lock_t)

	# Includes full access to pppd_secret_t (PPP authentication secrets).
	files_list_etc($1)
	admin_pattern($1, pppd_etc_t)
	admin_pattern($1, pppd_etc_rw_t)
	admin_pattern($1, pppd_secret_t)

	files_list_pids($1)
	admin_pattern($1, pppd_var_run_t)

	admin_pattern($1, pptp_log_t)
	admin_pattern($1, pptp_var_run_t)

	# ppp_systemctl grants manage_service_perms; the explicit rule below widens
	# that to all_service_perms for the admin domain.
	ppp_systemctl($1)
	admin_pattern($1, pppd_unit_file_t)
	allow $1 pppd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ppp_admin'($*)) dnl
')

## <summary>Prelink ELF shared library mappings.</summary>

########################################
## <summary>
##	Execute the prelink program in the prelink domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`prelink_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_domtrans'($*)) dnl
	gen_require(`
		type prelink_t, prelink_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, prelink_exec_t, prelink_t)

	# Build-time switch: silence (not allow) denials from prelink touching
	# sockets or fifos it inherits from the caller.
	ifdef(`hide_broken_symptoms', `
		dontaudit prelink_t $1:socket_class_set { read write };
		dontaudit prelink_t $1:fifo_file setattr;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute the prelink program in the current domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`prelink_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_exec'($*)) dnl
	gen_require(`
		type prelink_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, prelink_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_exec'($*)) dnl
')

########################################
## <summary>
##	Execute the prelink program in the prelink domain,
##	and allow the specified role the prelink domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the prelink domain.
##	</summary>
## </param>
#
define(`prelink_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_run'($*)) dnl
	gen_require(`
		type prelink_t;
	')

	prelink_domtrans($1)
	role $2 types prelink_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_run'($*)) dnl
')

########################################
## <summary>
##	Make the specified file type prelinkable.
## </summary>
## <param name="file_type">
##	<summary>
##	File type to be prelinked.
##	</summary>
## </param>
#
# cjp: added for misc non-entrypoint objects
define(`prelink_object_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_object_file'($*)) dnl
	gen_require(`
		attribute prelink_object;
	')

	# Note: $1 here is a file type, not a domain; the access rules for
	# prelink_object live in the prelink module.
	typeattribute $1 prelink_object;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_object_file'($*)) dnl
')

########################################
## <summary>
##	Read the prelink cache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`prelink_read_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_read_cache'($*)) dnl
	gen_require(`
		type prelink_cache_t;
	')

	files_search_etc($1)
	allow $1 prelink_cache_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_read_cache'($*)) dnl
')

########################################
## <summary>
##	Delete the prelink cache.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`prelink_delete_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_delete_cache'($*)) dnl
	gen_require(`
		type prelink_cache_t;
	')

	# unlink on the cache file requires write access to its parent /etc directory.
	allow $1 prelink_cache_t:file unlink;
	files_rw_etc_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_delete_cache'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	prelink log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`prelink_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_manage_log'($*)) dnl
	gen_require(`
		type prelink_log_t;
	')

	logging_search_logs($1)
	manage_files_pattern($1, prelink_log_t, prelink_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_manage_log'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	prelink var_lib files.
## </summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`prelink_manage_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_manage_lib'($*)) dnl
	gen_require(`
		type prelink_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_manage_lib'($*)) dnl
')

########################################
## <summary>
##	Relabel from prelink /var/lib files (prelink_var_lib_t).
##	The previous summary mentioned /boot; the rules below only
##	touch the var_lib type.
## </summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`prelink_relabelfrom_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_relabelfrom_lib'($*)) dnl
	gen_require(`
		type prelink_var_lib_t;
	')

	files_search_var_lib($1)
	# relabelfrom only: the caller may change the label away from
	# prelink_var_lib_t, not onto it.
	relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_relabelfrom_lib'($*)) dnl
')

########################################
## <summary>
##	Relabel prelink /var/lib files (prelink_var_lib_t) in both
##	directions. The previous summary mentioned /boot; the rules
##	only touch the var_lib type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`prelink_relabel_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_relabel_lib'($*)) dnl
	gen_require(`
		type prelink_var_lib_t;
	')

	files_search_var_lib($1)
	# relabelfrom and relabelto on prelink_var_lib_t files.
	relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_relabel_lib'($*)) dnl
')

########################################
## <summary>
##	Transition to prelink named content: a file named prelink.cache
##	created in the generic etc directory gets prelink_cache_t.
## </summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`prelink_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelink_filetrans_named_content'($*)) dnl
	gen_require(`
		type prelink_cache_t;
	')

	files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelink_filetrans_named_content'($*)) dnl
')

## <summary>Prelude hybrid intrusion detection system</summary>

########################################
## <summary>Execute a domain transition to run prelude.</summary>
## <param name="domain"><summary>Domain allowed to transition.</summary></param>
#
define(`prelude_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelude_domtrans'($*)) dnl
	gen_require(`
		type prelude_t, prelude_exec_t;
	')

	# Unlike most domtrans interfaces in this file, no corecmd_search_bin
	# is granted here; the caller must already be able to reach the binary.
	domtrans_pattern($1, prelude_exec_t, prelude_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelude_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run prelude_audisp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`prelude_domtrans_audisp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelude_domtrans_audisp'($*)) dnl
	gen_require(`
		type prelude_audisp_t, prelude_audisp_exec_t;
	')

	domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelude_domtrans_audisp'($*)) dnl
')

########################################
## <summary>Send a generic signal to the prelude_audisp domain.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`prelude_signal_audisp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelude_signal_audisp'($*)) dnl
	gen_require(`
		type prelude_audisp_t;
	')

	# signal only; sigkill, sigstop and signull are not included.
	allow $1 prelude_audisp_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelude_signal_audisp'($*)) dnl
')

########################################
## <summary>Read the prelude spool files.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`prelude_read_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelude_read_spool'($*)) dnl
	gen_require(`
		type prelude_spool_t;
	')

	files_search_spool($1)
	read_files_pattern($1, prelude_spool_t, prelude_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelude_read_spool'($*)) dnl
')

########################################
## <summary>
##	Manage prelude-manager spool directories and files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`prelude_manage_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelude_manage_spool'($*)) dnl
	gen_require(`
		type prelude_spool_t;
	')

	files_search_spool($1)
	manage_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
	manage_files_pattern($1, prelude_spool_t, prelude_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelude_manage_spool'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a prelude environment.
## </summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
## <param name="role"><summary>Role allowed access.</summary></param>
## <rolecap/>
#
define(`prelude_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prelude_admin'($*)) dnl
	gen_require(`
		type prelude_t, prelude_spool_t, prelude_initrc_exec_t;
		type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t;
		type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t;
		type prelude_lml_t;
	')

	allow $1 prelude_t:process signal_perms;
	ps_process_pattern($1, prelude_t)

	# ptrace of the three prelude domains is withheld when the
	# deny_ptrace tunable is on.
	tunable_policy(`deny_ptrace',`',`
		allow $1 prelude_t:process ptrace;
		allow $1 prelude_audisp_t:process ptrace;
		allow $1 prelude_lml_t:process ptrace;
	')

	allow $1 prelude_audisp_t:process signal_perms;
	ps_process_pattern($1, prelude_audisp_t)

	allow $1 prelude_lml_t:process signal_perms;
	ps_process_pattern($1, prelude_lml_t)

	# Running the init script: the admin role is also granted system_r,
	# which is broader than prelude alone.
	init_labeled_script_domtrans($1, prelude_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 prelude_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_spool($1)
	admin_pattern($1, prelude_spool_t)

	files_list_var_lib($1)
	admin_pattern($1, prelude_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, prelude_var_run_t)
	admin_pattern($1, prelude_audisp_var_run_t)
	admin_pattern($1, prelude_lml_var_run_t)

	files_list_tmp($1)
	admin_pattern($1, prelude_lml_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prelude_admin'($*)) dnl
')

## <summary>Privacy enhancing web proxy.</summary>

########################################
## <summary>
##	All of the rules required to
##	administrate a privoxy environment.
## </summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
## <param name="role"><summary>Role allowed access.</summary></param>
## <rolecap/>
#
define(`privoxy_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `privoxy_admin'($*)) dnl
	gen_require(`
		type privoxy_t, privoxy_log_t, privoxy_initrc_exec_t;
		type privoxy_etc_rw_t, privoxy_var_run_t;
	')

	allow $1 privoxy_t:process signal_perms;
	ps_process_pattern($1, privoxy_t)

	# ptrace is withheld when the deny_ptrace tunable is on.
	tunable_policy(`deny_ptrace',`',`
		allow $1 privoxy_t:process ptrace;
	')

	# Running the init script: the admin role is also granted system_r.
	init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 privoxy_initrc_exec_t system_r;
	allow $2 system_r;

	logging_list_logs($1)
	admin_pattern($1, privoxy_log_t)

	files_list_etc($1)
	admin_pattern($1, privoxy_etc_rw_t)

	files_list_pids($1)
	admin_pattern($1, privoxy_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `privoxy_admin'($*)) dnl
')

## <summary>Procmail mail delivery agent</summary>

########################################
## <summary>Execute procmail with a domain transition.</summary>
## <param name="domain"><summary>Domain allowed to transition.</summary></param>
#
define(`procmail_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `procmail_domtrans'($*)) dnl
	gen_require(`
		type procmail_exec_t, procmail_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	domtrans_pattern($1, procmail_exec_t, procmail_t)
	# map on the executable, on top of what domtrans_pattern grants.
	allow $1 procmail_exec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `procmail_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute procmail in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`procmail_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `procmail_exec'($*)) dnl
	gen_require(`
		type procmail_exec_t;
	')

	# No domain transition: procmail runs with the privileges of the caller.
	files_search_usr($1)
	corecmd_search_bin($1)
	can_exec($1, procmail_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `procmail_exec'($*)) dnl
')

########################################
## <summary>Read procmail tmp files.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`procmail_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `procmail_read_tmp_files'($*)) dnl
	gen_require(`
		type procmail_tmp_t;
	')

	files_search_tmp($1)
	# Files only; no search on procmail_tmp_t directories is granted.
	allow $1 procmail_tmp_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `procmail_read_tmp_files'($*)) dnl
')

########################################
## <summary>Read/write procmail tmp files.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`procmail_rw_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `procmail_rw_tmp_files'($*)) dnl
	gen_require(`
		type procmail_tmp_t;
	')

	files_search_tmp($1)
	rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `procmail_rw_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Read procmail home directory content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`procmail_read_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `procmail_read_home_files'($*)) dnl
	gen_require(`
		type procmail_home_t;
	')

	userdom_search_user_home_dirs($1)
	read_files_pattern($1, procmail_home_t, procmail_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `procmail_read_home_files'($*)) dnl
')

## <summary>policy for prosody</summary>

########################################
## <summary>Execute prosody in the prosody domain.</summary>
## <param name="domain"><summary>Domain allowed to transition.</summary></param>
#
define(`prosody_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_domtrans'($*)) dnl
	gen_require(`
		type prosody_t, prosody_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, prosody_exec_t, prosody_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_domtrans'($*)) dnl
')

########################################
## <summary>Search prosody lib directories.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`prosody_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_search_lib'($*)) dnl
	gen_require(`
		type prosody_var_lib_t;
	')

	allow $1 prosody_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read prosody lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`prosody_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_read_lib_files'($*)) dnl
	gen_require(`
		type prosody_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_read_lib_files'($*)) dnl
')

########################################
## <summary>Manage prosody lib files.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`prosody_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_manage_lib_files'($*)) dnl
	gen_require(`
		type prosody_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_manage_lib_files'($*)) dnl
')

########################################
## <summary>Manage prosody lib directories.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`prosody_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_manage_lib_dirs'($*)) dnl
	gen_require(`
		type prosody_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Read prosody PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`prosody_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_read_pid_files'($*)) dnl
	gen_require(`
		type prosody_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, prosody_var_run_t, prosody_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Control the prosody systemd service unit through systemctl.
##	This does not execute prosody itself and does not transition
##	the caller into the prosody domain.
## </summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`prosody_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_systemctl'($*)) dnl
	gen_require(`
		type prosody_t;
		type prosody_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 prosody_unit_file_t:file read_file_perms;
	# Full service control on the prosody unit only.
	allow $1 prosody_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, prosody_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_systemctl'($*)) dnl
')

########################################
## <summary>
##	Execute prosody in the prosody domain, and
##	allow the specified role the prosody domain.
## </summary>
## <param name="domain"><summary>Domain allowed to transition.</summary></param>
## <param name="role"><summary>The role to be allowed the prosody domain.</summary></param>
#
define(`prosody_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_run'($*)) dnl
	gen_require(`
		type prosody_t;
		attribute_role prosody_roles;
	')

	prosody_domtrans($1)
	# The role is authorized via the prosody_roles role attribute rather
	# than a direct role-types statement.
	roleattribute $2 prosody_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_run'($*)) dnl
')

######################################
## <summary>
##	Connect to prosody with a unix
##	domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`prosody_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_stream_connect'($*)) dnl
	gen_require(`
		type prosody_t, prosody_var_run_t;
	')

	files_search_pids($1)
	# connectto only, via the socket file under the pid directory.
	stream_connect_pattern($1, prosody_var_run_t, prosody_var_run_t, prosody_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_stream_connect'($*)) dnl
')

########################################
## <summary>Role access for prosody</summary>
## <param name="role"><summary>Role allowed access</summary></param>
## <param name="domain"><summary>User domain for the role</summary></param>
#
define(`prosody_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_role'($*)) dnl
	gen_require(`
		type prosody_t;
		attribute_role prosody_roles;
	')

	roleattribute $1 prosody_roles;

	# The user domain may start prosody, inspect it and signal or kill it.
	prosody_domtrans($2)

	ps_process_pattern($2, prosody_t)
	allow $2 prosody_t:process { signull signal sigkill };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_role'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a prosody environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
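##	</summary>
## </param>
## <rolecap/>
#
define(`prosody_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `prosody_admin'($*)) dnl
	gen_require(`
		type prosody_t;
		type prosody_var_lib_t;
		type prosody_var_run_t;
		type prosody_unit_file_t;
	')

	allow $1 prosody_t:process signal_perms;
	ps_process_pattern($1, prosody_t)

	# ptrace is gated by the deny_ptrace tunable, matching prelude_admin,
	# privoxy_admin and psad_admin in this file. It used to be granted
	# unconditionally here, so deny_ptrace had no effect on prosody_t.
	tunable_policy(`deny_ptrace',`',`
		allow $1 prosody_t:process ptrace;
	')

	files_search_var_lib($1)
	admin_pattern($1, prosody_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, prosody_var_run_t)

	# prosody_systemctl already grants systemd_read_fifo_file_passwd_run;
	# the optional_policy block below repeats it, which is harmless.
	prosody_systemctl($1)
	admin_pattern($1, prosody_unit_file_t)
	allow $1 prosody_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `prosody_admin'($*)) dnl
')

## <summary>Intrusion Detection and Log Analysis with iptables.</summary>

########################################
## <summary>Execute a domain transition to run psad.</summary>
## <param name="domain"><summary>Domain allowed to transition.</summary></param>
#
define(`psad_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_domtrans'($*)) dnl
	gen_require(`
		type psad_t, psad_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, psad_exec_t, psad_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_domtrans'($*)) dnl
')

########################################
## <summary>Send generic signals to psad.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`psad_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_signal'($*)) dnl
	gen_require(`
		type psad_t;
	')

	allow $1 psad_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_signal'($*)) dnl
')

#######################################
## <summary>
##	Send null signals to psad.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.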
##	</summary>
## </param>
#
define(`psad_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_signull'($*)) dnl
	gen_require(`
		type psad_t;
	')

	# signull only: existence check, no signal delivered.
	allow $1 psad_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_signull'($*)) dnl
')

########################################
## <summary>Read psad configuration content.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`psad_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_read_config'($*)) dnl
	gen_require(`
		type psad_etc_t;
	')

	files_search_etc($1)
	allow $1 psad_etc_t:dir list_dir_perms;
	allow $1 psad_etc_t:file read_file_perms;
	allow $1 psad_etc_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_read_config'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	psad configuration content.
## </summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`psad_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_manage_config'($*)) dnl
	gen_require(`
		type psad_etc_t;
	')

	files_search_etc($1)
	manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
	manage_files_pattern($1, psad_etc_t, psad_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_manage_config'($*)) dnl
')

########################################
## <summary>
##	Read psad pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`psad_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_read_pid_files'($*)) dnl
	gen_require(`
		type psad_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, psad_var_run_t, psad_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_read_pid_files'($*)) dnl
')

########################################
## <summary>Read and write psad PID files.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`psad_rw_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_rw_pid_files'($*)) dnl
	gen_require(`
		type psad_var_run_t;
	')

	files_search_pids($1)
	rw_files_pattern($1, psad_var_run_t, psad_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_rw_pid_files'($*)) dnl
')

########################################
## <summary>Read psad log content.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`psad_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_read_log'($*)) dnl
	gen_require(`
		type psad_var_log_t;
	')

	logging_search_logs($1)
	allow $1 psad_var_log_t:dir list_dir_perms;
	allow $1 psad_var_log_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_read_log'($*)) dnl
')

########################################
## <summary>
##	Append psad log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`psad_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_append_log'($*)) dnl
	gen_require(`
		type psad_var_log_t;
	')

	logging_search_logs($1)
	# append only: the log cannot be truncated or rewritten through this.
	append_files_pattern($1, psad_var_log_t, psad_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_append_log'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to write to psad log files.
##	Unlike psad_append_log this permits overwriting existing content.
## </summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`psad_write_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_write_log'($*)) dnl
	gen_require(`
		type psad_var_log_t;
	')

	logging_search_logs($1)
	write_files_pattern($1, psad_var_log_t, psad_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_write_log'($*)) dnl
')

#######################################
## <summary>Allow the specified domain to setattr psad log files.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`psad_setattr_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_setattr_log'($*)) dnl
	gen_require(`
		type psad_var_log_t;
	')

	logging_search_logs($1)
	setattr_files_pattern($1, psad_var_log_t, psad_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_setattr_log'($*)) dnl
')

########################################
## <summary>
##	Read and write psad fifo files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
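##	</summary>
## </param>
#
define(`psad_rw_fifo_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_rw_fifo_file'($*)) dnl
	gen_require(`
		type psad_var_lib_t;
	')

	files_search_var_lib($1)
	rw_fifo_files_pattern($1, psad_var_lib_t, psad_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_rw_fifo_file'($*)) dnl
')

#######################################
## <summary>Allow setattr on psad fifo files.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`psad_setattr_fifo_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_setattr_fifo_file'($*)) dnl
	gen_require(`
		type psad_var_lib_t;
	')

	# psad_t was previously listed in the require block but no rule here
	# references it, so it was dropped.
	files_search_var_lib($1)
	allow $1 psad_var_lib_t:fifo_file setattr;
	search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_setattr_fifo_file'($*)) dnl
')

#######################################
## <summary>Allow search of psad lib directories.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`psad_search_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_search_lib_files'($*)) dnl
	gen_require(`
		type psad_var_lib_t;
	')

	# psad_t was previously listed in the require block but no rule here
	# references it, so it was dropped.
	files_search_var_lib($1)
	search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_search_lib_files'($*)) dnl
')

#######################################
## <summary>
##	Read and write psad temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.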
##	</summary>
## </param>
#
define(`psad_rw_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_rw_tmp_files'($*)) dnl
	gen_require(`
		type psad_tmp_t;
	')

	files_search_tmp($1)
	rw_files_pattern($1, psad_tmp_t, psad_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_rw_tmp_files'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a psad environment.
## </summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
## <param name="role"><summary>Role allowed access.</summary></param>
## <rolecap/>
#
define(`psad_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `psad_admin'($*)) dnl
	gen_require(`
		type psad_t, psad_var_run_t, psad_var_log_t;
		type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t;
		type psad_tmp_t;
	')

	allow $1 psad_t:process signal_perms;
	ps_process_pattern($1, psad_t)

	# ptrace is withheld when the deny_ptrace tunable is on.
	tunable_policy(`deny_ptrace',`',`
		allow $1 psad_t:process ptrace;
	')

	# Running the init script: the admin role is also granted system_r.
	init_labeled_script_domtrans($1, psad_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 psad_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, psad_etc_t)

	files_list_pids($1)
	admin_pattern($1, psad_var_run_t)

	logging_list_logs($1)
	admin_pattern($1, psad_var_log_t)

	files_list_var_lib($1)
	admin_pattern($1, psad_var_lib_t)

	files_list_tmp($1)
	admin_pattern($1, psad_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `psad_admin'($*)) dnl
')

## <summary>helper function for grantpt(3), changes ownership and permissions of pseudotty.</summary>

########################################
## <summary>
##	Execute a domain transition to run ptchown.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ptchown_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ptchown_domtrans'($*)) dnl
	gen_require(`
		type ptchown_t, ptchown_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, ptchown_exec_t, ptchown_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ptchown_domtrans'($*)) dnl
')

#######################################
## <summary>Execute ptchown in the caller domain.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`ptchown_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ptchown_exec'($*)) dnl
	gen_require(`
		type ptchown_exec_t;
	')

	# No domain transition: ptchown runs with the privileges of the caller.
	corecmd_search_bin($1)
	can_exec($1, ptchown_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ptchown_exec'($*)) dnl
')

########################################
## <summary>
##	Execute ptchown in the ptchown
##	domain, and allow the specified
##	role the ptchown domain.
## </summary>
## <param name="domain"><summary>Domain allowed to transition.</summary></param>
## <param name="role"><summary>Role allowed access.</summary></param>
#
define(`ptchown_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ptchown_run'($*)) dnl
	gen_require(`
		attribute_role ptchown_roles;
	')

	ptchown_domtrans($1)
	# The role is authorized via the ptchown_roles role attribute.
	roleattribute $2 ptchown_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ptchown_run'($*)) dnl
')

## <summary>publicfile supplies files to the public through HTTP and FTP.</summary>

## <summary>Pulseaudio network sound server.</summary>
########################################
## <summary>Role access for pulseaudio</summary>
## <param name="role"><summary>Role allowed access</summary></param>
## <param name="domain"><summary>User domain for the role</summary></param>
#
define(`pulseaudio_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_role'($*)) dnl
	gen_require(`
		attribute pulseaudio_tmpfsfile;
		type pulseaudio_t, pulseaudio_exec_t, pulseaudio_tmpfs_t;
		class dbus { acquire_svc send_msg };
	')

	role $1 types pulseaudio_t;

	# Transition from the user domain to the derived domain.
	domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)

	# Mutual process visibility and signalling; only the user domain
	# may sigkill the daemon, not the reverse.
	ps_process_pattern($2, pulseaudio_t)
	allow pulseaudio_t $2:process { signal signull };
	allow $2 pulseaudio_t:process { signal signull sigkill };
	# Lets the transition happen even when NO_NEW_PRIVS is set.
	allow $2 pulseaudio_t:process2 nnp_transition;
	ps_process_pattern(pulseaudio_t, $2)

	# Stream sockets may be connected in both directions.
	allow pulseaudio_t $2:unix_stream_socket connectto;
	allow $2 pulseaudio_t:unix_stream_socket connectto;

	# The user domain has full manage and relabel rights on pulseaudio
	# tmpfs content, so it can alter the labels of the daemon shm files.
	allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
	allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms };

	userdom_manage_tmp_role($1, pulseaudio_t)

	allow $2 pulseaudio_t:dbus send_msg;
	allow pulseaudio_t $2:dbus { acquire_svc send_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_role'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run pulseaudio.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`pulseaudio_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_domtrans'($*)) dnl
	gen_require(`
		attribute pulseaudio_client;
		type pulseaudio_t, pulseaudio_exec_t;
	')

	# Side effect: the caller is also made a pulseaudio_client. Any rules
	# written against that attribute elsewhere apply to it from now on.
	typeattribute $1 pulseaudio_client;

	corecmd_search_bin($1)
	domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute pulseaudio in the pulseaudio domain, and
##	allow the specified role the pulseaudio domain.
## </summary>
## <param name="domain"><summary>Domain allowed to transition.</summary></param>
## <param name="role"><summary>Role allowed access.</summary></param>
#
define(`pulseaudio_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_run'($*)) dnl
	gen_require(`
		type pulseaudio_t;
	')

	pulseaudio_domtrans($1)
	role $2 types pulseaudio_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_run'($*)) dnl
')

########################################
## <summary>Execute pulseaudio in the current domain.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`pulseaudio_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_exec'($*)) dnl
	gen_require(`
		type pulseaudio_exec_t;
	')

	# No domain transition. Unlike the other *_exec interfaces in this
	# file no corecmd_search_bin is granted; the caller must already be
	# able to reach the binary.
	can_exec($1, pulseaudio_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_exec'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to execute pulseaudio.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`pulseaudio_dontaudit_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_dontaudit_exec'($*)) dnl
	gen_require(`
		type pulseaudio_exec_t;
	')

	# Suppresses the audit record only; execution is still denied.
	dontaudit $1 pulseaudio_exec_t:file exec_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_dontaudit_exec'($*)) dnl
')

########################################
## <summary>
##	Send signull signal to pulseaudio
##	processes.
## </summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`pulseaudio_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_signull'($*)) dnl
	gen_require(`
		type pulseaudio_t;
	')

	allow $1 pulseaudio_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_signull'($*)) dnl
')

#####################################
## <summary>
##	Connect to pulseaudio over a unix domain
##	stream socket.
## </summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
define(`pulseaudio_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_stream_connect'($*)) dnl
	gen_require(`
		type pulseaudio_t, pulseaudio_var_run_t;
		type pulseaudio_home_t;
	')

	files_search_pids($1)

	# Existence checks in both directions.
	allow $1 pulseaudio_t:process signull;
	allow pulseaudio_t $1:process signull;

	# NOTE(review): the stream_connect_pattern calls below already give
	# connectto. create_stream_socket_perms on sockets labelled
	# pulseaudio_t is much wider than a client needs to connect (it covers
	# the full stream-socket permission set on the daemon sockets) and is
	# not granted by the prosody_stream_connect counterpart in this file.
	# Confirm it is really required before keeping it.
	allow $1 pulseaudio_t:unix_stream_socket create_stream_socket_perms;

	# Socket file may live under the pid directory or the user home.
	stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
	stream_connect_pattern($1, pulseaudio_home_t, pulseaudio_home_t, pulseaudio_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	pulseaudio over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pulseaudio_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_dbus_chat'($*)) dnl
	gen_require(`
		type pulseaudio_t;
		class dbus send_msg;
	')

	# Bidirectional: both request and reply direction are allowed.
	allow $1 pulseaudio_t:dbus send_msg;
	allow pulseaudio_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of the pulseaudio homedir.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pulseaudio_setattr_home_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_setattr_home_dir'($*)) dnl
	gen_require(`
		type pulseaudio_home_t;
	')

	allow $1 pulseaudio_home_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_setattr_home_dir'($*)) dnl
')

########################################
## <summary>
##	Read pulseaudio homedir files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pulseaudio_read_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_read_home_files'($*)) dnl
	gen_require(`
		type pulseaudio_home_t;
	')

	# Search of the user home directory is needed to reach the content.
	userdom_search_user_home_dirs($1)
	read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
	read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_read_home_files'($*)) dnl
')

########################################
## <summary>
##	Read and write pulseaudio homedir files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pulseaudio_rw_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_rw_home_files'($*)) dnl
	gen_require(`
		type pulseaudio_home_t;
	')

	rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
	read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
	userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_rw_home_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete pulseaudio
##	home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pulseaudio_manage_home_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_manage_home_dirs'($*)) dnl
	gen_require(`
		type pulseaudio_home_t;
	')

	userdom_search_user_home_dirs($1)
	manage_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_manage_home_dirs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete pulseaudio
##	home directory files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pulseaudio_manage_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_manage_home_files'($*)) dnl
	gen_require(`
		type pulseaudio_home_t;
	')

	userdom_search_user_home_dirs($1)
	manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
	read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)

	# Newly created content in the user home directory gets the
	# pulseaudio_home_t label, so these rules keep applying to it.
	pulseaudio_filetrans_home_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_manage_home_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete pulseaudio
##	home directory symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pulseaudio_manage_home_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_manage_home_symlinks'($*)) dnl
	gen_require(`
		type pulseaudio_home_t;
	')

	userdom_search_user_home_dirs($1)
	manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_manage_home_symlinks'($*)) dnl
')

########################################
## <summary>
##	Create pulseaudio content in the user home directory
##	with the correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pulseaudio_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_filetrans_home_content'($*)) dnl
	gen_require(`
		type pulseaudio_home_t;
	')

	# Named file transitions: only these exact names in the user home
	# directory are relabelled to pulseaudio_home_t on creation.
	userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
	userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
	userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")

	optional_policy(`
		gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_filetrans_home_content'($*)) dnl
')

########################################
## <summary>
##	Create pulseaudio content in the admin home directory
##	with the correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pulseaudio_filetrans_admin_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_filetrans_admin_home_content'($*)) dnl
	gen_require(`
		type pulseaudio_home_t;
	')

	# Same named transitions as pulseaudio_filetrans_home_content, but
	# rooted in the admin home directory.
	userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
	userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
	userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_filetrans_admin_home_content'($*)) dnl
')

########################################
## <summary>
##	Make the specified tmpfs file type
##	pulseaudio tmpfs content.
## </summary>
## <param name="file_type">
##	<summary>
##	File type to make pulseaudio tmpfs content.
##	</summary>
## </param>
#
define(`pulseaudio_tmpfs_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_tmpfs_content'($*)) dnl
	gen_require(`
		attribute pulseaudio_tmpfsfile;
	')

	typeattribute $1 pulseaudio_tmpfsfile;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_tmpfs_content'($*)) dnl
')

########################################
## <summary>
##	Allow the domain to read pulseaudio state files in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pulseaudio_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pulseaudio_read_state'($*)) dnl
	gen_require(`
		type pulseaudio_t;
	')

	kernel_search_proc($1)
	ps_process_pattern($1, pulseaudio_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pulseaudio_read_state'($*)) dnl
')

## <summary>Puppet client daemon</summary>
## <desc>
##	<p>

## Puppet is a configuration management system written in Ruby. ## The client daemon is responsible for periodically requesting the ## desired system state from the server and ensuring the state of ## the client system matches. ##

##
########################################
## <summary>
##	Execute puppet_master in the puppet_master
##	domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`puppet_domtrans_master',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_domtrans_master'($*)) dnl
	gen_require(`
		type puppetmaster_t, puppetmaster_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, puppetmaster_exec_t, puppetmaster_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_domtrans_master'($*)) dnl
')

########################################
## <summary>
##	Execute puppet in the puppet
##	domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`puppet_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_domtrans'($*)) dnl
	gen_require(`
		type puppet_t, puppet_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, puppet_exec_t, puppet_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute puppetca in the puppetca
##	domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`puppet_domtrans_puppetca',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_domtrans_puppetca'($*)) dnl
	gen_require(`
		type puppetca_t, puppetca_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, puppetca_exec_t, puppetca_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_domtrans_puppetca'($*)) dnl
')

########################################
## <summary>
##	Execute puppet in the puppet
##	domain and allow the specified
##	role the puppet domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`puppet_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_run'($*)) dnl
	gen_require(`
		# NOTE(review): puppet_exec_t is not used in this body
		# (puppet_domtrans requires it itself); only puppet_t is needed here.
		type puppet_t, puppet_exec_t;
	')

	puppet_domtrans($1)
	role $2 types puppet_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_run'($*)) dnl
')

########################################
## <summary>
##	Execute puppetca in the puppetca
##	domain and allow the specified
##	role the puppetca domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`puppet_run_puppetca',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_run_puppetca'($*)) dnl
	gen_require(`
		# NOTE(review): puppetca_exec_t is not used in this body.
		type puppetca_t, puppetca_exec_t;
	')

	puppet_domtrans_puppetca($1)
	role $2 types puppetca_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_run_puppetca'($*)) dnl
')

########################################
## <summary>
##	Read / Write to Puppet temp files. Puppet uses
##	some system binaries (groupadd, etc) that run in
##	a non-puppet domain and redirects output into temp
##	files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`puppet_rw_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_rw_tmp'($*)) dnl
	gen_require(`
		type puppet_tmp_t;
	')

	# Inherited-only: the helper may use a descriptor it was handed,
	# but cannot open puppet temp files itself.
	allow $1 puppet_tmp_t:file rw_inherited_file_perms;
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_rw_tmp'($*)) dnl
')

########################################
## <summary>
##	Read Puppet lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`puppet_read_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_read_lib'($*)) dnl
	gen_require(`
		type puppet_var_lib_t;
	')

	read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_read_lib'($*)) dnl
')

########################################
## <summary>
##	Manage Puppet lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`puppet_manage_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_manage_lib'($*)) dnl
	gen_require(`
		type puppet_var_lib_t;
	')

	manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_manage_lib'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to search puppet's log directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`puppet_search_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_search_log'($*)) dnl
	gen_require(`
		type puppet_log_t;
	')

	logging_search_logs($1)
	allow $1 puppet_log_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_search_log'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to read puppet's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`puppet_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_read_log'($*)) dnl
	gen_require(`
		type puppet_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, puppet_log_t, puppet_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_read_log'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to create puppet's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`puppet_create_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_create_log'($*)) dnl
	gen_require(`
		type puppet_log_t;
	')

	logging_search_logs($1)
	create_files_pattern($1, puppet_log_t, puppet_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_create_log'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to append to puppet's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`puppet_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_append_log'($*)) dnl
	gen_require(`
		type puppet_log_t;
	')

	# Append only: callers cannot truncate or rewrite existing log content.
	logging_search_logs($1)
	append_files_pattern($1, puppet_log_t, puppet_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_append_log'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to manage puppet's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`puppet_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_manage_log'($*)) dnl
	gen_require(`
		type puppet_log_t;
	')

	logging_search_logs($1)
	manage_files_pattern($1, puppet_log_t, puppet_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_manage_log'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to read puppet's config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`puppet_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_read_config'($*)) dnl
	gen_require(`
		type puppet_etc_t;
	')

	files_search_etc($1)
	list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
	read_files_pattern($1, puppet_etc_t, puppet_etc_t)
	read_lnk_files_pattern($1, puppet_etc_t, puppet_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_read_config'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to search puppet's pid directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`puppet_search_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `puppet_search_pid'($*)) dnl
	gen_require(`
		type puppet_var_run_t;
	')

	files_search_pids($1)
	allow $1 puppet_var_run_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `puppet_search_pid'($*)) dnl
')

## <summary>policy for pwauth</summary>

########################################
## <summary>
##	Transition to pwauth.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`pwauth_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pwauth_domtrans'($*)) dnl
	gen_require(`
		type pwauth_t, pwauth_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, pwauth_exec_t, pwauth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pwauth_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute pwauth in the pwauth domain, and
##	allow the specified role the pwauth domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the pwauth domain.
##	</summary>
## </param>
#
define(`pwauth_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pwauth_run'($*)) dnl
	gen_require(`
		type pwauth_t;
	')

	pwauth_domtrans($1)
	role $2 types pwauth_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pwauth_run'($*)) dnl
')

########################################
## <summary>
##	Role access for pwauth.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
define(`pwauth_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pwauth_role'($*)) dnl
	gen_require(`
		type pwauth_t;
	')

	# Note the argument order: $1 is the role, $2 the user domain.
	role $1 types pwauth_t;

	pwauth_domtrans($2)

	# Let the user see and signal (but not ptrace) its pwauth processes.
	ps_process_pattern($2, pwauth_t)
	allow $2 pwauth_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pwauth_role'($*)) dnl
')

## <summary>Server for the PXE network boot protocol.</summary>

########################################
## <summary>
##	All of the rules required to
##	administrate a pxe environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`pxe_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pxe_admin'($*)) dnl
	gen_require(`
		type pxe_t, pxe_initrc_exec_t, pxe_log_t;
		type pxe_var_run_t;
	')

	# NOTE(review): ptrace is granted unconditionally here, whereas
	# pyzor_role and pyzor_admin in this file gate it behind the
	# deny_ptrace tunable; consider the same gating for consistency.
	allow $1 pxe_t:process { ptrace signal_perms };
	ps_process_pattern($1, pxe_t)

	# Allow the admin to run the init script and let its role
	# transition to system_r for that purpose.
	init_labeled_script_domtrans($1, pxe_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 pxe_initrc_exec_t system_r;
	allow $2 system_r;

	logging_search_logs($1)
	admin_pattern($1, pxe_log_t)

	files_search_pids($1)
	admin_pattern($1, pxe_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pxe_admin'($*)) dnl
')

## <summary>Pyzor is a distributed, collaborative spam detection and filtering network.</summary>

########################################
## <summary>
##	Role access for pyzor.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
## <rolecap/>
#
define(`pyzor_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pyzor_role'($*)) dnl
	gen_require(`
		type pyzor_t, pyzor_exec_t;
		# NOTE(review): pyzor_home_t, pyzor_var_lib_t and pyzor_tmp_t are
		# required but never referenced in this body.
		type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t;
	')

	role $1 types pyzor_t;

	# Transition from the user domain to the derived domain.
	domtrans_pattern($2, pyzor_exec_t, pyzor_t)

	# allow ps to show pyzor and allow the user to kill it
	ps_process_pattern($2, pyzor_t)
	allow $2 pyzor_t:process signal_perms;

	# ptrace is only granted when the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $2 pyzor_t:process ptrace;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pyzor_role'($*)) dnl
')

########################################
## <summary>
##	Send generic signals to pyzor.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pyzor_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pyzor_signal'($*)) dnl
	gen_require(`
		type pyzor_t;
	')

	allow $1 pyzor_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pyzor_signal'($*)) dnl
')

########################################
## <summary>
##	Execute pyzor with a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`pyzor_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pyzor_domtrans'($*)) dnl
	gen_require(`
		type pyzor_exec_t, pyzor_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	domtrans_pattern($1, pyzor_exec_t, pyzor_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pyzor_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute pyzor in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`pyzor_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pyzor_exec'($*)) dnl
	gen_require(`
		type pyzor_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	can_exec($1, pyzor_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pyzor_exec'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a pyzor environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the pyzor domain.
##	</summary>
## </param>
## <rolecap/>
#
define(`pyzor_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `pyzor_admin'($*)) dnl
	gen_require(`
		type pyzord_t, pyzor_tmp_t, pyzord_log_t;
		type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t;
	')

	allow $1 pyzord_t:process signal_perms;
	ps_process_pattern($1, pyzord_t)

	# ptrace is only granted when the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 pyzord_t:process ptrace;
	')

	# Allow the admin to run the init script and let its role
	# transition to system_r for that purpose.
	init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 pyzord_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_tmp($1)
	admin_pattern($1, pyzor_tmp_t)

	logging_list_logs($1)
	admin_pattern($1, pyzord_log_t)

	files_list_etc($1)
	admin_pattern($1, pyzor_etc_t)

	files_list_var_lib($1)
	admin_pattern($1, pyzor_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `pyzor_admin'($*)) dnl
')

## <summary>QEMU machine emulator and virtualizer</summary>

########################################
## <summary>
##	Creates types and rules for a basic
##	qemu process domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
define(`qemu_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_domain_template'($*)) dnl

	##############################
	#
	# Declarations
	#

	type $1_t;
	domain_type($1_t)

	type $1_tmp_t;
	files_tmp_file($1_tmp_t)

	type $1_tmpfs_t;
	files_tmpfs_file($1_tmpfs_t)

	##############################
	#
	# Local Policy
	#

	allow $1_t self:capability { dac_read_search };
	# NOTE(review): execmem and execstack weaken W^X for every domain
	# built from this template; keep under review.
	allow $1_t self:process { execstack execmem signal getsched };
	allow $1_t self:fifo_file rw_file_perms;
	allow $1_t self:shm create_shm_perms;
	allow $1_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_t self:tcp_socket create_stream_socket_perms;
	allow $1_t self:tun_socket create;

	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
	files_tmp_filetrans($1_t, $1_tmp_t, { file dir })

	manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { file dir })

	kernel_read_system_state($1_t)

	# NOTE(review): send/receive on all TCP ports is broad; confirm the
	# guest networking use cases need more than the VNC port bind below.
	corenet_all_recvfrom_netlabel($1_t)
	corenet_tcp_sendrecv_generic_if($1_t)
	corenet_tcp_sendrecv_generic_node($1_t)
	corenet_tcp_sendrecv_all_ports($1_t)
	corenet_tcp_bind_generic_node($1_t)
	corenet_tcp_bind_vnc_port($1_t)
	corenet_rw_tun_tap_dev($1_t)

	# dev_rw_kvm($1_t)

	domain_use_interactive_fds($1_t)

	files_read_etc_files($1_t)
	files_read_usr_files($1_t)
	files_read_var_files($1_t)
	files_search_all($1_t)

	# Raw access to removable media (e.g. passthrough of block devices).
	storage_raw_write_removable_device($1_t)
	storage_raw_read_removable_device($1_t)

	term_use_ptmx($1_t)
	term_getattr_pty_fs($1_t)
	term_use_generic_ptys($1_t)

	sysnet_read_config($1_t)

	userdom_use_inherited_user_terminals($1_t)
	userdom_attach_admin_tun_iface($1_t)

	optional_policy(`
		samba_domtrans_smbd($1_t)
	')

	optional_policy(`
		virt_manage_images($1_t)
		virt_read_config($1_t)
		virt_read_lib_files($1_t)
		virt_attach_tun_iface($1_t)
	')

	optional_policy(`
		xserver_stream_connect($1_t)
		xserver_read_xdm_tmp_files($1_t)
		xserver_read_xdm_pid($1_t)
		# xserver_xdm_rw_shm($1_t)
	')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_domain_template'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run qemu.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`qemu_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_domtrans'($*)) dnl
	gen_require(`
		type qemu_t, qemu_exec_t;
	')

	domtrans_pattern($1, qemu_exec_t, qemu_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute qemu in the caller's domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`qemu_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_exec'($*)) dnl
	gen_require(`
		type qemu_exec_t;
	')

	can_exec($1, qemu_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_exec'($*)) dnl
')

########################################
## <summary>
##	Execute qemu in the qemu domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the qemu domain.
##	</summary>
## </param>
## <rolecap/>
#
define(`qemu_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_run'($*)) dnl
	gen_require(`
		type qemu_t;
	')

	qemu_domtrans($1)
	role $2 types qemu_t;

	# signull in both directions so each side can check the other exists.
	allow qemu_t $1:process signull;
	allow $1 qemu_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_run'($*)) dnl
')

########################################
## <summary>
##	Allow the domain to read state files in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to allow access.
##	</summary>
## </param>
#
define(`qemu_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_read_state'($*)) dnl
	gen_require(`
		type qemu_t;
	')

	# NOTE(review): unlike pulseaudio_read_state in this file, no
	# kernel_search_proc($1) is granted here; callers presumably already
	# have /proc search access -- confirm.
	read_files_pattern($1, qemu_t, qemu_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_read_state'($*)) dnl
')

########################################
## <summary>
##	Set the schedule on qemu.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`qemu_setsched',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_setsched'($*)) dnl
	gen_require(`
		type qemu_t;
	')

	allow $1 qemu_t:process setsched;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_setsched'($*)) dnl
')

########################################
## <summary>
##	Send a signal to qemu.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`qemu_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_signal'($*)) dnl
	gen_require(`
		type qemu_t;
	')

	allow $1 qemu_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_signal'($*)) dnl
')

########################################
## <summary>
##	Send a sigkill to qemu.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`qemu_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_kill'($*)) dnl
	gen_require(`
		type qemu_t;
	')

	allow $1 qemu_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_kill'($*)) dnl
')

########################################
## <summary>
##	Execute qemu_exec_t
##	in the specified domain but do not
##	do it automatically. This is an explicit
##	transition, requiring the caller to use setexeccon().
## </summary>
## <desc>
##	<p>

## Execute qemu_exec_t ## in the specified domain. This allows ## the specified domain to run qemu programs ## (qemu_exec_t) in the specified target ## domain. ##

##
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
define(`qemu_spec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_spec_domtrans'($*)) dnl
	gen_require(`
		type qemu_exec_t;
	')

	read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t)

	# Explicit transition only: domain_transition_pattern does not add a
	# type_transition, so the caller must request $2 via setexeccon().
	domain_transition_pattern($1, qemu_exec_t, $2)
	domain_entry_file($2,qemu_exec_t)
	can_exec($1,qemu_exec_t)

	# Standard parent/child plumbing for the new process.
	allow $2 $1:fd use;
	allow $2 $1:fifo_file rw_fifo_file_perms;
	allow $2 $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_spec_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute qemu unconfined programs in the role.
## </summary>
## <param name="role">
##	<summary>
##	The role to allow the qemu unconfined domain.
##	</summary>
## </param>
#
define(`qemu_unconfined_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_unconfined_role'($*)) dnl
	gen_require(`
		type unconfined_qemu_t;
		type qemu_t;
	')

	# Grants the role both the unconfined and the confined qemu domain.
	role $1 types unconfined_qemu_t;
	role $1 types qemu_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_unconfined_role'($*)) dnl
')

########################################
## <summary>
##	Manage qemu temporary dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`qemu_manage_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_manage_tmp_dirs'($*)) dnl
	gen_require(`
		type qemu_tmp_t;
	')

	manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_manage_tmp_dirs'($*)) dnl
')

########################################
## <summary>
##	Manage qemu temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`qemu_manage_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_manage_tmp_files'($*)) dnl
	gen_require(`
		type qemu_tmp_t;
	')

	manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_manage_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Make qemu_exec_t an entrypoint for
##	the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	The domain for which qemu_exec_t is an entrypoint.
##	</summary>
## </param>
#
define(`qemu_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_entry_type'($*)) dnl
	gen_require(`
		type qemu_exec_t;
	')

	domain_entry_file($1, qemu_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_entry_type'($*)) dnl
')

########################################
## <summary>
##	Getattr on the qemu executable.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`qemu_getattr_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qemu_getattr_exec'($*)) dnl
	gen_require(`
		type qemu_exec_t;
	')

	allow $1 qemu_exec_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qemu_getattr_exec'($*)) dnl
')

## <summary>Qmail Mail Server</summary>

########################################
## <summary>
##	Template for qmail parent/sub-domain pairs.
## </summary>
## <param name="child_prefix">
##	<summary>
##	The prefix of the child domain.
##	</summary>
## </param>
## <param name="parent_domain">
##	<summary>
##	The name of the parent domain.
##	</summary>
## </param>
#
define(`qmail_child_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qmail_child_domain_template'($*)) dnl
	# Declare the child domain and its entrypoint.
	type $1_t;
	domain_type($1_t)

	type $1_exec_t;
	domain_entry_file($1_t, $1_exec_t)

	# The parent ($2) automatically transitions into the child on exec.
	domain_auto_trans($2, $1_exec_t, $1_t)
	role system_r types $1_t;

	allow $1_t self:process signal_perms;

	# Parent/child plumbing: inherited fds, pipes and SIGCHLD back to parent.
	allow $1_t $2:fd use;
	allow $1_t $2:fifo_file rw_file_perms;
	allow $1_t $2:process sigchld;

	# NOTE(review): qmail_etc_t and qmail_start_t are used without a
	# gen_require; presumably fine because this template is only expanded
	# inside the qmail module where they are declared -- confirm.
	allow $1_t qmail_etc_t:dir list_dir_perms;
	allow $1_t qmail_etc_t:file read_file_perms;
	allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms;

	allow $1_t qmail_start_t:fd use;

	kernel_list_proc($2)
	kernel_read_proc_symlinks($2)

	corecmd_search_bin($1_t)

	files_search_var($1_t)

	fs_getattr_xattr_fs($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qmail_child_domain_template'($*)) dnl
')

########################################
## <summary>
##	Transition to qmail_inject_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`qmail_domtrans_inject',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qmail_domtrans_inject'($*)) dnl
	gen_require(`
		type qmail_inject_t, qmail_inject_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t)

	# The qmail install location differs per distribution.
	ifdef(`distro_debian',`
		files_search_usr($1)
	',`
		files_search_var($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qmail_domtrans_inject'($*)) dnl
')

########################################
## <summary>
##	Transition to qmail_queue_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`qmail_domtrans_queue',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qmail_domtrans_queue'($*)) dnl
	gen_require(`
		type qmail_queue_t, qmail_queue_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t)

	# The qmail install location differs per distribution.
	ifdef(`distro_debian',`
		files_search_usr($1)
	',`
		files_search_var($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qmail_domtrans_queue'($*)) dnl
')

########################################
## <summary>
##	Read qmail configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`qmail_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qmail_read_config'($*)) dnl
	gen_require(`
		type qmail_etc_t;
	')

	allow $1 qmail_etc_t:dir list_dir_perms;
	allow $1 qmail_etc_t:file read_file_perms;
	allow $1 qmail_etc_t:lnk_file read_lnk_file_perms;

	files_search_var($1)

	ifdef(`distro_debian',`
		# handle /etc/qmail
		files_search_etc($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qmail_read_config'($*)) dnl
')

########################################
## <summary>
##	Define the specified domain as a qmail-smtp service.
##	Needed by antivirus/antispam filters.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="entry_point">
##	<summary>
##	The type associated with the process program.
##	</summary>
## </param>
#
define(`qmail_smtpd_service_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `qmail_smtpd_service_domain'($*)) dnl
	gen_require(`
		type qmail_smtpd_t;
	')

	# qmail_smtpd_t is the source here: executing $2 (the entrypoint
	# type) moves it into $1 (the filter domain).
	domtrans_pattern(qmail_smtpd_t, $2, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `qmail_smtpd_service_domain'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete qmail
##	spool directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##
#
define(`qmail_manage_spool_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `qmail_manage_spool_dirs'($*)) dnl
	gen_require(`
		type qmail_spool_t;
	')

	manage_dirs_pattern($1, qmail_spool_t, qmail_spool_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `qmail_manage_spool_dirs'($*)) dnl
')

########################################
##
## Create, read, write, and delete qmail
## spool files.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`qmail_manage_spool_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `qmail_manage_spool_files'($*)) dnl
	gen_require(`
		type qmail_spool_t;
	')

	manage_files_pattern($1, qmail_spool_t, qmail_spool_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `qmail_manage_spool_files'($*)) dnl
')

########################################
##
## Read and write to qmail spool pipes.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`qmail_rw_spool_pipes',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `qmail_rw_spool_pipes'($*)) dnl
	gen_require(`
		type qmail_spool_t;
	')

	# This is an allow rule, not a dontaudit, despite the older parameter wording.
	allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `qmail_rw_spool_pipes'($*)) dnl
')

## policy for qpidd

########################################
##
## Execute a domain transition to run qpidd.
##
## Parameters:
##	$1: Domain allowed to transition.
##
#
define(`qpidd_domtrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `qpidd_domtrans'($*)) dnl
	gen_require(`
		type qpidd_t, qpidd_exec_t;
	')

	domtrans_pattern($1, qpidd_exec_t, qpidd_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `qpidd_domtrans'($*)) dnl
')

########################################
##
## Execute qpidd server in the qpidd domain.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`qpidd_initrc_domtrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `qpidd_initrc_domtrans'($*)) dnl
	gen_require(`
		type qpidd_initrc_exec_t;
	')

	# Runs the qpidd init script in the init script domain, not in qpidd_t.
	init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `qpidd_initrc_domtrans'($*)) dnl
')

########################################
##
## Read qpidd PID files.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`qpidd_read_pid_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `qpidd_read_pid_files'($*)) dnl
	gen_require(`
		type qpidd_var_run_t;
	')

	files_search_pids($1)
	allow $1 qpidd_var_run_t:file read_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `qpidd_read_pid_files'($*)) dnl
')

########################################
##
## Manage qpidd var_run files.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`qpidd_manage_var_run',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `qpidd_manage_var_run'($*)) dnl
	gen_require(`
		type qpidd_var_run_t;
	')

	files_search_pids($1)
	manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
	manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
	manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `qpidd_manage_var_run'($*)) dnl
')

########################################
##
## Search qpidd lib directories.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`qpidd_search_lib',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `qpidd_search_lib'($*)) dnl
	gen_require(`
		type qpidd_var_lib_t;
	')

	allow $1 qpidd_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `qpidd_search_lib'($*)) dnl
')

########################################
##
## Read qpidd lib files.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`qpidd_read_lib_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `qpidd_read_lib_files'($*)) dnl
	gen_require(`
		type qpidd_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `qpidd_read_lib_files'($*)) dnl
')

########################################
##
## Create, read, write, and delete
## qpidd lib files.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`qpidd_manage_lib_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `qpidd_manage_lib_files'($*)) dnl
	gen_require(`
		type qpidd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `qpidd_manage_lib_files'($*)) dnl
')

########################################
##
## Manage qpidd var_lib files.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`qpidd_manage_var_lib',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `qpidd_manage_var_lib'($*)) dnl
	gen_require(`
		type qpidd_var_lib_t;
	')

	# Superset of qpidd_manage_lib_files: also directories and symlinks.
	files_search_var_lib($1)
	manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
	manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
	manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `qpidd_manage_var_lib'($*)) dnl
')

########################################
##
## Allow read and write access to qpidd semaphores.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`qpidd_rw_semaphores',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `qpidd_rw_semaphores'($*)) dnl
	gen_require(`
		type qpidd_t;
	')

	allow $1 qpidd_t:sem rw_sem_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `qpidd_rw_semaphores'($*)) dnl
')

########################################
##
## Read and write to qpidd shared memory.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`qpidd_rw_shm',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `qpidd_rw_shm'($*)) dnl
	gen_require(`
		type qpidd_t;
		type qpidd_tmpfs_t;
	')

	allow $1 qpidd_t:shm rw_shm_perms;

	# NOTE(review): beyond the shm class this also grants create/delete of
	# qpidd_tmpfs_t files, which is wider than the rw_ prefix suggests.
	fs_search_tmpfs($1)
	manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `qpidd_rw_shm'($*)) dnl
')

########################################
##
## All of the rules required to
## administrate a qpidd environment.
##
## Parameters:
##	$1: Domain allowed access.
##	$2: Role allowed access.
##
#
define(`qpidd_admin',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `qpidd_admin'($*)) dnl
	gen_require(`
		type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t;
		type qpidd_var_run_t;
	')

	allow $1 qpidd_t:process { signal_perms };
	ps_process_pattern($1, qpidd_t)

	# ptrace only when the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 qpidd_t:process ptrace;
	')

	# Let the admin role start/stop the service via its init script.
	qpidd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 qpidd_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_var_lib($1)
	admin_pattern($1, qpidd_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, qpidd_var_run_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `qpidd_admin'($*)) dnl
')

## Virtual network service for Openstack.

########################################
##
## Transition to neutron.
##
## Parameters:
##	$1: Domain allowed to transition.
##
#
define(`neutron_domtrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `neutron_domtrans'($*)) dnl
	gen_require(`
		type neutron_t, neutron_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, neutron_exec_t, neutron_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `neutron_domtrans'($*)) dnl
')

########################################
##
## Allow read/write neutron pipes
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`neutron_rw_inherited_pipes',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `neutron_rw_inherited_pipes'($*)) dnl
	gen_require(`
		type neutron_t;
	')

	# Inherited-only permission set: no open, so only pipes handed over
	# by neutron can be used.
	allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `neutron_rw_inherited_pipes'($*)) dnl
')

########################################
##
## Send sigchld to neutron.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`neutron_sigchld',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `neutron_sigchld'($*)) dnl
	gen_require(`
		type neutron_t;
	')

	allow $1 neutron_t:process sigchld;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `neutron_sigchld'($*)) dnl
')

########################################
##
## Read neutron log files.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`neutron_read_log',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `neutron_read_log'($*)) dnl
	gen_require(`
		type neutron_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, neutron_log_t, neutron_log_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `neutron_read_log'($*)) dnl
')

########################################
##
## Append to neutron log files.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`neutron_append_log',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `neutron_append_log'($*)) dnl
	gen_require(`
		type neutron_log_t;
	')

	# Append-only: callers get no read or truncate on the logs.
	logging_search_logs($1)
	append_files_pattern($1, neutron_log_t, neutron_log_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `neutron_append_log'($*)) dnl
')

########################################
##
## Manage neutron log files
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`neutron_manage_log',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `neutron_manage_log'($*)) dnl
	gen_require(`
		type neutron_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, neutron_log_t, neutron_log_t)
	manage_files_pattern($1, neutron_log_t, neutron_log_t)
	manage_lnk_files_pattern($1, neutron_log_t, neutron_log_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `neutron_manage_log'($*)) dnl
')

########################################
##
## Search neutron lib directories.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`neutron_search_lib',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `neutron_search_lib'($*)) dnl
	gen_require(`
		type neutron_var_lib_t;
	')

	allow $1 neutron_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `neutron_search_lib'($*)) dnl
')

########################################
##
## Read neutron lib files.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`neutron_read_lib_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `neutron_read_lib_files'($*)) dnl
	gen_require(`
		type neutron_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `neutron_read_lib_files'($*)) dnl
')

########################################
##
## Manage neutron lib files.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`neutron_manage_lib_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `neutron_manage_lib_files'($*)) dnl
	gen_require(`
		type neutron_var_lib_t;
	')

	# Covers regular files and unix sockets under /var/lib, not directories
	# (see neutron_manage_lib_dirs).
	files_search_var_lib($1)
	manage_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
	manage_sock_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `neutron_manage_lib_files'($*)) dnl
')

########################################
##
## Manage neutron lib directories.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`neutron_manage_lib_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `neutron_manage_lib_dirs'($*)) dnl
	gen_require(`
		type neutron_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `neutron_manage_lib_dirs'($*)) dnl
')

########################################
##
## Read and write neutron fifo files.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`neutron_rw_fifo_file',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `neutron_rw_fifo_file'($*)) dnl
	gen_require(`
		type neutron_t;
	')

	# NOTE(review): this rule is identical to neutron_rw_inherited_pipes;
	# one of the two interfaces could be deprecated in favour of the other.
	allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `neutron_rw_fifo_file'($*)) dnl
')

########################################
##
## Connect to neutron over a unix domain
## stream socket.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`neutron_stream_connect',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `neutron_stream_connect'($*)) dnl
	gen_require(`
		type neutron_t;
		type neutron_var_lib_t;
	')

	# NOTE(review): the socket directory given to stream_connect_pattern is
	# neutron_var_lib_t, yet only /var/run search is granted here; callers may
	# also need files_search_var_lib - confirm against the socket location.
	files_search_pids($1)
	stream_connect_pattern($1, neutron_var_lib_t, neutron_var_lib_t, neutron_t )
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `neutron_stream_connect'($*)) dnl
')

########################################
##
## Execute neutron server in the neutron domain.
##
## Parameters:
##	$1: Domain allowed to transition.
##
#
define(`neutron_systemctl',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `neutron_systemctl'($*)) dnl
	gen_require(`
		type neutron_t;
		type neutron_unit_file_t;
	')

	# Control of the neutron unit via systemctl; no domain transition here.
	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 neutron_unit_file_t:file read_file_perms;
	allow $1 neutron_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, neutron_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `neutron_systemctl'($*)) dnl
')

########################################
##
## Read neutron process state files.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`neutron_read_state',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `neutron_read_state'($*)) dnl
	gen_require(`
		type neutron_t;
	')

	# /proc/<pid> entries of neutron_t processes.
	allow $1 neutron_t:dir search_dir_perms;
	allow $1 neutron_t:file read_file_perms;
	allow $1 neutron_t:lnk_file read_lnk_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `neutron_read_state'($*)) dnl
')

########################################
##
## All of the rules required to administrate
## a neutron environment
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`neutron_admin',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `neutron_admin'($*)) dnl
	gen_require(`
		type neutron_t;
		type neutron_log_t;
		type neutron_var_lib_t;
		type neutron_unit_file_t;
	')

	# NOTE(review): ptrace is granted unconditionally here, whereas qpidd_admin,
	# radius_admin and radvd_admin in this file gate it behind the deny_ptrace
	# tunable. Consider the same tunable_policy block for consistency.
	allow $1 neutron_t:process { ptrace signal_perms };
	ps_process_pattern($1, neutron_t)

	logging_search_logs($1)
	admin_pattern($1, neutron_log_t)

	files_search_var_lib($1)
	admin_pattern($1, neutron_var_lib_t)

	neutron_systemctl($1)
	admin_pattern($1, neutron_unit_file_t)
	allow $1 neutron_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `neutron_admin'($*)) dnl
')

## File system quota management

########################################
##
## Execute quota management tools in the quota domain.
##
## Parameters:
##	$1: Domain allowed to transition.
##
#
define(`quota_domtrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `quota_domtrans'($*)) dnl
	gen_require(`
		type quota_t, quota_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, quota_exec_t, quota_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `quota_domtrans'($*)) dnl
')

########################################
##
## Execute quota management tools in the quota domain, and
## allow the specified role the quota domain.
##
## Parameters:
##	$1: Domain allowed to transition.
##	$2: Role allowed access.
##
#
define(`quota_run',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `quota_run'($*)) dnl
	gen_require(`
		type quota_t;
	')

	quota_domtrans($1)
	role $2 types quota_t;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `quota_run'($*)) dnl
')

########################################
##
## Allow reading filesystem quota data files.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`quota_read_db',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `quota_read_db'($*)) dnl
	gen_require(`
		type quota_db_t;
	')

	allow $1 quota_db_t:file read_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `quota_read_db'($*)) dnl
')

########################################
##
## Do not audit attempts to get the attributes
## of filesystem quota data files.
##
## Parameters:
##	$1: Domain to not audit.
##
#
define(`quota_dontaudit_getattr_db',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `quota_dontaudit_getattr_db'($*)) dnl
	gen_require(`
		type quota_db_t;
	')

	dontaudit $1 quota_db_t:file getattr_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `quota_dontaudit_getattr_db'($*)) dnl
')

########################################
##
## Create, read, write, and delete quota
## db files.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`quota_manage_db',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `quota_manage_db'($*)) dnl
	gen_require(`
		type quota_db_t;
	')

	# Permission on the file objects only; no directory search is granted here.
	allow $1 quota_db_t:file manage_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `quota_manage_db'($*)) dnl
')

########################################
##
## Create, read, write, and delete quota
## flag files.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`quota_manage_flags',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `quota_manage_flags'($*)) dnl
	gen_require(`
		type quota_flag_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, quota_flag_t, quota_flag_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `quota_manage_flags'($*)) dnl
')

########################################
##
## Transition to quota named content
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`quota_filetrans_named_content',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `quota_filetrans_named_content'($*)) dnl
	gen_require(`
		type quota_db_t;
	')

	# aquota.user / aquota.group created by $1 in any of these parent
	# directories are labelled quota_db_t instead of inheriting the parent label.
	files_root_filetrans($1, quota_db_t, file, "aquota.user")
	files_root_filetrans($1, quota_db_t, file, "aquota.group")
	files_boot_filetrans($1, quota_db_t, file, "aquota.user")
	files_boot_filetrans($1, quota_db_t, file, "aquota.group")
	files_etc_filetrans($1, quota_db_t, file, "aquota.user")
	files_etc_filetrans($1, quota_db_t, file, "aquota.group")
	files_tmp_filetrans($1, quota_db_t, file, "aquota.user")
	files_tmp_filetrans($1, quota_db_t, file, "aquota.group")
	files_home_filetrans($1, quota_db_t, file, "aquota.user")
	files_home_filetrans($1, quota_db_t, file, "aquota.group")
	files_usr_filetrans($1, quota_db_t, file, "aquota.user")
	files_usr_filetrans($1, quota_db_t, file, "aquota.group")
	files_var_filetrans($1, quota_db_t, file, "aquota.user")
	files_var_filetrans($1, quota_db_t, file, "aquota.group")
	files_spool_filetrans($1, quota_db_t, file, "aquota.user")
	files_spool_filetrans($1, quota_db_t, file, "aquota.group")
	mta_spool_filetrans($1, quota_db_t, file, "aquota.user")
	mta_spool_filetrans($1, quota_db_t, file, "aquota.group")
	mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.user")
	mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.group")
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `quota_filetrans_named_content'($*)) dnl
')

########################################
##
## Transition to quota_nld.
##
## Parameters:
##	$1: Domain allowed to transition.
##
#
define(`quota_domtrans_nld',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `quota_domtrans_nld'($*)) dnl
	gen_require(`
		type quota_nld_t, quota_nld_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `quota_domtrans_nld'($*)) dnl
')

## AMQP server written in Erlang.

########################################
##
## Execute rabbitmq in the rabbitmq domain.
##
## Parameters:
##	$1: Domain allowed to transition.
##
#
define(`rabbitmq_domtrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `rabbitmq_domtrans'($*)) dnl
	gen_require(`
		type rabbitmq_t, rabbitmq_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `rabbitmq_domtrans'($*)) dnl
')

########################################
##
## All of the rules required to
## administrate a rabbitmq environment.
##
## Parameters:
##	$1: Domain allowed access.
##	$2: Role allowed access.
##
#
define(`rabbitmq_admin',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `rabbitmq_admin'($*)) dnl
	gen_require(`
		type rabbitmq_t, rabbitmq_initrc_exec_t;
		type rabbitmq_var_lib_t, rabbitmq_var_log_t, rabbitmq_var_run_t;
	')

	# NOTE(review): like neutron_admin, ptrace is unconditional here while the
	# qpidd/radius/radvd admin interfaces gate it behind deny_ptrace.
	allow $1 { rabbitmq_t }:process { ptrace signal_perms };
	ps_process_pattern($1, rabbitmq_t)

	init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 rabbitmq_initrc_exec_t system_r;
	allow $2 system_r;

	logging_search_logs($1)
	admin_pattern($1, rabbitmq_var_log_t)

	files_search_var_lib($1)
	admin_pattern($1, rabbitmq_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, rabbitmq_var_run_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `rabbitmq_admin'($*)) dnl
')

## RADIUS authentication and accounting server.

########################################
##
## Use radius over a UDP connection. (Deprecated)
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`radius_use',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `radius_use'($*)) dnl
	# No rules are emitted; the call only produces a build-time warning.
	refpolicywarn(`$0($*) has been deprecated.')
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `radius_use'($*)) dnl
')

########################################
##
## Execute radiusd server in the radiusd domain.
##
## Parameters:
##	$1: Domain allowed to transition.
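##
#
define(`radiusd_systemctl',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `radiusd_systemctl'($*)) dnl
	gen_require(`
		type radiusd_unit_file_t;
		type radiusd_t;
	')

	# Control of the radiusd unit via systemctl; no domain transition here.
	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 radiusd_unit_file_t:file read_file_perms;
	allow $1 radiusd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, radiusd_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `radiusd_systemctl'($*)) dnl
')

########################################
##
## All of the rules required to
## administrate a radius environment.
##
## Parameters:
##	$1: Domain allowed access.
##	$2: Role allowed access.
##
#
define(`radius_admin',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `radius_admin'($*)) dnl
	gen_require(`
		type radiusd_t, radiusd_etc_t, radiusd_log_t;
		type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
		type radiusd_initrc_exec_t, radiusd_unit_file_t;
	')

	allow $1 radiusd_t:process signal_perms;
	ps_process_pattern($1, radiusd_t)

	# ptrace only when the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 radiusd_t:process ptrace;
	')

	init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 radiusd_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, { radiusd_etc_t radiusd_etc_rw_t })

	logging_list_logs($1)
	admin_pattern($1, radiusd_log_t)

	files_list_var_lib($1)
	admin_pattern($1, radiusd_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, radiusd_var_run_t)

	admin_pattern($1, radiusd_unit_file_t)
	# Use the radiusd unit interface defined above. The previous call was
	# bind_systemctl($1), which looks like a copy-paste slip from another
	# module and presumably handed the radius admin control of an unrelated
	# service unit instead of radiusd.
	radiusd_systemctl($1)
	allow $1 radiusd_unit_file_t:service all_service_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `radius_admin'($*)) dnl
')

## IPv6 router advertisement daemon.

########################################
##
## Read radvd PID files.
##
## Parameters:
##	$1: Domain allowed access.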
##
#
define(`radvd_read_pid_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `radvd_read_pid_files'($*)) dnl
	gen_require(`
		type radvd_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, radvd_var_run_t, radvd_var_run_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `radvd_read_pid_files'($*)) dnl
')

########################################
##
## All of the rules required to
## administrate a radvd environment.
##
## Parameters:
##	$1: Domain allowed access.
##	$2: Role allowed access.
##
#
define(`radvd_admin',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `radvd_admin'($*)) dnl
	gen_require(`
		type radvd_t, radvd_etc_t, radvd_initrc_exec_t;
		type radvd_var_run_t;
	')

	allow $1 radvd_t:process signal_perms;
	ps_process_pattern($1, radvd_t)

	# ptrace only when the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 radvd_t:process ptrace;
	')

	init_labeled_script_domtrans($1, radvd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 radvd_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, radvd_etc_t)

	files_list_pids($1)
	admin_pattern($1, radvd_var_run_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `radvd_admin'($*)) dnl
')

## RAID array management tools

########################################
##
## Execute software raid tools in the mdadm domain.
##
## Parameters:
##	$1: Domain allowed to transition.
##
#
define(`raid_domtrans_mdadm',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `raid_domtrans_mdadm'($*)) dnl
	gen_require(`
		type mdadm_t, mdadm_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, mdadm_exec_t, mdadm_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `raid_domtrans_mdadm'($*)) dnl
')

########################################
##
## Execute a domain transition to mdadm_t for the
## specified role, allowing it to use the mdadm_t
## domain
##
## Parameters (note the role comes first, unlike quota_run):
##	$1: Role allowed to access mdadm_t domain
##	$2: Domain allowed to transition to mdadm_t
##
#
define(`raid_run_mdadm',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `raid_run_mdadm'($*)) dnl
	gen_require(`
		type mdadm_t;
	')

	role $1 types mdadm_t;
	raid_domtrans_mdadm($2)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `raid_run_mdadm'($*)) dnl
')

########################################
##
## Execute mdadm server in the mdadm domain.
##
## Parameters:
##	$1: Domain allowed to transition.
##
#
define(`mdadm_systemctl',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `mdadm_systemctl'($*)) dnl
	gen_require(`
		type mdadm_t;
		type mdadm_unit_file_t;
	')

	# Control of the mdadm unit via systemctl; no domain transition here.
	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 mdadm_unit_file_t:file read_file_perms;
	allow $1 mdadm_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, mdadm_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `mdadm_systemctl'($*)) dnl
')

########################################
##
## Read the mdadm pid files.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`raid_read_mdadm_pid',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `raid_read_mdadm_pid'($*)) dnl
	gen_require(`
		type mdadm_var_run_t;
	')

	# Unlike the other *_read_pid_files interfaces in this file, no
	# files_search_pids($1) is granted here; the caller must provide it.
	read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `raid_read_mdadm_pid'($*)) dnl
')

########################################
##
## Create, read, write, and delete the mdadm pid files.
##
## Create, read, write, and delete the mdadm pid files.
## Added for use in the init module.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`raid_manage_mdadm_pid',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `raid_manage_mdadm_pid'($*)) dnl
	gen_require(`
		type mdadm_var_run_t;
	')

	# FIXME: maybe should have a type_transition. not
	# clear what this is doing, from the original
	# mdadm policy
	allow $1 mdadm_var_run_t:file manage_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `raid_manage_mdadm_pid'($*)) dnl
')

########################################
##
## Check access to the mdadm executable.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`raid_access_check_mdadm',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `raid_access_check_mdadm'($*)) dnl
	gen_require(`
		type mdadm_exec_t;
	')

	# Probe and execute the mdadm binary; no domain transition is set up here,
	# and the map permission is silenced rather than granted.
	corecmd_search_bin($1)
	allow $1 mdadm_exec_t:file { getattr_file_perms execute };
	dontaudit $1 mdadm_exec_t:file map;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `raid_access_check_mdadm'($*)) dnl
')

########################################
##
## Read mdadm config files.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`raid_read_conf_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `raid_read_conf_files'($*)) dnl
	gen_require(`
		type mdadm_conf_t;
	')

	read_files_pattern($1, mdadm_conf_t, mdadm_conf_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `raid_read_conf_files'($*)) dnl
')

########################################
##
## Manage mdadm config files.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`raid_manage_conf_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `raid_manage_conf_files'($*)) dnl
	gen_require(`
		type mdadm_conf_t;
	')

	manage_files_pattern($1, mdadm_conf_t, mdadm_conf_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `raid_manage_conf_files'($*)) dnl
')

########################################
##
## Transition to mdadm named content
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`raid_filetrans_named_content',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `raid_filetrans_named_content'($*)) dnl
	gen_require(`
		type mdadm_conf_t;
	')

	# mdadm.conf and its anaconda backup created in /etc get mdadm_conf_t.
	files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
	files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak")
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `raid_filetrans_named_content'($*)) dnl
')

########################################
##
## Relabel from mdadm_var_run_t sock file.
##
## Parameters:
##	$1: Domain allowed access.
##
#
define(`raid_relabel_mdadm_var_run_content',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `raid_relabel_mdadm_var_run_content'($*)) dnl
	gen_require(`
		type mdadm_var_run_t;
	')

	# relabel_sock_file_perms covers relabelfrom and relabelto, so this is
	# wider than the "Relabel from" summary suggests.
	allow $1 mdadm_var_run_t:sock_file relabel_sock_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `raid_relabel_mdadm_var_run_content'($*)) dnl
')

########################################
##
## Connect to raid with a unix
## domain stream socket.
##
## Parameters:
##	$1: Domain allowed access.
##	</summary>
## </param>
#
define(`raid_stream_connect',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `raid_stream_connect'($*)) dnl
	gen_require(`
		type mdadm_t, mdadm_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, mdadm_var_run_t, mdadm_var_run_t, mdadm_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `raid_stream_connect'($*)) dnl
')

## <summary>The rasdaemon program is a daemon which monitors the RAS trace events from /sys/kernel/debug/tracing</summary>

########################################
## <summary>
##	Execute rasdaemon in the rasdaemon domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`rasdaemon_domtrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `rasdaemon_domtrans'($*)) dnl
	gen_require(`
		type rasdaemon_t, rasdaemon_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, rasdaemon_exec_t, rasdaemon_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `rasdaemon_domtrans'($*)) dnl
')

########################################
## <summary>
##	Search rasdaemon lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rasdaemon_search_lib',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `rasdaemon_search_lib'($*)) dnl
	gen_require(`
		type rasdaemon_var_lib_t;
	')

	allow $1 rasdaemon_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `rasdaemon_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read rasdaemon lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rasdaemon_read_lib_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `rasdaemon_read_lib_files'($*)) dnl
	gen_require(`
		type rasdaemon_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `rasdaemon_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Manage rasdaemon lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rasdaemon_manage_lib_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `rasdaemon_manage_lib_files'($*)) dnl
	gen_require(`
		type rasdaemon_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `rasdaemon_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Manage rasdaemon lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rasdaemon_manage_lib_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `rasdaemon_manage_lib_dirs'($*)) dnl
	gen_require(`
		type rasdaemon_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `rasdaemon_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage the rasdaemon
##	service (start, stop, reload, status).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
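##	</summary>
## </param>
#
define(`rasdaemon_systemctl',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `rasdaemon_systemctl'($*)) dnl
	gen_require(`
		type rasdaemon_t;
		type rasdaemon_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 rasdaemon_unit_file_t:file read_file_perms;
	# manage_service_perms lets the caller start and stop the unit,
	# not only query it.
	allow $1 rasdaemon_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, rasdaemon_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `rasdaemon_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a rasdaemon environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`rasdaemon_admin',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `rasdaemon_admin'($*)) dnl
	gen_require(`
		type rasdaemon_t;
		type rasdaemon_var_lib_t;
		type rasdaemon_unit_file_t;
	')

	allow $1 rasdaemon_t:process signal_perms;
	ps_process_pattern($1, rasdaemon_t)

	# ptrace is gated by the deny_ptrace tunable, consistent with
	# rgmanager_admin and razor_role; with the tunable off the
	# granted permissions are unchanged.
	tunable_policy(`deny_ptrace',`',`
		allow $1 rasdaemon_t:process ptrace;
	')

	files_search_var_lib($1)
	admin_pattern($1, rasdaemon_var_lib_t)

	rasdaemon_systemctl($1)
	admin_pattern($1, rasdaemon_unit_file_t)
	allow $1 rasdaemon_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `rasdaemon_admin'($*)) dnl
')

## <summary>A distributed, collaborative, spam detection and filtering network.</summary>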

## A distributed, collaborative, spam detection and filtering network. ##

##

## This policy will work with either the ATrpms-provided config ## file in /etc/razor or with the default of storing everything in ## $HOME/.razor. ##

##
########################################
## <summary>
##	Template to create types and rules common to
##	all razor domains.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix of the domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
define(`razor_common_domain_template',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `razor_common_domain_template'($*)) dnl
	gen_require(`
		type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
	')

	type $1_t;
	domain_type($1_t)
	domain_entry_file($1_t, razor_exec_t)

	# NOTE(review): a negated set grants every process permission not
	# listed, including any added to the policy later; an explicit
	# positive list is the least-privilege form.
	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	allow $1_t self:fd use;
	allow $1_t self:fifo_file rw_fifo_file_perms;
	allow $1_t self:unix_dgram_socket create_socket_perms;
	allow $1_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_t self:unix_dgram_socket sendto;
	allow $1_t self:unix_stream_socket connectto;
	allow $1_t self:shm create_shm_perms;
	allow $1_t self:sem create_sem_perms;
	allow $1_t self:msgq create_msgq_perms;
	allow $1_t self:msg { send receive };
	allow $1_t self:tcp_socket create_socket_perms;

	# Read system config file
	allow $1_t razor_etc_t:dir list_dir_perms;
	allow $1_t razor_etc_t:file read_file_perms;
	allow $1_t razor_etc_t:lnk_file read_lnk_file_perms;

	manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
	manage_files_pattern($1_t, razor_log_t, razor_log_t)
	manage_lnk_files_pattern($1_t, razor_log_t, razor_log_t)
	logging_log_filetrans($1_t, razor_log_t, file)

	manage_dirs_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
	manage_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
	manage_lnk_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
	files_search_var_lib($1_t)

	# Razor is one executable and several symlinks
	allow $1_t razor_exec_t:file read_file_perms;
	allow $1_t razor_exec_t:lnk_file read_lnk_file_perms;

	kernel_read_system_state($1_t)
	kernel_read_network_state($1_t)
	# NOTE(review): software RAID state is an unusual need for a spam
	# filtering client; confirm it is still required.
	kernel_read_software_raid_state($1_t)
	kernel_getattr_core_if($1_t)
	kernel_getattr_message_if($1_t)
	kernel_read_kernel_sysctls($1_t)

	corecmd_exec_bin($1_t)

	corenet_all_recvfrom_unlabeled($1_t)
	corenet_all_recvfrom_netlabel($1_t)
	corenet_tcp_sendrecv_generic_if($1_t)
	# NOTE(review): raw socket send/receive on generic interfaces and
	# nodes is broader than a TCP client of the razor port needs;
	# confirm razor actually uses raw sockets before keeping it.
	corenet_raw_sendrecv_generic_if($1_t)
	corenet_tcp_sendrecv_generic_node($1_t)
	corenet_raw_sendrecv_generic_node($1_t)
	corenet_tcp_sendrecv_razor_port($1_t)

	# mktemp and other randoms
	dev_read_rand($1_t)
	dev_read_urand($1_t)

	files_search_pids($1_t)
	# Allow access to various files in the /etc/directory including mtab
	# and nsswitch
	files_read_etc_files($1_t)
	files_read_etc_runtime_files($1_t)

	fs_search_auto_mountpoints($1_t)

	libs_read_lib_files($1_t)

	sysnet_read_config($1_t)
	sysnet_dns_name_resolve($1_t)

	optional_policy(`
		nis_use_ypbind($1_t)
	') dnl
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `razor_common_domain_template'($*)) dnl
')

########################################
## <summary>
##	Role access for razor
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
## <rolecap/>
#
define(`razor_role',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `razor_role'($*)) dnl
	gen_require(`
		type razor_t, razor_exec_t, razor_home_t;
	')

	role $1 types razor_t;

	# Transition from the user domain to the derived domain.
	domtrans_pattern($2, razor_exec_t, razor_t)

	# allow ps to show razor and allow the user to kill it
	ps_process_pattern($2, razor_t)
	allow $2 razor_t:process signal_perms;

	# ptrace of razor_t is allowed unless the deny_ptrace tunable is set.
	tunable_policy(`deny_ptrace',`',`
		allow $2 razor_t:process ptrace;
	')

	manage_dirs_pattern($2, razor_home_t, razor_home_t)
	manage_files_pattern($2, razor_home_t, razor_home_t)
	manage_lnk_files_pattern($2, razor_home_t, razor_home_t)
	relabel_dirs_pattern($2, razor_home_t, razor_home_t)
	relabel_files_pattern($2, razor_home_t, razor_home_t)
	relabel_lnk_files_pattern($2, razor_home_t, razor_home_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `razor_role'($*)) dnl
')

########################################
## <summary>
##	Execute razor in the system razor domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`razor_domtrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `razor_domtrans'($*)) dnl
	gen_require(`
		type razor_t, razor_exec_t;
	')

	domtrans_pattern($1, razor_exec_t, razor_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `razor_domtrans'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete razor files
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`razor_manage_user_home_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `razor_manage_user_home_files'($*)) dnl
	gen_require(`
		type razor_home_t;
	')

	userdom_search_user_home_dirs($1)
	manage_files_pattern($1, razor_home_t, razor_home_t)
	# Symlinks are read-only here; only regular files are managed.
	read_lnk_files_pattern($1, razor_home_t, razor_home_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `razor_manage_user_home_files'($*)) dnl
')

########################################
## <summary>
##	Read razor lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`razor_read_lib_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `razor_read_lib_files'($*)) dnl
	gen_require(`
		type razor_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `razor_read_lib_files'($*)) dnl
')

## <summary>Network router discovery daemon.</summary>

########################################
## <summary>
##	Execute rdisc in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rdisc_exec',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `rdisc_exec'($*)) dnl
	gen_require(`
		type rdisc_exec_t;
	')

	corecmd_search_bin($1)
	# No domain transition: rdisc runs with the privileges of the caller.
	can_exec($1, rdisc_exec_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `rdisc_exec'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage the rdisc
##	service (start, stop, reload, status).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rdisc_systemctl',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `rdisc_systemctl'($*)) dnl
	gen_require(`
		type rdisc_t;
		type rdisc_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 rdisc_unit_file_t:file read_file_perms;
	# manage_service_perms lets the caller start and stop the unit,
	# not only query it.
	allow $1 rdisc_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, rdisc_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `rdisc_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	an rdisc environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
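##	</summary>
## </param>
## <rolecap/>
#
define(`rdisc_admin',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `rdisc_admin'($*)) dnl
	gen_require(`
		type rdisc_t;
		type rdisc_unit_file_t;
	')

	allow $1 rdisc_t:process signal_perms;
	ps_process_pattern($1, rdisc_t)

	# ptrace is gated by the deny_ptrace tunable, consistent with
	# rgmanager_admin and razor_role; with the tunable off the
	# granted permissions are unchanged.
	tunable_policy(`deny_ptrace',`',`
		allow $1 rdisc_t:process ptrace;
	')

	rdisc_systemctl($1)
	admin_pattern($1, rdisc_unit_file_t)
	allow $1 rdisc_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `rdisc_admin'($*)) dnl
')

## <summary>Read files into page cache for improved performance.</summary>

########################################
## <summary>
##	Execute a domain transition
##	to run readahead.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`readahead_domtrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `readahead_domtrans'($*)) dnl
	gen_require(`
		type readahead_t, readahead_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, readahead_exec_t, readahead_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `readahead_domtrans'($*)) dnl
')

########################################
## <summary>
##	Manage readahead var_run files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.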
##	</summary>
## </param>
#
define(`readahead_manage_pid_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `readahead_manage_pid_files'($*)) dnl
	gen_require(`
		type readahead_var_run_t;
	')

	manage_dirs_pattern($1, readahead_var_run_t, readahead_var_run_t)
	manage_files_pattern($1, readahead_var_run_t, readahead_var_run_t)
	# NOTE(review): the caller gets readahead pid content transitions
	# both under /dev and under the init pid directory; verify both
	# locations are still in use.
	dev_filetrans($1, readahead_var_run_t, { dir file })
	init_pid_filetrans($1, readahead_var_run_t, { dir file })
	files_search_pids($1)
	init_search_pid_dirs($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `readahead_manage_pid_files'($*)) dnl
')

## <summary>dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA</summary>

########################################
## <summary>
##	Execute realmd in the realmd_t domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`realmd_domtrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `realmd_domtrans'($*)) dnl
	gen_require(`
		type realmd_t, realmd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, realmd_exec_t, realmd_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `realmd_domtrans'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	realmd over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`realmd_dbus_chat',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `realmd_dbus_chat'($*)) dnl
	gen_require(`
		type realmd_t;
		class dbus send_msg;
	')

	# Bidirectional: realmd may also send to the caller.
	allow $1 realmd_t:dbus send_msg;
	allow realmd_t $1:dbus send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `realmd_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Search realmd cache directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`realmd_search_cache',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `realmd_search_cache'($*)) dnl
	gen_require(`
		type realmd_var_cache_t;
	')

	allow $1 realmd_var_cache_t:dir search_dir_perms;
	files_search_var($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `realmd_search_cache'($*)) dnl
')

########################################
## <summary>
##	Read realmd cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`realmd_read_cache_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `realmd_read_cache_files'($*)) dnl
	gen_require(`
		type realmd_var_cache_t;
	')

	files_search_var($1)
	read_files_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `realmd_read_cache_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	realmd cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`realmd_manage_cache_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `realmd_manage_cache_files'($*)) dnl
	gen_require(`
		type realmd_var_cache_t;
	')

	files_search_var($1)
	manage_files_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `realmd_manage_cache_files'($*)) dnl
')

########################################
## <summary>
##	Manage realmd cache dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
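##	</summary>
## </param>
#
define(`realmd_manage_cache_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `realmd_manage_cache_dirs'($*)) dnl
	gen_require(`
		type realmd_var_cache_t;
	')

	files_search_var($1)
	manage_dirs_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `realmd_manage_cache_dirs'($*)) dnl
')

########################################
## <summary>
##	Read realmd tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`realmd_read_tmp_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `realmd_read_tmp_files'($*)) dnl
	gen_require(`
		type realmd_tmp_t;
	')

	# Search the tmp directory, not /var: realmd_tmp_t content lives
	# under tmp, and the previous files_search_var call (copied from
	# the cache interfaces above) did not let callers reach it.
	files_search_tmp($1)
	read_files_pattern($1, realmd_tmp_t, realmd_tmp_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `realmd_read_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Read realmd library files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`realmd_read_var_lib',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `realmd_read_var_lib'($*)) dnl
	gen_require(`
		type realmd_var_lib_t;
	')

	# NOTE(review): unlike realmd_dgram_send, no files_search_var_lib
	# call is made here; callers must already be able to search /var/lib.
	list_dirs_pattern($1, realmd_var_lib_t, realmd_var_lib_t)
	read_files_pattern($1, realmd_var_lib_t, realmd_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `realmd_read_var_lib'($*)) dnl
')

########################################
## <summary>
##	Send to realmd over a unix domain
##	datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.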
##	</summary>
## </param>
#
define(`realmd_dgram_send',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `realmd_dgram_send'($*)) dnl
	gen_require(`
		type realmd_t, realmd_var_lib_t;
	')

	files_search_var_lib($1)
	dgram_send_pattern($1, realmd_var_lib_t, realmd_var_lib_t, realmd_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `realmd_dgram_send'($*)) dnl
')

## <summary>Advanced key-value store</summary>

########################################
## <summary>
##	Execute redis server in the redis domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`redis_domtrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `redis_domtrans'($*)) dnl
	gen_require(`
		type redis_t, redis_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, redis_exec_t, redis_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `redis_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute the redis init script in the
##	init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`redis_initrc_domtrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `redis_initrc_domtrans'($*)) dnl
	gen_require(`
		type redis_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, redis_initrc_exec_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `redis_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read redis log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`redis_read_log',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `redis_read_log'($*)) dnl
	gen_require(`
		type redis_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, redis_log_t, redis_log_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `redis_read_log'($*)) dnl
')

########################################
## <summary>
##	Append to redis log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`redis_append_log',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `redis_append_log'($*)) dnl
	gen_require(`
		type redis_log_t;
	')

	logging_search_logs($1)
	# Append only: existing log content cannot be overwritten or truncated.
	append_files_pattern($1, redis_log_t, redis_log_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `redis_append_log'($*)) dnl
')

########################################
## <summary>
##	Manage redis log files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`redis_manage_log',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `redis_manage_log'($*)) dnl
	gen_require(`
		type redis_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, redis_log_t, redis_log_t)
	manage_files_pattern($1, redis_log_t, redis_log_t)
	manage_lnk_files_pattern($1, redis_log_t, redis_log_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `redis_manage_log'($*)) dnl
')

########################################
## <summary>
##	Search redis lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`redis_search_lib',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `redis_search_lib'($*)) dnl
	gen_require(`
		type redis_var_lib_t;
	')

	allow $1 redis_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `redis_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read redis lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`redis_read_lib_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `redis_read_lib_files'($*)) dnl
	gen_require(`
		type redis_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `redis_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Manage redis lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`redis_manage_lib_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `redis_manage_lib_files'($*)) dnl
	gen_require(`
		type redis_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `redis_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Manage redis lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`redis_manage_lib_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `redis_manage_lib_dirs'($*)) dnl
	gen_require(`
		type redis_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, redis_var_lib_t, redis_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `redis_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Read redis PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`redis_read_pid_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `redis_read_pid_files'($*)) dnl
	gen_require(`
		type redis_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, redis_var_run_t, redis_var_run_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `redis_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Connect to redis over a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`redis_stream_connect',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `redis_stream_connect'($*)) dnl
	gen_require(`
		type redis_t, redis_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, redis_var_run_t, redis_var_run_t, redis_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `redis_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage the redis
##	service (start, stop, reload, status).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`redis_systemctl',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `redis_systemctl'($*)) dnl
	gen_require(`
		type redis_t;
		type redis_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 redis_unit_file_t:file read_file_perms;
	# manage_service_perms lets the caller start and stop the unit,
	# not only query it.
	allow $1 redis_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, redis_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `redis_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a redis environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
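##	</summary>
## </param>
## <rolecap/>
#
define(`redis_admin',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `redis_admin'($*)) dnl
	gen_require(`
		type redis_t, redis_initrc_exec_t, redis_var_lib_t;
		type redis_log_t, redis_var_run_t, redis_unit_file_t;
	')

	allow $1 redis_t:process signal_perms;
	ps_process_pattern($1, redis_t)

	# ptrace is gated by the deny_ptrace tunable, consistent with
	# rgmanager_admin and razor_role; with the tunable off the
	# granted permissions are unchanged.
	tunable_policy(`deny_ptrace',`',`
		allow $1 redis_t:process ptrace;
	')

	# Running the init script moves the admin role into system_r.
	init_labeled_script_domtrans($1, redis_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 redis_initrc_exec_t system_r;
	allow $2 system_r;

	logging_search_logs($1)
	admin_pattern($1, redis_log_t)

	files_search_var_lib($1)
	admin_pattern($1, redis_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, redis_var_run_t)

	redis_systemctl($1)
	admin_pattern($1, redis_unit_file_t)
	allow $1 redis_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `redis_admin'($*)) dnl
')

## <summary>Policy for rshd, rlogind, and telnetd.</summary>

########################################
## <summary>
##	Domain transition to the remote login domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`remotelogin_domtrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `remotelogin_domtrans'($*)) dnl
	gen_require(`
		type remote_login_t;
	')

	# Uses the login-program transition so the caller is treated like
	# other login services, not a plain domtrans.
	auth_domtrans_login_program($1, remote_login_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `remotelogin_domtrans'($*)) dnl
')

########################################
## <summary>
##	Allow the domain to send a signal to
##	the remote login domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.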
##	</summary>
## </param>
#
define(`remotelogin_signal',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `remotelogin_signal'($*)) dnl
	gen_require(`
		type remote_login_t;
	')

	# Only the generic signal permission, not the full signal_perms set.
	allow $1 remote_login_t:process signal;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `remotelogin_signal'($*)) dnl
')

########################################
## <summary>
##	Allow the domain to send a null signal
##	(signull, existence check) to the remote
##	login domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`remotelogin_signull',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `remotelogin_signull'($*)) dnl
	gen_require(`
		type remote_login_t;
	')

	allow $1 remote_login_t:process signull;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `remotelogin_signull'($*)) dnl
')

## <summary>Resource management daemon.</summary>

########################################
## <summary>
##	Connect to resmgrd over a unix domain
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`resmgr_stream_connect',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `resmgr_stream_connect'($*)) dnl
	gen_require(`
		type resmgrd_var_run_t, resmgrd_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, resmgrd_var_run_t, resmgrd_var_run_t, resmgrd_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `resmgr_stream_connect'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a resmgr environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
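##	</summary>
## </param>
## <rolecap/>
#
define(`resmgr_admin',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `resmgr_admin'($*)) dnl
	gen_require(`
		type resmgrd_t, resmgrd_initrc_exec_t, resmgrd_var_run_t;
		type resmgrd_etc_t;
	')

	allow $1 resmgrd_t:process signal_perms;
	ps_process_pattern($1, resmgrd_t)

	# ptrace is gated by the deny_ptrace tunable, consistent with
	# rgmanager_admin and razor_role; with the tunable off the
	# granted permissions are unchanged.
	tunable_policy(`deny_ptrace',`',`
		allow $1 resmgrd_t:process ptrace;
	')

	# Running the init script moves the admin role into system_r.
	init_labeled_script_domtrans($1, resmgrd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 resmgrd_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, resmgrd_etc_t)

	files_search_pids($1)
	admin_pattern($1, resmgrd_var_run_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `resmgr_admin'($*)) dnl
')

## <summary>rgmanager - Resource Group Manager</summary>

########################################
## <summary>
##	Execute a domain transition to run rgmanager.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`rgmanager_domtrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `rgmanager_domtrans'($*)) dnl
	gen_require(`
		type rgmanager_t, rgmanager_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, rgmanager_exec_t, rgmanager_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `rgmanager_domtrans'($*)) dnl
')

########################################
## <summary>
##	Connect to rgmanager over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rgmanager_stream_connect',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `rgmanager_stream_connect'($*)) dnl
	gen_require(`
		type rgmanager_t, rgmanager_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `rgmanager_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Manage rgmanager pid files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.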
##	</summary>
## </param>
#
define(`rgmanager_manage_pid_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `rgmanager_manage_pid_files'($*)) dnl
	gen_require(`
		type rgmanager_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `rgmanager_manage_pid_files'($*)) dnl
')

########################################
## <summary>
##	Allow managing rgmanager tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rgmanager_manage_tmp_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `rgmanager_manage_tmp_files'($*)) dnl
	gen_require(`
		type rgmanager_tmp_t;
	')

	files_search_tmp($1)
	manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `rgmanager_manage_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Allow managing rgmanager tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rgmanager_manage_tmpfs_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `rgmanager_manage_tmpfs_files'($*)) dnl
	gen_require(`
		type rgmanager_tmpfs_t;
	')

	fs_search_tmpfs($1)
	manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `rgmanager_manage_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Allow read and write access to rgmanager semaphores.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##
#
define(`rgmanager_rw_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rgmanager_rw_semaphores'($*)) dnl
	gen_require(`
		type rgmanager_t;
	')

	# rw only: unlike the rhcs_rw_*_semaphores interfaces below this does
	# not grant destroy.
	allow $1 rgmanager_t:sem rw_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rgmanager_rw_semaphores'($*)) dnl
')

########################################
##
##	All of the rules required to administrate
##	an rgmanager environment.
##
##
##	Domain allowed access.
##
##
##	The role to be allowed to manage the rgmanager domain.
##
#
define(`rgmanager_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rgmanager_admin'($*)) dnl
	gen_require(`
		type rgmanager_t, rgmanager_initrc_exec_t, rgmanager_tmp_t;
		type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
	')

	# Signal and inspect the daemon; ptrace only when the deny_ptrace
	# tunable is off.
	allow $1 rgmanager_t:process signal_perms;
	ps_process_pattern($1, rgmanager_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 rgmanager_t:process ptrace;
	')

	# Init script control, with the admin role ($2) allowed into system_r.
	init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 rgmanager_initrc_exec_t system_r;
	allow $2 system_r;

	# Administrative access to tmp, tmpfs, log and pid objects.
	files_list_tmp($1)
	admin_pattern($1, rgmanager_tmp_t)

	admin_pattern($1, rgmanager_tmpfs_t)

	logging_list_logs($1)
	admin_pattern($1, rgmanager_var_log_t)

	files_list_pids($1)
	admin_pattern($1, rgmanager_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rgmanager_admin'($*)) dnl
')

########################################
##
##	Allow the specified domain to manage rgmanager's lib/run files.
##
##
##	Domain allowed access.
##
#
define(`rgmanager_manage_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rgmanager_manage_files'($*)) dnl
	gen_require(`
		type rgmanager_var_lib_t;
		type rgmanager_var_run_t;
	')

	# NOTE(review): despite the "manage" name this uses admin_pattern,
	# which in refpolicy grants more than the manage_*_pattern macros
	# (relabel in addition to manage). Callers that only need to
	# create/write these files get relabel rights too; if that is not
	# wanted, manage_*_pattern would be the narrower choice.
	files_list_var_lib($1)
	admin_pattern($1, rgmanager_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, rgmanager_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rgmanager_manage_files'($*)) dnl
')

########################################
##
##	Allow the specified domain to execute rgmanager's lib files.
##
##
##	Domain allowed access.
##
#
define(`rgmanager_execute_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rgmanager_execute_lib'($*)) dnl
	gen_require(`
		type rgmanager_var_lib_t;
	')

	# Execute in the caller's own domain (can_exec), no transition.
	files_list_var_lib($1)
	allow $1 rgmanager_var_lib_t:dir search_dir_perms;
	can_exec($1, rgmanager_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rgmanager_execute_lib'($*)) dnl
')

########################################
##
##	Allow the specified domain to search rgmanager's lib files.
##
##
##	Domain allowed access.
##
#
define(`rgmanager_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rgmanager_search_lib'($*)) dnl
	gen_require(`
		type rgmanager_var_lib_t;
	')

	files_list_var_lib($1)
	allow $1 rgmanager_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rgmanager_search_lib'($*)) dnl
')

## RHCS - Red Hat Cluster Suite

########################################
##
##	Creates types and rules for a basic
##	rhcs init daemon domain.
##
##
##	Prefix for the domain.
##
#
define(`rhcs_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_domain_template'($*)) dnl
	gen_require(`
		attribute cluster_domain, cluster_tmpfs, cluster_pid, cluster_log;
	')

	##############################
	#
	# Declarations
	#

	# $1_t is an init daemon domain; every type declared here also joins
	# the matching cluster_* attribute so attribute-wide rules elsewhere
	# in the module apply to it.
	type $1_t, cluster_domain;
	type $1_exec_t;
	init_daemon_domain($1_t, $1_exec_t)

	type $1_tmpfs_t, cluster_tmpfs;
	files_tmpfs_file($1_tmpfs_t)

	type $1_var_log_t, cluster_log;
	logging_log_file($1_var_log_t)

	type $1_var_run_t, cluster_pid;
	files_pid_file($1_var_run_t)

	##############################
	#
	# Local policy
	#

	manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })

	# NOTE(review): only the type transition is granted here for
	# $1_var_log_t; no manage rules on it appear in this template.
	# Presumably those come via the cluster_log attribute in the .te
	# file -- confirm, otherwise log creation will be denied.
	logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })

	manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
	manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
	manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
	files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file })

	kernel_read_system_state($1_t)

	auth_use_nsswitch($1_t)

	logging_send_syslog_msg($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_domain_template'($*)) dnl
')

########################################
##
##	Execute a domain transition to run dlm_controld.
##
##
##	Domain allowed to transition.
##
#
define(`rhcs_domtrans_dlm_controld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_domtrans_dlm_controld'($*)) dnl
	gen_require(`
		type dlm_controld_t, dlm_controld_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, dlm_controld_exec_t, dlm_controld_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_domtrans_dlm_controld'($*)) dnl
')

########################################
##
##	Connect to dlm_controld over a unix domain
##	stream socket.
##
##
##	Domain allowed access.
##
#
define(`rhcs_stream_connect_dlm_controld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_stream_connect_dlm_controld'($*)) dnl
	gen_require(`
		type dlm_controld_t, dlm_controld_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_stream_connect_dlm_controld'($*)) dnl
')

########################################
##
##	Connect to haproxy over a unix domain
##	stream socket.
##
##
##	Domain allowed access.
##
#
define(`rhcs_stream_connect_haproxy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_stream_connect_haproxy'($*)) dnl
	gen_require(`
		type haproxy_t, haproxy_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, haproxy_var_run_t, haproxy_var_run_t, haproxy_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_stream_connect_haproxy'($*)) dnl
')

########################################
##
##	Send a null signal to haproxy.
##
##
##	Domain allowed access.
##
#
define(`rhcs_signull_haproxy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_signull_haproxy'($*)) dnl
	gen_require(`
		type haproxy_t;
	')

	# signull only (existence check), no other signals.
	allow $1 haproxy_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_signull_haproxy'($*)) dnl
')

########################################
##
##	Allow read and write access to dlm_controld semaphores.
##
##
##	Domain allowed access.
##
#
define(`rhcs_rw_dlm_controld_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_rw_dlm_controld_semaphores'($*)) dnl
	gen_require(`
		type dlm_controld_t, dlm_controld_tmpfs_t;
	')

	# Broader than the name suggests: destroy on the semaphore, plus
	# manage (not just rw) on dlm_controld tmpfs files. Same shape as
	# the other rhcs_rw_*_semaphores interfaces in this file.
	allow $1 dlm_controld_t:sem { rw_sem_perms destroy };

	fs_search_tmpfs($1)
	manage_files_pattern($1, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_rw_dlm_controld_semaphores'($*)) dnl
')

########################################
##
##	Execute a domain transition to run fenced.
##
##
##	Domain allowed to transition.
##
#
define(`rhcs_domtrans_fenced',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_domtrans_fenced'($*)) dnl
	gen_require(`
		type fenced_t, fenced_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, fenced_exec_t, fenced_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_domtrans_fenced'($*)) dnl
')

########################################
##
##	Allow a domain to getattr on the fenced executable.
##
##
##	Domain allowed access.
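##
#
define(`rhcs_getattr_fenced',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_getattr_fenced'($*)) dnl
	gen_require(`
		type fenced_exec_t;
	')

	# Stat the executable only; no execute, no transition. (fenced_t was
	# previously required here but never referenced.)
	allow $1 fenced_exec_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_getattr_fenced'($*)) dnl
')

########################################
##
##	Allow read and write access to fenced semaphores.
##
##
##	Domain allowed access.
##
#
define(`rhcs_rw_fenced_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_rw_fenced_semaphores'($*)) dnl
	gen_require(`
		type fenced_t, fenced_tmpfs_t;
	')

	# Also grants destroy on the semaphore and manage on fenced tmpfs
	# files, like the sibling rhcs_rw_*_semaphores interfaces.
	allow $1 fenced_t:sem { rw_sem_perms destroy };

	fs_search_tmpfs($1)
	manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_rw_fenced_semaphores'($*)) dnl
')

########################################
##
##	Read fenced PID files.
##
##
##	Domain allowed access.
##
#
define(`rhcs_read_fenced_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_read_fenced_pid_files'($*)) dnl
	gen_require(`
		type fenced_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, fenced_var_run_t, fenced_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_read_fenced_pid_files'($*)) dnl
')

########################################
##
##	Connect to fenced over a unix domain stream socket.
##
##
##	Domain allowed access.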
##
#
define(`rhcs_stream_connect_fenced',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_stream_connect_fenced'($*)) dnl
	gen_require(`
		type fenced_var_run_t, fenced_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, fenced_var_run_t, fenced_var_run_t, fenced_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_stream_connect_fenced'($*)) dnl
')

########################################
##
##	Send and receive messages from
##	fenced over dbus.
##
##
##	Domain allowed access.
##
#
define(`rhcs_dbus_chat_fenced',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_dbus_chat_fenced'($*)) dnl
	gen_require(`
		type fenced_t;
		class dbus send_msg;
	')

	# Bidirectional: both the caller and fenced_t may send.
	allow $1 fenced_t:dbus send_msg;
	allow fenced_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_dbus_chat_fenced'($*)) dnl
')

########################################
##
##	Execute a domain transition to run haproxy.
##
##
##	Domain allowed to transition.
##
#
define(`rhcs_domtrans_haproxy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_domtrans_haproxy'($*)) dnl
	gen_require(`
		type haproxy_t, haproxy_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, haproxy_exec_t, haproxy_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_domtrans_haproxy'($*)) dnl
')

########################################
##
##	Execute a domain transition to run gfs_controld.
##
##
##	Domain allowed to transition.
##
#
define(`rhcs_domtrans_gfs_controld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_domtrans_gfs_controld'($*)) dnl
	gen_require(`
		type gfs_controld_t, gfs_controld_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, gfs_controld_exec_t, gfs_controld_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_domtrans_gfs_controld'($*)) dnl
')

########################################
##
##	Allow read and write access to gfs_controld semaphores.
##
##
##	Domain allowed access.
##
#
define(`rhcs_rw_gfs_controld_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_rw_gfs_controld_semaphores'($*)) dnl
	gen_require(`
		type gfs_controld_t, gfs_controld_tmpfs_t;
	')

	# Also grants destroy on the semaphore and manage on the tmpfs files.
	allow $1 gfs_controld_t:sem { rw_sem_perms destroy };

	fs_search_tmpfs($1)
	manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_rw_gfs_controld_semaphores'($*)) dnl
')

########################################
##
##	Read and write to gfs_controld_t shared memory.
##
##
##	Domain allowed access.
##
#
define(`rhcs_rw_gfs_controld_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_rw_gfs_controld_shm'($*)) dnl
	gen_require(`
		type gfs_controld_t, gfs_controld_tmpfs_t;
	')

	# Also grants destroy on the shm segment and manage on the tmpfs files.
	allow $1 gfs_controld_t:shm { rw_shm_perms destroy };

	fs_search_tmpfs($1)
	manage_files_pattern($1, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_rw_gfs_controld_shm'($*)) dnl
')

########################################
##
##	Connect to gfs_controld_t over a unix domain stream socket.
##
##
##	Domain allowed access.
##
#
define(`rhcs_stream_connect_gfs_controld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_stream_connect_gfs_controld'($*)) dnl
	gen_require(`
		type gfs_controld_t, gfs_controld_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, gfs_controld_var_run_t, gfs_controld_var_run_t, gfs_controld_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_stream_connect_gfs_controld'($*)) dnl
')

########################################
##
##	Execute a domain transition to run groupd.
##
##
##	Domain allowed to transition.
##
#
define(`rhcs_domtrans_groupd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_domtrans_groupd'($*)) dnl
	gen_require(`
		type groupd_t, groupd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, groupd_exec_t, groupd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_domtrans_groupd'($*)) dnl
')

########################################
##
##	Connect to groupd over a unix domain
##	stream socket.
##
##
##	Domain allowed access.
##
#
define(`rhcs_stream_connect_groupd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_stream_connect_groupd'($*)) dnl
	gen_require(`
		type groupd_t, groupd_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_stream_connect_groupd'($*)) dnl
')

########################################
##
##	Allow read and write access to groupd semaphores.
##
##
##	Domain allowed access.
##
#
define(`rhcs_rw_groupd_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_rw_groupd_semaphores'($*)) dnl
	gen_require(`
		type groupd_t, groupd_tmpfs_t;
	')

	# Also grants destroy on the semaphore and manage on the tmpfs files.
	allow $1 groupd_t:sem { rw_sem_perms destroy };

	fs_search_tmpfs($1)
	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_rw_groupd_semaphores'($*)) dnl
')

########################################
##
##	Read and write to groupd shared memory.
##
##
##	Domain allowed access.
##
#
define(`rhcs_rw_groupd_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_rw_groupd_shm'($*)) dnl
	gen_require(`
		type groupd_t, groupd_tmpfs_t;
	')

	# Also grants destroy on the shm segment and manage on the tmpfs files.
	allow $1 groupd_t:shm { rw_shm_perms destroy };

	fs_search_tmpfs($1)
	manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_rw_groupd_shm'($*)) dnl
')

########################################
##
##	Read and write shared memory of every cluster domain
##	(the cluster_domain attribute), and manage every
##	cluster_tmpfs file.
##
##
##	Domain allowed access.
##
#
define(`rhcs_rw_cluster_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_rw_cluster_shm'($*)) dnl
	gen_require(`
		attribute cluster_domain, cluster_tmpfs;
	')

	# Attribute-wide: applies to all domains/types carrying these
	# attributes, not a single daemon.
	allow $1 cluster_domain:shm { rw_shm_perms destroy };

	fs_search_tmpfs($1)
	manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_rw_cluster_shm'($*)) dnl
')

########################################
##
##	Read and write access to cluster domains semaphores.
##
##
##	Domain allowed access.
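##
#
define(`rhcs_rw_cluster_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_rw_cluster_semaphores'($*)) dnl
	gen_require(`
		attribute cluster_domain;
	')

	# Attribute-wide; also grants destroy on the semaphores.
	allow $1 cluster_domain:sem { rw_sem_perms destroy };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_rw_cluster_semaphores'($*)) dnl
')

########################################
##
##	Connect to every cluster domain over a unix domain
##	stream socket.
##
##
##	Domain allowed access.
##
#
define(`rhcs_stream_connect_cluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_stream_connect_cluster'($*)) dnl
	gen_require(`
		attribute cluster_domain, cluster_pid;
	')

	# Grants connectto on all cluster_domain listeners via any
	# cluster_pid socket file.
	files_search_pids($1)
	stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_stream_connect_cluster'($*)) dnl
')

########################################
##
##	Connect to a specific cluster domain over a unix domain
##	stream socket found under a cluster_pid path.
##
##
##	Domain allowed access.
##
##
##	Target domain (the socket's listener) to connect to.
##
#
define(`rhcs_stream_connect_cluster_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_stream_connect_cluster_to'($*)) dnl
	gen_require(`
		attribute cluster_pid;
	')

	# Narrower than rhcs_stream_connect_cluster: connectto is granted
	# only toward $2, not toward every cluster_domain. (The previously
	# required cluster_domain attribute was never referenced here.)
	files_search_pids($1)
	stream_connect_pattern($1, cluster_pid, cluster_pid, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_stream_connect_cluster_to'($*)) dnl
')

########################################
##
##	Send a null signal to cluster.
##
##
##	Domain allowed access.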
##
#
define(`rhcs_signull_cluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_signull_cluster'($*)) dnl
	gen_require(`
		type cluster_t;
	')

	# Existence check only (signull), against the cluster_t type rather
	# than the cluster_domain attribute.
	allow $1 cluster_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_signull_cluster'($*)) dnl
')

########################################
##
##	Execute a domain transition to run qdiskd.
##
##
##	Domain allowed to transition.
##
#
define(`rhcs_domtrans_qdiskd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_domtrans_qdiskd'($*)) dnl
	gen_require(`
		type qdiskd_t, qdiskd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_domtrans_qdiskd'($*)) dnl
')

########################################
##
##	Allow domain to read qdiskd tmpfs files.
##
##
##	Domain allowed access.
##
#
define(`rhcs_read_qdiskd_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_read_qdiskd_tmpfs_files'($*)) dnl
	gen_require(`
		type qdiskd_tmpfs_t;
	')

	fs_search_tmpfs($1)
	allow $1 qdiskd_tmpfs_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_read_qdiskd_tmpfs_files'($*)) dnl
')

########################################
##
##	Allow domain to read cluster lib files.
##
##
##	Domain allowed access.
##
#
define(`rhcs_read_cluster_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_read_cluster_lib_files'($*)) dnl
	gen_require(`
		type cluster_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_read_cluster_lib_files'($*)) dnl
')

########################################
##
##	Allow domain to manage cluster lib files.
##
##
##	Domain allowed access.
##
#
define(`rhcs_manage_cluster_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_manage_cluster_lib_files'($*)) dnl
	gen_require(`
		type cluster_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_manage_cluster_lib_files'($*)) dnl
')

########################################
##
##	Allow domain to relabel cluster lib files
##	(both to and from cluster_var_lib_t).
##
##
##	Domain allowed access.
##
#
define(`rhcs_relabel_cluster_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_relabel_cluster_lib_files'($*)) dnl
	gen_require(`
		type cluster_var_lib_t;
	')

	files_search_var_lib($1)
	relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
	relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_relabel_cluster_lib_files'($*)) dnl
')

########################################
##
##	Execute a domain transition to run the cluster administrative domain.
##
##
##	Domain allowed to transition.
##
#
define(`rhcs_domtrans_cluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_domtrans_cluster'($*)) dnl
	gen_require(`
		type cluster_t, cluster_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, cluster_exec_t, cluster_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_domtrans_cluster'($*)) dnl
')

########################################
##
##	Execute cluster init scripts in
##	the init script domain.
##
##
##	Domain allowed to transition.
##
#
define(`rhcs_initrc_domtrans_cluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_initrc_domtrans_cluster'($*)) dnl
	gen_require(`
		type cluster_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, cluster_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_initrc_domtrans_cluster'($*)) dnl
')

########################################
##
##	Execute cluster in the caller domain
##	(no domain transition).
##
##
##	Domain allowed access.
##
#
define(`rhcs_exec_cluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_exec_cluster'($*)) dnl
	gen_require(`
		type cluster_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, cluster_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_exec_cluster'($*)) dnl
')

########################################
##
##	Read cluster log files.
##
##
##	Domain allowed access.
##
#
define(`rhcs_read_log_cluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_read_log_cluster'($*)) dnl
	gen_require(`
		type cluster_var_log_t;
	')

	logging_search_logs($1)
	list_dirs_pattern($1, cluster_var_log_t, cluster_var_log_t)
	read_files_pattern($1, cluster_var_log_t, cluster_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_read_log_cluster'($*)) dnl
')

########################################
##
##	Setattr cluster log files.
##
##
##	Domain allowed access.
##
#
define(`rhcs_setattr_log_cluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_setattr_log_cluster'($*)) dnl
	gen_require(`
		type cluster_var_log_t;
	')

	# No logging_search_logs() here, unlike rhcs_read_log_cluster; the
	# caller is expected to already be able to reach the log directory.
	setattr_files_pattern($1, cluster_var_log_t, cluster_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_setattr_log_cluster'($*)) dnl
')

########################################
##
##	Allow the specified domain to read/write inherited cluster tmp files.
##
##
##	Domain allowed access.
##
#
define(`rhcs_rw_inherited_cluster_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_rw_inherited_cluster_tmp_files'($*)) dnl
	gen_require(`
		type cluster_tmp_t;
	')

	# Inherited-descriptor permissions only: no open, so the caller can
	# use an fd handed to it but cannot open these files itself.
	allow $1 cluster_tmp_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_rw_inherited_cluster_tmp_files'($*)) dnl
')

########################################
##
##	Allow manage cluster tmp files.
##
##
##	Domain allowed access.
##
#
define(`rhcs_manage_cluster_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_manage_cluster_tmp_files'($*)) dnl
	gen_require(`
		type cluster_tmp_t;
	')

	files_search_tmp($1)
	manage_files_pattern($1, cluster_tmp_t, cluster_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_manage_cluster_tmp_files'($*)) dnl
')

########################################
##
##	Allow the specified domain to read/write, delete and
##	mmap cluster tmpfs files.
##
##
##	Domain allowed access.
##
#
define(`rhcs_rw_cluster_tmpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_rw_cluster_tmpfs'($*)) dnl
	gen_require(`
		type cluster_tmpfs_t;
	')

	# More than plain rw: delete is granted, and `map' allows the files
	# to be memory-mapped. No fs_search_tmpfs() is included.
	rw_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
	delete_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
	allow $1 cluster_tmpfs_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_rw_cluster_tmpfs'($*)) dnl
')

########################################
##
##	Allow manage cluster tmpfs files.
##
##
##	Domain allowed access.
##
#
define(`rhcs_manage_cluster_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_manage_cluster_tmpfs_files'($*)) dnl
	gen_require(`
		type cluster_tmpfs_t;
	')

	fs_search_tmpfs($1)
	manage_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_manage_cluster_tmpfs_files'($*)) dnl
')

########################################
##
##	Allow read cluster pid files.
##
##
##	Domain allowed access.
##
#
define(`rhcs_read_cluster_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_read_cluster_pid_files'($*)) dnl
	gen_require(`
		type cluster_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, cluster_var_run_t, cluster_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_read_cluster_pid_files'($*)) dnl
')

########################################
##
##	Allow manage cluster pid files.
##
##
##	Domain allowed access.
##
#
define(`rhcs_manage_cluster_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_manage_cluster_pid_files'($*)) dnl
	gen_require(`
		type cluster_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, cluster_var_run_t, cluster_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_manage_cluster_pid_files'($*)) dnl
')

########################################
##
##	Control the cluster systemd unit with systemctl
##	(start/stop/status etc.) and inspect cluster_t processes.
##	This is not a domain transition into cluster_t.
##
##
##	Domain allowed access.
##
#
define(`rhcs_systemctl_cluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_systemctl_cluster'($*)) dnl
	gen_require(`
		type cluster_t;
		type cluster_unit_file_t;
	')

	# init_reload_services() is not scoped to the cluster unit; it
	# grants the caller a daemon-reload-style permission toward init.
	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 cluster_unit_file_t:file read_file_perms;
	allow $1 cluster_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, cluster_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_systemctl_cluster'($*)) dnl
')

########################################
##
##	Send and receive messages from
##	a cluster service over dbus.
##
##
##	Domain allowed access.
##
#
define(`rhcs_dbus_chat_cluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_dbus_chat_cluster'($*)) dnl
	gen_require(`
		type cluster_t;
		class dbus send_msg;
	')

	# Bidirectional dbus messaging between the caller and cluster_t.
	allow $1 cluster_t:dbus send_msg;
	allow cluster_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_dbus_chat_cluster'($*)) dnl
')

########################################
##
##	All of the rules required to administrate
##	a cluster environment.
##
##
##	Domain allowed access.
##
##
##	The role to be allowed to manage the cluster domain.
##
#
define(`rhcs_admin_cluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_admin_cluster'($*)) dnl
	gen_require(`
		type cluster_t, cluster_initrc_exec_t, cluster_tmp_t;
		type cluster_tmpfs_t, cluster_var_log_t, cluster_var_run_t;
		type cluster_unit_file_t;
	')

	# Signal and inspect the daemon; ptrace only when the deny_ptrace
	# tunable is off.
	allow $1 cluster_t:process signal_perms;
	ps_process_pattern($1, cluster_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 cluster_t:process ptrace;
	')

	# Init script control, with the admin role ($2) allowed into system_r.
	init_labeled_script_domtrans($1, cluster_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 cluster_initrc_exec_t system_r;
	allow $2 system_r;

	# Administrative access to tmp, tmpfs, log and pid objects.
	files_list_tmp($1)
	admin_pattern($1, cluster_tmp_t)

	admin_pattern($1, cluster_tmpfs_t)

	logging_list_logs($1)
	admin_pattern($1, cluster_var_log_t)

	files_list_pids($1)
	admin_pattern($1, cluster_var_run_t)

	# Full control of the systemd unit: systemctl access plus
	# manage/relabel of the unit file and every service permission.
	rhcs_systemctl_cluster($1)
	admin_pattern($1, cluster_unit_file_t)
	allow $1 cluster_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_admin_cluster'($*)) dnl
')

########################################
##
##	Start haproxy unit files domain.
##
##
##	Domain allowed to transition.
##
#
define(`rhcs_start_haproxy_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_start_haproxy_services'($*)) dnl
	gen_require(`
		type haproxy_unit_file_t;
	')

	# Deliberately narrow: status and start only, no stop/reload.
	systemd_exec_systemctl($1)
	allow $1 haproxy_unit_file_t:service {status start};
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_start_haproxy_services'($*)) dnl
')

########################################
##
##	Create the "bundles" directory in the log directory
##	with a named file type transition.
##
##
##	Domain allowed access.
##
#
define(`rhcs_named_filetrans_log_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhcs_named_filetrans_log_dir'($*)) dnl
	gen_require(`
		type var_log_t;
	')

	# NOTE(review): the type passed as the transition target is var_log_t
	# itself, i.e. the created "bundles" dir keeps the generic log label
	# rather than a cluster-private one -- confirm this is intended.
	logging_log_named_filetrans($1, var_log_t, dir, "bundles")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhcs_named_filetrans_log_dir'($*)) dnl
')

## rhev policy module contains policies for rhev apps

########################################
##
##	Execute rhev-agentd in the rhev_agentd domain.
##
##
##	Domain allowed access.
##
#
define(`rhev_domtrans_agentd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhev_domtrans_agentd'($*)) dnl
	gen_require(`
		type rhev_agentd_t, rhev_agentd_exec_t;
	')

	# NOTE(review): unlike every other *_domtrans interface in this file
	# there is no corecmd_search_bin($1) here; callers that cannot
	# already search the bin directories will be denied before the
	# transition -- confirm whether that is intended.
	domtrans_pattern($1, rhev_agentd_exec_t, rhev_agentd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhev_domtrans_agentd'($*)) dnl
')

########################################
##
##	Read rhev-agentd PID files.
##
##
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhev_read_pid_files_agentd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhev_read_pid_files_agentd'($*)) dnl
	gen_require(`
		type rhev_agentd_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhev_read_pid_files_agentd'($*)) dnl
')

########################################
## <summary>
##	Connect to rhev_agentd over a unix domain
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhev_stream_connect_agentd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhev_stream_connect_agentd'($*)) dnl
	gen_require(`
		type rhev_agentd_var_run_t, rhev_agentd_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t, rhev_agentd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhev_stream_connect_agentd'($*)) dnl
')

########################################
## <summary>
##	Send sigchld to rhev-agentd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhev_sigchld_agentd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhev_sigchld_agentd'($*)) dnl
	gen_require(`
		type rhev_agentd_t;
	')

	allow $1 rhev_agentd_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhev_sigchld_agentd'($*)) dnl
')

## <summary>Red Hat Graphical Boot</summary>

########################################
## <summary>
##	RHGB stub interface. No access allowed.
## </summary>
## <param name="domain">
##	<summary>
##	N/A
##	</summary>
## </param>
#
define(`rhgb_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_stub'($*)) dnl
	gen_require(`
		type rhgb_t;
	')

	# intentionally empty: only pulls rhgb_t into the requires of the caller
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_stub'($*)) dnl
')

########################################
## <summary>
##	Use a rhgb file descriptor.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhgb_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_use_fds'($*)) dnl
	gen_require(`
		type rhgb_t;
	')

	allow $1 rhgb_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_use_fds'($*)) dnl
')

########################################
## <summary>
##	Get the process group of rhgb.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhgb_getpgid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_getpgid'($*)) dnl
	gen_require(`
		type rhgb_t;
	')

	allow $1 rhgb_t:process getpgid;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_getpgid'($*)) dnl
')

########################################
## <summary>
##	Send a signal to rhgb.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhgb_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_signal'($*)) dnl
	gen_require(`
		type rhgb_t;
	')

	# generic signal only, not the whole signal_perms set
	allow $1 rhgb_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_signal'($*)) dnl
')

########################################
## <summary>
##	Read and write to rhgb unix stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhgb_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_rw_stream_sockets'($*)) dnl
	gen_require(`
		type rhgb_t;
	')

	allow $1 rhgb_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_rw_stream_sockets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	rhgb unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`rhgb_dontaudit_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_dontaudit_rw_stream_sockets'($*)) dnl
	gen_require(`
		type rhgb_t;
	')

	dontaudit $1 rhgb_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_dontaudit_rw_stream_sockets'($*)) dnl
')

########################################
## <summary>
##	Connect to the rhgb unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhgb_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_stream_connect'($*)) dnl
	gen_require(`
		type rhgb_t;
	')

	allow $1 rhgb_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Read and write to rhgb shared memory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhgb_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_rw_shm'($*)) dnl
	gen_require(`
		type rhgb_t;
	')

	allow $1 rhgb_t:shm rw_shm_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_rw_shm'($*)) dnl
')

########################################
## <summary>
##	Read from and write to the rhgb devpts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhgb_use_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_use_ptys'($*)) dnl
	gen_require(`
		type rhgb_devpts_t;
	')

	allow $1 rhgb_devpts_t:chr_file rw_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_use_ptys'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read from and
##	write to the rhgb devpts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`rhgb_dontaudit_use_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_dontaudit_use_ptys'($*)) dnl
	gen_require(`
		type rhgb_devpts_t;
	')

	dontaudit $1 rhgb_devpts_t:chr_file rw_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_dontaudit_use_ptys'($*)) dnl
')

########################################
## <summary>
##	Read and write rhgb tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhgb_rw_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhgb_rw_tmpfs_files'($*)) dnl
	gen_require(`
		type rhgb_tmpfs_t;
	')

	fs_search_tmpfs($1)
	allow $1 rhgb_tmpfs_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhgb_rw_tmpfs_files'($*)) dnl
')

## <summary>policy for rhnsd</summary>

########################################
## <summary>
##	Transition to rhnsd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`rhnsd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhnsd_domtrans'($*)) dnl
	gen_require(`
		type rhnsd_t, rhnsd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, rhnsd_exec_t, rhnsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhnsd_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute rhnsd server in the rhnsd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhnsd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhnsd_initrc_domtrans'($*)) dnl
	gen_require(`
		type rhnsd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, rhnsd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhnsd_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage the rhnsd service.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`rhnsd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhnsd_systemctl'($*)) dnl
	gen_require(`
		type rhnsd_t;
		type rhnsd_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)

	# unit file is readable; the service itself is fully manageable
	allow $1 rhnsd_unit_file_t:file read_file_perms;
	allow $1 rhnsd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, rhnsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhnsd_systemctl'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to manage
##	rhnsd configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhnsd_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhnsd_manage_config'($*)) dnl
	gen_require(`
		type rhnsd_conf_t;
	')

	files_search_etc($1)
	manage_files_pattern($1, rhnsd_conf_t, rhnsd_conf_t)
	manage_lnk_files_pattern($1, rhnsd_conf_t, rhnsd_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhnsd_manage_config'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	an rhnsd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
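##	</summary>
## </param>
## <rolecap/>
#
define(`rhnsd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhnsd_admin'($*)) dnl
	gen_require(`
		type rhnsd_t;
		type rhnsd_initrc_exec_t;
	')

	# process control; ptrace is gated by the deny_ptrace tunable,
	# matching the other *_admin interfaces in this file
	allow $1 rhnsd_t:process signal_perms;
	ps_process_pattern($1, rhnsd_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 rhnsd_t:process ptrace;
	')

	# init script execution and the role transition into system_r
	rhnsd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 rhnsd_initrc_exec_t system_r;
	allow $2 system_r;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhnsd_admin'($*)) dnl
')

## <summary>Subscription Management Certificate Daemon policy</summary>

########################################
## <summary>
##	Transition to rhsmcertd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`rhsmcertd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_domtrans'($*)) dnl
	gen_require(`
		type rhsmcertd_t, rhsmcertd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, rhsmcertd_exec_t, rhsmcertd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute rhsmcertd server in the rhsmcertd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhsmcertd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_initrc_domtrans'($*)) dnl
	gen_require(`
		type rhsmcertd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, rhsmcertd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read rhsmcertd config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.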
##	</summary>
## </param>
#
define(`rhsmcertd_read_config_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_read_config_files'($*)) dnl
	gen_require(`
		type rhsmcertd_config_t;
	')

	files_search_var_lib($1)
	allow $1 rhsmcertd_config_t:dir search;
	read_files_pattern($1, rhsmcertd_config_t, rhsmcertd_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_read_config_files'($*)) dnl
')

########################################
## <summary>
##	Read rhsmcertd log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhsmcertd_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_read_log'($*)) dnl
	gen_require(`
		type rhsmcertd_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_read_log'($*)) dnl
')

########################################
## <summary>
##	Append to rhsmcertd log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhsmcertd_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_append_log'($*)) dnl
	gen_require(`
		type rhsmcertd_log_t;
	')

	logging_search_logs($1)
	append_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_append_log'($*)) dnl
')

########################################
## <summary>
##	Manage rhsmcertd log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhsmcertd_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_manage_log'($*)) dnl
	gen_require(`
		type rhsmcertd_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
	manage_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
	manage_lnk_files_pattern($1, rhsmcertd_log_t, rhsmcertd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_manage_log'($*)) dnl
')

########################################
## <summary>
##	Search rhsmcertd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhsmcertd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_search_lib'($*)) dnl
	gen_require(`
		type rhsmcertd_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 rhsmcertd_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read rhsmcertd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhsmcertd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_read_lib_files'($*)) dnl
	gen_require(`
		type rhsmcertd_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Manage rhsmcertd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhsmcertd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_manage_lib_files'($*)) dnl
	gen_require(`
		type rhsmcertd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Manage rhsmcertd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhsmcertd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_manage_lib_dirs'($*)) dnl
	gen_require(`
		type rhsmcertd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Read cloud-what cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cloud_what_read_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cloud_what_read_cache_files'($*)) dnl
	gen_require(`
		type cloud_what_var_cache_t;
	')

	files_search_var($1)
	read_files_pattern($1, cloud_what_var_cache_t, cloud_what_var_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cloud_what_read_cache_files'($*)) dnl
')

########################################
## <summary>
##	Manage cloud-what cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cloud_what_manage_cache_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cloud_what_manage_cache_files'($*)) dnl
	gen_require(`
		type cloud_what_var_cache_t;
	')

	files_search_var($1)
	manage_files_pattern($1, cloud_what_var_cache_t, cloud_what_var_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cloud_what_manage_cache_files'($*)) dnl
')

########################################
## <summary>
##	Manage cloud-what cache directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`cloud_what_manage_cache_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `cloud_what_manage_cache_dirs'($*)) dnl
	gen_require(`
		type cloud_what_var_cache_t;
	')

	files_search_var($1)
	manage_dirs_pattern($1, cloud_what_var_cache_t, cloud_what_var_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `cloud_what_manage_cache_dirs'($*)) dnl
')

########################################
## <summary>
##	Read rhsmcertd PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhsmcertd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_read_pid_files'($*)) dnl
	gen_require(`
		type rhsmcertd_var_run_t;
	')

	files_search_pids($1)
	allow $1 rhsmcertd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Manage rhsmcertd PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhsmcertd_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_manage_pid_files'($*)) dnl
	gen_require(`
		type rhsmcertd_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_manage_pid_files'($*)) dnl
')

########################################
## <summary>
##	Read and write inherited rhsmcertd lock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhsmcertd_rw_inherited_lock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_rw_inherited_lock_files'($*)) dnl
	gen_require(`
		type rhsmcertd_lock_t;
	')

	# inherited perms only: no open, so the caller cannot reach the file by path
	files_search_locks($1)
	allow $1 rhsmcertd_lock_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_rw_inherited_lock_files'($*)) dnl
')

########################################
## <summary>
##	Read and write rhsmcertd lock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhsmcertd_rw_lock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_rw_lock_files'($*)) dnl
	gen_require(`
		type rhsmcertd_lock_t;
	')

	files_search_locks($1)
	allow $1 rhsmcertd_lock_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_rw_lock_files'($*)) dnl
')

########################################
## <summary>
##	Connect to rhsmcertd over a unix domain
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhsmcertd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_stream_connect'($*)) dnl
	gen_require(`
		type rhsmcertd_t, rhsmcertd_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t, rhsmcertd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	rhsmcertd over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rhsmcertd_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_dbus_chat'($*)) dnl
	gen_require(`
		type rhsmcertd_t;
		class dbus send_msg;
	')

	# both directions: caller -> rhsmcertd_t and rhsmcertd_t -> caller
	allow $1 rhsmcertd_t:dbus send_msg;
	allow rhsmcertd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	messages from rhsmcertd over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`rhsmcertd_dontaudit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_dontaudit_dbus_chat'($*)) dnl
	gen_require(`
		type rhsmcertd_t;
		class dbus send_msg;
	')

	dontaudit $1 rhsmcertd_t:dbus send_msg;
	dontaudit rhsmcertd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_dontaudit_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	an rhsmcertd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`rhsmcertd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rhsmcertd_admin'($*)) dnl
	gen_require(`
		type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t;
		type rhsmcertd_var_lib_t, rhsmcertd_lock_t, rhsmcertd_var_run_t;
	')

	# process control; ptrace stays behind the deny_ptrace tunable
	allow $1 rhsmcertd_t:process signal_perms;
	ps_process_pattern($1, rhsmcertd_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 rhsmcertd_t:process ptrace;
	')

	# init script execution and the role transition into system_r
	rhsmcertd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 rhsmcertd_initrc_exec_t system_r;
	allow $2 system_r;

	# full control over the rhsmcertd file types
	logging_search_logs($1)
	admin_pattern($1, rhsmcertd_log_t)

	files_search_var_lib($1)
	admin_pattern($1, rhsmcertd_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, rhsmcertd_var_run_t)

	files_search_locks($1)
	admin_pattern($1, rhsmcertd_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rhsmcertd_admin'($*)) dnl
')

## <summary>Ricci cluster management agent</summary>

########################################
## <summary>
##	Execute a domain transition to run ricci.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ricci_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_domtrans'($*)) dnl
	gen_require(`
		type ricci_t, ricci_exec_t;
	')

	domtrans_pattern($1, ricci_exec_t, ricci_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute ricci server in the ricci domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ricci_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_initrc_domtrans'($*)) dnl
	gen_require(`
		type ricci_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, ricci_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run ricci_modcluster.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ricci_domtrans_modcluster',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_domtrans_modcluster'($*)) dnl
	gen_require(`
		type ricci_modcluster_t, ricci_modcluster_exec_t;
	')

	domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_domtrans_modcluster'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to use
##	ricci_modcluster file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`ricci_dontaudit_use_modcluster_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_dontaudit_use_modcluster_fds'($*)) dnl
	gen_require(`
		type ricci_modcluster_t;
	')

	dontaudit $1 ricci_modcluster_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_dontaudit_use_modcluster_fds'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	ricci_modcluster unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`ricci_dontaudit_rw_modcluster_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_dontaudit_rw_modcluster_pipes'($*)) dnl
	gen_require(`
		type ricci_modcluster_t;
	')

	dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_dontaudit_rw_modcluster_pipes'($*)) dnl
')

########################################
## <summary>
##	Connect to ricci_modclusterd over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ricci_stream_connect_modclusterd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_stream_connect_modclusterd'($*)) dnl
	gen_require(`
		type ricci_modclusterd_t, ricci_modcluster_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, ricci_modcluster_var_run_t, ricci_modcluster_var_run_t, ricci_modclusterd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_stream_connect_modclusterd'($*)) dnl
')

########################################
## <summary>
##	Read and write ricci_modclusterd tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ricci_rw_modclusterd_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_rw_modclusterd_tmpfs_files'($*)) dnl
	gen_require(`
		type ricci_modclusterd_tmpfs_t;
	')

	fs_search_tmpfs($1)
	allow $1 ricci_modclusterd_tmpfs_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_rw_modclusterd_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run ricci_modlog.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ricci_domtrans_modlog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_domtrans_modlog'($*)) dnl
	gen_require(`
		type ricci_modlog_t, ricci_modlog_exec_t;
	')

	domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_domtrans_modlog'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run ricci_modrpm.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ricci_domtrans_modrpm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_domtrans_modrpm'($*)) dnl
	gen_require(`
		type ricci_modrpm_t, ricci_modrpm_exec_t;
	')

	domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_domtrans_modrpm'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run ricci_modservice.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ricci_domtrans_modservice',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_domtrans_modservice'($*)) dnl
	gen_require(`
		type ricci_modservice_t, ricci_modservice_exec_t;
	')

	domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_domtrans_modservice'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run ricci_modstorage.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ricci_domtrans_modstorage',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_domtrans_modstorage'($*)) dnl
	gen_require(`
		type ricci_modstorage_t, ricci_modstorage_exec_t;
	')

	domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_domtrans_modstorage'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to manage ricci lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ricci_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_manage_lib_files'($*)) dnl
	gen_require(`
		type ricci_var_lib_t;
	')

	# directories as well as files, despite the interface name
	files_search_var_lib($1)
	manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
	manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a ricci environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`ricci_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ricci_admin'($*)) dnl
	gen_require(`
		type ricci_t, ricci_initrc_exec_t, ricci_tmp_t;
		type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
	')

	# process control; ptrace stays behind the deny_ptrace tunable
	allow $1 ricci_t:process signal_perms;
	ps_process_pattern($1, ricci_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 ricci_t:process ptrace;
	')

	# init script execution and the role transition into system_r
	ricci_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 ricci_initrc_exec_t system_r;
	allow $2 system_r;

	# full control over the ricci file types
	files_list_tmp($1)
	admin_pattern($1, ricci_tmp_t)

	files_list_var_lib($1)
	admin_pattern($1, ricci_var_lib_t)

	logging_list_logs($1)
	admin_pattern($1, ricci_var_log_t)

	files_list_pids($1)
	admin_pattern($1, ricci_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ricci_admin'($*)) dnl
')

## <summary>policy for rkhunter</summary>

########################################
## <summary>
##	Append rkhunter lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rkhunter_append_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rkhunter_append_lib_files'($*)) dnl
	gen_require(`
		type rkhunter_var_lib_t;
	')

	files_search_var_lib($1)
	append_files_pattern($1, rkhunter_var_lib_t, rkhunter_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rkhunter_append_lib_files'($*)) dnl
')

########################################
## <summary>
##	Manage rkhunter lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rkhunter_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rkhunter_manage_lib_files'($*)) dnl
	gen_require(`
		type rkhunter_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, rkhunter_var_lib_t, rkhunter_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rkhunter_manage_lib_files'($*)) dnl
')

## <summary>CLI for running app containers</summary>

########################################
## <summary>
##	Execute rkt_exec_t in the rkt domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`rkt_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rkt_domtrans'($*)) dnl
	gen_require(`
		type rkt_t, rkt_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, rkt_exec_t, rkt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rkt_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute rkt in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rkt_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rkt_exec'($*)) dnl
	gen_require(`
		type rkt_exec_t;
	')

	# no domain transition: rkt runs with the privileges of the caller
	corecmd_search_bin($1)
	can_exec($1, rkt_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rkt_exec'($*)) dnl
')

########################################
## <summary>
##	Search rkt lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rkt_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rkt_search_lib'($*)) dnl
	gen_require(`
		type rkt_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 rkt_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rkt_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read rkt lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
#
define(`rkt_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rkt_read_lib_files'($*)) dnl
	gen_require(`
		type rkt_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, rkt_var_lib_t, rkt_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rkt_read_lib_files'($*)) dnl
')

########################################
## Manage rkt lib files.
##   arg1: Domain allowed access.
#
define(`rkt_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rkt_manage_lib_files'($*)) dnl
	gen_require(`
		type rkt_var_lib_t;
	')

	# files only; directory management is a separate interface
	files_search_var_lib($1)
	manage_files_pattern($1, rkt_var_lib_t, rkt_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rkt_manage_lib_files'($*)) dnl
')

########################################
## Manage rkt lib directories.
##   arg1: Domain allowed access.
#
define(`rkt_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rkt_manage_lib_dirs'($*)) dnl
	gen_require(`
		type rkt_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, rkt_var_lib_t, rkt_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rkt_manage_lib_dirs'($*)) dnl
')

########################################
## Execute rkt server in the rkt domain.
##   arg1: Domain allowed to transition.
#
define(`rkt_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rkt_systemctl'($*)) dnl
	gen_require(`
		type rkt_t;
		type rkt_unit_file_t;
	')

	# run systemctl and manage the rkt unit (start, stop, enable and similar)
	systemd_exec_systemctl($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 rkt_unit_file_t:file read_file_perms;
	allow $1 rkt_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, rkt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rkt_systemctl'($*)) dnl
')

########################################
## All of the rules required to administrate
## an rkt environment
##   arg1: Domain allowed access.
#
define(`rkt_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rkt_admin'($*)) dnl
	gen_require(`
		type rkt_t;
		type rkt_var_lib_t;
		type rkt_unit_file_t;
	')

	allow $1 rkt_t:process { signal_perms };
	ps_process_pattern($1, rkt_t)

	# ptrace of the daemon is granted only while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 rkt_t:process ptrace;
	')

	files_search_var_lib($1)
	admin_pattern($1, rkt_var_lib_t)

	# all_service_perms widens the manage_service_perms granted by rkt_systemctl
	rkt_systemctl($1)
	admin_pattern($1, rkt_unit_file_t)
	allow $1 rkt_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rkt_admin'($*)) dnl
')

## Remote login daemon.

########################################
## Execute rlogind in the rlogin domain.
##   arg1: Domain allowed to transition.
#
define(`rlogin_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rlogin_domtrans'($*)) dnl
	gen_require(`
		type rlogind_t, rlogind_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, rlogind_exec_t, rlogind_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rlogin_domtrans'($*)) dnl
')

########################################
## Read rlogin user home content.
##   arg1: Domain allowed access.
#
define(`rlogin_read_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rlogin_read_home_content'($*)) dnl
	gen_require(`
		type rlogind_home_t;
	')

	# read-only access to rlogind-labeled content inside user home directories
	userdom_search_user_home_dirs($1)
	list_dirs_pattern($1, rlogind_home_t, rlogind_home_t)
	read_files_pattern($1, rlogind_home_t, rlogind_home_t)
	read_lnk_files_pattern($1, rlogind_home_t, rlogind_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rlogin_read_home_content'($*)) dnl
')

########################################
## Create, read, write, and delete
## rlogind home files.
##   arg1: Domain allowed access.
#
define(`rlogin_manage_rlogind_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rlogin_manage_rlogind_home_files'($*)) dnl
	gen_require(`
		type rlogind_home_t;
	')

	# file class only; no directory or symlink management is granted here
	userdom_search_user_home_dirs($1)
	allow $1 rlogind_home_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rlogin_manage_rlogind_home_files'($*)) dnl
')

########################################
## Relabel rlogind home files.
##   arg1: Domain allowed access.
#
define(`rlogin_relabel_rlogind_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rlogin_relabel_rlogind_home_files'($*)) dnl
	gen_require(`
		type rlogind_home_t;
	')

	userdom_search_user_home_dirs($1)
	allow $1 rlogind_home_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rlogin_relabel_rlogind_home_files'($*)) dnl
')

########################################
## Create objects in user home
## directories with the rlogind home type.
##   arg1: Domain allowed access.
##   arg2: Class of the object being created.
##   arg3: The name of the object being created.
#
define(`rlogin_home_filetrans_logind_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rlogin_home_filetrans_logind_home'($*)) dnl
	gen_require(`
		type rlogind_home_t;
	')

	# arg2 is the object class and arg3 the optional file name of the transition
	userdom_user_home_dir_filetrans($1, rlogind_home_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rlogin_home_filetrans_logind_home'($*)) dnl
')

########################################
## Create, read, write, and delete
## rlogind temporary content.
##   arg1: Domain allowed access.
#
define(`rlogin_manage_rlogind_tmp_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rlogin_manage_rlogind_tmp_content'($*)) dnl
	gen_require(`
		type rlogind_tmp_t;
	')

	files_search_tmp($1)
	allow $1 rlogind_tmp_t:dir manage_dir_perms;
	allow $1 rlogind_tmp_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rlogin_manage_rlogind_tmp_content'($*)) dnl
')

########################################
## Relabel rlogind temporary content.
##   arg1: Domain allowed access.
#
define(`rlogin_relabel_rlogind_tmp_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rlogin_relabel_rlogind_tmp_content'($*)) dnl
	gen_require(`
		type rlogind_tmp_t;
	')

	files_search_tmp($1)
	allow $1 rlogind_tmp_t:dir relabel_dir_perms;
	allow $1 rlogind_tmp_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rlogin_relabel_rlogind_tmp_content'($*)) dnl
')

## Check and feed random data from hardware device to kernel random device.

########################################
## Execute rngd in the rngd domain.
##   arg1: Domain allowed to transition.
#
define(`rng_systemctl_rngd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rng_systemctl_rngd'($*)) dnl
	gen_require(`
		type rngd_t, rngd_unit_file_t;
	')

	# run systemctl, reload units and manage the rngd service unit
	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 rngd_unit_file_t:file read_file_perms;
	allow $1 rngd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, rngd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rng_systemctl_rngd'($*)) dnl
')

########################################
## All of the rules required to
## administrate an rng environment.
##   arg1: Domain allowed access.
##   arg2: Role allowed access.
#
define(`rng_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rng_admin'($*)) dnl
	gen_require(`
		type rngd_t, rngd_initrc_exec_t, rngd_var_run_t, rngd_unit_file_t;
	')

	allow $1 rngd_t:process signal_perms;
	ps_process_pattern($1, rngd_t)

	# ptrace of the daemon is granted only while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 rngd_t:process ptrace;
	')

	# run the init script; the admin role is allowed into system_r for it
	init_labeled_script_domtrans($1, rngd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 rngd_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_pids($1)
	admin_pattern($1, rngd_var_run_t)

	# all_service_perms widens the manage_service_perms granted by rng_systemctl_rngd
	rng_systemctl_rngd($1)
	admin_pattern($1, rngd_unit_file_t)
	allow $1 rngd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rng_admin'($*)) dnl
')

## Daemon for Linux systems providing a stable D-BUS interface to manage the deployment of Server Roles.

########################################
## Execute rolekit in the rolekit domain.
##   arg1: Domain allowed to transition.
#
define(`rolekit_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rolekit_domtrans'($*)) dnl
	gen_require(`
		type rolekit_t, rolekit_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, rolekit_exec_t, rolekit_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rolekit_domtrans'($*)) dnl
')

########################################
## Execute rolekit server in the rolekit domain.
##   arg1: Domain allowed to transition.
#
define(`rolekit_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rolekit_systemctl'($*)) dnl
	gen_require(`
		type rolekit_t;
		type rolekit_unit_file_t;
	')

	# run systemctl, reload units and manage the rolekit service unit
	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 rolekit_unit_file_t:file read_file_perms;
	allow $1 rolekit_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, rolekit_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rolekit_systemctl'($*)) dnl
')

########################################
## Manage rolekit kernel keyrings.
##   arg1: Domain allowed access.
#
define(`rolekit_manage_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rolekit_manage_keys'($*)) dnl
	gen_require(`
		type rolekit_t;
	')

	# bidirectional: rolekit_t also gets manage rights on the keyrings of the caller
	allow $1 rolekit_t:key manage_key_perms;
	allow rolekit_t $1:key manage_key_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rolekit_manage_keys'($*)) dnl
')

########################################
## Send and receive messages from
## rolekit over dbus.
##   arg1: Domain allowed access.
#
define(`rolekit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rolekit_dbus_chat'($*)) dnl
	gen_require(`
		type rolekit_t;
		class dbus send_msg;
	')

	# note the direction: rolekit_t may read the process state of the caller
	ps_process_pattern(rolekit_t, $1)

	allow $1 rolekit_t:dbus send_msg;
	allow rolekit_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rolekit_dbus_chat'($*)) dnl
')

########################################
## All of the rules required to administrate
## an rolekit environment
##   arg1: Domain allowed access.
#
define(`rolekit_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rolekit_admin'($*)) dnl
	gen_require(`
		type rolekit_t;
		type rolekit_unit_file_t;
	')

	allow $1 rolekit_t:process { signal_perms };
	ps_process_pattern($1, rolekit_t)

	# ptrace of the daemon is granted only while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 rolekit_t:process ptrace;
	')

	# all_service_perms widens the manage_service_perms granted by rolekit_systemctl
	rolekit_systemctl($1)
	admin_pattern($1, rolekit_unit_file_t)
	allow $1 rolekit_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rolekit_admin'($*)) dnl
')

########################################
## Send to rolekit with a unix dgram socket.
##   arg1: Domain allowed access.
#
define(`rolekit_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rolekit_dgram_send'($*)) dnl
	gen_require(`
		type rolekit_t;
	')

	allow $1 rolekit_t:unix_dgram_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rolekit_dgram_send'($*)) dnl
')

## Roundup Issue Tracking System.

########################################
## All of the rules required to
## administrate an roundup environment.
##   arg1: Domain allowed access.
##   arg2: Role allowed access.
#
define(`roundup_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `roundup_admin'($*)) dnl
	gen_require(`
		type roundup_t, roundup_var_lib_t, roundup_var_run_t;
		type roundup_initrc_exec_t;
	')

	allow $1 roundup_t:process signal_perms;
	ps_process_pattern($1, roundup_t)

	# ptrace of the daemon is granted only while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 roundup_t:process ptrace;
	')

	# run the init script; the admin role is allowed into system_r for it
	init_labeled_script_domtrans($1, roundup_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 roundup_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_var_lib($1)
	admin_pattern($1, roundup_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, roundup_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `roundup_admin'($*)) dnl
')

## Remote Procedure Call Daemon for management of network based process communication

########################################
## RPC stub interface. No access allowed.
##   arg1: Domain allowed access.
#
define(`rpc_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_stub'($*)) dnl
	gen_require(`
		type exports_t;
	')

	# intentionally empty: only pulls the type into the module requirements
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_stub'($*)) dnl
')

########################################
## The template to define a rpc domain.
##
## This template creates a domain to be used for
## a new rpc daemon.
##
##   arg1: The type of daemon to be used.
#
define(`rpc_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_domain_template'($*)) dnl
	gen_require(`
		attribute rpc_domain;
	')

	########################################
	#
	# Declarations
	#

	# the new daemon domain carries the rpc_domain attribute and so
	# receives every rule written against that attribute (see rpc_admin)
	type $1_t, rpc_domain;
	type $1_exec_t;
	init_daemon_domain($1_t, $1_exec_t)
	domain_use_interactive_fds($1_t)

	####################################
	#
	# Local Policy
	#

	kernel_read_system_state($1_t)

	# the daemon accepts packets without a network label as well as netlabel ones
	corenet_all_recvfrom_unlabeled($1_t)
	corenet_all_recvfrom_netlabel($1_t)

	auth_use_nsswitch($1_t)

	logging_send_syslog_msg($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_domain_template'($*)) dnl
')

########################################
## Send UDP network traffic to rpc and receive UDP traffic from rpc. (Deprecated)
##   arg1: Domain allowed access.
#
define(`rpc_udp_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_udp_send'($*)) dnl
	# grants nothing; only emits a deprecation warning at build time
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_udp_send'($*)) dnl
')

########################################
## Do not audit attempts to get the attributes
## of the NFS export file.
##   arg1: Domain to not audit.
#
define(`rpc_dontaudit_getattr_exports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_dontaudit_getattr_exports'($*)) dnl
	gen_require(`
		type exports_t;
	')

	# silences the AVC denial only; access is still denied
	dontaudit $1 exports_t:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_dontaudit_getattr_exports'($*)) dnl
')

########################################
## Allow read access to exports.
##   arg1: Domain allowed access.
#
define(`rpc_read_exports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_read_exports'($*)) dnl
	gen_require(`
		type exports_t;
	')

	allow $1 exports_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_read_exports'($*)) dnl
')

########################################
## Allow write access to exports.
##   arg1: Domain allowed access.
#
define(`rpc_write_exports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_write_exports'($*)) dnl
	gen_require(`
		type exports_t;
	')

	# writing the exports file changes what is shared over NFS; grant sparingly
	allow $1 exports_t:file write_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_write_exports'($*)) dnl
')

########################################
## Manage nfs file exports
##   arg1: Domain allowed access.
#
define(`rpc_manage_exports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_manage_exports'($*)) dnl
	gen_require(`
		type exports_t;
	')

	manage_files_pattern($1, exports_t, exports_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_manage_exports'($*)) dnl
')

########################################
## Execute domain in nfsd domain.
##   arg1: Domain allowed to transition.
#
define(`rpc_domtrans_nfsd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_domtrans_nfsd'($*)) dnl
	gen_require(`
		type nfsd_t, nfsd_exec_t;
	')

	domtrans_pattern($1, nfsd_exec_t, nfsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_domtrans_nfsd'($*)) dnl
')

########################################
## Execute the nfsd init script with a
## labeled script domain transition.
##   arg1: Domain allowed to transition.
#
define(`rpc_initrc_domtrans_nfsd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_initrc_domtrans_nfsd'($*)) dnl
	gen_require(`
		type nfsd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, nfsd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_initrc_domtrans_nfsd'($*)) dnl
')

########################################
## Execute nfsd server in the nfsd domain.
##   arg1: Domain allowed to transition.
#
define(`rpc_systemctl_nfsd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_systemctl_nfsd'($*)) dnl
	gen_require(`
		type nfsd_unit_file_t;
		type nfsd_t;
	')

	# run systemctl, reload units and manage the nfsd service unit
	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 nfsd_unit_file_t:file read_file_perms;
	allow $1 nfsd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, nfsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_systemctl_nfsd'($*)) dnl
')

########################################
## Send kill signals to rpcd.
##   arg1: Domain allowed access.
#
define(`rpc_kill_rpcd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_kill_rpcd'($*)) dnl
	gen_require(`
		type rpcd_t;
	')

	# SIGKILL only; other signals need signal_perms from an admin interface
	allow $1 rpcd_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_kill_rpcd'($*)) dnl
')

########################################
## Execute domain in rpcd domain.
##   arg1: Domain allowed to transition.
#
define(`rpc_domtrans_rpcd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_domtrans_rpcd'($*)) dnl
	gen_require(`
		type rpcd_t, rpcd_exec_t;
	')

	domtrans_pattern($1, rpcd_exec_t, rpcd_t)

	# reverse direction: the rpcd domain may send signals back to the caller
	allow rpcd_t $1:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_domtrans_rpcd'($*)) dnl
')

########################################
## Execute rpcd in the rpcd domain, and
## allow the specified role the rpcd domain.
##   arg1: Domain allowed to transition.
##   arg2: Role allowed access.
#
define(`rpc_run_rpcd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_run_rpcd'($*)) dnl
	gen_require(`
		type rpcd_t;
	')

	rpc_domtrans_rpcd($1)
	role $2 types rpcd_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_run_rpcd'($*)) dnl
')

########################################
## Execute the rpcd init script with a
## labeled script domain transition.
##   arg1: Domain allowed to transition.
#
define(`rpc_initrc_domtrans_rpcd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_initrc_domtrans_rpcd'($*)) dnl
	gen_require(`
		type rpcd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_initrc_domtrans_rpcd'($*)) dnl
')

########################################
## Execute rpcd server in the rpcd domain.
##   arg1: Domain allowed to transition.
#
define(`rpc_systemctl_rpcd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_systemctl_rpcd'($*)) dnl
	gen_require(`
		type rpcd_unit_file_t;
		type rpcd_t;
	')

	# run systemctl, reload units and manage the rpcd service unit
	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 rpcd_unit_file_t:file read_file_perms;
	allow $1 rpcd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, rpcd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_systemctl_rpcd'($*)) dnl
')

########################################
## Allow domain to read and write to an NFS UDP socket.
##   arg1: Domain allowed access.
#
define(`rpc_udp_rw_nfs_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_udp_rw_nfs_sockets'($*)) dnl
	gen_require(`
		type nfsd_t;
	')

	# socket owned by nfsd_t, typically reached through an inherited descriptor
	allow $1 nfsd_t:udp_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_udp_rw_nfs_sockets'($*)) dnl
')

########################################
## Send UDP traffic to NFSd. (Deprecated)
##   arg1: Domain allowed access.
#
define(`rpc_udp_send_nfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_udp_send_nfs'($*)) dnl
	# grants nothing; only emits a deprecation warning at build time
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_udp_send_nfs'($*)) dnl
')

########################################
## Search NFS state data in /var/lib/nfs.
##   arg1: Domain allowed access.
#
define(`rpc_search_nfs_state_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_search_nfs_state_data'($*)) dnl
	gen_require(`
		type var_lib_nfs_t;
	')

	files_search_var_lib($1)
	allow $1 var_lib_nfs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_search_nfs_state_data'($*)) dnl
')

########################################
## List NFS state data in /var/lib/nfs.
##   arg1: Domain allowed access.
#
define(`rpc_list_nfs_state_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_list_nfs_state_data'($*)) dnl
	gen_require(`
		type var_lib_nfs_t;
	')

	files_search_var_lib($1)
	allow $1 var_lib_nfs_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_list_nfs_state_data'($*)) dnl
')

########################################
## Manage NFS state data directories in /var/lib/nfs.
##   arg1: Domain allowed access.
#
define(`rpc_manage_nfs_state_data_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_manage_nfs_state_data_dir'($*)) dnl
	gen_require(`
		type var_lib_nfs_t;
	')

	# dir class only; files are covered by rpc_manage_nfs_state_data
	files_search_var_lib($1)
	allow $1 var_lib_nfs_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_manage_nfs_state_data_dir'($*)) dnl
')

########################################
## Read NFS state data in /var/lib/nfs.
##   arg1: Domain allowed access.
#
define(`rpc_read_nfs_state_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_read_nfs_state_data'($*)) dnl
	gen_require(`
		type var_lib_nfs_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
	read_lnk_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_read_nfs_state_data'($*)) dnl
')

########################################
## Manage NFS state data in /var/lib/nfs.
##   arg1: Domain allowed access.
#
define(`rpc_manage_nfs_state_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_manage_nfs_state_data'($*)) dnl
	gen_require(`
		type var_lib_nfs_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)

	# relabeling of the state files is included in the manage grant here
	allow $1 var_lib_nfs_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_manage_nfs_state_data'($*)) dnl
')

########################################
## Execute domain in gssd domain.
##   arg1: Domain allowed to transition.
#
define(`rpc_domtrans_gssd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_domtrans_gssd'($*)) dnl
	gen_require(`
		type gssd_t, gssd_exec_t;
	')

	domtrans_pattern($1, gssd_exec_t, gssd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_domtrans_gssd'($*)) dnl
')

########################################
## Read, search, view, set attributes on and
## write gssd kernel keys.
##   arg1: Domain allowed access.
#
define(`rpc_rw_gssd_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_rw_gssd_keys'($*)) dnl
	gen_require(`
		type gssd_t;
	')

	# explicit permission list rather than manage_key_perms: no create or link
	allow $1 gssd_t:key { read search setattr view write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_rw_gssd_keys'($*)) dnl
')

########################################
## Create the nfs symlink in /var/lib with
## the var_lib_nfs_t type.
##   arg1: Domain allowed access.
#
define(`rpc_filetrans_var_lib_nfs_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_filetrans_var_lib_nfs_content'($*)) dnl
	gen_require(`
		type var_lib_nfs_t;
	')

	# named transition: only a lnk_file literally called nfs gets the label
	files_var_lib_filetrans($1, var_lib_nfs_t, lnk_file, "nfs")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_filetrans_var_lib_nfs_content'($*)) dnl
')

########################################
## All of the rules required to
## administrate an rpc environment.
##   arg1: Domain allowed access.
##   arg2: Role allowed access.
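#
define(`rpc_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_admin'($*)) dnl
	gen_require(`
		attribute rpc_domain;
		type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
		type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
		type nfsd_rw_t, gssd_keytab_t;
	')

	# applies to every domain carrying the rpc_domain attribute
	allow $1 rpc_domain:process signal_perms;
	ps_process_pattern($1, rpc_domain)

	# ptrace is gated on the deny_ptrace boolean, consistent with the other
	# admin interfaces in this file (previously granted unconditionally here)
	tunable_policy(`deny_ptrace',`',`
		allow $1 rpc_domain:process ptrace;
	')

	# run the nfsd and rpcd init scripts; the admin role is allowed into system_r
	init_labeled_script_domtrans($1, { nfsd_initrc_exec_t rpcd_initrc_exec_t })
	domain_system_change_exemption($1)
	role_transition $2 { nfsd_initrc_exec_t rpcd_initrc_exec_t } system_r;
	allow $2 system_r;

	# exports and the gssd keytab: both control what is shared and who may auth
	files_list_etc($1)
	admin_pattern($1, { gssd_keytab_t exports_t })

	files_list_var_lib($1)
	admin_pattern($1, var_lib_nfs_t)

	files_list_pids($1)
	admin_pattern($1, rpcd_var_run_t)

	files_list_all($1)
	admin_pattern($1, nfsd_rw_t)

	files_list_tmp($1)
	admin_pattern($1, gssd_tmp_t)

	fs_search_nfsd_fs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_admin'($*)) dnl
')

########################################
## Read gssd process state files.
##   arg1: Domain allowed access.
#
define(`rpc_read_gssd_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_read_gssd_state'($*)) dnl
	gen_require(`
		type gssd_t;
	')

	ps_process_pattern($1, gssd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_read_gssd_state'($*)) dnl
')

########################################
## Transition to gssd without the AT_SECURE
## flag and with inherited resource limits.
##   arg1: Domain allowed access.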
#
define(`rpc_gssd_noatsecure',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_gssd_noatsecure'($*)) dnl
	gen_require(`
		type gssd_t;
	')

	# noatsecure disables the secure-exec environment scrubbing on the
	# transition into gssd_t; rlimitinh lets gssd keep the caller rlimits
	allow $1 gssd_t:process { noatsecure rlimitinh };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_gssd_noatsecure'($*)) dnl
')

########################################
## Send and receive messages from
## ganesha over dbus.
##   arg1: Domain allowed access.
#
define(`rpc_dbus_chat_nfsd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpc_dbus_chat_nfsd'($*)) dnl
	gen_require(`
		type nfsd_t;
		class dbus send_msg;
	')

	allow $1 nfsd_t:dbus send_msg;
	allow nfsd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpc_dbus_chat_nfsd'($*)) dnl
')

## Universal Addresses to RPC Program Number Mapper

########################################
## Execute a domain transition to run rpcbind.
##   arg1: Domain allowed to transition.
#
define(`rpcbind_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpcbind_domtrans'($*)) dnl
	gen_require(`
		type rpcbind_t, rpcbind_exec_t;
	')

	domtrans_pattern($1, rpcbind_exec_t, rpcbind_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpcbind_domtrans'($*)) dnl
')

########################################
## Connect to rpcbind over a unix stream socket.
##   arg1: Domain allowed access.
#
define(`rpcbind_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpcbind_stream_connect'($*)) dnl
	gen_require(`
		type rpcbind_t, rpcbind_var_run_t;
	')

	# the socket file lives under the pid directory with the var_run type
	files_search_pids($1)
	stream_connect_pattern($1, rpcbind_var_run_t, rpcbind_var_run_t, rpcbind_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpcbind_stream_connect'($*)) dnl
')

########################################
## Read rpcbind PID files.
##   arg1: Domain allowed access.
#
define(`rpcbind_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpcbind_read_pid_files'($*)) dnl
	gen_require(`
		type rpcbind_var_run_t;
	')

	files_search_pids($1)
	allow $1 rpcbind_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpcbind_read_pid_files'($*)) dnl
')

########################################
## Search rpcbind lib directories.
##   arg1: Domain allowed access.
#
define(`rpcbind_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpcbind_search_lib'($*)) dnl
	gen_require(`
		type rpcbind_var_lib_t;
	')

	allow $1 rpcbind_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpcbind_search_lib'($*)) dnl
')

########################################
## Read rpcbind lib files.
##   arg1: Domain allowed access.
#
define(`rpcbind_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpcbind_read_lib_files'($*)) dnl
	gen_require(`
		type rpcbind_var_lib_t;
	')

	read_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpcbind_read_lib_files'($*)) dnl
')

########################################
## Create, read, write, and delete
## rpcbind lib files.
##   arg1: Domain allowed access.
#
define(`rpcbind_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpcbind_manage_lib_files'($*)) dnl
	gen_require(`
		type rpcbind_var_lib_t;
	')

	manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpcbind_manage_lib_files'($*)) dnl
')

########################################
## Send a null signal to rpcbind.
##   arg1: Domain allowed access.
#
define(`rpcbind_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpcbind_signull'($*)) dnl
	gen_require(`
		type rpcbind_t;
	')

	# signal 0 only: lets the caller test whether rpcbind is alive
	allow $1 rpcbind_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpcbind_signull'($*)) dnl
')

########################################
## Transition to rpcbind named content
##   arg1: Domain allowed access.
##
#
define(`rpcbind_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpcbind_filetrans_named_content'($*)) dnl
	gen_require(`
		type rpcbind_var_run_t;
	')

	# only the socket named rpcbind.sock is transitioned; other names keep the default pid label
	files_pid_filetrans($1, rpcbind_var_run_t, sock_file, "rpcbind.sock")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpcbind_filetrans_named_content'($*)) dnl
')

########################################
## Relabel from rpcbind sock file.
## param domain: Domain allowed access.
#
define(`rpcbind_relabel_sock_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpcbind_relabel_sock_file'($*)) dnl
	gen_require(`
		type rpcbind_var_run_t;
	')

	allow $1 rpcbind_var_run_t:sock_file relabel_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpcbind_relabel_sock_file'($*)) dnl
')

########################################
## All of the rules required to administrate
## an rpcbind environment
## param domain: Domain allowed access.
## param role: The role to be allowed to manage the rpcbind domain.
#
define(`rpcbind_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpcbind_admin'($*)) dnl
	gen_require(`
		type rpcbind_t, rpcbind_var_lib_t, rpcbind_var_run_t;
		type rpcbind_initrc_exec_t;
	')

	allow $1 rpcbind_t:process signal_perms;
	ps_process_pattern($1, rpcbind_t)

	# ptrace is only granted while the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 rpcbind_t:process ptrace;
	')

	# the admin may run the init script and is exempt from system change checks
	init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 rpcbind_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_var_lib($1)
	admin_pattern($1, rpcbind_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, rpcbind_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpcbind_admin'($*)) dnl
')

## Policy for the RPM package manager.
########################################
## Execute rpm programs in the rpm domain.
## param domain: Domain allowed to transition.
#
define(`rpm_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_domtrans'($*)) dnl
	gen_require(`
		type rpm_t, rpm_exec_t;
		attribute rpm_transition_domain;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, rpm_exec_t, rpm_t)
	# NOTE(review): the caller is also added to rpm_transition_domain and
	# granted the debuginfo transition below, so this interface hands out
	# more than the summary states; callers should be trusted domains.
	typeattribute $1 rpm_transition_domain;
	rpm_debuginfo_domtrans($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_domtrans'($*)) dnl
')

########################################
## Execute debuginfo_install programs in the rpm domain.
## param domain: Domain allowed to transition.
#
define(`rpm_debuginfo_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_debuginfo_domtrans'($*)) dnl
	gen_require(`
		type rpm_t, debuginfo_exec_t;
	')

	corecmd_search_bin($1)
	# debuginfo_exec_t enters the full rpm_t domain, not a separate debuginfo domain
	domtrans_pattern($1, debuginfo_exec_t, rpm_t)
	read_lnk_files_pattern($1, debuginfo_exec_t, debuginfo_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_debuginfo_domtrans'($*)) dnl
')

########################################
## Execute rpm_script programs in the rpm_script domain.
## param domain: Domain allowed to transition.
#
define(`rpm_domtrans_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_domtrans_script'($*)) dnl
	gen_require(`
		type rpm_script_t;
	')

	# transition to rpm script:
	corecmd_shell_domtrans($1, rpm_script_t)
	allow rpm_script_t $1:fd use;
	# NOTE(review): rpm_transition_script uses rw_fifo_file_perms for the same
	# rule; rw_file_perms on a fifo_file is the non-idiomatic set - confirm.
	allow rpm_script_t $1:fifo_file rw_file_perms;
	allow rpm_script_t $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_domtrans_script'($*)) dnl
')

########################################
## Execute RPM programs in the RPM domain.
## param domain: Domain allowed to transition.
## param role: The role to allow the RPM domain.
#
define(`rpm_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_run'($*)) dnl
	gen_require(`
		type rpm_t, rpm_script_t;
		attribute_role rpm_script_roles;
	')

	rpm_domtrans($1)
	roleattribute $2 rpm_script_roles;
	# rpm changes system files, so the caller is exempted from system change checks
	domain_system_change_exemption($1)
	rpm_transition_script($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_run'($*)) dnl
')

########################################
## Execute the rpm client in the caller domain.
## param domain: Domain allowed access.
#
define(`rpm_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_exec'($*)) dnl
	gen_require(`
		type rpm_exec_t;
	')

	corecmd_search_bin($1)
	# no domain transition: rpm runs with the privileges of the caller
	can_exec($1, rpm_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_exec'($*)) dnl
')

########################################
## Execute rpmdb in the rpmdb domain.
## param domain: Domain allowed to transition.
#
define(`rpmdb_domtrans_rpmdb',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpmdb_domtrans_rpmdb'($*)) dnl
	gen_require(`
		type rpmdb_t, rpmdb_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, rpmdb_exec_t, rpmdb_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpmdb_domtrans_rpmdb'($*)) dnl
')

########################################
## Execute rpmdb in the rpmdb domain,
## and allow the specified role the rpmdb domain.
## param domain: Domain allowed to transition.
## param role: Role allowed access.
##
#
define(`rpmdb_run_rpmdb',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpmdb_run_rpmdb'($*)) dnl
	gen_require(`
		attribute_role rpmdb_roles;
	')

	rpmdb_domtrans_rpmdb($1)
	roleattribute $2 rpmdb_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpmdb_run_rpmdb'($*)) dnl
')

########################################
## Do not audit attempts to execute rpm.
## param domain: Domain to not audit.
#
define(`rpm_dontaudit_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_dontaudit_exec'($*)) dnl
	gen_require(`
		type rpm_exec_t;
	')

	# silences the denial only; execution is still refused
	dontaudit $1 rpm_exec_t:file exec_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_dontaudit_exec'($*)) dnl
')

########################################
## Send a null signal to rpm.
## param domain: Domain allowed access.
#
define(`rpm_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_signull'($*)) dnl
	gen_require(`
		type rpm_t;
	')

	allow $1 rpm_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_signull'($*)) dnl
')

########################################
## Send generic signals to rpm_script.
## param domain: Domain allowed access.
#
define(`rpm_script_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_script_signal'($*)) dnl
	gen_require(`
		type rpm_script_t;
	')

	# only the generic signal permission; sigkill, sigstop and sigchld are not included
	allow $1 rpm_script_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_script_signal'($*)) dnl
')

########################################
## Inherit and use file descriptors from RPM.
## param domain: Domain allowed access.
##
#
define(`rpm_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_use_fds'($*)) dnl
	gen_require(`
		type rpm_t;
	')

	allow $1 rpm_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_use_fds'($*)) dnl
')

########################################
## Read from an unnamed RPM pipe.
## param domain: Domain allowed access.
#
define(`rpm_read_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_read_pipes'($*)) dnl
	gen_require(`
		type rpm_t;
	')

	allow $1 rpm_t:fifo_file read_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_read_pipes'($*)) dnl
')

########################################
## Read and write an unnamed RPM pipe.
## param domain: Domain allowed access.
#
define(`rpm_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_rw_pipes'($*)) dnl
	gen_require(`
		type rpm_t;
	')

	allow $1 rpm_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_rw_pipes'($*)) dnl
')

########################################
## Read and write an inherited pipe labeled
## with the RPM script temporary type.
## param domain: Domain allowed access.
#
define(`rpm_rw_script_inherited_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_rw_script_inherited_pipes'($*)) dnl
	gen_require(`
		type rpm_script_tmp_t;
	')

	# inherited perms only: no open permission, the descriptor must be passed in
	allow $1 rpm_script_tmp_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_rw_script_inherited_pipes'($*)) dnl
')

########################################
## Do not audit reads and writes of file
## descriptors leaked from rpm and rpm_script.
## param domain: Domain to not audit.
##
#
define(`rpm_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_dontaudit_leaks'($*)) dnl
	gen_require(`
		type rpm_t, rpm_var_cache_t;
		type rpm_script_t, rpm_var_run_t, rpm_tmp_t;
		type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
	')

	# Every rule here is dontaudit: nothing is granted, the denials are
	# only hidden from the audit log. Inherited perms cover descriptors
	# left open across the transition out of rpm, not newly opened objects.
	dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms;
	dontaudit $1 rpm_t:tcp_socket { read write };
	dontaudit $1 rpm_t:unix_dgram_socket { read write };
	dontaudit $1 rpm_t:shm rw_shm_perms;
	dontaudit $1 rpm_script_t:fd use;
	dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
	dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms;
	dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms;
	# NOTE(review): rw_dir_perms on rpm_tmpfs_t is a full permission set,
	# unlike the inherited sets used everywhere else in this block - confirm.
	dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
	dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms;
	dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
	dontaudit $1 rpm_var_lib_t:dir getattr;
	dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
	dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_dontaudit_leaks'($*)) dnl
')

########################################
## Send and receive messages from
## rpm over dbus.
## param domain: Domain allowed access.
#
define(`rpm_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_dbus_chat'($*)) dnl
	gen_require(`
		type rpm_t;
		class dbus send_msg;
	')

	# bidirectional: both domains may send to each other
	allow $1 rpm_t:dbus send_msg;
	allow rpm_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_dbus_chat'($*)) dnl
')

########################################
## Do not audit attempts to send and
## receive messages from rpm over dbus.
## param domain: Domain to not audit.
##
#
define(`rpm_dontaudit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_dontaudit_dbus_chat'($*)) dnl
	gen_require(`
		type rpm_t;
		class dbus send_msg;
	')

	dontaudit $1 rpm_t:dbus send_msg;
	dontaudit rpm_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_dontaudit_dbus_chat'($*)) dnl
')

########################################
## Send and receive messages from
## rpm_script over dbus.
## param domain: Domain allowed access.
#
define(`rpm_script_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_script_dbus_chat'($*)) dnl
	gen_require(`
		type rpm_script_t;
		class dbus send_msg;
	')

	# bidirectional: both domains may send to each other
	allow $1 rpm_script_t:dbus send_msg;
	allow rpm_script_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_script_dbus_chat'($*)) dnl
')

########################################
## Search RPM log directory.
## param domain: Domain allowed access.
#
define(`rpm_search_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_search_log'($*)) dnl
	gen_require(`
		type rpm_log_t;
	')

	logging_search_logs($1)
	allow $1 rpm_log_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_search_log'($*)) dnl
')

#####################################
## Allow the specified domain to append
## to rpm log files.
## param domain: Domain allowed access.
##
#
define(`rpm_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_append_log'($*)) dnl
	gen_require(`
		type rpm_log_t;
	')

	# inherited append only: the log descriptor must already be open
	allow $1 rpm_log_t:file append_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_append_log'($*)) dnl
')

########################################
## Read the RPM log.
## param domain: Domain allowed access.
#
define(`rpm_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_read_log'($*)) dnl
	gen_require(`
		type rpm_log_t;
	')

	read_files_pattern($1, rpm_log_t, rpm_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_read_log'($*)) dnl
')

########################################
## Create, read, write, and delete the RPM log.
## param domain: Domain allowed access.
#
define(`rpm_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_manage_log'($*)) dnl
	gen_require(`
		type rpm_log_t;
	')

	# NOTE(review): this grants read/write on the generic log directories,
	# which is wider than the rpm_log_t type this interface is named for.
	logging_rw_generic_log_dirs($1)
	allow $1 rpm_log_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_manage_log'($*)) dnl
')

########################################
## Create rpm log, cache and lib content
## with the correct label.
## param domain: Domain allowed access.
##
#
define(`rpm_named_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_named_filetrans'($*)) dnl
	gen_require(`
		type rpm_log_t;
		type rpm_var_cache_t;
		type rpm_var_lib_t;
	')

	# name-based transitions only: these label new objects, they do not
	# by themselves grant create or write access to the parent directories
	logging_log_named_filetrans($1, rpm_log_t, file, "dnf.log")
	logging_log_named_filetrans($1, rpm_log_t, file, "dnf.librepo.log")
	logging_log_named_filetrans($1, rpm_log_t, file, "dnf.rpm.log")
	logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
	logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log")
	logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
	files_var_filetrans($1, rpm_var_cache_t, dir, "dnf")
	files_var_filetrans($1, rpm_var_cache_t, dir, "yum")
	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf")
	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum")
	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm")
	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpmrebuilddb")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_named_filetrans'($*)) dnl
')

########################################
## Create rpm hawkey logs with the correct label.
## param domain: Domain allowed access.
#
define(`rpm_hawkey_named_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_hawkey_named_filetrans'($*)) dnl
	gen_require(`
		type rpm_log_t;
	')

	# NOTE(review): unlike rpm_named_filetrans this also grants full manage
	# permissions on every rpm_log_t file, not just the hawkey.log transition.
	allow $1 rpm_log_t:file manage_file_perms;
	logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_hawkey_named_filetrans'($*)) dnl
')

########################################
## Inherit and use file descriptors from RPM scripts.
## param domain: Domain allowed access.
##
#
define(`rpm_use_script_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_use_script_fds'($*)) dnl
	gen_require(`
		type rpm_script_t;
	')

	allow $1 rpm_script_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_use_script_fds'($*)) dnl
')

########################################
## Create, read, write, and delete RPM
## script temporary files.
## param domain: Domain allowed access.
#
define(`rpm_manage_script_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_manage_script_tmp_files'($*)) dnl
	gen_require(`
		type rpm_script_tmp_t;
	')

	files_search_tmp($1)
	manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
	manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
	manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_manage_script_tmp_files'($*)) dnl
')

#####################################
## Allow the specified domain to append
## to rpm tmp files.
## param domain: Domain allowed access.
#
define(`rpm_append_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_append_tmp_files'($*)) dnl
	gen_require(`
		type rpm_tmp_t;
	')

	# inherited append only: no open permission on the tmp files
	allow $1 rpm_tmp_t:file append_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_append_tmp_files'($*)) dnl
')

########################################
## Create, read, write, and delete RPM
## temporary files.
## param domain: Domain allowed access.
##
#
define(`rpm_manage_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_manage_tmp_files'($*)) dnl
	gen_require(`
		type rpm_tmp_t;
	')

	files_search_tmp($1)
	manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)
	manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
	manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_manage_tmp_files'($*)) dnl
')

########################################
## Read rpm temporary files.
## param domain: Domain allowed access.
#
define(`rpm_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_read_tmp_files'($*)) dnl
	gen_require(`
		type rpm_tmp_t;
	')

	files_search_tmp($1)
	list_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)
	read_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_read_tmp_files'($*)) dnl
')

########################################
## Read RPM script temporary files.
## param domain: Domain allowed access.
#
define(`rpm_read_script_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_read_script_tmp_files'($*)) dnl
	gen_require(`
		type rpm_script_tmp_t;
	')

	files_search_tmp($1)
	# files and symlinks only; no list_dirs_pattern here, unlike rpm_read_tmp_files
	read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
	read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_read_script_tmp_files'($*)) dnl
')

########################################
## Read the RPM cache.
## param domain: Domain allowed access.
##
#
define(`rpm_read_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_read_cache'($*)) dnl
	gen_require(`
		type rpm_var_cache_t;
	')

	files_search_var($1)
	allow $1 rpm_var_cache_t:dir list_dir_perms;
	read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
	read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_read_cache'($*)) dnl
')

########################################
## Create, read, write, and delete the RPM cache.
## param domain: Domain allowed access.
#
define(`rpm_manage_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_manage_cache'($*)) dnl
	gen_require(`
		type rpm_var_cache_t;
	')

	# NOTE(review): rpm_read_cache searches var while this searches var_lib
	# for the same rpm_var_cache_t type - confirm which parent is intended.
	files_search_var_lib($1)
	manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
	manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
	manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_manage_cache'($*)) dnl
')

########################################
## Read the RPM package database.
## param domain: Domain allowed access.
#
define(`rpm_read_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_read_db'($*)) dnl
	gen_require(`
		type rpm_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 rpm_var_lib_t:dir list_dir_perms;
	read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
	read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
	# map is needed for mmap of the database files
	allow $1 rpm_var_lib_t:file map;
	# reading the database implies reading the cache as well
	rpm_read_cache($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_read_db'($*)) dnl
')

########################################
## Delete the RPM package database.
## param domain: Domain allowed access.
##
#
define(`rpm_delete_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_delete_db'($*)) dnl
	gen_require(`
		type rpm_var_lib_t;
	')

	files_search_var_lib($1)
	delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_delete_db'($*)) dnl
')

########################################
## Create, read, write, and delete the RPM package database.
## param domain: Domain allowed access.
#
define(`rpm_manage_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_manage_db'($*)) dnl
	gen_require(`
		type rpm_var_lib_t;
	')

	files_search_var_lib($1)
	# files and symlinks only; directories under rpm_var_lib_t are not managed here
	manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
	manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
	allow $1 rpm_var_lib_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_manage_db'($*)) dnl
')

########################################
## Do not audit attempts to read the RPM package database.
## param domain: Domain to not audit.
#
define(`rpm_dontaudit_read_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_dontaudit_read_db'($*)) dnl
	gen_require(`
		type rpm_var_lib_t;
	')

	dontaudit $1 rpm_var_lib_t:dir list_dir_perms;
	dontaudit $1 rpm_var_lib_t:file read_file_perms;
	dontaudit $1 rpm_var_lib_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_dontaudit_read_db'($*)) dnl
')

########################################
## Do not audit attempts to create, read,
## write, and delete the RPM package database.
## param domain: Domain to not audit.
##
#
define(`rpm_dontaudit_manage_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_dontaudit_manage_db'($*)) dnl
	gen_require(`
		type rpm_var_lib_t;
	')

	dontaudit $1 rpm_var_lib_t:dir manage_dir_perms;
	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
	dontaudit $1 rpm_var_lib_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_dontaudit_manage_db'($*)) dnl
')

#####################################
## Read rpm pid files.
## param domain: Domain allowed access.
#
define(`rpm_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_read_pid_files'($*)) dnl
	gen_require(`
		type rpm_var_run_t;
	')

	read_files_pattern($1, rpm_var_run_t, rpm_var_run_t)
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_read_pid_files'($*)) dnl
')

#####################################
## Create, read, write, and delete rpm pid files.
## param domain: Domain allowed access.
#
define(`rpm_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_manage_pid_files'($*)) dnl
	gen_require(`
		type rpm_var_run_t;
	')

	manage_files_pattern($1, rpm_var_run_t, rpm_var_run_t)
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_manage_pid_files'($*)) dnl
')

######################################
## Create files in /var/run with the rpm pid file type.
## param domain: Domain allowed access.
##
#
define(`rpm_pid_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_pid_filetrans'($*)) dnl
	gen_require(`
		type rpm_var_run_t;
	')

	# unnamed transition: any file the caller creates in the pid dir gets rpm_var_run_t
	files_pid_filetrans($1, rpm_var_run_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_pid_filetrans'($*)) dnl
')

########################################
## Read and write inherited pipes of every
## domain that may transition to rpm.
## param domain: Domain allowed access.
#
define(`rpm_inherited_fifo',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_inherited_fifo'($*)) dnl
	gen_require(`
		attribute rpm_transition_domain;
	')

	# NOTE(review): the target is an attribute, so this covers every domain
	# that rpm_domtrans or rpm_transition_script has ever been applied to.
	allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_inherited_fifo'($*)) dnl
')

########################################
## Make rpm_exec_t an entry point for
## the specified domain.
## param domain: Domain allowed access.
#
define(`rpm_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_entry_type'($*)) dnl
	gen_require(`
		type rpm_exec_t;
	')

	domain_entry_file($1, rpm_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_entry_type'($*)) dnl
')

########################################
## Allow application to transition to rpm_script domain.
## param domain: Domain allowed access.
## param role: Role allowed access.
##
#
define(`rpm_transition_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_transition_script'($*)) dnl
	gen_require(`
		type rpm_script_t;
		attribute rpm_transition_domain;
		attribute_role rpm_script_roles;
	')

	typeattribute $1 rpm_transition_domain;
	# a bare process transition: no entrypoint is tied to it here, so the
	# caller can reach rpm_script_t through any executable it may run
	allow $1 rpm_script_t:process transition;
	roleattribute $2 rpm_script_roles;

	allow $1 rpm_script_t:fd use;
	allow rpm_script_t $1:fd use;
	allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
	allow rpm_script_t $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_transition_script'($*)) dnl
')

#######################################
## All of the rules required to
## administrate an rpm environment.
## param domain: Domain allowed access.
## param role: Role allowed access.
#
define(`rpm_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rpm_admin'($*)) dnl
	gen_require(`
		type rpm_t, rpm_script_t, rpm_initrc_exec_t;
		type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
		type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
		type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
		type rpm_var_run_t;
	')

	# NOTE(review): ptrace is unconditional here, whereas rpcbind_admin and
	# rrdcached_admin gate it behind the deny_ptrace tunable - confirm.
	allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
	ps_process_pattern($1, { rpm_t rpm_script_t })

	init_labeled_script_domtrans($1, rpm_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 rpm_initrc_exec_t system_r;
	allow $2 system_r;

	admin_pattern($1, rpm_file_t)

	files_list_tmp($1)
	admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })

	files_list_var_lib($1)
	admin_pattern($1, rpm_var_lib_t)

	files_search_locks($1)
	admin_pattern($1, rpm_lock_t)

	logging_list_logs($1)
	admin_pattern($1, rpm_log_t)

	files_list_pids($1)
	admin_pattern($1, rpm_var_run_t)

	fs_search_tmpfs($1)
	admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t })

	# the admin domain also gets the full rpm run interface for the role
	rpm_run($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rpm_admin'($*)) dnl
')

## rrdcached -
## Daemon that receives updates to existing RRD files, accumulates them and writes the updates to the RRD file.

########################################
## Execute rrdcached_exec_t in the rrdcached domain.
## param domain: Domain allowed to transition.
#
define(`rrdcached_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rrdcached_domtrans'($*)) dnl
	gen_require(`
		type rrdcached_t, rrdcached_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, rrdcached_exec_t, rrdcached_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rrdcached_domtrans'($*)) dnl
')

######################################
## Execute rrdcached in the caller domain.
## param domain: Domain allowed access.
#
define(`rrdcached_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rrdcached_exec'($*)) dnl
	gen_require(`
		type rrdcached_exec_t;
	')

	corecmd_search_bin($1)
	# no domain transition: rrdcached runs with the privileges of the caller
	can_exec($1, rrdcached_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rrdcached_exec'($*)) dnl
')

########################################
## Read rrdcached PID files.
## param domain: Domain allowed access.
#
define(`rrdcached_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rrdcached_read_pid_files'($*)) dnl
	gen_require(`
		type rrdcached_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, rrdcached_var_run_t, rrdcached_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rrdcached_read_pid_files'($*)) dnl
')

########################################
## All of the rules required to administrate
## an rrdcached environment
## param domain: Domain allowed access.
## param role: Role allowed access.
##
#
define(`rrdcached_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rrdcached_admin'($*)) dnl
	gen_require(`
		type rrdcached_t;
		type rrdcached_var_run_t;
	')

	allow $1 rrdcached_t:process { signal_perms };
	ps_process_pattern($1, rrdcached_t)

	# ptrace is only granted while the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 rrdcached_t:process ptrace;
	')

	files_search_pids($1)
	admin_pattern($1, rrdcached_var_run_t)

	# NOTE(review): the role parameter $2 is declared but never used in this
	# interface; no role_transition or init script access is set up here.
	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rrdcached_admin'($*)) dnl
')

## Remote shell service.

########################################
## Domain transition to rshd.
## param domain: Domain allowed to transition.
#
define(`rshd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rshd_domtrans'($*)) dnl
	gen_require(`
		type rshd_exec_t, rshd_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	domtrans_pattern($1, rshd_exec_t, rshd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rshd_domtrans'($*)) dnl
')

## Restricted (scp/sftp) only shell.

########################################
## Role access for rssh.
## param role: Role allowed access.
## param domain: User domain for the role.
##
#
define(`rssh_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rssh_role'($*)) dnl
	gen_require(`
		attribute_role rssh_roles;
		type rssh_t, rssh_exec_t, rssh_ro_t;
		type rssh_rw_t;
	')

	# note the parameter order: $1 is the role, $2 is the user domain
	roleattribute $1 rssh_roles;

	domtrans_pattern($2, rssh_exec_t, rssh_t)

	# NOTE(review): ptrace on rssh_t is granted unconditionally to the user
	# domain; the admin interfaces in this file gate ptrace on deny_ptrace.
	allow $2 rssh_t:process { ptrace signal_perms };
	ps_process_pattern($2, rssh_t)

	# the user domain may both manage and relabel its ro and rw content,
	# so the ro/rw split is not enforced against the owning user domain
	allow $2 { rssh_ro_t rssh_rw_t }:dir { manage_dir_perms relabel_dir_perms };
	allow $2 { rssh_ro_t rssh_rw_t }:file { manage_file_perms relabel_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rssh_role'($*)) dnl
')

########################################
## Execute rssh in the rssh domain.
## param domain: Domain allowed to transition.
#
define(`rssh_spec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rssh_spec_domtrans'($*)) dnl
	gen_require(`
		type rssh_t, rssh_exec_t;
	')

	corecmd_search_bin($1)
	# spec_ variant: the transition is allowed but not automatic
	spec_domtrans_pattern($1, rssh_exec_t, rssh_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rssh_spec_domtrans'($*)) dnl
')

########################################
## Execute the rssh program
## in the caller domain.
## param domain: Domain allowed access.
#
define(`rssh_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `rssh_exec'($*)) dnl
	gen_require(`
		type rssh_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, rssh_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `rssh_exec'($*)) dnl
')

########################################
## Execute a domain transition to
## run rssh chroot helper.
## param domain: Domain allowed to transition.
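##	</summary>
## </param>
#
define(`rssh_domtrans_chroot_helper',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rssh_domtrans_chroot_helper'($*))dnl
	gen_require(`
		type rssh_chroot_helper_t, rssh_chroot_helper_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, rssh_chroot_helper_exec_t, rssh_chroot_helper_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rssh_domtrans_chroot_helper'($*))dnl
')

########################################
## <summary>
##	Read users rssh read-only content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rssh_read_ro_content',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rssh_read_ro_content'($*))dnl
	gen_require(`
		type rssh_ro_t;
	')

	allow $1 rssh_ro_t:dir list_dir_perms;
	allow $1 rssh_ro_t:file read_file_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rssh_read_ro_content'($*))dnl
')

## <summary>Fast incremental file transfer for synchronization</summary>

#######################################
## <summary>
##	Rsync stub interface. No access allowed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rsync_stub',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rsync_stub'($*))dnl
	gen_require(`
		type rsync_t;
	')

	# intentionally empty: only pulls rsync_t into the
	# caller's require block, no rules are granted
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rsync_stub'($*))dnl
')

########################################
## <summary>
##	Make rsync an entry point for
##	the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	The domain for which rsync is an entrypoint.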
##	</summary>
## </param>
#
# cjp: added for portage
define(`rsync_entry_type',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rsync_entry_type'($*))dnl
	gen_require(`
		type rsync_exec_t;
	')

	domain_entry_file($1, rsync_exec_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rsync_entry_type'($*))dnl
')

########################################
## <summary>
##	Execute a rsync in a specified domain.
## </summary>
## <desc>
##	<p>
##	Execute a rsync in a specified domain,
##	using an explicit (non-automatic) domain transition.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	Domain to transition to.
##	</summary>
## </param>
#
# cjp: added for portage
define(`rsync_entry_spec_domtrans',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rsync_entry_spec_domtrans'($*))dnl
	gen_require(`
		type rsync_exec_t;
	')

	# domain_trans (not domain_auto_trans): the caller must
	# explicitly request the target context on exec
	domain_trans($1, rsync_exec_t, $2)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rsync_entry_spec_domtrans'($*))dnl
')

########################################
## <summary>
##	Execute a rsync in a specified domain.
## </summary>
## <desc>
##	<p>
##	Execute a rsync in a specified domain,
##	with an automatic domain transition.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
## </desc>
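## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	Domain to transition to.
##	</summary>
## </param>
#
# cjp: added for portage
define(`rsync_entry_domtrans',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rsync_entry_domtrans'($*))dnl
	gen_require(`
		type rsync_exec_t;
	')

	# automatic transition on exec of rsync_exec_t
	domain_auto_trans($1, rsync_exec_t, $2)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rsync_entry_domtrans'($*))dnl
')

########################################
## <summary>
##	Execute rsync in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`rsync_exec',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rsync_exec'($*))dnl
	gen_require(`
		type rsync_exec_t;
	')

	can_exec($1, rsync_exec_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rsync_exec'($*))dnl
')

########################################
## <summary>
##	Allow the specified domain to ioctl an
##	rsync with a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rsync_ioctl_stream_sockets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rsync_ioctl_stream_sockets'($*))dnl
	gen_require(`
		type rsync_t;
	')

	allow $1 rsync_t:unix_stream_socket ioctl;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rsync_ioctl_stream_sockets'($*))dnl
')

########################################
## <summary>
##	Read rsync config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rsync_read_config',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rsync_read_config'($*))dnl
	gen_require(`
		type rsync_etc_t;
	')

	read_files_pattern($1, rsync_etc_t, rsync_etc_t)
	files_search_etc($1)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rsync_read_config'($*))dnl
')

########################################
## <summary>
##	Read rsync data files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.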
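##	</summary>
## </param>
#
define(`rsync_read_data',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rsync_read_data'($*))dnl
	gen_require(`
		type rsync_data_t;
	')

	# NOTE(review): no search permission on the parent
	# directories is granted here; callers must obtain it
	# separately
	read_files_pattern($1, rsync_data_t, rsync_data_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rsync_read_data'($*))dnl
')

########################################
## <summary>
##	Read and write rsync unix_stream_sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rsync_rw_unix_stream_sockets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rsync_rw_unix_stream_sockets'($*))dnl
	gen_require(`
		type rsync_t;
	')

	allow $1 rsync_t:unix_stream_socket rw_socket_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rsync_rw_unix_stream_sockets'($*))dnl
')

########################################
## <summary>
##	Write to rsync config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rsync_write_config',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rsync_write_config'($*))dnl
	gen_require(`
		type rsync_etc_t;
	')

	write_files_pattern($1, rsync_etc_t, rsync_etc_t)
	files_search_etc($1)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rsync_write_config'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	rsync config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rsync_manage_config',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rsync_manage_config'($*))dnl
	gen_require(`
		type rsync_etc_t;
	')

	manage_files_pattern($1, rsync_etc_t, rsync_etc_t)
	files_search_etc($1)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rsync_manage_config'($*))dnl
')

########################################
## <summary>
##	Create objects in etc directories
##	with rsync etc type.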
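## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="class">
##	<summary>
##	Class of the object being created.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`rsync_etc_filetrans_config',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rsync_etc_filetrans_config'($*))dnl
	gen_require(`
		type rsync_etc_t;
	')

	files_etc_filetrans($1, rsync_etc_t, $2, $3)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rsync_etc_filetrans_config'($*))dnl
')

########################################
## <summary>
##	Transition to rsync named content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rsync_filetrans_named_content',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rsync_filetrans_named_content'($*))dnl
	gen_require(`
		type rsync_etc_t;
		type rsync_var_run_t;
	')

	# name-based transitions: the config file in /etc and
	# the two lock files in the pid directory get rsync labels
	files_etc_filetrans($1, rsync_etc_t, file, "rsyncd.conf")
	files_pid_filetrans($1, rsync_var_run_t, file, "swift_server.lock")
	files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rsync_filetrans_named_content'($*))dnl
')

## <summary>Platform diagnostics report firmware events.</summary>

########################################
## <summary>
##	Execute rtas_errd in the rtas_errd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`rtas_errd_domtrans',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rtas_errd_domtrans'($*))dnl
	gen_require(`
		type rtas_errd_t, rtas_errd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, rtas_errd_exec_t, rtas_errd_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rtas_errd_domtrans'($*))dnl
')

########################################
## <summary>
##	Read rtas_errd's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.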
##	</summary>
## </param>
## <rolecap/>
#
define(`rtas_errd_read_log',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rtas_errd_read_log'($*))dnl
	gen_require(`
		type rtas_errd_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rtas_errd_read_log'($*))dnl
')

########################################
## <summary>
##	Append to rtas_errd log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rtas_errd_append_log',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rtas_errd_append_log'($*))dnl
	gen_require(`
		type rtas_errd_log_t;
	')

	logging_search_logs($1)
	append_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rtas_errd_append_log'($*))dnl
')

########################################
## <summary>
##	Manage rtas_errd log files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rtas_errd_manage_log',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rtas_errd_manage_log'($*))dnl
	gen_require(`
		type rtas_errd_log_t;
	')

	logging_search_logs($1)
	# dirs, files and symlinks of the log type
	manage_dirs_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
	manage_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
	manage_lnk_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rtas_errd_manage_log'($*))dnl
')

########################################
## <summary>
##	Read rtas_errd's lock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
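##	</summary>
## </param>
## <rolecap/>
#
define(`rtas_errd_read_lock',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rtas_errd_read_lock'($*))dnl
	gen_require(`
		type rtas_errd_var_lock_t;
	')

	# the lock type lives in the lock directory, so search
	# access is needed there (the original searched the log
	# directory, copied from rtas_errd_read_log)
	files_search_locks($1)
	read_files_pattern($1, rtas_errd_var_lock_t, rtas_errd_var_lock_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rtas_errd_read_lock'($*))dnl
')

########################################
## <summary>
##	Read and Write rtas_errd's lock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`rtas_errd_rw_lock',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rtas_errd_rw_lock'($*))dnl
	gen_require(`
		type rtas_errd_var_lock_t;
	')

	rw_files_pattern($1, rtas_errd_var_lock_t, rtas_errd_var_lock_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rtas_errd_rw_lock'($*))dnl
')

########################################
## <summary>
##	Read rtas_errd PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rtas_errd_read_pid_files',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rtas_errd_read_pid_files'($*))dnl
	gen_require(`
		type rtas_errd_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, rtas_errd_var_run_t, rtas_errd_var_run_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rtas_errd_read_pid_files'($*))dnl
')

########################################
## <summary>
##	Execute systemctl to manage the rtas_errd service.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.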
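##	</summary>
## </param>
#
define(`rtas_errd_systemctl',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rtas_errd_systemctl'($*))dnl
	gen_require(`
		type rtas_errd_t;
		type rtas_errd_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)

	allow $1 rtas_errd_unit_file_t:file read_file_perms;
	allow $1 rtas_errd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, rtas_errd_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rtas_errd_systemctl'($*))dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	an rtas_errd environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rtas_errd_admin',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rtas_errd_admin'($*))dnl
	gen_require(`
		type rtas_errd_t;
		type rtas_errd_log_t, rtas_errd_var_run_t;
		type rtas_errd_unit_file_t;
	')

	allow $1 rtas_errd_t:process signal_perms;
	ps_process_pattern($1, rtas_errd_t)

	# ptrace is gated on the deny_ptrace boolean, consistent
	# with the other *_admin interfaces in this file
	tunable_policy(`deny_ptrace',`',`
		allow $1 rtas_errd_t:process ptrace;
	')

	logging_search_logs($1)
	admin_pattern($1, rtas_errd_log_t)

	files_search_pids($1)
	admin_pattern($1, rtas_errd_var_run_t)

	rtas_errd_systemctl($1)
	admin_pattern($1, rtas_errd_unit_file_t)
	allow $1 rtas_errd_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rtas_errd_admin'($*))dnl
')

## <summary>Realtime scheduling for user processes.</summary>

########################################
## <summary>
##	Execute a domain transition to run rtkit_daemon.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.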
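##	</summary>
## </param>
#
define(`rtkit_daemon_domtrans',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rtkit_daemon_domtrans'($*))dnl
	gen_require(`
		type rtkit_daemon_t, rtkit_daemon_exec_t;
	')

	domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rtkit_daemon_domtrans'($*))dnl
')

########################################
## <summary>
##	Send and receive messages from
##	rtkit_daemon over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rtkit_daemon_dbus_chat',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rtkit_daemon_dbus_chat'($*))dnl
	gen_require(`
		type rtkit_daemon_t;
		class dbus send_msg;
	')

	# both directions of the dbus conversation
	allow $1 rtkit_daemon_t:dbus send_msg;
	allow rtkit_daemon_t $1:dbus send_msg;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rtkit_daemon_dbus_chat'($*))dnl
')

########################################
## <summary>
##	Do not audit send and receive messages from
##	rtkit_daemon over dbus, nor rtkit_daemon
##	getting or setting the scheduling of the domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`rtkit_daemon_dontaudit_dbus_chat',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rtkit_daemon_dontaudit_dbus_chat'($*))dnl
	gen_require(`
		type rtkit_daemon_t;
		class dbus send_msg;
	')

	dontaudit $1 rtkit_daemon_t:dbus send_msg;
	dontaudit rtkit_daemon_t $1:dbus send_msg;
	# also silences the scheduling checks rtkit makes on the
	# domain; use rtkit_scheduled() to actually allow them
	dontaudit rtkit_daemon_t $1:process { getsched setsched };
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rtkit_daemon_dontaudit_dbus_chat'($*))dnl
')

########################################
## <summary>
##	Allow rtkit to control scheduling for your process
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.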
##	</summary>
## </param>
#
define(`rtkit_scheduled',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rtkit_scheduled'($*))dnl
	gen_require(`
		type rtkit_daemon_t;
	')

	# rtkit reads and changes the scheduling of the caller,
	# which also needs proc lookup of the caller's processes
	allow rtkit_daemon_t $1:process { getsched setsched };
	kernel_search_proc($1)
	ps_process_pattern(rtkit_daemon_t, $1)

	optional_policy(`
		rtkit_daemon_dbus_chat($1)
	')
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rtkit_scheduled'($*))dnl
')

## <summary>Who is logged in on other machines?</summary>

########################################
## <summary>
##	Execute a domain transition to run rwho.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`rwho_domtrans',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rwho_domtrans'($*))dnl
	gen_require(`
		type rwho_t, rwho_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, rwho_exec_t, rwho_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rwho_domtrans'($*))dnl
')

########################################
## <summary>
##	Search rwho log directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rwho_search_log',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rwho_search_log'($*))dnl
	gen_require(`
		type rwho_log_t;
	')

	logging_search_logs($1)
	allow $1 rwho_log_t:dir search_dir_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rwho_search_log'($*))dnl
')

########################################
## <summary>
##	Read rwho log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rwho_read_log_files',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rwho_read_log_files'($*))dnl
	gen_require(`
		type rwho_log_t;
	')

	logging_search_logs($1)
	allow $1 rwho_log_t:dir list_dir_perms;
	allow $1 rwho_log_t:file read_file_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rwho_read_log_files'($*))dnl
')

########################################
## <summary>
##	Search rwho spool directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rwho_search_spool',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rwho_search_spool'($*))dnl
	gen_require(`
		type rwho_spool_t;
	')

	files_search_spool($1)
	allow $1 rwho_spool_t:dir search_dir_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rwho_search_spool'($*))dnl
')

########################################
## <summary>
##	Read rwho spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rwho_read_spool_files',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rwho_read_spool_files'($*))dnl
	gen_require(`
		type rwho_spool_t;
	')

	files_search_spool($1)
	read_files_pattern($1, rwho_spool_t, rwho_spool_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rwho_read_spool_files'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	rwho spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`rwho_manage_spool_files',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rwho_manage_spool_files'($*))dnl
	gen_require(`
		type rwho_spool_t;
	')

	files_search_spool($1)
	manage_files_pattern($1, rwho_spool_t, rwho_spool_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rwho_manage_spool_files'($*))dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an rwho environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`rwho_admin',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `rwho_admin'($*))dnl
	gen_require(`
		type rwho_t, rwho_log_t, rwho_spool_t;
		type rwho_initrc_exec_t;
	')

	allow $1 rwho_t:process signal_perms;
	ps_process_pattern($1, rwho_t)

	# ptrace only while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 rwho_t:process ptrace;
	')

	# the admin runs the init script in system_r
	init_labeled_script_domtrans($1, rwho_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 rwho_initrc_exec_t system_r;
	allow $2 system_r;

	logging_list_logs($1)
	admin_pattern($1, rwho_log_t)

	files_list_spool($1)
	admin_pattern($1, rwho_spool_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `rwho_admin'($*))dnl
')

## <summary>
##	SMB and CIFS client/server programs for UNIX and
##	name Service Switch daemon for resolving names
##	from Windows NT servers.
## </summary>

########################################
## <summary>
##	Execute nmbd net in the nmbd_t domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
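##	</summary>
## </param>
#
define(`samba_domtrans_nmbd',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_domtrans_nmbd'($*))dnl
	gen_require(`
		type nmbd_t, nmbd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, nmbd_exec_t, nmbd_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_domtrans_nmbd'($*))dnl
')

#######################################
## <summary>
##	Allow domain to signal nmbd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_signal_nmbd',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_signal_nmbd'($*))dnl
	gen_require(`
		type nmbd_t;
	')

	# only the signal permission, not the full signal_perms set
	allow $1 nmbd_t:process signal;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_signal_nmbd'($*))dnl
')

########################################
## <summary>
##	Search the samba pid directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_search_pid',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_search_pid'($*))dnl
	gen_require(`
		type smbd_var_run_t;
	')

	files_search_pids($1)
	allow $1 smbd_var_run_t:dir search_dir_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_search_pid'($*))dnl
')

########################################
## <summary>
##	Connect to nmbd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_stream_connect_nmbd',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_stream_connect_nmbd'($*))dnl
	gen_require(`
		type nmbd_t, nmbd_var_run_t;
	')

	samba_search_pid($1)
	stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_stream_connect_nmbd'($*))dnl
')

########################################
## <summary>
##	Execute samba server in the samba domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.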
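##	</summary>
## </param>
#
define(`samba_initrc_domtrans',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_initrc_domtrans'($*))dnl
	gen_require(`
		type samba_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, samba_initrc_exec_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_initrc_domtrans'($*))dnl
')

########################################
## <summary>
##	Execute systemctl to manage the samba service.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_systemctl',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_systemctl'($*))dnl
	gen_require(`
		type samba_unit_file_t;
		type smbd_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)

	allow $1 samba_unit_file_t:file read_file_perms;
	allow $1 samba_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, smbd_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_systemctl'($*))dnl
')

#######################################
## <summary>
##	Get samba services status
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_service_status',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_service_status'($*))dnl
	gen_require(`
		type samba_unit_file_t;
	')

	# status only; no start/stop/reload
	allow $1 samba_unit_file_t:service status;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_service_status'($*))dnl
')

########################################
## <summary>
##	Execute samba net in the samba_net domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.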
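##	</summary>
## </param>
#
define(`samba_domtrans_net',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_domtrans_net'($*))dnl
	gen_require(`
		type samba_net_t, samba_net_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, samba_net_exec_t, samba_net_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_domtrans_net'($*))dnl
')

########################################
## <summary>
##	Execute samba net in the samba_unconfined_net domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`samba_domtrans_unconfined_net',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_domtrans_unconfined_net'($*))dnl
	gen_require(`
		type samba_unconfined_net_t, samba_net_exec_t;
	')

	corecmd_search_bin($1)
	# same executable as samba_domtrans_net, but the target is
	# the unconfined variant of the net domain
	domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_domtrans_unconfined_net'($*))dnl
')

########################################
## <summary>
##	Execute samba net in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_exec_net',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_exec_net'($*))dnl
	gen_require(`
		type samba_net_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, samba_net_exec_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_exec_net'($*))dnl
')

########################################
## <summary>
##	Execute samba net in the samba_net domain, and
##	allow the specified role the samba_net domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.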
##	</summary>
## </param>
## <rolecap/>
#
define(`samba_run_net',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_run_net'($*))dnl
	gen_require(`
		type samba_net_t;
	')

	samba_domtrans_net($1)
	role $2 types samba_net_t;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_run_net'($*))dnl
')

#######################################
## <summary>
##	The role for the samba module.
## </summary>
## <param name="role">
##	<summary>
##	The role to be allowed the smbd domain.
##	</summary>
## </param>
## <rolecap/>
#
define(`samba_role_notrans',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_role_notrans'($*))dnl
	gen_require(`
		type smbd_t;
	')

	# role authorisation only; no domain transition is granted
	role $1 types smbd_t;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_role_notrans'($*))dnl
')

########################################
## <summary>
##	Execute samba net in the samba_unconfined_net domain, and
##	allow the specified role the samba_unconfined_net domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the samba_unconfined_net domain.
##	</summary>
## </param>
## <rolecap/>
#
define(`samba_run_unconfined_net',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_run_unconfined_net'($*))dnl
	gen_require(`
		type samba_unconfined_net_t;
	')

	samba_domtrans_unconfined_net($1)
	role $2 types samba_unconfined_net_t;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_run_unconfined_net'($*))dnl
')

########################################
## <summary>
##	Execute smbmount in the smbmount domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`samba_domtrans_smbmount',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_domtrans_smbmount'($*))dnl
	gen_require(`
		type smbmount_t, smbmount_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, smbmount_exec_t, smbmount_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_domtrans_smbmount'($*))dnl
')

########################################
## <summary>
##	Execute smbmount interactively and do
##	a domain transition to the smbmount domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`samba_run_smbmount',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_run_smbmount'($*))dnl
	gen_require(`
		type smbmount_t;
	')

	samba_domtrans_smbmount($1)
	role $2 types smbmount_t;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_run_smbmount'($*))dnl
')

########################################
## <summary>
##	Allow the specified domain to read
##	samba configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`samba_read_config',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_read_config'($*))dnl
	gen_require(`
		type samba_etc_t;
	')

	files_search_etc($1)
	list_dirs_pattern($1, samba_etc_t, samba_etc_t)
	read_files_pattern($1, samba_etc_t, samba_etc_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_read_config'($*))dnl
')

########################################
## <summary>
##	Allow the specified domain to read
##	and write samba configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
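##	</summary>
## </param>
## <rolecap/>
#
define(`samba_rw_config',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_rw_config'($*))dnl
	gen_require(`
		type samba_etc_t;
	')

	files_search_etc($1)
	rw_files_pattern($1, samba_etc_t, samba_etc_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_rw_config'($*))dnl
')

########################################
## <summary>
##	Allow the specified domain to create, read,
##	write, and delete samba configuration files
##	and directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`samba_manage_config',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_manage_config'($*))dnl
	gen_require(`
		type samba_etc_t;
	')

	files_search_etc($1)
	manage_dirs_pattern($1, samba_etc_t, samba_etc_t)
	manage_files_pattern($1, samba_etc_t, samba_etc_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_manage_config'($*))dnl
')

########################################
## <summary>
##	Allow the specified domain to read samba's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`samba_read_log',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_read_log'($*))dnl
	gen_require(`
		type samba_log_t;
	')

	logging_search_logs($1)
	allow $1 samba_log_t:dir list_dir_perms;
	read_files_pattern($1, samba_log_t, samba_log_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_read_log'($*))dnl
')

########################################
## <summary>
##	Allow the specified domain to append to samba's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.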
##	</summary>
## </param>
## <rolecap/>
#
define(`samba_append_log',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_append_log'($*))dnl
	gen_require(`
		type samba_log_t;
	')

	logging_search_logs($1)
	allow $1 samba_log_t:dir list_dir_perms;
	allow $1 samba_log_t:file append_file_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_append_log'($*))dnl
')

########################################
## <summary>
##	Execute samba log in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_exec_log',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_exec_log'($*))dnl
	gen_require(`
		type samba_log_t;
	')

	logging_search_logs($1)
	# NOTE(review): exec on a log type is unusual; confirm the
	# caller needs execute rather than read access
	can_exec($1, samba_log_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_exec_log'($*))dnl
')

########################################
## <summary>
##	Allow the specified domain to read samba's secrets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_read_secrets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `samba_read_secrets'($*))dnl
	gen_require(`
		type samba_secrets_t;
	')

	files_search_etc($1)
	# samba_secrets_t is credential material; keep the set of
	# domains calling this interface as small as possible
	allow $1 samba_secrets_t:file read_file_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `samba_read_secrets'($*))dnl
')

########################################
## <summary>
##	Allow the specified domain to read samba's shares
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_read_share_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_read_share_files'($*)) dnl
gen_require(`
	type samba_share_t;
')

	allow $1 samba_share_t:filesystem getattr;
	read_files_pattern($1, samba_share_t, samba_share_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_read_share_files'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to search
##	samba /var directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_search_var',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_search_var'($*)) dnl
gen_require(`
	type samba_var_t;
')

	# search on both /var and /var/lib since samba var content lives below them
	files_search_var($1)
	files_search_var_lib($1)
	allow $1 samba_var_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_search_var'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to
##	read samba /var files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_read_var_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_read_var_files'($*)) dnl
gen_require(`
	type samba_var_t;
')

	files_search_var($1)
	files_search_var_lib($1)
	read_files_pattern($1, samba_var_t, samba_var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_read_var_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write samba
##	/var files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`samba_dontaudit_write_var_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_dontaudit_write_var_files'($*)) dnl
gen_require(`
	type samba_var_t;
')

	# silences the denial only; no access is granted
	dontaudit $1 samba_var_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_dontaudit_write_var_files'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to
##	read and write samba /var files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_rw_var_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_rw_var_files'($*)) dnl
gen_require(`
	type samba_var_t;
')

	files_search_var($1)
	files_search_var_lib($1)
	rw_files_pattern($1, samba_var_t, samba_var_t)
	# map is granted separately because rw_files_pattern does not include it
	allow $1 samba_var_t:file { map};
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_rw_var_files'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to create,
##	read, write, and delete samba /var
##	files, symbolic links and sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_manage_var_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_manage_var_files'($*)) dnl
gen_require(`
	type samba_var_t;
')

	# NOTE(review): files_search_var_lib is called twice; the sibling
	# interfaces call files_search_var then files_search_var_lib, so
	# the first call was presumably meant to be files_search_var.
	files_search_var_lib($1)
	files_search_var_lib($1)
	manage_files_pattern($1, samba_var_t, samba_var_t)
	manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
	manage_sock_files_pattern($1, samba_var_t, samba_var_t)
	allow $1 samba_var_t:file { map };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_manage_var_files'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to create,
##	read, write, and delete samba /var
##	directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_manage_var_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_manage_var_dirs'($*)) dnl
gen_require(`
	type samba_var_t;
')

	# NOTE(review): duplicated files_search_var_lib call, same as in
	# samba_manage_var_files; the first one probably should be files_search_var.
	files_search_var_lib($1)
	files_search_var_lib($1)
	manage_dirs_pattern($1, samba_var_t, samba_var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_manage_var_dirs'($*)) dnl
')

#####################################
## <summary>
##	Manage samba var sock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_manage_var_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_manage_var_sock_files'($*)) dnl
gen_require(`
	type samba_var_t;
')

	# searches the pid directory, not /var/lib, unlike the other samba_var_t interfaces
	files_search_pids($1)
	manage_sock_files_pattern($1, samba_var_t, samba_var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_manage_var_sock_files'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run smbcontrol.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`samba_domtrans_smbcontrol',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_domtrans_smbcontrol'($*)) dnl
gen_require(`
	type smbcontrol_t;
	type smbcontrol_exec_t;
')

	domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_domtrans_smbcontrol'($*)) dnl
')

########################################
## <summary>
##	Execute smbcontrol in the smbcontrol domain, and
##	allow the specified role the smbcontrol domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`samba_run_smbcontrol',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_run_smbcontrol'($*)) dnl
gen_require(`
	type smbcontrol_t;
')

	samba_domtrans_smbcontrol($1)
	# the role must be authorized for the target domain or the transition fails
	role $2 types smbcontrol_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_run_smbcontrol'($*)) dnl
')

########################################
## <summary>
##	Execute smbd in the smbd_t domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`samba_domtrans_smbd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_domtrans_smbd'($*)) dnl
gen_require(`
	type smbd_t, smbd_exec_t;
')

	corecmd_search_bin($1)
	domtrans_pattern($1, smbd_exec_t, smbd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_domtrans_smbd'($*)) dnl
')

########################################
## <summary>
##	Set attributes of samba_share directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_setattr_samba_share_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_setattr_samba_share_dirs'($*)) dnl
gen_require(`
	type samba_share_t;
')

	allow $1 samba_share_t:dir setattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_setattr_samba_share_dirs'($*)) dnl
')

######################################
## <summary>
##	Allow domain to signal samba.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_signal_smbd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_signal_smbd'($*)) dnl
gen_require(`
	type smbd_t;
')

	# signal only; sigkill and sigstop are not included
	allow $1 smbd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_signal_smbd'($*)) dnl
')

######################################
## <summary>
##	Allow domain to signull samba.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_signull_smbd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_signull_smbd'($*)) dnl
gen_require(`
	type smbd_t;
')

	# signull is the existence check (kill with signal 0)
	allow $1 smbd_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_signull_smbd'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to use file descriptors from samba.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`samba_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_dontaudit_use_fds'($*)) dnl
gen_require(`
	type smbd_t;
')

	dontaudit $1 smbd_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_dontaudit_use_fds'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to write to smbmount tcp sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_write_smbmount_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_write_smbmount_tcp_sockets'($*)) dnl
gen_require(`
	type smbmount_t;
')

	allow $1 smbmount_t:tcp_socket write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_write_smbmount_tcp_sockets'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to read and write to smbmount tcp sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_rw_smbmount_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_rw_smbmount_tcp_sockets'($*)) dnl
gen_require(`
	type smbmount_t;
')

	allow $1 smbmount_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_rw_smbmount_tcp_sockets'($*)) dnl
')

#######################################
## <summary>
##	Allow getattr on the winbind binary.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_getattr_winbind',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_getattr_winbind'($*)) dnl
gen_require(`
	type winbind_exec_t;
')

	# getattr on the executable only; no execute and no transition
	allow $1 winbind_exec_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_getattr_winbind'($*)) dnl
')

########################################
## <summary>
##	Execute winbind_helper in the winbind_helper domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`samba_domtrans_winbind_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_domtrans_winbind_helper'($*)) dnl
gen_require(`
	type winbind_helper_t, winbind_helper_exec_t;
')

	domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
	# the caller may also signal the helper it spawned
	allow $1 winbind_helper_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_domtrans_winbind_helper'($*)) dnl
')

########################################
## <summary>
##	Execute winbind_helper in the winbind_helper domain, and
##	allow the specified role the winbind_helper domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`samba_run_winbind_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_run_winbind_helper'($*)) dnl
gen_require(`
	type winbind_helper_t;
')

	samba_domtrans_winbind_helper($1)
	role $2 types winbind_helper_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_run_winbind_helper'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to read the winbind pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_read_winbind_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_read_winbind_pid'($*)) dnl
gen_require(`
	type winbind_var_run_t;
')

	# samba_search_pid is defined elsewhere in this file
	samba_search_pid($1)
	allow $1 winbind_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_read_winbind_pid'($*)) dnl
')

########################################
## <summary>
##	Manage winbind PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_manage_winbind_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_manage_winbind_pid'($*)) dnl
gen_require(`
	type winbind_var_run_t;
')

	files_search_pids($1)
	manage_dirs_pattern($1, winbind_var_run_t, winbind_var_run_t)
	manage_files_pattern($1, winbind_var_run_t, winbind_var_run_t)
	manage_sock_files_pattern($1, winbind_var_run_t, winbind_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_manage_winbind_pid'($*)) dnl
')

######################################
## <summary>
##	Allow domain to signull winbind.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_signull_winbind',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_signull_winbind'($*)) dnl
gen_require(`
	type winbind_t;
')

	allow $1 winbind_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_signull_winbind'($*)) dnl
')

######################################
## <summary>
##	Allow domain to signull samba_unconfined_net.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_signull_unconfined_net',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_signull_unconfined_net'($*)) dnl
gen_require(`
	type samba_unconfined_net_t;
')

	allow $1 samba_unconfined_net_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_signull_unconfined_net'($*)) dnl
')

########################################
## <summary>
##	Connect to winbind over its unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samba_stream_connect_winbind',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_stream_connect_winbind'($*)) dnl
gen_require(`
	type samba_var_t, winbind_t, winbind_var_run_t;
')

	samba_search_pid($1)
	allow $1 samba_var_t:dir search_dir_perms;
	stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
	# clients read smb.conf to locate the winbind socket
	samba_read_config($1)

	# on non-redhat distros the socket also lives under /tmp, so a second
	# connect path is granted there
	ifndef(`distro_redhat',`
		gen_require(`
			type winbind_tmp_t;
		')

		# the default for the socket is (poorly named):
		# /tmp/.winbindd/pipe
		files_search_tmp($1)
		stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_stream_connect_winbind'($*)) dnl
')

########################################
## <summary>
##	Create a derived script domain and entry
##	point type for a samba helper script.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix to be used for deriving type names.
##	</summary>
## </param>
#
define(`samba_helper_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_helper_template'($*)) dnl
gen_require(`
	type smbd_t;
	role system_r;
')

	# This type is for samba helper scripts
	type samba_$1_script_t;
	domain_type(samba_$1_script_t)
	role system_r types samba_$1_script_t;

	# This type is used for executable script files
	type samba_$1_script_exec_t;
	corecmd_shell_entry_type(samba_$1_script_t)
	domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t)

	# only smbd may transition into the helper domain
	domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
	allow smbd_t samba_$1_script_exec_t:file ioctl;
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_helper_template'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a samba environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the samba domain.
##	</summary>
## </param>
#
define(`samba_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samba_admin'($*)) dnl
gen_require(`
	type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
	type smbd_t, smbd_tmp_t, smbd_spool_t;
	type samba_log_t, samba_var_t, samba_secrets_t;
	type samba_etc_t, samba_share_t, samba_initrc_exec_t;
	type swat_var_run_t, swat_tmp_t, winbind_log_t;
	type winbind_var_run_t, winbind_tmp_t;
	type smbd_keytab_t, samba_unit_file_t;
	type samba_unconfined_script_t;
	type samba_unconfined_script_exec_t;
')

	allow $1 smbd_t:process signal_perms;
	ps_process_pattern($1, smbd_t)

	# ptrace of the samba daemons is only granted when the
	# deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 smbd_t:process ptrace;
		allow $1 nmbd_t:process ptrace;
		allow $1 samba_unconfined_script_t:process ptrace;
	')

	allow $1 nmbd_t:process signal_perms;
	ps_process_pattern($1, nmbd_t)

	allow $1 samba_unconfined_script_t:process signal_perms;
	ps_process_pattern($1, samba_unconfined_script_t)

	samba_run_smbcontrol($1, $2)
	samba_run_winbind_helper($1, $2)
	samba_run_smbmount($1, $2)
	samba_run_net($1, $2)

	# init script handling: the admin role may transition to system_r
	# through the samba init script
	init_labeled_script_domtrans($1, samba_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 samba_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	# the keytab is managed together with the config directory
	admin_pattern($1, { samba_etc_t smbd_keytab_t })

	admin_pattern($1, samba_log_t)
	logging_list_logs($1)

	# note: admin_pattern on secrets gives the admin full read/write of
	# samba credential material
	admin_pattern($1, samba_secrets_t)

	admin_pattern($1, samba_share_t)

	admin_pattern($1, samba_var_t)
	files_list_var($1)

	admin_pattern($1, smbd_var_run_t)
	files_list_pids($1)

	admin_pattern($1, smbd_tmp_t)
	files_list_tmp($1)

	admin_pattern($1, swat_var_run_t)
	admin_pattern($1, swat_tmp_t)

	admin_pattern($1, winbind_log_t)
	admin_pattern($1, winbind_tmp_t)
	admin_pattern($1, winbind_var_run_t)

	admin_pattern($1, samba_unconfined_script_exec_t)

	samba_systemctl($1)
	admin_pattern($1, samba_unit_file_t)
	allow $1 samba_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samba_admin'($*)) dnl
')

## <summary>system-config-samba dbus service.</summary>

## <summary>Check file integrity.</summary>

#######################################
## <summary>
##	The template to define a samhain domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Domain prefix to be used.
##	</summary>
## </param>
#
define(`samhain_service_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samhain_service_template'($*)) dnl
gen_require(`
	attribute samhain_domain;
	type samhain_exec_t;
')

	type $1_t;
	domain_type($1_t)
	domain_entry_file($1_t, samhain_exec_t)

	# an integrity checker must read every file it baselines, at every
	# MLS level; this is a broad grant, so keep the derived domains few
	files_read_all_files($1_t)
	mls_file_write_all_levels($1_t)

	logging_send_syslog_msg($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samhain_service_template'($*)) dnl
')

########################################
## <summary>
##	Execute samhain in the samhain domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`samhain_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samhain_domtrans'($*)) dnl
gen_require(`
	type samhain_t, samhain_exec_t;
')

	corecmd_search_bin($1)
	domtrans_pattern($1, samhain_exec_t, samhain_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samhain_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute samhain in the samhain
##	domain with the clearance security
##	level and allow the specified role
##	the samhain domain.
## </summary>
## <desc>
##	<p>
##	The range_transition rule used in
##	this interface requires that the
##	calling domain have the clearance
##	security level; otherwise the MLS
##	constraint on process transition
##	would fail.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed to access.
##	</summary>
## </param>
#
define(`samhain_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samhain_run'($*)) dnl
gen_require(`
	attribute_role samhain_roles;
	type samhain_exec_t;
')

	samhain_domtrans($1)
	roleattribute $2 samhain_roles;

	# under MLS the samhain process is started at system high, so the
	# caller must already hold that clearance for the transition to pass
	ifdef(`enable_mls', `
		range_transition $1 samhain_exec_t:process mls_systemhigh;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samhain_run'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	samhain configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samhain_manage_config_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samhain_manage_config_files'($*)) dnl
gen_require(`
	type samhain_etc_t;
')

	# rw on /etc dirs is needed to create and unlink the config file
	files_rw_etc_dirs($1)
	allow $1 samhain_etc_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samhain_manage_config_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	samhain database files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samhain_manage_db_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samhain_manage_db_files'($*)) dnl
gen_require(`
	type samhain_db_t;
')

	files_search_var_lib($1)
	# write access to the baseline database lets the caller alter what
	# samhain considers the trusted state
	manage_files_pattern($1, samhain_db_t, samhain_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samhain_manage_db_files'($*)) dnl
')

#######################################
## <summary>
##	Create, read, write, and delete
##	samhain init script files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samhain_manage_init_script_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samhain_manage_init_script_files'($*)) dnl
gen_require(`
	type samhain_initrc_exec_t;
')

	files_search_etc($1)
	manage_files_pattern($1, samhain_initrc_exec_t, samhain_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samhain_manage_init_script_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	samhain log and log.lock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samhain_manage_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samhain_manage_log_files'($*)) dnl
gen_require(`
	type samhain_log_t;
')

	logging_search_logs($1)
	manage_files_pattern($1, samhain_log_t, samhain_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samhain_manage_log_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	samhain pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`samhain_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samhain_manage_pid_files'($*)) dnl
gen_require(`
	type samhain_var_run_t;
')

	files_search_pids($1)
	manage_files_pattern($1, samhain_var_run_t, samhain_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samhain_manage_pid_files'($*)) dnl
')

#######################################
## <summary>
##	All of the rules required to
##	administrate the samhain environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`samhain_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `samhain_admin'($*)) dnl
gen_require(`
	attribute samhain_domain;
	type samhain_t, samhaind_t, samhain_db_t, samhain_etc_t;
	type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
')

	# ptrace is granted unconditionally here, unlike samba_admin which
	# gates it on deny_ptrace
	allow $1 samhain_domain:process { ptrace signal_perms };
	ps_process_pattern($1, samhain_domain)

	# pending
	# init_labeled_script_domtrans($1, samhain_initrc_exec_t)
	# domain_system_change_exemption($1)
	# role_transition $2 samhain_initrc_exec_t system_r;
	# allow $2 system_r;

	files_list_var_lib($1)
	admin_pattern($1, samhain_db_t)

	files_list_etc($1)
	admin_pattern($1, { samhain_initrc_exec_t samhain_etc_t })

	logging_list_logs($1)
	admin_pattern($1, samhain_log_t)

	files_list_pids($1)
	admin_pattern($1, samhain_var_run_t)

	# samhain_run($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `samhain_admin'($*)) dnl
')

## <summary>policy for sandbox</summary>

########################################
## <summary>
##	Execute sandbox in the sandbox domain, and
##	allow the specified role the sandbox domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the sandbox domain.
##	</summary>
## </param>
#
define(`sandbox_transition',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_transition'($*)) dnl
gen_require(`
	attribute sandbox_domain;
')

	sandbox_dyntransition($1)
	#885288
	allow $1 sandbox_domain:process transition;
	dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
	role $2 types sandbox_domain;

	# the sandboxed process may only report back to its parent
	allow sandbox_domain $1:process { sigchld signull };
	allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;

	# inherited descriptors and keys from the parent are denied quietly
	dontaudit sandbox_domain $1:process signal;
	dontaudit sandbox_domain $1:key { link read search view };
	dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_transition'($*)) dnl
')

########################################
## <summary>
##	Allow a dynamic transition into the sandbox domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
define(`sandbox_dyntransition',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_dyntransition'($*)) dnl
gen_require(`
	attribute sandbox_domain;
')

	# dyntransition changes the label of the running process without exec
	allow $1 sandbox_domain:process dyntransition;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_dyntransition'($*)) dnl
')

########################################
## <summary>
##	Creates types and rules for a basic
##	sandbox process domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
define(`sandbox_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_domain_template'($*)) dnl
gen_require(`
	attribute sandbox_domain;
')

	type $1_t, sandbox_domain;
	application_type($1_t)

	# the three groups below add the new type to attributes that the
	# policy neverallow assertions exempt; they do not grant the access
	# their names suggest on their own
	# this is to satisfy the assertion:
	dev_raw_memory_reader($1_t)
	dev_raw_memory_writer($1_t)

	mls_rangetrans_target($1_t)
	mcs_constrained($1_t)

	# this is to satisfy the assertion:
	storage_rw_inherited_fixed_disk_dev($1_t)
	storage_rw_inherited_scsi_generic($1_t)

	# this is to satisfy the assertion:
	auth_reader_shadow($1_t)
	auth_writer_shadow($1_t)

	#optional_policy(`
	#	unconfined_typebounds($1_t)
	#')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_domain_template'($*)) dnl
')

## <summary>policy for sandboxX</summary>

########################################
## <summary>
##	Execute sandbox in the sandbox domain, and
##	allow the specified role the sandbox domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the sandbox domain.
##	</summary>
## </param>
#
define(`sandbox_x_transition',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_x_transition'($*)) dnl
gen_require(`
	type sandbox_xserver_t;
	type sandbox_file_t;
	attribute sandbox_x_domain;
	attribute sandbox_tmpfs_type;
')

	allow $1 sandbox_x_domain:process { signal_perms transition };
	allow $1 sandbox_x_domain:process dyntransition;
	dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
	allow sandbox_x_domain $1:process { sigchld signull };
	allow { sandbox_x_domain sandbox_xserver_t } $1:fd use;
	role $2 types sandbox_x_domain;
	role $2 types sandbox_xserver_t;

	allow $1 sandbox_xserver_t:process signal_perms;
	dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms;
	dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
	dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
	# the nested X server talks back to the launcher over a unix socket
	allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms };
	dontaudit sandbox_xserver_t $1:file read;

	allow sandbox_x_domain sandbox_x_domain:process signal;

	# Dontaudit leaked file descriptors
	dontaudit sandbox_x_domain $1:key { link read search view };
	dontaudit sandbox_x_domain $1:fifo_file { read write };
	dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
	dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
	dontaudit sandbox_x_domain $1:unix_stream_socket rw_socket_perms;
	dontaudit sandbox_x_domain $1:process { signal sigkill };

	allow $1 sandbox_tmpfs_type:file manage_file_perms;
	dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;

	# the launcher owns the sandbox home/tmp content and may relabel it
	can_exec($1, sandbox_file_t)
	allow $1 sandbox_file_t:filesystem getattr;
	# NOTE(review): the pattern calls below carry a trailing semicolon,
	# unlike the rest of this file; confirm the expanded policy still
	# compiles as intended.
	manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
	manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
	manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
	manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
	manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
	relabel_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
	relabel_files_pattern($1, sandbox_file_t, sandbox_file_t)
	relabel_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
	relabel_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
	relabel_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_x_transition'($*)) dnl
')

########################################
## <summary>
##	Creates types and rules for a basic
##	sandbox process domain with a nested
##	X server and a client domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
define(`sandbox_x_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_x_domain_template'($*)) dnl
gen_require(`
	type xserver_exec_t, sandbox_devpts_t;
	type sandbox_xserver_t;
	type sandbox_exec_t;
	attribute sandbox_x_domain;
	attribute sandbox_tmpfs_type;
	attribute sandbox_type;
	attribute sandbox_web_type;
')

	type $1_t, sandbox_x_domain, sandbox_type, sandbox_web_type;
	application_type($1_t)
	mcs_constrained($1_t)

	kernel_read_system_state($1_t)

	selinux_get_fs_mount($1_t)

	auth_use_nsswitch($1_t)

	logging_send_syslog_msg($1_t)

	# window manager
	miscfiles_setattr_fonts_cache_dirs($1_t)
	# setuid capability on the outer sandbox domain; keep in mind when
	# reviewing what the domain can reach
	allow $1_t self:capability setuid;

	type $1_client_t, sandbox_x_domain;
	application_type($1_client_t)
	kernel_read_system_state($1_client_t)
	# NOTE(review): this is the second mcs_constrained call on the outer
	# type; given its placement it was presumably meant for the client
	# type, which otherwise gets no MCS constraint here.
	mcs_constrained($1_t)

	type $1_client_tmpfs_t, sandbox_tmpfs_type;
	files_tmpfs_file($1_client_tmpfs_t)
	manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
	manage_files_pattern($1_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
	fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
	fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file )

	# Pulseaudio tmpfs files with different MCS labels
	dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
	dontaudit $1_t $1_client_tmpfs_t:file { read write map };
	allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
	allow $1_client_t $1_client_tmpfs_t:file { map };

	# the outer domain starts the nested X server and the client
	domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
	allow $1_t sandbox_xserver_t:process signal_perms;

	domtrans_pattern($1_t, sandbox_exec_t, $1_client_t)
	domain_entry_file($1_client_t, sandbox_exec_t)

	allow $1_client_t $1_t:shm { unix_read unix_write };
	ps_process_pattern(sandbox_xserver_t, $1_client_t)
	ps_process_pattern(sandbox_xserver_t, $1_t)
	allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
	allow sandbox_xserver_t $1_t:shm rw_shm_perms;

	allow $1_client_t $1_t:unix_stream_socket connectto;
	allow $1_t $1_client_t:unix_stream_socket connectto;

	#optional_policy(`
	#	unconfined_typebounds($1_t)
	#	unconfined_typebounds($1_client_t)
	#')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_x_domain_template'($*)) dnl
')

########################################
## <summary>
##	Allow domain to read and
##	write sandbox_xserver tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
define(`sandbox_rw_xserver_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_rw_xserver_tmpfs_files'($*)) dnl
gen_require(`
	type sandbox_xserver_tmpfs_t;
')

	allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_rw_xserver_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Allow domain to read
##	sandbox tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
define(`sandbox_read_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_read_tmpfs_files'($*)) dnl
gen_require(`
	attribute sandbox_tmpfs_type;
')

	# covers every type carrying the sandbox_tmpfs_type attribute
	allow $1 sandbox_tmpfs_type:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_read_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Allow domain to manage
##	sandbox tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
define(`sandbox_manage_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_manage_tmpfs_files'($*)) dnl
gen_require(`
	attribute sandbox_tmpfs_type;
')

	allow $1 sandbox_tmpfs_type:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_manage_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Delete sandbox files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
define(`sandbox_delete_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_delete_files'($*)) dnl
gen_require(`
	type sandbox_file_t;
')

	delete_files_pattern($1, sandbox_file_t, sandbox_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_delete_files'($*)) dnl
')

########################################
## <summary>
##	Manage sandbox content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
define(`sandbox_manage_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_manage_content'($*)) dnl
gen_require(`
	type sandbox_file_t;
')

	allow $1 sandbox_file_t:filesystem getattr;
	# trailing semicolons after the pattern macros, as in sandbox_x_transition
	manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
	manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
	manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
	manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
	manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_manage_content'($*)) dnl
')

########################################
## <summary>
##	Delete sandbox symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
define(`sandbox_delete_lnk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_delete_lnk_files'($*)) dnl
gen_require(`
	type sandbox_file_t;
')

	delete_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_delete_lnk_files'($*)) dnl
')

########################################
## <summary>
##	Delete sandbox fifo files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
define(`sandbox_delete_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_delete_pipes'($*)) dnl
gen_require(`
	type sandbox_file_t;
')

	delete_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_delete_pipes'($*)) dnl
')

########################################
## <summary>
##	Delete sandbox sock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
define(`sandbox_delete_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_delete_sock_files'($*)) dnl
gen_require(`
	type sandbox_file_t;
')

	delete_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_delete_sock_files'($*)) dnl
')

########################################
## <summary>
##	Allow domain to set the attributes
##	of the sandbox directory.
## ## ## ## Domain allowed access ## ## # define(`sandbox_setattr_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `sandbox_setattr_dirs'($*)) dnl gen_require(` type sandbox_file_t; ') allow $1 sandbox_file_t:dir setattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `sandbox_setattr_dirs'($*)) dnl ') ######################################## ## ## Delete sandbox directories ## ## ## ## Domain allowed access ## ## # define(`sandbox_delete_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `sandbox_delete_dirs'($*)) dnl gen_require(` type sandbox_file_t; ') delete_dirs_pattern($1, sandbox_file_t, sandbox_file_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `sandbox_delete_dirs'($*)) dnl ') ######################################## ## ## allow domain to list sandbox dirs ## ## ## ## Domain allowed access ## ## # define(`sandbox_list',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `sandbox_list'($*)) dnl gen_require(` type sandbox_file_t; ') allow $1 sandbox_file_t:dir list_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `sandbox_list'($*)) dnl ') ######################################## ## ## Read and write a sandbox domain pty. ## ## ## ## Domain allowed access. ## ## # define(`sandbox_use_ptys',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `sandbox_use_ptys'($*)) dnl gen_require(` type sandbox_devpts_t; ') allow $1 sandbox_devpts_t:chr_file rw_inherited_term_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `sandbox_use_ptys'($*)) dnl ') ####################################### ## ## Allow domain to execute sandbox_file_t in the caller domain. ## ## ## ## Domain allowed access. 
##	</summary>
## </param>
#
define(`sandbox_exec_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_exec_file'($*)) dnl
	gen_require(`
		type sandbox_file_t;
	')

	can_exec($1, sandbox_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_exec_file'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to mount on
##	sandbox directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`sandbox_dontaudit_mounton',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sandbox_dontaudit_mounton'($*)) dnl
	gen_require(`
		type sandbox_file_t;
	')

	dontaudit $1 sandbox_file_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sandbox_dontaudit_mounton'($*)) dnl
')

## <summary>Sanlock - lock manager built on shared storage.</summary>

########################################
## <summary>
##	Execute a domain transition to run sanlock.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sanlock_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_domtrans'($*)) dnl
	gen_require(`
		type sanlock_t, sanlock_exec_t;
	')

	domtrans_pattern($1, sanlock_exec_t, sanlock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute the sanlock init script in the init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
define(`sanlock_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_initrc_domtrans'($*)) dnl
	gen_require(`
		type sanlock_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, sanlock_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete sanlock PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sanlock_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_manage_pid_files'($*)) dnl
	gen_require(`
		type sanlock_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, sanlock_var_run_t, sanlock_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_manage_pid_files'($*)) dnl
')

########################################
## <summary>
##	Connect to sanlock over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sanlock_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_stream_connect'($*)) dnl
	gen_require(`
		type sanlock_t, sanlock_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Manage the sanlock service with systemctl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
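##	</summary>
## </param>
#
define(`sanlock_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_systemctl'($*)) dnl
	gen_require(`
		type sanlock_unit_file_t;
		type sanlock_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 sanlock_unit_file_t:file read_file_perms;
	allow $1 sanlock_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, sanlock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a sanlock environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`sanlock_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_admin'($*)) dnl
	gen_require(`
		type sanlock_t;
		type sanlock_initrc_exec_t;
		type sanlock_unit_file_t;
	')

	allow $1 sanlock_t:process signal_perms;
	ps_process_pattern($1, sanlock_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 sanlock_t:process ptrace;
	')

	sanlock_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 sanlock_initrc_exec_t system_r;
	allow $2 system_r;

	# The sanlock admin manages the sanlock unit. This previously called
	# virt_systemctl, which handed the sanlock admin control over the virt
	# units instead -- unrelated privilege and no control over sanlock.
	sanlock_systemctl($1)
	admin_pattern($1, sanlock_unit_file_t)
	allow $1 sanlock_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_admin'($*)) dnl
')

########################################
## <summary>
##	Execute sanlk_resetd_exec_t in the sanlk_resetd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.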
##	</summary>
## </param>
#
define(`sanlock_domtrans_sanlk_resetd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_domtrans_sanlk_resetd'($*)) dnl
	gen_require(`
		type sanlk_resetd_t, sanlk_resetd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, sanlk_resetd_exec_t, sanlk_resetd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_domtrans_sanlk_resetd'($*)) dnl
')

########################################
## <summary>
##	Execute sanlk_resetd in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sanlock_exec_sanlk_resetd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_exec_sanlk_resetd'($*)) dnl
	gen_require(`
		type sanlk_resetd_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, sanlk_resetd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_exec_sanlk_resetd'($*)) dnl
')

########################################
## <summary>
##	Manage the sanlk_resetd service with systemctl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`sanlock_systemctl_sanlk_resetd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_systemctl_sanlk_resetd'($*)) dnl
	gen_require(`
		type sanlk_resetd_t;
		type sanlk_resetd_unit_file_t;
	')

	systemd_exec_systemctl($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 sanlk_resetd_unit_file_t:file read_file_perms;
	allow $1 sanlk_resetd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, sanlk_resetd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_systemctl_sanlk_resetd'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a sanlk_resetd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
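##	</summary>
## </param>
#
define(`sanlock_admin_sanlk_resetd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_admin_sanlk_resetd'($*)) dnl
	gen_require(`
		type sanlk_resetd_t;
		type sanlk_resetd_unit_file_t;
	')

	allow $1 sanlk_resetd_t:process { signal_perms };
	ps_process_pattern($1, sanlk_resetd_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 sanlk_resetd_t:process ptrace;
	')

	files_search_pids($1)

	sanlock_systemctl_sanlk_resetd($1)
	admin_pattern($1, sanlk_resetd_unit_file_t)
	allow $1 sanlk_resetd_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_admin_sanlk_resetd'($*)) dnl
')

########################################
## <summary>
##	Read sanlock process state files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sanlock_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sanlock_read_state'($*)) dnl
	gen_require(`
		type sanlock_t;
	')

	ps_process_pattern($1, sanlock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sanlock_read_state'($*)) dnl
')

## <summary>SASL authentication server</summary>

########################################
## <summary>
##	Connect to SASL.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sasl_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sasl_connect'($*)) dnl
	gen_require(`
		type saslauthd_t, saslauthd_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, saslauthd_var_run_t, saslauthd_var_run_t, saslauthd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sasl_connect'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a sasl environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.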
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`sasl_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sasl_admin'($*)) dnl
	gen_require(`
		type saslauthd_t, saslauthd_var_run_t, saslauthd_initrc_exec_t;
		type saslauthd_keytab_t;
	')

	allow $1 saslauthd_t:process signal_perms;
	ps_process_pattern($1, saslauthd_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 saslauthd_t:process ptrace;
	')

	init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 saslauthd_initrc_exec_t system_r;
	allow $2 system_r;

	# The keytab holds credentials: admin_pattern grants full manage and
	# relabel rights on it, so keep this interface for real admin roles.
	files_list_etc($1)
	admin_pattern($1, saslauthd_keytab_t)

	files_list_pids($1)
	admin_pattern($1, saslauthd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sasl_admin'($*)) dnl
')

## <summary>policy for sbd</summary>

########################################
## <summary>
##	Execute sbd_exec_t in the sbd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`sbd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sbd_domtrans'($*)) dnl
	gen_require(`
		type sbd_t, sbd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, sbd_exec_t, sbd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sbd_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute sbd in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sbd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sbd_exec'($*)) dnl
	gen_require(`
		type sbd_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, sbd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sbd_exec'($*)) dnl
')

########################################
## <summary>
##	Read sbd PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sbd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sbd_read_pid_files'($*)) dnl
	gen_require(`
		type sbd_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, sbd_var_run_t, sbd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sbd_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Manage the sbd service with systemctl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`sbd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sbd_systemctl'($*)) dnl
	gen_require(`
		type sbd_t;
		type sbd_unit_file_t;
	')

	systemd_exec_systemctl($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 sbd_unit_file_t:file read_file_perms;
	allow $1 sbd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, sbd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sbd_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	an sbd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`sbd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sbd_admin'($*)) dnl
	gen_require(`
		type sbd_t;
		type sbd_var_run_t;
		type sbd_unit_file_t;
	')

	# NOTE(review): the role parameter ($2) is documented but never used in
	# this body -- there is no role_transition or role allow for it.
	allow $1 sbd_t:process { signal_perms };
	ps_process_pattern($1, sbd_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 sbd_t:process ptrace;
	')

	files_search_pids($1)
	admin_pattern($1, sbd_var_run_t)

	sbd_systemctl($1)
	admin_pattern($1, sbd_unit_file_t)
	allow $1 sbd_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sbd_admin'($*)) dnl
')

## <summary>Standards Based Linux Instrumentation for Manageability.</summary>
########################################
## <summary>
##	Creates types and rules for a basic
##	sblim daemon domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
define(`sblim_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sblim_domain_template'($*)) dnl
	gen_require(`
		attribute sblim_domain;
	')

	type sblim_$1_t, sblim_domain;
	type sblim_$1_exec_t;
	init_daemon_domain(sblim_$1_t, sblim_$1_exec_t)

	kernel_read_system_state(sblim_$1_t)

	corenet_all_recvfrom_unlabeled(sblim_$1_t)
	corenet_all_recvfrom_netlabel(sblim_$1_t)

	logging_send_syslog_msg(sblim_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sblim_domain_template'($*)) dnl
')

########################################
## <summary>
##	Transition to gatherd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`sblim_domtrans_gatherd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sblim_domtrans_gatherd'($*)) dnl
	gen_require(`
		type sblim_gatherd_t, sblim_gatherd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, sblim_gatherd_exec_t, sblim_gatherd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sblim_domtrans_gatherd'($*)) dnl
')

########################################
## <summary>
##	Read gatherd PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sblim_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sblim_read_pid_files'($*)) dnl
	gen_require(`
		type sblim_var_run_t;
	')

	files_search_pids($1)
	allow $1 sblim_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sblim_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Transition to sblim named content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sblim_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sblim_filetrans_named_content'($*)) dnl
	gen_require(`
		type sblim_var_run_t;
	')

	files_pid_filetrans($1, sblim_var_run_t, dir, "gather")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sblim_filetrans_named_content'($*)) dnl
')

########################################
## <summary>
##	Connect to sblim_sfcb over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sblim_stream_connect_sfcbd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sblim_stream_connect_sfcbd'($*)) dnl
	gen_require(`
		type sblim_sfcb_t, sblim_var_lib_t;
		type sblim_tmp_t;
	')

	# NOTE(review): the sockets searched here live under sblim_var_lib_t,
	# so files_search_var_lib looks like the intended search helper rather
	# than files_search_pids -- confirm.
	files_search_pids($1)
	stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
	# NOTE(review): the last argument of stream_connect_pattern is the
	# listening process domain, but sblim_tmp_t is a file type, so the
	# connectto this expands to is unlikely to ever apply; presumably
	# sblim_sfcb_t was intended -- confirm before changing.
	stream_connect_pattern($1, sblim_var_lib_t, sblim_tmp_t, sblim_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sblim_stream_connect_sfcbd'($*)) dnl
')

########################################
## <summary>
##	Getattr on the sblim sfcbd executable.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sblim_getattr_exec_sfcbd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sblim_getattr_exec_sfcbd'($*)) dnl
	gen_require(`
		type sblim_sfcbd_exec_t;
	')

	allow $1 sblim_sfcbd_exec_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sblim_getattr_exec_sfcbd'($*)) dnl
')

########################################
## <summary>
##	Connect to sblim_sfcb over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sblim_stream_connect_sfcb',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sblim_stream_connect_sfcb'($*)) dnl
	gen_require(`
		type sblim_sfcb_t, sblim_var_lib_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, sblim_var_lib_t, sblim_var_lib_t, sblim_sfcb_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sblim_stream_connect_sfcb'($*)) dnl
')

########################################
## <summary>
##	Allow read and write access to sblim semaphores.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sblim_rw_semaphores_sfcbd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sblim_rw_semaphores_sfcbd'($*)) dnl
	gen_require(`
		type sblim_sfcbd_t;
	')

	allow $1 sblim_sfcbd_t:sem rw_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sblim_rw_semaphores_sfcbd'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a gatherd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`sblim_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sblim_admin'($*)) dnl
	gen_require(`
		type sblim_gatherd_t;
		type sblim_reposd_t;
		type sblim_var_run_t;
	')

	allow $1 sblim_gatherd_t:process signal_perms;
	ps_process_pattern($1, sblim_gatherd_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 sblim_gatherd_t:process ptrace;
		allow $1 sblim_reposd_t:process ptrace;
	')

	allow $1 sblim_reposd_t:process signal_perms;
	ps_process_pattern($1, sblim_reposd_t)

	files_search_pids($1)
	admin_pattern($1, sblim_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sblim_admin'($*)) dnl
')

## <summary>GNU terminal multiplexer</summary>

########################################
## <summary>
##	The role template for the screen module.
## </summary>
## <param name="role_prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
#
define(`screen_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `screen_role_template'($*)) dnl
	gen_require(`
		type screen_exec_t, screen_tmp_t;
		type screen_home_t, screen_var_run_t;
		attribute screen_domain;
	')

	########################################
	#
	# Declarations
	#

	# NOTE(review): screen_tmp_t is required above but not referenced in
	# this template.
	type $1_screen_t, screen_domain;
	application_domain($1_screen_t, screen_exec_t)
	domain_interactive_fd($1_screen_t)
	ubac_constrained($1_screen_t)
	role $2 types $1_screen_t;

	tunable_policy(`deny_ptrace',`',`
		allow $3 $1_screen_t:process ptrace;
	')

	userdom_list_user_home_dirs($1_screen_t)
	userdom_home_reader($1_screen_t)

	# User domain starts screen; the two may signal each other.
	domtrans_pattern($3, screen_exec_t, $1_screen_t)
	allow $3 $1_screen_t:process { signal sigchld };
	dontaudit $3 $1_screen_t:unix_stream_socket { ioctl read write };
	allow $1_screen_t $3:unix_stream_socket { connectto };
	allow $1_screen_t $3:process signal;
	# NOTE(review): this grants the user domain itself entrypoint via
	# screen_exec_t, not the screen domain -- confirm it is intended.
	allow $3 screen_exec_t:file entrypoint;
	ps_process_pattern($1_screen_t, $3)

	# Screen home content (.screen, .screenrc, .tmux.conf) is managed by the
	# user domain and labelled on creation by both domains.
	manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
	manage_dirs_pattern($3, screen_home_t, screen_home_t)
	manage_files_pattern($3, screen_home_t, screen_home_t)
	manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
	manage_sock_files_pattern($3, screen_home_t, screen_home_t)
	relabel_dirs_pattern($3, screen_home_t, screen_home_t)
	relabel_files_pattern($3, screen_home_t, screen_home_t)
	relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
	relabel_sock_files_pattern($3, screen_home_t, screen_home_t)
	userdom_user_home_content_filetrans($1_screen_t, screen_home_t, dir, ".screen")
	userdom_user_home_content_filetrans($1_screen_t, screen_home_t, file, ".screenrc")
	userdom_user_home_content_filetrans($1_screen_t, screen_home_t, file, ".tmux.conf")
	userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen")
	userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
	userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")

	manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
	manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
	manage_sock_files_pattern($3, screen_var_run_t, screen_var_run_t)

	kernel_read_system_state($1_screen_t)

	# Revert to the user domain when a shell is executed.
	corecmd_shell_domtrans($1_screen_t, $3)
	corecmd_bin_domtrans($1_screen_t, $3)

	auth_domtrans_chk_passwd($1_screen_t)
	auth_domtrans_utempter($1_screen_t)
	auth_use_nsswitch($1_screen_t)

	logging_send_syslog_msg($1_screen_t)

	userdom_user_home_domtrans($1_screen_t, $3)
	userdom_manage_tmp_role($2, $1_screen_t)

	tunable_policy(`use_samba_home_dirs',`
		fs_cifs_domtrans($1_screen_t, $3)
	')

	tunable_policy(`use_nfs_home_dirs',`
		fs_nfs_domtrans($1_screen_t, $3)
	')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `screen_role_template'($*)) dnl
')

########################################
## <summary>
##	Execute the screen program
##	in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`screen_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `screen_exec'($*)) dnl
	gen_require(`
		type screen_exec_t;
	')

	can_exec($1, screen_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `screen_exec'($*)) dnl
')

########################################
## <summary>
##	Send a SIGCHLD signal to the screen domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`screen_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `screen_sigchld'($*)) dnl
	gen_require(`
		attribute screen_domain;
	')

	allow $1 screen_domain:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `screen_sigchld'($*)) dnl
')

## <summary>Sectool security audit tool</summary>

## <summary>Policy for sendmail.</summary>

########################################
## <summary>
##	Sendmail stub interface.
##	No access allowed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sendmail_stub',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_stub'($*)) dnl
	gen_require(`
		type sendmail_t;
	')

	# Intentionally empty: only pulls sendmail_t into the requiring module.
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_stub'($*)) dnl
')

########################################
## <summary>
##	Allow attempts to read and write to
##	sendmail unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sendmail_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_rw_pipes'($*)) dnl
	gen_require(`
		type sendmail_t;
	')

	allow $1 sendmail_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_rw_pipes'($*)) dnl
')

########################################
## <summary>
##	Domain transition to sendmail.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`sendmail_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_domtrans'($*)) dnl
	gen_require(`
		type sendmail_t;
	')

	mta_sendmail_domtrans($1, sendmail_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute the sendmail init script in the init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sendmail_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_initrc_domtrans'($*)) dnl
	gen_require(`
		type sendmail_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute the sendmail program in the sendmail domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the sendmail domain.
##	</summary>
## </param>
## <rolecap/>
#
define(`sendmail_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_run'($*)) dnl
	gen_require(`
		attribute_role sendmail_roles;
	')

	sendmail_domtrans($1)
	roleattribute $2 sendmail_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_run'($*)) dnl
')

########################################
## <summary>
##	Send generic signals to sendmail.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sendmail_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_signal'($*)) dnl
	gen_require(`
		type sendmail_t;
	')

	allow $1 sendmail_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_signal'($*)) dnl
')

########################################
## <summary>
##	Execute sendmail in the sendmail_unconfined domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`sendmail_domtrans_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_domtrans_unconfined'($*)) dnl
	gen_require(`
		type unconfined_sendmail_t, sendmail_exec_t;
	')

	# The target is the unconfined sendmail domain: callers of this interface
	# effectively hand the caller a path into unconfined execution.
	corecmd_search_bin($1)
	domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_domtrans_unconfined'($*)) dnl
')

########################################
## <summary>
##	Execute sendmail in the unconfined
##	sendmail domain, and allow the
##	specified role the unconfined
##	sendmail domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`sendmail_run_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_run_unconfined'($*)) dnl
	gen_require(`
		attribute_role sendmail_unconfined_roles;
	')

	sendmail_domtrans_unconfined($1)
	roleattribute $2 sendmail_unconfined_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_run_unconfined'($*)) dnl
')

########################################
## <summary>
##	Read and write sendmail TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sendmail_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_rw_tcp_sockets'($*)) dnl
	gen_require(`
		type sendmail_t;
	')

	allow $1 sendmail_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_rw_tcp_sockets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	sendmail TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`sendmail_dontaudit_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_dontaudit_rw_tcp_sockets'($*)) dnl
	gen_require(`
		type sendmail_t;
	')

	dontaudit $1 sendmail_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_dontaudit_rw_tcp_sockets'($*)) dnl
')

########################################
## <summary>
##	Read and write sendmail unix_stream_sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sendmail_rw_unix_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_rw_unix_stream_sockets'($*)) dnl
	gen_require(`
		type sendmail_t;
	')

	allow $1 sendmail_t:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_rw_unix_stream_sockets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write sendmail unix_stream_sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`sendmail_dontaudit_rw_unix_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_dontaudit_rw_unix_stream_sockets'($*)) dnl
	gen_require(`
		type sendmail_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 sendmail_t:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_dontaudit_rw_unix_stream_sockets'($*)) dnl
')

########################################
## <summary>
##	Read sendmail logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`sendmail_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_read_log'($*)) dnl
	gen_require(`
		type sendmail_log_t;
	')

	# Search on the generic log directory is needed to reach the files.
	logging_search_logs($1)
	read_files_pattern($1, sendmail_log_t, sendmail_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_read_log'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete sendmail logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`sendmail_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_manage_log'($*)) dnl
	gen_require(`
		type sendmail_log_t;
	')

	# Full manage access (including unlink) on sendmail log files.
	logging_search_logs($1)
	manage_files_pattern($1, sendmail_log_t, sendmail_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_manage_log'($*)) dnl
')

########################################
## <summary>
##	Create sendmail logs with the correct type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sendmail_create_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_create_log'($*)) dnl
	# Deprecated: emits a build-time warning and adds no rules.
	refpolicywarn(`$0($*) has been deprecated, use sendmail_log_filetrans_sendmail_log() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_create_log'($*)) dnl
')

########################################
## <summary>
##	Create specified objects in generic log directories
##	with the sendmail log file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Class of the object being created.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`sendmail_log_filetrans_sendmail_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_log_filetrans_sendmail_log'($*)) dnl
	gen_require(`
		type sendmail_log_t;
	')

	# Delegates to the logging module: object class and optional name
	# are passed through unchanged.
	logging_log_filetrans($1, sendmail_log_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_log_filetrans_sendmail_log'($*)) dnl
')

########################################
## <summary>
##	Manage sendmail tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sendmail_manage_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_manage_tmp_files'($*)) dnl
	gen_require(`
		type sendmail_tmp_t;
	')

	files_search_tmp($1)
	manage_files_pattern($1, sendmail_tmp_t, sendmail_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_manage_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of sendmail pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sendmail_setattr_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_setattr_pid_files'($*)) dnl
	gen_require(`
		type sendmail_var_run_t;
	')

	# setattr only (no read/write of the pid file contents).
	allow $1 sendmail_var_run_t:file setattr_file_perms;
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_setattr_pid_files'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a sendmail environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`sendmail_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sendmail_admin'($*)) dnl
	gen_require(`
		type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
		type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
		type sendmail_keytab_t;
		type mail_spool_t;
	')

	allow $1 sendmail_t:process signal_perms;
	ps_process_pattern($1, sendmail_t)

	# ptrace is only granted in the else-branch, i.e. when the
	# deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 sendmail_t:process ptrace;
	')

	# Init script transition and role transition into system_r.
	# NOTE(review): unlike shorewall_admin, slpd_admin, smartmon_admin and
	# smokeping_admin in this file, no "allow $2 system_r;" follows the
	# role_transition here -- confirm the caller already allows the role
	# into system_r, otherwise the transition cannot take effect.
	sendmail_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 sendmail_initrc_exec_t system_r;

	# Admin access to the keytab grants the domain control over the
	# Kerberos credentials sendmail uses; admin_pattern on mail_spool_t
	# covers the shared mail spool, not just sendmail-private content.
	files_list_etc($1)
	admin_pattern($1, sendmail_keytab_t)

	logging_list_logs($1)
	admin_pattern($1, sendmail_log_t)

	files_list_tmp($1)
	admin_pattern($1, sendmail_tmp_t)

	files_list_pids($1)
	admin_pattern($1, sendmail_var_run_t)

	files_list_spool($1)
	admin_pattern($1, mail_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sendmail_admin'($*)) dnl
')

## <summary>Sensor information logging daemon</summary>

########################################
## <summary>
##	Execute sensord in the sensord domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`sensord_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sensord_domtrans'($*)) dnl
	gen_require(`
		type sensord_t, sensord_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, sensord_exec_t, sensord_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sensord_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute sensord server in the sensord domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`sensord_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sensord_systemctl'($*)) dnl
	gen_require(`
		type sensord_t;
		type sensord_unit_file_t;
	')

	# Lets the caller run systemctl against the sensord unit: read the
	# unit file, manage the service, and inspect the sensord process.
	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 sensord_unit_file_t:file read_file_perms;
	allow $1 sensord_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, sensord_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sensord_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a sensord environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`sensord_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sensord_admin'($*)) dnl
	gen_require(`
		type sensord_t;
		type sensord_unit_file_t;
		type sensord_log_t;
		type sensord_var_run_t;
	')

	# NOTE(review): ptrace is granted unconditionally here, whereas the
	# other *_admin interfaces in this file (sendmail, setroubleshoot,
	# shorewall, smartmon, smokeping) gate it behind the deny_ptrace
	# tunable -- confirm this difference is intended.
	allow $1 sensord_t:process { ptrace signal_perms };
	ps_process_pattern($1, sensord_t)

	sensord_systemctl($1)
	admin_pattern($1, sensord_unit_file_t)
	# all_service_perms on the unit file is broader than the
	# manage_service_perms granted by sensord_systemctl().
	allow $1 sensord_unit_file_t:service all_service_perms;

	admin_pattern($1, sensord_log_t)

	admin_pattern($1, sensord_var_run_t)

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sensord_admin'($*)) dnl
')

## <summary>SELinux troubleshooting service</summary>

########################################
## <summary>
##	Connect to setroubleshootd over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`setroubleshoot_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setroubleshoot_stream_connect'($*)) dnl
	gen_require(`
		type setroubleshootd_t, setroubleshoot_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, setroubleshoot_var_run_t, setroubleshoot_var_run_t, setroubleshootd_t)
	# Explicit read on the socket file, in addition to what the
	# stream_connect_pattern grants.
	allow $1 setroubleshoot_var_run_t:sock_file read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setroubleshoot_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to connect to setroubleshootd
##	over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`setroubleshoot_dontaudit_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setroubleshoot_dontaudit_stream_connect'($*)) dnl
	gen_require(`
		type setroubleshootd_t, setroubleshoot_var_run_t;
	')

	# Silences both halves of a stream connect: the socket file access
	# and the connectto on the daemon socket. No access is granted.
	dontaudit $1 setroubleshoot_var_run_t:sock_file rw_sock_file_perms;
	dontaudit $1 setroubleshootd_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setroubleshoot_dontaudit_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Send null signals to setroubleshoot.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`setroubleshoot_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setroubleshoot_signull'($*)) dnl
	gen_require(`
		type setroubleshootd_t;
	')

	# signull only: existence check, cannot deliver a real signal.
	allow $1 setroubleshootd_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setroubleshoot_signull'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from setroubleshoot over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`setroubleshoot_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setroubleshoot_dbus_chat'($*)) dnl
	gen_require(`
		type setroubleshootd_t;
		class dbus send_msg;
	')

	# Bidirectional: the daemon may also message the caller.
	allow $1 setroubleshootd_t:dbus send_msg;
	allow setroubleshootd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setroubleshoot_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Do not audit send and receive messages from
##	setroubleshoot over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`setroubleshoot_dontaudit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setroubleshoot_dontaudit_dbus_chat'($*)) dnl
	gen_require(`
		type setroubleshootd_t;
		class dbus send_msg;
	')

	dontaudit $1 setroubleshootd_t:dbus send_msg;
	dontaudit setroubleshootd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setroubleshoot_dontaudit_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	setroubleshoot fixit over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`setroubleshoot_dbus_chat_fixit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setroubleshoot_dbus_chat_fixit'($*)) dnl
	gen_require(`
		type setroubleshoot_fixit_t;
		class dbus send_msg;
	')

	# Bidirectional, same shape as setroubleshoot_dbus_chat() but for
	# the fixit helper domain.
	allow $1 setroubleshoot_fixit_t:dbus send_msg;
	allow setroubleshoot_fixit_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setroubleshoot_dbus_chat_fixit'($*)) dnl
')

########################################
## <summary>
##	Do not audit read/write on leaked setroubleshoot fixit sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`setroubleshoot_fixit_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setroubleshoot_fixit_dontaudit_leaks'($*)) dnl
	gen_require(`
		type setroubleshoot_fixit_t;
	')

	# Covers inherited (leaked) dgram and stream sockets; no access granted.
	dontaudit $1 setroubleshoot_fixit_t:unix_dgram_socket { read write };
	dontaudit $1 setroubleshoot_fixit_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setroubleshoot_fixit_dontaudit_leaks'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a setroubleshoot environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`setroubleshoot_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setroubleshoot_admin'($*)) dnl
	gen_require(`
		type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t;
		type setroubleshoot_var_lib_t;
	')

	allow $1 setroubleshootd_t:process signal_perms;
	ps_process_pattern($1, setroubleshootd_t)

	# ptrace only when the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 setroubleshootd_t:process ptrace;
	')

	# No init script / role_transition rules here, unlike the other
	# *_admin interfaces in this file.
	logging_list_logs($1)
	admin_pattern($1, setroubleshoot_var_log_t)

	files_list_var_lib($1)
	admin_pattern($1, setroubleshoot_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, setroubleshoot_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setroubleshoot_admin'($*)) dnl
')

## <summary>Policy for gridengine MPI jobs</summary>

########################################
## <summary>
##	Creates types and rules for a basic sge domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
define(`sge_basic_types_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sge_basic_types_template'($*)) dnl
	gen_require(`
		attribute sge_domain;
	')

	# Declares <prefix>_t (a member of sge_domain) and its entrypoint type.
	type $1_t, sge_domain;
	type $1_exec_t;

	kernel_read_system_state($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sge_basic_types_template'($*)) dnl
')

########################################
## <summary>
##	Read and write sge_shepherd and sge_job_ssh tcp sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sge_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sge_rw_tcp_sockets'($*)) dnl
	gen_require(`
		type sge_shepherd_t;
		type sge_job_ssh_t;
	')

	# Despite the summary naming only sge_shepherd, both domains are covered.
	allow $1 sge_shepherd_t:tcp_socket rw_socket_perms;
	allow $1 sge_job_ssh_t:tcp_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sge_rw_tcp_sockets'($*)) dnl
')

## <summary>Shoreline Firewall high-level tool for configuring netfilter</summary>

########################################
## <summary>
##	Execute a domain transition to run shorewall.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`shorewall_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shorewall_domtrans'($*)) dnl
	gen_require(`
		type shorewall_t, shorewall_exec_t;
	')

	# No corecmd_search_bin() here, unlike most *_domtrans in this file.
	domtrans_pattern($1, shorewall_exec_t, shorewall_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shorewall_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run shorewall
##	from its /var/lib content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`shorewall_lib_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shorewall_lib_domtrans'($*)) dnl
	gen_require(`
		type shorewall_t, shorewall_var_lib_t;
	')

	# Entrypoint is the /var/lib type rather than shorewall_exec_t, so
	# anything that can write shorewall_var_lib_t controls what runs as
	# shorewall_t through this transition.
	domtrans_pattern($1, shorewall_var_lib_t, shorewall_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shorewall_lib_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read shorewall etc configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`shorewall_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shorewall_read_config'($*)) dnl
	gen_require(`
		type shorewall_etc_t;
	')

	files_search_etc($1)
	read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shorewall_read_config'($*)) dnl
')

########################################
## <summary>
##	Read shorewall /var/lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`shorewall_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shorewall_read_lib_files'($*)) dnl
	gen_require(`
		type shorewall_var_lib_t;
	')

	files_search_var_lib($1)
	search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
	read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shorewall_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Read and write shorewall /var/lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`shorewall_rw_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shorewall_rw_lib_files'($*)) dnl
	gen_require(`
		type shorewall_var_lib_t;
	')

	# Write access here matters: shorewall_lib_domtrans() uses
	# shorewall_var_lib_t as a domain entrypoint.
	files_search_var_lib($1)
	search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
	rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shorewall_rw_lib_files'($*)) dnl
')

########################################
## <summary>
##	Read shorewall tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`shorewall_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shorewall_read_tmp_files'($*)) dnl
	gen_require(`
		type shorewall_tmp_t;
	')

	files_search_tmp($1)
	read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shorewall_read_tmp_files'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a shorewall environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the shorewall domain.
##	</summary>
## </param>
## <rolecap/>
#
define(`shorewall_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shorewall_admin'($*)) dnl
	gen_require(`
		type shorewall_t, shorewall_lock_t;
		type shorewall_log_t;
		type shorewall_initrc_exec_t, shorewall_var_lib_t;
		type shorewall_tmp_t, shorewall_etc_t;
	')

	allow $1 shorewall_t:process signal_perms;
	ps_process_pattern($1, shorewall_t)

	# ptrace only when the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 shorewall_t:process ptrace;
	')

	# Init script transition; the role is allowed into system_r so the
	# role_transition can take effect.
	init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 shorewall_initrc_exec_t system_r;
	allow $2 system_r;

	# Admin access to shorewall config and to the /var/lib content that
	# shorewall_lib_domtrans() uses as an entrypoint.
	files_list_etc($1)
	admin_pattern($1, shorewall_etc_t)

	files_list_locks($1)
	admin_pattern($1, shorewall_lock_t)

	logging_list_logs($1)
	admin_pattern($1, shorewall_log_t)

	files_list_var_lib($1)
	admin_pattern($1, shorewall_var_lib_t)

	files_list_tmp($1)
	admin_pattern($1, shorewall_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shorewall_admin'($*)) dnl
')

## <summary>System shutdown command</summary>

########################################
## <summary>
##	Execute a domain transition to run shutdown.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`shutdown_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shutdown_domtrans'($*)) dnl
	gen_require(`
		type shutdown_t, shutdown_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, shutdown_exec_t, shutdown_t)

	# Beyond the transition itself, the caller is allowed to request
	# reboot and halt via init (and, when systemd policy is present,
	# via logind and systemctl). Grant this to interactive/user domains
	# only where a shutdown capability is really intended.
	init_reboot($1)
	init_halt($1)

	optional_policy(`
		systemd_exec_systemctl($1)
		init_reload_services($1)
		init_stream_connect($1)
		systemd_login_reboot($1)
		systemd_login_halt($1)
	')

	# Build-time switch: hide denials on inherited pipes from the caller.
	ifdef(`hide_broken_symptoms', `
		dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shutdown_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute shutdown in the shutdown domain, and
##	allow the specified role the shutdown domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`shutdown_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shutdown_run'($*)) dnl
	gen_require(`
		type shutdown_t;
		attribute_role shutdown_roles;
	')

	# Inherits everything shutdown_domtrans() grants, including reboot/halt.
	shutdown_domtrans($1)
	roleattribute $2 shutdown_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shutdown_run'($*)) dnl
')

########################################
## <summary>
##	Role access for shutdown.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
define(`shutdown_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shutdown_role'($*)) dnl
	gen_require(`
		type shutdown_t;
	')

	# Parameter order is (role, domain); shutdown_run() takes (domain, role).
	shutdown_run($2, $1)

	# NOTE(review): ptrace on shutdown_t is granted unconditionally to the
	# user domain, not gated behind the deny_ptrace tunable as the *_admin
	# interfaces in this file do -- confirm intent.
	allow $2 shutdown_t:process { ptrace signal_perms };
	ps_process_pattern($2, shutdown_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shutdown_role'($*)) dnl
')

########################################
## <summary>
##	Receive sigchld from shutdown.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`shutdown_send_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shutdown_send_sigchld'($*)) dnl
	gen_require(`
		type shutdown_t;
	')

	# NOTE(review): the summary says sigchld, but the rule grants the
	# broader process:signal permission from shutdown_t to the caller
	# -- confirm whether sigchld alone was intended.
	allow shutdown_t $1:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shutdown_send_sigchld'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from shutdown over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`shutdown_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shutdown_dbus_chat'($*)) dnl
	gen_require(`
		type shutdown_t;
		class dbus send_msg;
	')

	# Bidirectional dbus messaging.
	allow $1 shutdown_t:dbus send_msg;
	allow shutdown_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shutdown_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Get attributes of shutdown executable.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`shutdown_getattr_exec_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `shutdown_getattr_exec_files'($*)) dnl
	gen_require(`
		type shutdown_exec_t;
	')

	# getattr only; no execute.
	corecmd_search_bin($1)
	allow $1 shutdown_exec_t:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `shutdown_getattr_exec_files'($*)) dnl
')

## <summary>Update database for mlocate.</summary>

########################################
## <summary>
##	Create the locate log with append mode.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`slocate_create_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `slocate_create_append_log'($*)) dnl
	# Deprecated: emits a build-time warning and adds no rules.
	refpolicywarn(`$0($*) has been deprecated')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `slocate_create_append_log'($*)) dnl
')

########################################
## <summary>
##	Read locate lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`locate_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locate_read_lib_files'($*)) dnl
	gen_require(`
		type locate_var_lib_t;
	')

	# Read the locate database plus listing of its directory.
	files_search_var_lib($1)
	read_files_pattern($1, locate_var_lib_t, locate_var_lib_t)
	allow $1 locate_var_lib_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locate_read_lib_files'($*)) dnl
')

## <summary>OpenSLP server daemon to dynamically register services.</summary>

########################################
## <summary>
##	Transition to slpd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`slpd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `slpd_domtrans'($*)) dnl
	gen_require(`
		type slpd_t, slpd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, slpd_exec_t, slpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `slpd_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute slpd server in the slpd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`slpd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `slpd_initrc_domtrans'($*)) dnl
	gen_require(`
		type slpd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, slpd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `slpd_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an slpd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`slpd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `slpd_admin'($*)) dnl
	gen_require(`
		type slpd_t, slpd_initrc_exec_t, slpd_log_t;
		type slpd_var_run_t;
	')

	# NOTE(review): ptrace is granted unconditionally here, whereas most
	# other *_admin interfaces in this file gate it behind the deny_ptrace
	# tunable -- confirm intent.
	allow $1 slpd_t:process { ptrace signal_perms };
	ps_process_pattern($1, slpd_t)

	# Init script transition; the role is allowed into system_r so the
	# role_transition can take effect.
	slpd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 slpd_initrc_exec_t system_r;
	allow $2 system_r;

	logging_search_logs($1)
	admin_pattern($1, slpd_log_t)

	files_search_pids($1)
	admin_pattern($1, slpd_var_run_t)

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `slpd_admin'($*)) dnl
')

## <summary>Service for downloading news feeds for the slrn newsreader.</summary>

########################################
## <summary>
##	Search slrnpull spool directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`slrnpull_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `slrnpull_search_spool'($*)) dnl
	gen_require(`
		type slrnpull_spool_t;
	')

	files_search_spool($1)
	allow $1 slrnpull_spool_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `slrnpull_search_spool'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	slrnpull spool content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`slrnpull_manage_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `slrnpull_manage_spool'($*)) dnl
	gen_require(`
		type slrnpull_spool_t;
	')

	# Dirs, files and symlinks under the spool are all manageable.
	files_search_spool($1)
	manage_dirs_pattern($1, slrnpull_spool_t, slrnpull_spool_t)
	manage_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t)
	manage_lnk_files_pattern($1, slrnpull_spool_t, slrnpull_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `slrnpull_manage_spool'($*)) dnl
')

## <summary>Smart disk monitoring daemon.</summary>

########################################
## <summary>
##	Read smartmon temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`smartmon_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smartmon_read_tmp_files'($*)) dnl
	gen_require(`
		type fsdaemon_tmp_t;
	')

	# The smartmon interfaces operate on the fsdaemon_* types.
	files_search_tmp($1)
	allow $1 fsdaemon_tmp_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smartmon_read_tmp_files'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a smartmon environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`smartmon_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smartmon_admin'($*)) dnl
	gen_require(`
		type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t;
		type fsdaemon_var_lib_t, fsdaemon_initrc_exec_t;
	')

	# The smartmon module uses the fsdaemon_* types throughout.
	allow $1 fsdaemon_t:process signal_perms;
	ps_process_pattern($1, fsdaemon_t)

	# ptrace only when the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 fsdaemon_t:process ptrace;
	')

	# Init script transition; the role is allowed into system_r so the
	# role_transition can take effect.
	init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 fsdaemon_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_tmp($1)
	admin_pattern($1, fsdaemon_tmp_t)

	files_list_pids($1)
	admin_pattern($1, fsdaemon_var_run_t)

	files_list_var_lib($1)
	admin_pattern($1, fsdaemon_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smartmon_admin'($*)) dnl
')

## <summary>Smokeping network latency measurement.</summary>

########################################
## <summary>
##	Execute a domain transition to run smokeping.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`smokeping_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smokeping_domtrans'($*)) dnl
	gen_require(`
		type smokeping_t, smokeping_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, smokeping_exec_t, smokeping_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smokeping_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute smokeping init scripts in
##	the initrc domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`smokeping_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smokeping_initrc_domtrans'($*)) dnl
	gen_require(`
		type smokeping_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, smokeping_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smokeping_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read smokeping pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`smokeping_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smokeping_read_pid_files'($*)) dnl
	gen_require(`
		type smokeping_var_run_t;
	')

	files_search_pids($1)
	allow $1 smokeping_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smokeping_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	smokeping pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`smokeping_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smokeping_manage_pid_files'($*)) dnl
	gen_require(`
		type smokeping_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, smokeping_var_run_t, smokeping_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smokeping_manage_pid_files'($*)) dnl
')

########################################
## <summary>
##	Get attributes of smokeping lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`smokeping_getattr_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smokeping_getattr_lib_files'($*)) dnl
	gen_require(`
		type smokeping_var_lib_t;
	')

	files_search_var_lib($1)
	getattr_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smokeping_getattr_lib_files'($*)) dnl
')

########################################
## <summary>
##	Read smokeping lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`smokeping_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smokeping_read_lib_files'($*)) dnl
	gen_require(`
		type smokeping_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smokeping_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	smokeping lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`smokeping_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smokeping_manage_lib_files'($*)) dnl
	gen_require(`
		type smokeping_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smokeping_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a smokeping environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`smokeping_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smokeping_admin'($*)) dnl
	gen_require(`
		type smokeping_t, smokeping_initrc_exec_t, smokeping_var_lib_t;
		type smokeping_var_run_t;
	')

	allow $1 smokeping_t:process signal_perms;
	ps_process_pattern($1, smokeping_t)

dnl ptrace is gated on the deny_ptrace tunable here; smsd_admin and smstools_admin grant it unconditionally.
	tunable_policy(`deny_ptrace',`',`
		allow $1 smokeping_t:process ptrace;
	')

	smokeping_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 smokeping_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_var_lib($1)
	admin_pattern($1, smokeping_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, smokeping_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smokeping_admin'($*)) dnl
')

## <summary>The Fedora hardware profiler client.</summary>
# No interfaces for this module appear in this span; the next summary starts another module.

## <summary>The SMS Server Tools are made to send and receive short messages through GSM modems. It supports easy file interfaces and it can run external programs for automatic actions.</summary>

########################################
## <summary>
##	Execute smsd in the smsd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`smsd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_domtrans'($*)) dnl
	gen_require(`
		type smsd_t, smsd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, smsd_exec_t, smsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute smsd server in the smsd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`smsd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_initrc_domtrans'($*)) dnl
	gen_require(`
		type smsd_initrc_exec_t;
	')

dnl Transition happens through the labeled init script, not the daemon binary.
	init_labeled_script_domtrans($1, smsd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read smsd's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`smsd_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_read_log'($*)) dnl
	gen_require(`
		type smsd_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, smsd_log_t, smsd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_read_log'($*)) dnl
')

########################################
## <summary>
##	Append to smsd log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`smsd_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_append_log'($*)) dnl
	gen_require(`
		type smsd_log_t;
	')

	logging_search_logs($1)
	append_files_pattern($1, smsd_log_t, smsd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_append_log'($*)) dnl
')

########################################
## <summary>
##	Manage smsd log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`smsd_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_manage_log'($*)) dnl
	gen_require(`
		type smsd_log_t;
	')

dnl Covers directories, regular files and symlinks of the log type.
	logging_search_logs($1)
	manage_dirs_pattern($1, smsd_log_t, smsd_log_t)
	manage_files_pattern($1, smsd_log_t, smsd_log_t)
	manage_lnk_files_pattern($1, smsd_log_t, smsd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_manage_log'($*)) dnl
')

########################################
## <summary>
##	Read smsd PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`smsd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_read_pid_files'($*)) dnl
	gen_require(`
		type smsd_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, smsd_var_run_t, smsd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Search smsd spool directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`smsd_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_search_spool'($*)) dnl
	gen_require(`
		type smsd_spool_t;
	')

dnl Search only on the spool type itself plus the path down to the spool area.
	allow $1 smsd_spool_t:dir search_dir_perms;
	files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_search_spool'($*)) dnl
')

########################################
## <summary>
##	Read smsd spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`smsd_read_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_read_spool_files'($*)) dnl
	gen_require(`
		type smsd_spool_t;
	')

	files_search_spool($1)
	read_files_pattern($1, smsd_spool_t, smsd_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_read_spool_files'($*)) dnl
')

########################################
## <summary>
##	Manage smsd spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`smsd_manage_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_manage_spool_files'($*)) dnl
	gen_require(`
		type smsd_spool_t;
	')

	files_search_spool($1)
	manage_files_pattern($1, smsd_spool_t, smsd_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_manage_spool_files'($*)) dnl
')

########################################
## <summary>
##	Manage smsd spool dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`smsd_manage_spool_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_manage_spool_dirs'($*)) dnl
	gen_require(`
		type smsd_spool_t;
	')

	files_search_spool($1)
	manage_dirs_pattern($1, smsd_spool_t, smsd_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_manage_spool_dirs'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	an smsd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`smsd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_admin'($*)) dnl
	gen_require(`
		type smsd_t;
		type smsd_initrc_exec_t;
		type smsd_log_t;
		type smsd_var_run_t;
		type smsd_spool_t;
	')

dnl NOTE(review): ptrace on smsd_t is granted unconditionally here, whereas
dnl smokeping_admin, snmp_admin, snort_admin and soundserver_admin gate it on
dnl the deny_ptrace tunable.
	allow $1 smsd_t:process { ptrace signal_perms };
	ps_process_pattern($1, smsd_t)

dnl Reuses smsd_initrc_domtrans; smstools_admin calls init_labeled_script_domtrans directly.
	smsd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 smsd_initrc_exec_t system_r;
	allow $2 system_r;

	logging_search_logs($1)
	admin_pattern($1, smsd_log_t)

	files_search_pids($1)
	admin_pattern($1, smsd_var_run_t)

	files_search_spool($1)
	admin_pattern($1, smsd_spool_t)

dnl Only takes effect when the systemd module is present.
	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_admin'($*)) dnl
')

## <summary>Tools to send and receive short messages through GSM modems or mobile phones.</summary>

#######################################
## <summary>
##	Search smsd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`smsd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_search_lib'($*)) dnl
	gen_require(`
		type smsd_var_lib_t;
	')

	allow $1 smsd_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_search_lib'($*)) dnl
')

#######################################
## <summary>
##	Read smsd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`smsd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_read_lib_files'($*)) dnl
	gen_require(`
		type smsd_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, smsd_var_lib_t, smsd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_read_lib_files'($*)) dnl
')

#######################################
## <summary>
##	Manage smsd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`smsd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_manage_lib_files'($*)) dnl
	gen_require(`
		type smsd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, smsd_var_lib_t, smsd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_manage_lib_files'($*)) dnl
')

#######################################
## <summary>
##	Manage smsd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`smsd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smsd_manage_lib_dirs'($*)) dnl
	gen_require(`
		type smsd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, smsd_var_lib_t, smsd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smsd_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an smstools environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`smstools_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `smstools_admin'($*)) dnl
	gen_require(`
		type smsd_t, smsd_initrc_exec_t, smsd_conf_t;
		type smsd_log_t, smsd_var_lib_t, smsd_var_run_t;
		type smsd_spool_t;
	')

dnl NOTE(review): overlaps smsd_admin (same smsd_t, init script, log, pid and
dnl spool types) and additionally covers smsd_conf_t and smsd_var_lib_t.
dnl ptrace is unconditional here as well; the other admin interfaces in this
dnl file gate it on the deny_ptrace tunable.
	allow $1 smsd_t:process { ptrace signal_perms };
	ps_process_pattern($1, smsd_t)

	init_labeled_script_domtrans($1, smsd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 smsd_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, smsd_conf_t)

	files_search_var_lib($1)
	admin_pattern($1, smsd_var_lib_t)

	files_search_spool($1)
	admin_pattern($1, smsd_spool_t)

	files_search_pids($1)
	admin_pattern($1, smsd_var_run_t)

	logging_search_logs($1)
	admin_pattern($1, smsd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `smstools_admin'($*)) dnl
')

## <summary>policy for snapperd</summary>

########################################
## <summary>
##	Execute snapperd in the snapperd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`snapper_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snapper_domtrans'($*)) dnl
	gen_require(`
		type snapperd_t, snapperd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, snapperd_exec_t, snapperd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snapper_domtrans'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	snapperd over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`snapper_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snapper_dbus_chat'($*)) dnl
	gen_require(`
		type snapperd_t;
		class dbus send_msg;
	')

dnl Both directions: the caller may message snapperd and snapperd may message the caller.
	allow $1 snapperd_t:dbus send_msg;
	allow snapperd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snapper_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Allow a domain to read inherited snapper pipe.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`snapper_read_inherited_pipe',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snapper_read_inherited_pipe'($*)) dnl
	gen_require(`
		type snapperd_t;
	')

	allow $1 snapperd_t:fifo_file read_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snapper_read_inherited_pipe'($*)) dnl
')

########################################
## <summary>
##	Allow a domain to relabel snapshots to snapperd_data_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`snapper_relabel_snapshots',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snapper_relabel_snapshots'($*)) dnl
	gen_require(`
		type snapperd_data_t;
	')

dnl relabelfrom comes from kernel_relabelfrom_unlabeled_dirs; the relabelto target is limited to snapperd_data_t.
	kernel_relabelfrom_unlabeled_dirs($1)
	allow $1 snapperd_data_t:dir relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snapper_relabel_snapshots'($*)) dnl
')

#######################################
## <summary>
##	Allow domain to create .snapshots
##	directories labeled snapperd_data_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`snapper_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snapper_filetrans_named_content'($*)) dnl
	gen_require(`
		type snapperd_data_t;
	')

dnl Name-based transition: only a dir named exactly .snapshots gets the label.
	files_mountpoint_filetrans($1, snapperd_data_t, dir, ".snapshots")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snapper_filetrans_named_content'($*)) dnl
')

## <summary>Simple network management protocol services.</summary>

########################################
## <summary>
##	Send null signals to snmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`snmp_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_signull'($*)) dnl
	gen_require(`
		type snmpd_t;
	')

	allow $1 snmpd_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_signull'($*)) dnl
')

########################################
## <summary>
##	Connect to snmpd with a unix
##	domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`snmp_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_stream_connect'($*)) dnl
	gen_require(`
		type snmpd_t, snmpd_var_lib_t;
	')

dnl The socket lives under the snmpd var_lib type; the peer domain is snmpd_t.
	files_search_var_lib($1)
	stream_connect_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Connect to snmp over the TCP network.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`snmp_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_tcp_connect'($*)) dnl
	gen_require(`
		type snmpd_t;
	')

	corenet_tcp_recvfrom_labeled($1, snmpd_t)
	corenet_tcp_sendrecv_snmp_port($1)
	corenet_tcp_connect_snmp_port($1)
	corenet_sendrecv_snmp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_tcp_connect'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic to SNMP (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`snmp_udp_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_udp_chat'($*)) dnl
dnl Deprecated: only a build-time warning is emitted; no rules are generated.
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_udp_chat'($*)) dnl
')

########################################
## <summary>
##	Read snmpd lib content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`snmp_read_snmp_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_read_snmp_var_lib_files'($*)) dnl
	gen_require(`
		type snmpd_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 snmpd_var_lib_t:dir list_dir_perms;
	read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
	read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_read_snmp_var_lib_files'($*)) dnl
')

#######################################
## <summary>
##	List snmpd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`snmp_read_snmp_var_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_read_snmp_var_lib_dirs'($*)) dnl
	gen_require(`
		type snmpd_var_lib_t;
	')

dnl Directory listing only; file contents are not readable through this interface.
	files_search_var_lib($1)
	allow $1 snmpd_var_lib_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_read_snmp_var_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Manage snmpd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`snmp_manage_var_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_manage_var_lib_dirs'($*)) dnl
	gen_require(`
		type snmpd_var_lib_t;
	')

dnl NOTE(review): unlike the sibling snmpd lib interfaces there is no
dnl files_search_var_lib here; presumably the caller already has search on
dnl the parent directories - confirm.
	allow $1 snmpd_var_lib_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_manage_var_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Manage snmpd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`snmp_manage_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_manage_var_lib_files'($*)) dnl
	gen_require(`
		type snmpd_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 snmpd_var_lib_t:dir list_dir_perms;
	manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_manage_var_lib_files'($*)) dnl
')

########################################
## <summary>
##	Manage snmpd lib sock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`snmp_manage_var_lib_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_manage_var_lib_sock_files'($*)) dnl
	gen_require(`
		type snmpd_var_lib_t;
	')

dnl Socket files only; regular files are covered by snmp_manage_var_lib_files.
	files_search_var_lib($1)
	allow $1 snmpd_var_lib_t:dir list_dir_perms;
	manage_sock_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_manage_var_lib_sock_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to manage
##	snmpd lib content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`snmp_dontaudit_manage_snmp_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_dontaudit_manage_snmp_var_lib_files'($*)) dnl
	gen_require(`
		type snmpd_var_lib_t;
	')

dnl Suppresses denials only; no access is granted.
	dontaudit $1 snmpd_var_lib_t:dir manage_dir_perms;
	dontaudit $1 snmpd_var_lib_t:file manage_file_perms;
	dontaudit $1 snmpd_var_lib_t:lnk_file manage_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_dontaudit_manage_snmp_var_lib_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read
##	snmpd lib content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`snmp_dontaudit_read_snmp_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_dontaudit_read_snmp_var_lib_files'($*)) dnl
	gen_require(`
		type snmpd_var_lib_t;
	')

dnl Suppresses denials only; no access is granted.
	dontaudit $1 snmpd_var_lib_t:dir list_dir_perms;
	dontaudit $1 snmpd_var_lib_t:file read_file_perms;
	dontaudit $1 snmpd_var_lib_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_dontaudit_read_snmp_var_lib_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write
##	snmpd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`snmp_dontaudit_write_snmp_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_dontaudit_write_snmp_var_lib_files'($*)) dnl
	gen_require(`
		type snmpd_var_lib_t;
	')

	dontaudit $1 snmpd_var_lib_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_dontaudit_write_snmp_var_lib_files'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an snmp environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`snmp_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snmp_admin'($*)) dnl
	gen_require(`
		type snmpd_t, snmpd_log_t, snmpd_initrc_exec_t;
		type snmpd_var_lib_t, snmpd_var_run_t;
	')

	allow $1 snmpd_t:process signal_perms;
	ps_process_pattern($1, snmpd_t)

dnl ptrace is only granted when the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 snmpd_t:process ptrace;
	')

	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 snmpd_initrc_exec_t system_r;
	allow $2 system_r;

	logging_list_logs($1)
	admin_pattern($1, snmpd_log_t)

	files_list_var_lib($1)
	admin_pattern($1, snmpd_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, snmpd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snmp_admin'($*)) dnl
')

## <summary>Snort network intrusion detection system.</summary>

########################################
## <summary>
##	Execute a domain transition to run snort.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`snort_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snort_domtrans'($*)) dnl
	gen_require(`
		type snort_t, snort_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, snort_exec_t, snort_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snort_domtrans'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a snort environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`snort_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `snort_admin'($*)) dnl
	gen_require(`
		type snort_t, snort_var_run_t, snort_log_t;
		type snort_etc_t, snort_initrc_exec_t;
	')

	allow $1 snort_t:process signal_perms;
	ps_process_pattern($1, snort_t)

dnl ptrace is only granted when the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 snort_t:process ptrace;
	')

	init_labeled_script_domtrans($1, snort_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 snort_initrc_exec_t system_r;
	allow $2 system_r;

	admin_pattern($1, snort_etc_t)
	files_list_etc($1)

	admin_pattern($1, snort_log_t)
	logging_list_logs($1)

	admin_pattern($1, snort_var_run_t)
	files_list_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `snort_admin'($*)) dnl
')

## <summary>Generate debugging information for system.</summary>

########################################
## <summary>
##	Execute a domain transition to run sosreport.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`sosreport_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sosreport_domtrans'($*)) dnl
	gen_require(`
		type sosreport_t, sosreport_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, sosreport_exec_t, sosreport_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sosreport_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute sosreport in the sosreport
##	domain, and allow the specified
##	role the sosreport domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`sosreport_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sosreport_run'($*)) dnl
	gen_require(`
		attribute_role sosreport_roles;
	')

dnl Argument order is (domain, role).
	sosreport_domtrans($1)
	roleattribute $2 sosreport_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sosreport_run'($*)) dnl
')

########################################
## <summary>
##	Role access for sosreport.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
define(`sosreport_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sosreport_role'($*)) dnl
	gen_require(`
		type sosreport_t;
	')

dnl This interface receives (role, domain) while sosreport_run takes (domain, role), hence the swap.
	sosreport_run($2, $1)

dnl NOTE(review): ptrace on sosreport_t is unconditional here; the admin
dnl interfaces in this file gate ptrace on the deny_ptrace tunable.
	allow $2 sosreport_t:process { ptrace signal_perms };
	ps_process_pattern($2, sosreport_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sosreport_role'($*)) dnl
')

########################################
## <summary>
##	Read sosreport temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sosreport_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sosreport_read_tmp_files'($*)) dnl
	gen_require(`
		type sosreport_tmp_t;
	')

	files_search_tmp($1)
	read_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sosreport_read_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Append sosreport temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sosreport_append_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sosreport_append_tmp_files'($*)) dnl
	gen_require(`
		type sosreport_tmp_t;
	')

	files_search_tmp($1)
	append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sosreport_append_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Delete sosreport temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sosreport_delete_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sosreport_delete_tmp_files'($*)) dnl
	gen_require(`
		type sosreport_tmp_t;
	')

dnl Deleting an entry from the tmp directory itself is needed in addition to unlinking the file.
	files_delete_tmp_dir_entry($1)
	delete_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sosreport_delete_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Send a null signal to sosreport.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sosreport_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sosreport_signull'($*)) dnl
	gen_require(`
		type sosreport_t;
	')

	allow $1 sosreport_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sosreport_signull'($*)) dnl
')

## <summary>sound server for network audio server programs, nasd, yiff, etc</summary>

########################################
## <summary>
##	Connect to the sound server over a TCP socket (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`soundserver_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `soundserver_tcp_connect'($*)) dnl
dnl Deprecated: only a build-time warning is emitted; no rules are generated.
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `soundserver_tcp_connect'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a soundd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`soundserver_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `soundserver_admin'($*)) dnl
	gen_require(`
		type soundd_t, soundd_etc_t, soundd_initrc_exec_t;
		type soundd_tmp_t, soundd_var_run_t, soundd_tmpfs_t;
		type soundd_state_t;
	')

	allow $1 soundd_t:process signal_perms;
	ps_process_pattern($1, soundd_t)

dnl ptrace is only granted when the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 soundd_t:process ptrace;
	')

	init_labeled_script_domtrans($1, soundd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 soundd_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, soundd_etc_t)

	files_list_tmp($1)
	admin_pattern($1, soundd_tmp_t)

	fs_list_tmpfs($1)
	admin_pattern($1, soundd_tmpfs_t)

	files_list_var($1)
	admin_pattern($1, soundd_state_t)

	files_list_pids($1)
	admin_pattern($1, soundd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `soundserver_admin'($*)) dnl
')

## <summary>Filter used for removing unsolicited email.</summary>
########################################
## <summary>
##	Role access for spamassassin.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
## <rolecap/>
#
define(`spamassassin_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_role'($*)) dnl
	gen_require(`
		type spamc_t, spamc_exec_t, spamc_tmp_t;
		type spamassassin_t, spamassassin_exec_t;
		type spamassassin_home_t, spamassassin_tmp_t;
	')

dnl Both the standalone (spamassassin_t) and client (spamc_t) domains are added to the role.
	role $1 types { spamc_t spamassassin_t };

	domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
	allow $2 spamassassin_t:process signal_perms;
	ps_process_pattern($2, spamassassin_t)

	domtrans_pattern($2, spamc_exec_t, spamc_t)
	allow $2 spamc_t:process signal_perms;
	ps_process_pattern($2, spamc_t)

dnl The user domain gets full manage plus relabel on its spamassassin home content.
	manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
	manage_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
	manage_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
	relabel_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
	relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
	relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_role'($*)) dnl
')

########################################
## <summary>
##	Execute the standalone spamassassin
##	program in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`spamassassin_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_exec'($*)) dnl
	gen_require(`
		type spamassassin_exec_t;
	')

dnl No domain transition: the program runs in the caller domain.
	can_exec($1, spamassassin_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_exec'($*)) dnl
')

########################################
## <summary>
##	Signal the spamassassin daemon.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`spamassassin_signal_spamd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_signal_spamd'($*)) dnl
	gen_require(`
		type spamd_t;
	')

	allow $1 spamd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_signal_spamd'($*)) dnl
')

########################################
## <summary>
##	Execute the spamassassin daemon
##	program in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`spamassassin_exec_spamd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_exec_spamd'($*)) dnl
	gen_require(`
		type spamd_exec_t;
	')

dnl No domain transition: the program runs in the caller domain.
	can_exec($1, spamd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_exec_spamd'($*)) dnl
')

########################################
## <summary>
##	Execute spamassassin client in the spamassassin client domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`spamassassin_domtrans_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_domtrans_client'($*)) dnl
	gen_require(`
		type spamc_t, spamc_exec_t;
	')

	domtrans_pattern($1, spamc_exec_t, spamc_t)
dnl ioctl on the client executable is granted in addition to the transition.
	allow $1 spamc_exec_t:file ioctl;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_domtrans_client'($*)) dnl
')

########################################
## <summary>
##	Send kill signal to spamassassin client.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`spamassassin_kill_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_kill_client'($*)) dnl
	gen_require(`
		type spamc_t;
	')

	allow $1 spamc_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_kill_client'($*)) dnl
')

########################################
## <summary>
##	Manage spamc home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`spamassassin_manage_home_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_manage_home_client'($*)) dnl
	gen_require(`
		type spamc_home_t;
	')

	userdom_search_user_home_dirs($1)
	manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
	manage_files_pattern($1, spamc_home_t, spamc_home_t)
	manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_manage_home_client'($*)) dnl
')

########################################
## <summary>
##	Read spamc home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`spamassassin_read_home_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_read_home_client'($*)) dnl
	gen_require(`
		type spamc_home_t;
	')

	userdom_search_user_home_dirs($1)
	list_dirs_pattern($1, spamc_home_t, spamc_home_t)
	read_files_pattern($1, spamc_home_t, spamc_home_t)
	read_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_read_home_client'($*)) dnl
')

########################################
## <summary>
##	Execute the spamassassin client
##	program in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`spamassassin_exec_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_exec_client'($*)) dnl
	gen_require(`
		type spamc_exec_t;
	')

dnl No domain transition: the program runs in the caller domain.
	can_exec($1, spamc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_exec_client'($*)) dnl
')

########################################
## <summary>
##	Execute spamassassin standalone client in the user spamassassin domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`spamassassin_domtrans_local_client',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_domtrans_local_client'($*)) dnl
	gen_require(`
		type spamassassin_t, spamassassin_exec_t;
	')

	domtrans_pattern($1, spamassassin_exec_t, spamassassin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_domtrans_local_client'($*)) dnl
')

########################################
## <summary>
##	Read spamd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`spamassassin_read_lib_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_read_lib_files'($*)) dnl
	gen_require(`
		type spamd_var_lib_t;
	')

	files_search_var_lib($1)
	list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
	read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
	read_lnk_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	spamd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`spamassassin_manage_lib_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_manage_lib_files'($*)) dnl
	gen_require(`
		type spamd_var_lib_t;
	')

	files_search_var_lib($1)
	# files only: directories and symlinks under spamd_var_lib_t are not managed here
	manage_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Read temporary spamd file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`spamassassin_read_spamd_tmp_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_read_spamd_tmp_files'($*)) dnl
	gen_require(`
		type spamd_tmp_t;
	')

	files_search_tmp($1)
	allow $1 spamd_tmp_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_read_spamd_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get attributes of temporary
##	spamd sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_dontaudit_getattr_spamd_tmp_sockets'($*)) dnl
	gen_require(`
		type spamd_tmp_t;
	')

	# silences the denial only; no access is granted
	dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_dontaudit_getattr_spamd_tmp_sockets'($*)) dnl
')

########################################
## <summary>
##	Connect to spamd over its unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to connect.
##	</summary>
## </param>
#
define(`spamd_stream_connect',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamd_stream_connect'($*)) dnl
	gen_require(`
		type spamd_t, spamd_var_run_t;
	')

	# the socket file lives in the pid directory, hence the pids search
	files_search_pids($1)
	stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamd_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Read spamd pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`spamassassin_read_pid_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_read_pid_files'($*)) dnl
	gen_require(`
		type spamd_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_read_pid_files'($*)) dnl
')

######################################
## <summary>
##	Transition to spamassassin named content
##	created in user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`spamassassin_filetrans_home_content',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_filetrans_home_content'($*)) dnl
	gen_require(`
		type spamc_home_t;
	')

	# named transitions: only these exact directory names get spamc_home_t
	userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor")
	userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamassassin")
	userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamd")
	userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".razor")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_filetrans_home_content'($*)) dnl
')

######################################
## <summary>
##	Transition to spamassassin named content
##	created in the admin home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`spamassassin_filetrans_admin_home_content',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_filetrans_admin_home_content'($*)) dnl
	gen_require(`
		type spamc_home_t;
	')

	# same directory names as spamassassin_filetrans_home_content, for the admin home
	userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor")
	userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".spamassassin")
	userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".spamd")
	userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".razor")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_filetrans_admin_home_content'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a spamassassin environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the spamassassin domain.
##	</summary>
## </param>
#
define(`spamassassin_spamd_admin',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `spamassassin_spamd_admin'($*)) dnl
	gen_require(`
		type spamd_t, spamd_tmp_t, spamd_log_t;
		type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
		type spamd_initrc_exec_t;
	')

	allow $1 spamd_t:process signal_perms;
	ps_process_pattern($1, spamd_t)

	# ptrace of spamd is withheld while the deny_ptrace boolean is on
	tunable_policy(`deny_ptrace',`',`
		allow $1 spamd_t:process ptrace;
	')

	# init script control: the admin role may enter system_r via the initrc script
	init_labeled_script_domtrans($1, spamd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 spamd_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_tmp($1)
	admin_pattern($1, spamd_tmp_t)

	logging_list_logs($1)
	admin_pattern($1, spamd_log_t)

	files_list_spool($1)
	admin_pattern($1, spamd_spool_t)

	files_list_var_lib($1)
	admin_pattern($1, spamd_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, spamd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `spamassassin_spamd_admin'($*)) dnl
')

## <summary>speech-dispatcher - server process managing speech requests in Speech Dispatcher</summary>
########################################
## <summary>
##	Execute speech-dispatcher in the speech_dispatcher domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`speech_dispatcher_domtrans',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `speech_dispatcher_domtrans'($*)) dnl
	gen_require(`
		type speech_dispatcher_t, speech_dispatcher_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, speech_dispatcher_exec_t, speech_dispatcher_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `speech_dispatcher_domtrans'($*)) dnl
')

########################################
## <summary>
##	Read speech-dispatcher's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`speech_dispatcher_read_log',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `speech_dispatcher_read_log'($*)) dnl
	gen_require(`
		type speech_dispatcher_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, speech_dispatcher_log_t, speech_dispatcher_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `speech_dispatcher_read_log'($*)) dnl
')

########################################
## <summary>
##	Append to speech-dispatcher log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`speech_dispatcher_append_log',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `speech_dispatcher_append_log'($*)) dnl
	gen_require(`
		type speech_dispatcher_log_t;
	')

	logging_search_logs($1)
	# append only: existing log content cannot be rewritten or truncated
	append_files_pattern($1, speech_dispatcher_log_t, speech_dispatcher_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `speech_dispatcher_append_log'($*)) dnl
')

########################################
## <summary>
##	Manage speech-dispatcher log files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`speech_dispatcher_manage_log',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `speech_dispatcher_manage_log'($*)) dnl
	gen_require(`
		type speech_dispatcher_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, speech_dispatcher_log_t, speech_dispatcher_log_t)
	manage_files_pattern($1, speech_dispatcher_log_t, speech_dispatcher_log_t)
	manage_lnk_files_pattern($1, speech_dispatcher_log_t, speech_dispatcher_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `speech_dispatcher_manage_log'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage the speech-dispatcher
##	unit file and read speech-dispatcher process state.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`speech_dispatcher_systemctl',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `speech_dispatcher_systemctl'($*)) dnl
	gen_require(`
		type speech_dispatcher_t;
		type speech_dispatcher_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 speech_dispatcher_unit_file_t:file read_file_perms;
	# manage_service_perms covers start, stop, reload and similar service actions on this unit
	allow $1 speech_dispatcher_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, speech_dispatcher_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `speech_dispatcher_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a speech-dispatcher environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`speech_dispatcher_admin',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `speech_dispatcher_admin'($*)) dnl
	gen_require(`
		type speech_dispatcher_t;
		type speech_dispatcher_log_t;
		type speech_dispatcher_unit_file_t;
	')

	allow $1 speech_dispatcher_t:process { signal_perms };
	ps_process_pattern($1, speech_dispatcher_t)

	# ptrace of the daemon is withheld while the deny_ptrace boolean is on
	tunable_policy(`deny_ptrace',`',`
		allow $1 speech_dispatcher_t:process ptrace;
	')

	logging_search_logs($1)
	admin_pattern($1, speech_dispatcher_log_t)

	speech_dispatcher_systemctl($1)
	admin_pattern($1, speech_dispatcher_unit_file_t)
	# all_service_perms is broader than the manage_service_perms granted by speech_dispatcher_systemctl
	allow $1 speech_dispatcher_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `speech_dispatcher_admin'($*)) dnl
')

## <summary>Squid caching http proxy server.</summary>

########################################
## <summary>
##	Execute squid in the squid domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`squid_domtrans',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_domtrans'($*)) dnl
	gen_require(`
		type squid_t, squid_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, squid_exec_t, squid_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute squid in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`squid_exec',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_exec'($*)) dnl
	gen_require(`
		type squid_exec_t;
	')

	corecmd_search_bin($1)
	# no transition: squid runs with the privileges of the caller domain
	can_exec($1, squid_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_exec'($*)) dnl
')

########################################
## <summary>
##	Send generic signals to squid.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`squid_signal',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_signal'($*)) dnl
	gen_require(`
		type squid_t;
	')

	allow $1 squid_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_signal'($*)) dnl
')

########################################
## <summary>
##	Read and write squid unix
##	domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`squid_rw_stream_sockets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_rw_stream_sockets'($*)) dnl
	gen_require(`
		type squid_t;
	')

	# covers sockets already held by the caller, e.g. inherited ones; connectto is not granted
	allow $1 squid_t:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_rw_stream_sockets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to search
##	squid cache directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`squid_dontaudit_search_cache',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_dontaudit_search_cache'($*)) dnl
	gen_require(`
		type squid_cache_t;
	')

	dontaudit $1 squid_cache_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_dontaudit_search_cache'($*)) dnl
')

########################################
## <summary>
##	Read squid configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`squid_read_config',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_read_config'($*)) dnl
	gen_require(`
		type squid_conf_t;
	')

	files_search_etc($1)
	read_files_pattern($1, squid_conf_t, squid_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_read_config'($*)) dnl
')

########################################
## <summary>
##	Read squid log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`squid_read_log',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_read_log'($*)) dnl
	gen_require(`
		type squid_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, squid_log_t, squid_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_read_log'($*)) dnl
')

########################################
## <summary>
##	Append squid log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`squid_append_log',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_append_log'($*)) dnl
	gen_require(`
		type squid_log_t;
	')

	logging_search_logs($1)
	append_files_pattern($1, squid_log_t, squid_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_append_log'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	squid log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`squid_manage_logs',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_manage_logs'($*)) dnl
	gen_require(`
		type squid_log_t;
	')

	logging_search_logs($1)
	manage_files_pattern($1, squid_log_t, squid_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_manage_logs'($*)) dnl
')

########################################
## <summary>
##	Use squid services by connecting over TCP. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`squid_use',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_use'($*)) dnl
	# deprecated stub: emits a build-time warning and grants no access
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_use'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a squid environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`squid_admin',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `squid_admin'($*)) dnl
	gen_require(`
		type squid_t, squid_cache_t, squid_conf_t;
		type squid_log_t, squid_var_run_t, squid_tmpfs_t;
		type squid_initrc_exec_t, squid_tmp_t;
	')

	allow $1 squid_t:process signal_perms;
	ps_process_pattern($1, squid_t)

	# ptrace of squid is withheld while the deny_ptrace boolean is on
	tunable_policy(`deny_ptrace',`',`
		allow $1 squid_t:process ptrace;
	')

	# init script control: the admin role may enter system_r via the initrc script
	init_labeled_script_domtrans($1, squid_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 squid_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_var($1)
	admin_pattern($1, squid_cache_t)

	files_list_etc($1)
	admin_pattern($1, squid_conf_t)

	logging_list_logs($1)
	admin_pattern($1, squid_log_t)

	files_list_pids($1)
	admin_pattern($1, squid_var_run_t)

	fs_list_tmpfs($1)
	admin_pattern($1, squid_tmpfs_t)

	files_list_tmp($1)
	admin_pattern($1, squid_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `squid_admin'($*)) dnl
')

## <summary>policy for sslh</summary>

########################################
## <summary>
##	Execute sslh in the sslh domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`sslh_domtrans',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sslh_domtrans'($*)) dnl
	gen_require(`
		type sslh_t, sslh_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, sslh_exec_t, sslh_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sslh_domtrans'($*)) dnl
')

#######################################
## <summary>
##	Execute systemctl to manage the sslh
##	unit file and read sslh process state.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sslh_systemctl',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sslh_systemctl'($*)) dnl
	gen_require(`
		type sslh_t;
		type sslh_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 sslh_unit_file_t:file read_file_perms;
	allow $1 sslh_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, sslh_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sslh_systemctl'($*)) dnl
')

########################################
## <summary>
##	Permit the reading of sslh config files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to access.
##	</summary>
## </param>
#
define(`sslh_read_config',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sslh_read_config'($*)) dnl
	gen_require(`
		type sslh_config_t;
	')

	files_search_etc($1)
	allow $1 sslh_config_t:dir list_dir_perms;
	allow $1 sslh_config_t:file read_file_perms;
	allow $1 sslh_config_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sslh_read_config'($*)) dnl
')

########################################
## <summary>
##	Permit the creation and writing of sslh config files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to configure.
##	</summary>
## </param>
#
define(`sslh_write_config',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sslh_write_config'($*)) dnl
	gen_require(`
		type sslh_config_t;
	')

	files_search_etc($1)
	# create and rw, but no unlink or rename: this is not a full manage pattern
	allow $1 sslh_config_t:dir rw_dir_perms;
	allow $1 sslh_config_t:file { rw_file_perms create };
	allow $1 sslh_config_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sslh_write_config'($*)) dnl
')

#######################################
## <summary>
##	All of the rules required to
##	administrate an sslh environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`sslh_admin',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sslh_admin'($*)) dnl
	gen_require(`
		type sslh_t, sslh_config_t;
		type sslh_var_run_t;
		type sslh_initrc_exec_t;
	')

	# unlike the squid and spamd admin interfaces, no ptrace is granted here at all
	allow $1 sslh_t:process signal_perms;
	ps_process_pattern($1, sslh_t)

	init_labeled_script_domtrans($1, sslh_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 sslh_initrc_exec_t system_r;
	allow $2 system_r;

	admin_pattern($1, sslh_config_t)

	files_list_pids($1)
	admin_pattern($1, sslh_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sslh_admin'($*)) dnl
')

## <summary>System Security Services Daemon</summary>

#######################################
## <summary>
##	Allow a domain to getattr on sssd binary.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sssd_getattr_exec',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_getattr_exec'($*)) dnl
	gen_require(`
		type sssd_t, sssd_exec_t;
	')

	# only sssd_exec_t is used below; sssd_t in the require block is unused
	allow $1 sssd_exec_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_getattr_exec'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run sssd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`sssd_domtrans',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_domtrans'($*)) dnl
	gen_require(`
		type sssd_t, sssd_exec_t;
	')

	domtrans_pattern($1, sssd_exec_t, sssd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute the sssd init script, transitioning
##	into the init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`sssd_initrc_domtrans',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_initrc_domtrans'($*)) dnl
	gen_require(`
		type sssd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, sssd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage the sssd
##	unit file and read sssd process state.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sssd_systemctl',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_systemctl'($*)) dnl
	gen_require(`
		type sssd_t;
		type sssd_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 sssd_unit_file_t:file read_file_perms;
	allow $1 sssd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, sssd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_systemctl'($*)) dnl
')

#######################################
## <summary>
##	Read sssd configuration.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sssd_read_config',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_read_config'($*)) dnl
	gen_require(`
		type sssd_conf_t;
	')

	files_search_etc($1)
	list_dirs_pattern($1, sssd_conf_t, sssd_conf_t)
	read_files_pattern($1, sssd_conf_t, sssd_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_read_config'($*)) dnl
')

######################################
## <summary>
##	Write sssd configuration.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sssd_write_config',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_write_config'($*)) dnl
	gen_require(`
		type sssd_conf_t;
	')

	files_search_etc($1)
	# write to existing files only; creation is sssd_create_config
	write_files_pattern($1, sssd_conf_t, sssd_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_write_config'($*)) dnl
')

#####################################
## <summary>
##	Create sssd configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sssd_create_config',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_create_config'($*)) dnl
	gen_require(`
		type sssd_conf_t;
	')

	files_search_etc($1)
	create_files_pattern($1, sssd_conf_t, sssd_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_create_config'($*)) dnl
')

####################################
## <summary>
##	Manage sssd configuration.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sssd_manage_config',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_manage_config'($*)) dnl
	gen_require(`
		type sssd_conf_t;
	')

	files_search_etc($1)
	manage_files_pattern($1, sssd_conf_t, sssd_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_manage_config'($*)) dnl
')

########################################
## <summary>
##	Read sssd public files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sssd_read_public_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_read_public_files'($*)) dnl
	gen_require(`
		type sssd_public_t;
	')

	sssd_search_lib($1)
	list_dirs_pattern($1, sssd_public_t, sssd_public_t)
	read_files_pattern($1, sssd_public_t, sssd_public_t)
	# map is needed on top of read so the files can be mmapped, not just read()
	allow $1 sssd_public_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_read_public_files'($*)) dnl
')

########################################
## <summary>
##	Delete sssd public files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sssd_delete_public_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_delete_public_files'($*)) dnl
	gen_require(`
		type sssd_public_t;
	')

	sssd_search_lib($1)
	allow $1 sssd_public_t:file unlink;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_delete_public_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read sssd public files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`sssd_dontaudit_read_public_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_dontaudit_read_public_files'($*)) dnl
	gen_require(`
		type sssd_public_t;
	')

	dontaudit $1 sssd_public_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_dontaudit_read_public_files'($*)) dnl
')

#######################################
## <summary>
##	Manage sssd public files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sssd_manage_public_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_manage_public_files'($*)) dnl
	gen_require(`
		type sssd_public_t;
	')

	sssd_search_lib($1)
	manage_files_pattern($1, sssd_public_t, sssd_public_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_manage_public_files'($*)) dnl
')

########################################
## <summary>
##	Read sssd PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sssd_read_pid_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_read_pid_files'($*)) dnl
	gen_require(`
		type sssd_var_run_t;
	')

	files_search_pids($1)
	allow $1 sssd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Manage sssd var_run files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sssd_manage_pids',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_manage_pids'($*)) dnl
	gen_require(`
		type sssd_var_run_t;
	')

	files_search_pids($1)
	manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
	manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_manage_pids'($*)) dnl
')

########################################
## <summary>
##	Search sssd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sssd_search_lib',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_search_lib'($*)) dnl
	gen_require(`
		type sssd_var_lib_t;
	')

	# used as the path helper by the sssd_*_public_files interfaces
	allow $1 sssd_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_search_lib'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to search sssd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`sssd_dontaudit_search_lib',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_dontaudit_search_lib'($*)) dnl
	gen_require(`
		type sssd_var_lib_t;
	')

	dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_dontaudit_search_lib'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read sssd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`sssd_dontaudit_read_lib',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_dontaudit_read_lib'($*)) dnl
	gen_require(`
		type sssd_var_lib_t;
	')

	dontaudit $1 sssd_var_lib_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_dontaudit_read_lib'($*)) dnl
')

########################################
## <summary>
##	Read sssd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sssd_read_lib_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_read_lib_files'($*)) dnl
	gen_require(`
		type sssd_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
	read_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	sssd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sssd_manage_lib_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_manage_lib_files'($*)) dnl
	gen_require(`
		type sssd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
	manage_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
	# map is granted here but not in sssd_read_lib_files
	allow $1 sssd_var_lib_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	sssd over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sssd_dbus_chat',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_dbus_chat'($*)) dnl
	gen_require(`
		type sssd_t;
		class dbus send_msg;
	')

	# bidirectional: the caller may message sssd and sssd may message the caller
	allow $1 sssd_t:dbus send_msg;
	allow sssd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Connect to sssd over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sssd_stream_connect',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_stream_connect'($*)) dnl
	gen_require(`
		type sssd_t, sssd_var_lib_t;
	')

	# NOTE(review): the socket type below is sssd_var_lib_t, yet the search
	# helper is for the pid directory; a var_lib search may be what is needed
	files_search_pids($1)
	stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to connect to sssd over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`sssd_dontaudit_stream_connect',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_dontaudit_stream_connect'($*)) dnl
	gen_require(`
		type sssd_t, sssd_var_lib_t;
	')

	dontaudit $1 sssd_t:unix_stream_socket connectto;
	dontaudit $1 sssd_var_lib_t:sock_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_dontaudit_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Connect to sssd over a unix stream socket in /var/run.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sssd_run_stream_connect',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_run_stream_connect'($*)) dnl
	gen_require(`
		type sssd_t, sssd_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, sssd_var_run_t, sssd_var_run_t, sssd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_run_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to connect to sssd over a unix stream socket in /var/run.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
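#
define(`sssd_dontaudit_run_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_dontaudit_run_stream_connect'($*)) dnl
	gen_require(`
		type sssd_t, sssd_var_run_t;
	')

	# The sock_file rule below names sssd_var_run_t, so that is the type
	# this interface has to require; the previous require listed
	# sssd_var_lib_t, which the body never references.
	dontaudit $1 sssd_t:unix_stream_socket connectto;
	dontaudit $1 sssd_var_run_t:sock_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_dontaudit_run_stream_connect'($*)) dnl
')

########################################
## Manage keys for all user domains.
## Param 1: Domain allowed access.
#
define(`sssd_manage_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_manage_keys'($*)) dnl
	gen_require(`
		type sssd_t;
	')

	# Bidirectional key-class access: the caller may manage keys owned by
	# sssd and sssd may manage keys owned by the caller.
	allow $1 sssd_t:key manage_key_perms;
	allow sssd_t $1:key manage_key_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_manage_keys'($*)) dnl
')

########################################
## Allow attempts to read and write to sssd pipes
## Param 1: Domain allowed access.
#
define(`sssd_rw_inherited_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_rw_inherited_pipes'($*)) dnl
	gen_require(`
		type sssd_t;
	')

	allow $1 sssd_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_rw_inherited_pipes'($*)) dnl
')

########################################
## Allow caller to signal sssd.
## Param 1: Domain allowed access.
#
define(`sssd_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_signal'($*)) dnl
	gen_require(`
		type sssd_t;
	')

	allow $1 sssd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_signal'($*)) dnl
')

########################################
## Allow caller to signull sssd.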
## Param 1: Domain allowed access.
#
define(`sssd_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_signull'($*)) dnl
	gen_require(`
		type sssd_t;
	')

	# signull only checks for process existence; no signal is delivered.
	allow $1 sssd_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_signull'($*)) dnl
')

########################################
## Transition to sssd named content
## Param 1: Domain allowed access.
#
define(`sssd_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_filetrans_named_content'($*)) dnl
	gen_require(`
		type sssd_var_run_t;
		type sssd_var_log_t;
		type sssd_var_lib_t;
		type sssd_public_t;
		type sssd_conf_t;
	')

	# Name-based transitions: objects created with these exact names get
	# the sssd label instead of inheriting the parent directory label.
	files_pid_filetrans($1, sssd_var_run_t, sock_file, "secrets.socket")
	files_pid_filetrans($1, sssd_var_run_t, sock_file, ".heim_org.h5l.kcm-socket")
	logging_log_filetrans($1, sssd_var_log_t, dir, "sssd")
	files_var_lib_filetrans($1, sssd_var_lib_t, dir, "sss")
	filetrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "mc")
	filetrans_pattern($1, sssd_var_lib_t, sssd_public_t, dir, "pubconf")
	files_etc_filetrans($1, sssd_conf_t, dir, "sssd")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_filetrans_named_content'($*)) dnl
')

########################################
## All of the rules required to administrate an sssd environment
## Param 1: Domain allowed access.
## Param 2: The role to be allowed to manage the sssd domain.
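#
define(`sssd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sssd_admin'($*)) dnl
	gen_require(`
		type sssd_t, sssd_public_t, sssd_initrc_exec_t;
		type sssd_unit_file_t;
	')

	allow $1 sssd_t:process signal_perms;
	ps_process_pattern($1, sssd_t)

	# ptrace of the daemon is only granted while deny_ptrace is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 sssd_t:process ptrace;
	')

	# Allow the admin domain to restart the sssd service through its init
	# script, and let the admin role reach system_r for that transition.
	sssd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 sssd_initrc_exec_t system_r;
	allow $2 system_r;

	sssd_manage_pids($1)
	sssd_manage_lib_files($1)
	admin_pattern($1, sssd_public_t)

	sssd_systemctl($1)
	admin_pattern($1, sssd_unit_file_t)
	allow $1 sssd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sssd_admin'($*)) dnl
')

## Instrumentation System Server

########################################
## Execute stapserver in the stapserver domain.
## Param 1: Domain allowed to transition.
#
define(`stapserver_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stapserver_domtrans'($*)) dnl
	gen_require(`
		type stapserver_t, stapserver_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, stapserver_exec_t, stapserver_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stapserver_domtrans'($*)) dnl
')

########################################
## Read stapserver's log files.
## Param 1: Domain allowed access.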
#
define(`stapserver_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stapserver_read_log'($*)) dnl
	gen_require(`
		type stapserver_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, stapserver_log_t, stapserver_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stapserver_read_log'($*)) dnl
')

########################################
## Append to stapserver log files.
## Param 1: Domain allowed access.
#
define(`stapserver_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stapserver_append_log'($*)) dnl
	gen_require(`
		type stapserver_log_t;
	')

	# Append only: existing log content cannot be rewritten or truncated.
	logging_search_logs($1)
	append_files_pattern($1, stapserver_log_t, stapserver_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stapserver_append_log'($*)) dnl
')

########################################
## Manage stapserver log files
## Param 1: Domain allowed access.
#
define(`stapserver_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stapserver_manage_log'($*)) dnl
	gen_require(`
		type stapserver_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, stapserver_log_t, stapserver_log_t)
	manage_files_pattern($1, stapserver_log_t, stapserver_log_t)
	manage_lnk_files_pattern($1, stapserver_log_t, stapserver_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stapserver_manage_log'($*)) dnl
')

########################################
## Read stapserver PID files.
## Param 1: Domain allowed access.
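#
define(`stapserver_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stapserver_read_pid_files'($*)) dnl
	gen_require(`
		type stapserver_var_run_t;
	')

	files_search_pids($1)
	allow $1 stapserver_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stapserver_read_pid_files'($*)) dnl
')

########################################
## Manage stapserver lib files
## Param 1: Domain allowed access.
#
define(`stapserver_manage_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stapserver_manage_lib'($*)) dnl
	gen_require(`
		type stapserver_var_lib_t;
	')

	# No parent-directory search is granted here; callers obtain that
	# separately.
	manage_dirs_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t)
	manage_files_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stapserver_manage_lib'($*)) dnl
')

########################################
## All of the rules required to administrate an stapserver environment
## Param 1: Domain allowed access.
#
define(`stapserver_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stapserver_admin'($*)) dnl
	gen_require(`
		type stapserver_t;
		type stapserver_log_t;
		type stapserver_var_run_t;
	')

	allow $1 stapserver_t:process signal_perms;
	ps_process_pattern($1, stapserver_t)

	# ptrace of the daemon is gated on deny_ptrace, matching the other
	# admin interfaces in this file (sssd_admin, stratisd_admin) instead of
	# being granted unconditionally.
	tunable_policy(`deny_ptrace',`',`
		allow $1 stapserver_t:process ptrace;
	')

	logging_search_logs($1)
	admin_pattern($1, stapserver_log_t)

	files_search_pids($1)
	admin_pattern($1, stapserver_var_run_t)

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stapserver_admin'($*)) dnl
')

## Daemon to create and monitor storage pools

########################################
## Send and receive messages from stratisd over dbus.
## Param 1: Domain allowed access.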
#
define(`stratisd_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stratisd_dbus_chat'($*)) dnl
	gen_require(`
		type stratisd_t;
		class dbus send_msg;
	')

	# Messaging is granted in both directions.
	allow $1 stratisd_t:dbus send_msg;
	allow stratisd_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stratisd_dbus_chat'($*)) dnl
')

########################################
## Execute stratisd_exec_t in the stratisd domain.
## Param 1: Domain allowed to transition.
#
define(`stratisd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stratisd_domtrans'($*)) dnl
	gen_require(`
		type stratisd_t, stratisd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, stratisd_exec_t, stratisd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stratisd_domtrans'($*)) dnl
')

########################################
## Execute stratisd in the caller domain.
## Param 1: Domain allowed access.
#
define(`stratisd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stratisd_exec'($*)) dnl
	gen_require(`
		type stratisd_exec_t;
	')

	# No domain transition: the binary runs with the caller label.
	corecmd_search_bin($1)
	can_exec($1, stratisd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stratisd_exec'($*)) dnl
')

########################################
## Read stratisd PID files.
## Param 1: Domain allowed access.
#
define(`stratisd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stratisd_read_pid_files'($*)) dnl
	gen_require(`
		type stratisd_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, stratisd_var_run_t, stratisd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stratisd_read_pid_files'($*)) dnl
')

########################################
## All of the rules required to administrate an stratisd environment
## Param 1: Domain allowed access.
## Param 2: Role allowed access.
#
define(`stratisd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stratisd_admin'($*)) dnl
	gen_require(`
		type stratisd_t;
		type stratisd_var_run_t;
	')

	# NOTE(review): the documented role argument is never referenced in
	# this body.
	allow $1 stratisd_t:process { signal_perms };
	ps_process_pattern($1, stratisd_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 stratisd_t:process ptrace;
	')

	files_search_pids($1)
	admin_pattern($1, stratisd_var_run_t)

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stratisd_admin'($*)) dnl
')

## SSL Tunneling Proxy.

########################################
## Define the specified domain as a stunnel inetd service.
## Param 1: The type associated with the stunnel inetd service process.
## Param 2: The type associated with the process program.
#
define(`stunnel_service_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stunnel_service_domain'($*)) dnl
	gen_require(`
		type stunnel_t;
	')

	# stunnel_t transitions into the service domain when it executes the
	# entry point, and the service inherits the tunnel socket.
	domtrans_pattern(stunnel_t, $2, $1)
	allow $1 stunnel_t:tcp_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stunnel_service_domain'($*)) dnl
')

########################################
## Read stunnel configuration content.
## Param 1: Domain allowed access.
#
define(`stunnel_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `stunnel_read_config'($*)) dnl
	gen_require(`
		type stunnel_etc_t;
	')

	files_search_etc($1)
	allow $1 stunnel_etc_t:dir list_dir_perms;
	allow $1 stunnel_etc_t:file read_file_perms;
	allow $1 stunnel_etc_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `stunnel_read_config'($*)) dnl
')

## policy for svnserve

########################################
## Transition to svnserve.
## Param 1: Domain allowed to transition.
#
define(`svnserve_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `svnserve_domtrans'($*)) dnl
	gen_require(`
		type svnserve_t, svnserve_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, svnserve_exec_t, svnserve_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `svnserve_domtrans'($*)) dnl
')

########################################
## Execute svnserve server in the svnserve domain.
## Param 1: Domain allowed access.
#
define(`svnserve_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `svnserve_initrc_domtrans'($*)) dnl
	gen_require(`
		type svnserve_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `svnserve_initrc_domtrans'($*)) dnl
')

########################################
## Execute svnserve server in the svnserve domain.
## Param 1: Domain allowed to transition.
#
define(`svnserve_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `svnserve_systemctl'($*)) dnl
	gen_require(`
		type svnserve_t;
		type svnserve_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	# Only the svnserve unit is manageable, not arbitrary services.
	allow $1 svnserve_unit_file_t:file read_file_perms;
	allow $1 svnserve_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, svnserve_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `svnserve_systemctl'($*)) dnl
')

########################################
## Read svnserve PID files.
## Param 1: Domain allowed access.
#
define(`svnserve_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `svnserve_read_pid_files'($*)) dnl
	gen_require(`
		type svnserve_var_run_t;
	')

	files_search_pids($1)
	allow $1 svnserve_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `svnserve_read_pid_files'($*)) dnl
')

########################################
## All of the rules required to administrate an svnserve environment
## Param 1: Domain allowed access.
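#
define(`svnserve_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `svnserve_admin'($*)) dnl
	gen_require(`
		type svnserve_t;
		type svnserve_var_run_t;
		type svnserve_unit_file_t;
	')

	allow $1 svnserve_t:process signal_perms;
	ps_process_pattern($1, svnserve_t)

	# ptrace is gated on deny_ptrace, as in sssd_admin and stratisd_admin,
	# rather than granted unconditionally.
	tunable_policy(`deny_ptrace',`',`
		allow $1 svnserve_t:process ptrace;
	')

	files_search_pids($1)
	admin_pattern($1, svnserve_var_run_t)

	svnserve_systemctl($1)
	admin_pattern($1, svnserve_unit_file_t)
	allow $1 svnserve_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `svnserve_admin'($*)) dnl
')

## policy for swift

########################################
## Execute swift in the swift domain.
## Param 1: Domain allowed to transition.
#
define(`swift_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `swift_domtrans'($*)) dnl
	gen_require(`
		type swift_t, swift_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, swift_exec_t, swift_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `swift_domtrans'($*)) dnl
')

########################################
## Read swift PID files.
## Param 1: Domain allowed access.
#
define(`swift_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `swift_read_pid_files'($*)) dnl
	gen_require(`
		type swift_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, swift_var_run_t, swift_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `swift_read_pid_files'($*)) dnl
')

########################################
## Manage swift data files.
## Param 1: Domain allowed access.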
#
define(`swift_manage_data_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `swift_manage_data_files'($*)) dnl
	gen_require(`
		type swift_data_t;
	')

	# NOTE(review): the search granted here is for the pid directory while
	# the managed type is swift_data_t; confirm that is where the data
	# directories actually live.
	files_search_pids($1)
	manage_files_pattern($1, swift_data_t, swift_data_t)
	manage_dirs_pattern($1, swift_data_t, swift_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `swift_manage_data_files'($*)) dnl
')

########################################
## Read and write swift lock files.
## Param 1: Domain allowed access.
#
define(`swift_manage_lock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `swift_manage_lock'($*)) dnl
	gen_require(`
		type swift_lock_t;
	')

	files_search_locks($1)
	manage_files_pattern($1, swift_lock_t, swift_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `swift_manage_lock'($*)) dnl
')

########################################
## Transition content labels to swift named content
## Param 1: Domain allowed access.
#
define(`swift_filetrans_named_lock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `swift_filetrans_named_lock'($*)) dnl
	gen_require(`
		type swift_lock_t;
	')

	# Only a file with this exact name gets the swift lock label.
	files_lock_filetrans($1, swift_lock_t, file, "swift_server.lock")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `swift_filetrans_named_lock'($*)) dnl
')

########################################
## Execute swift server in the swift domain.
## Param 1: Domain allowed to transition.
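#
define(`swift_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `swift_systemctl'($*)) dnl
	gen_require(`
		type swift_t;
		type swift_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	# Only the swift unit is manageable, not arbitrary services.
	allow $1 swift_unit_file_t:file read_file_perms;
	allow $1 swift_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, swift_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `swift_systemctl'($*)) dnl
')

########################################
## All of the rules required to administrate an swift environment
## Param 1: Domain allowed access.
#
define(`swift_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `swift_admin'($*)) dnl
	gen_require(`
		type swift_t;
		type swift_var_run_t;
		type swift_unit_file_t;
	')

	allow $1 swift_t:process signal_perms;
	ps_process_pattern($1, swift_t)

	# ptrace is gated on deny_ptrace, as in sssd_admin and stratisd_admin,
	# rather than granted unconditionally.
	tunable_policy(`deny_ptrace',`',`
		allow $1 swift_t:process ptrace;
	')

	files_search_pids($1)
	admin_pattern($1, swift_var_run_t)

	swift_systemctl($1)
	admin_pattern($1, swift_unit_file_t)
	allow $1 swift_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `swift_admin'($*)) dnl
')

## SUID/SGID program monitoring.

########################################
## Read sxid log files.
## Param 1: Domain allowed access.
#
define(`sxid_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sxid_read_log'($*)) dnl
	gen_require(`
		type sxid_log_t;
	')

	logging_search_logs($1)
	allow $1 sxid_log_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sxid_read_log'($*)) dnl
')

## Reports on various system states.

########################################
## Create, read, write, and delete sysstat log files.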
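## Param 1: Domain allowed access.
#
define(`sysstat_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysstat_manage_log'($*)) dnl
	gen_require(`
		type sysstat_log_t;
	')

	logging_search_logs($1)
	manage_files_pattern($1, sysstat_log_t, sysstat_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysstat_manage_log'($*)) dnl
')

########################################
## All of the rules required to administrate an sysstat environment.
## Param 1: Domain allowed access.
## Param 2: Role allowed access.
#
define(`sysstat_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysstat_admin'($*)) dnl
	gen_require(`
		type sysstat_t, sysstat_initrc_exec_t, sysstat_log_t;
	')

	allow $1 sysstat_t:process signal_perms;
	ps_process_pattern($1, sysstat_t)

	# ptrace is gated on deny_ptrace, as in sssd_admin and tcsd_admin,
	# rather than granted unconditionally.
	tunable_policy(`deny_ptrace',`',`
		allow $1 sysstat_t:process ptrace;
	')

	# Let the admin domain run the init script and the admin role reach
	# system_r for that transition.
	init_labeled_script_domtrans($1, sysstat_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 sysstat_initrc_exec_t system_r;
	allow $2 system_r;

	logging_search_logs($1)
	admin_pattern($1, sysstat_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysstat_admin'($*)) dnl
')

########################################
## Execute sysstat_exec_t in the sysstat domain.
## Param 1: Domain allowed to transition.
#
define(`sysstat_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysstat_domtrans'($*)) dnl
	gen_require(`
		type sysstat_t, sysstat_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, sysstat_exec_t, sysstat_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysstat_domtrans'($*)) dnl
')

## policy for tangd

########################################
## Execute tangd_exec_t in the tangd domain.
## Param 1: Domain allowed to transition.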
#
define(`tangd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tangd_domtrans'($*)) dnl
	gen_require(`
		type tangd_t, tangd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, tangd_exec_t, tangd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tangd_domtrans'($*)) dnl
')

########################################
## Execute tangd in the caller domain.
## Param 1: Domain allowed access.
#
define(`tangd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tangd_exec'($*)) dnl
	gen_require(`
		type tangd_exec_t;
	')

	# No domain transition: the binary runs with the caller label.
	corecmd_search_bin($1)
	can_exec($1, tangd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tangd_exec'($*)) dnl
')

########################################
## Read the contents of the tangd database files.
## Param 1: Domain allowed access.
#
define(`tangd_read_db_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tangd_read_db_files'($*)) dnl
	gen_require(`
		type tangd_db_t;
	')

	# Read-only; no search of a parent directory is granted here.
	read_files_pattern($1, tangd_db_t, tangd_db_t)
	list_dirs_pattern($1, tangd_db_t, tangd_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tangd_read_db_files'($*)) dnl
')

## Targetd is a service to allow the remote configuration of block device volumes and file systems within dedicated pools

########################################
## Execute targetd_exec_t in the targetd domain.
## Param 1: Domain allowed to transition.
#
define(`targetd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `targetd_domtrans'($*)) dnl
	gen_require(`
		type targetd_t, targetd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, targetd_exec_t, targetd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `targetd_domtrans'($*)) dnl
')

########################################
## Execute targetd in the caller domain.
## Param 1: Domain allowed access.
#
define(`targetd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `targetd_exec'($*)) dnl
	gen_require(`
		type targetd_exec_t;
	')

	# No domain transition: the binary runs with the caller label.
	corecmd_search_bin($1)
	can_exec($1, targetd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `targetd_exec'($*)) dnl
')

########################################
## Search targetd conf directories.
## Param 1: Domain allowed access.
#
define(`targetd_search_conf',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `targetd_search_conf'($*)) dnl
	gen_require(`
		type targetd_etc_rw_t;
	')

	# Search only; directory contents cannot be listed or read.
	allow $1 targetd_etc_rw_t:dir search_dir_perms;
	files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `targetd_search_conf'($*)) dnl
')

########################################
## Read targetd conf files.
## Param 1: Domain allowed access.
#
define(`targetd_read_conf_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `targetd_read_conf_files'($*)) dnl
	gen_require(`
		type targetd_etc_rw_t;
	')

	allow $1 targetd_etc_rw_t:dir list_dir_perms;
	read_files_pattern($1, targetd_etc_rw_t, targetd_etc_rw_t)
	files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `targetd_read_conf_files'($*)) dnl
')

########################################
## Manage targetd conf files.
## Param 1: Domain allowed access.
#
define(`targetd_manage_conf_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `targetd_manage_conf_files'($*)) dnl
	gen_require(`
		type targetd_etc_rw_t;
	')

	manage_files_pattern($1, targetd_etc_rw_t, targetd_etc_rw_t)
	files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `targetd_manage_conf_files'($*)) dnl
')

########################################
## Execute targetd server in the targetd domain.
## Param 1: Domain allowed to transition.
#
define(`targetd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `targetd_systemctl'($*)) dnl
	gen_require(`
		type targetd_t;
		type targetd_unit_file_t;
	')

	# NOTE(review): unlike svnserve_systemctl and swift_systemctl this
	# reads the systemd password fifo instead of calling
	# init_reload_services; confirm the difference is intended.
	systemd_exec_systemctl($1)
	systemd_read_fifo_file_passwd_run($1)
	# Only the targetd unit is manageable, not arbitrary services.
	allow $1 targetd_unit_file_t:file read_file_perms;
	allow $1 targetd_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, targetd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `targetd_systemctl'($*)) dnl
')

########################################
## All of the rules required to administrate an targetd environment
## Param 1: Domain allowed access.
## Param 2: Role allowed access.
#
define(`targetd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `targetd_admin'($*)) dnl
	gen_require(`
		type targetd_t;
		type targetd_etc_rw_t;
		type targetd_unit_file_t;
	')

	# NOTE(review): the documented role argument is never referenced in
	# this body.
	allow $1 targetd_t:process { signal_perms };
	ps_process_pattern($1, targetd_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 targetd_t:process ptrace;
	')

	files_search_etc($1)
	admin_pattern($1, targetd_etc_rw_t)

	targetd_systemctl($1)
	admin_pattern($1, targetd_unit_file_t)
	allow $1 targetd_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `targetd_admin'($*)) dnl
')

## TCP daemon.

########################################
## Execute tcpd in the tcpd domain.
## Param 1: Domain allowed to transition.
#
define(`tcpd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tcpd_domtrans'($*)) dnl
	gen_require(`
		type tcpd_t, tcpd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, tcpd_exec_t, tcpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tcpd_domtrans'($*)) dnl
')

########################################
## Create a domain for services that utilize tcp wrappers.
## Param 1: Type to be used as a domain.
## Param 2: Type of the program to be used as an entry point to this domain.
#
define(`tcpd_wrapped_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tcpd_wrapped_domain'($*)) dnl
	gen_require(`
		type tcpd_t;
		role system_r;
	')

	# tcpd_t transitions into the wrapped domain on exec of the entry
	# point; the wrapped service then inherits the accepted tcp socket.
	# system_r is required above but not used by any rule here.
	domtrans_pattern(tcpd_t, $2, $1)
	allow $1 tcpd_t:tcp_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tcpd_wrapped_domain'($*)) dnl
')

########################################
## Read and write tcpd server TCP sockets.
## Param 1: Domain allowed access.
#
define(`tcpd_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tcpd_rw_tcp_sockets'($*)) dnl
	gen_require(`
		type tcpd_t;
	')

	allow $1 tcpd_t:tcp_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tcpd_rw_tcp_sockets'($*)) dnl
')

## TSS Core Services daemon.

########################################
## Execute a domain transition to run tcsd.
## Param 1: Domain allowed to transition.
#
define(`tcsd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tcsd_domtrans'($*)) dnl
	gen_require(`
		type tcsd_t, tcsd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, tcsd_exec_t, tcsd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tcsd_domtrans'($*)) dnl
')

########################################
## Execute tcsd init scripts in the initrc domain.
## Param 1: Domain allowed to transition.
#
define(`tcsd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tcsd_initrc_domtrans'($*)) dnl
	gen_require(`
		type tcsd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, tcsd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tcsd_initrc_domtrans'($*)) dnl
')

########################################
## Search tcsd lib directories.
## Param 1: Domain allowed access.
#
define(`tcsd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tcsd_search_lib'($*)) dnl
	gen_require(`
		type tcsd_var_lib_t;
	')

	# Search only; directory contents cannot be listed or read.
	files_search_var_lib($1)
	allow $1 tcsd_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tcsd_search_lib'($*)) dnl
')

########################################
## Create, read, write, and delete tcsd lib directories.
## Param 1: Domain allowed access.
#
define(`tcsd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tcsd_manage_lib_dirs'($*)) dnl
	gen_require(`
		type tcsd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tcsd_manage_lib_dirs'($*)) dnl
')

########################################
## Read tcsd lib files.
## Param 1: Domain allowed access.
#
define(`tcsd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tcsd_read_lib_files'($*)) dnl
	gen_require(`
		type tcsd_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tcsd_read_lib_files'($*)) dnl
')

########################################
## Create, read, write, and delete tcsd lib files.
## Param 1: Domain allowed access.
## ## # define(`tcsd_manage_lib_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `tcsd_manage_lib_files'($*)) dnl gen_require(` type tcsd_var_lib_t; ') files_search_var_lib($1) manage_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `tcsd_manage_lib_files'($*)) dnl ') ######################################## ## ## All of the rules required to ## administrate an tcsd environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # define(`tcsd_admin',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `tcsd_admin'($*)) dnl gen_require(` type tcsd_t, tcsd_initrc_exec_t, tcsd_var_lib_t; ') allow $1 tcsd_t:process signal_perms; ps_process_pattern($1, tcsd_t) tunable_policy(`deny_ptrace',`',` allow $1 tcsd_t:process ptrace; ') tcsd_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 tcsd_initrc_exec_t system_r; allow $2 system_r; files_search_var_lib($1) admin_pattern($1, tcsd_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `tcsd_admin'($*)) dnl ') ## Telepathy communications framework. ####################################### ## ## Creates basic types for telepathy ## domain ## ## ## ## Prefix for the domain. 
##	</summary>
## </param>
#
define(`telepathy_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_domain_template'($*)) dnl
	gen_require(`
		attribute telepathy_domain;
		attribute telepathy_executable;
	')

	# the new domain and its entrypoint are tagged with the module-wide
	# attributes so the telepathy_* interfaces below cover them
	type telepathy_$1_t, telepathy_domain;
	type telepathy_$1_exec_t, telepathy_executable;
	application_domain(telepathy_$1_t, telepathy_$1_exec_t)
	ubac_constrained(telepathy_$1_t)

	type telepathy_$1_tmp_t;
	userdom_user_tmp_file(telepathy_$1_tmp_t)

	kernel_read_system_state(telepathy_$1_t)

	auth_use_nsswitch(telepathy_$1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_domain_template'($*)) dnl
')

#######################################
## <summary>
##	Role access for telepathy domains
##	that execute via dbus-session.
## </summary>
## <param name="role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
## <param name="user_prefix">
##	<summary>
##	User domain prefix to be used.
##	</summary>
## </param>
#
define(`telepathy_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_role'($*)) dnl
	gen_require(`
		attribute telepathy_domain;
		type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
		type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t;
		type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t;
		type telepathy_sofiasip_exec_t, telepathy_idle_exec_t;
		type telepathy_logger_t, telepathy_logger_exec_t;
		type telepathy_mission_control_exec_t, telepathy_salut_exec_t;
		type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t;
		type telepathy_msn_exec_t;
	')

	role $1 types telepathy_domain;

	# the user domain may signal and inspect every telepathy domain
	allow $2 telepathy_domain:process signal_perms;
	ps_process_pattern($2, telepathy_domain)

	telepathy_gabble_stream_connect($2)
	telepathy_msn_stream_connect($2)
	telepathy_salut_stream_connect($2)

	# each connection manager is started through the user session bus
	dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t)
	dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
	dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t)
	dbus_session_domain($3, telepathy_logger_exec_t, telepathy_logger_t)
	dbus_session_domain($3, telepathy_mission_control_exec_t, telepathy_mission_control_t)
	dbus_session_domain($3, telepathy_salut_exec_t, telepathy_salut_t)
	dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
	dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
	dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)

	telepathy_dbus_chat($2)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_role'($*)) dnl
')

########################################
## <summary>
##	Stream connect to Telepathy Gabble.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`telepathy_gabble_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_gabble_stream_connect'($*)) dnl
	gen_require(`
		type telepathy_gabble_t, telepathy_gabble_tmp_t;
	')

	stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t)
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_gabble_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Allow Telepathy Gabble to stream connect to a domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain that Telepathy Gabble connects to.
##	</summary>
## </param>
## <param name="type">
##	<summary>
##	Type of the socket file (and its directory)
##	that Telepathy Gabble connects to.
##	</summary>
## </param>
#
define(`telepathy_gabble_stream_connect_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_gabble_stream_connect_to'($*)) dnl
	gen_require(`
		type telepathy_gabble_t;
	')

	# note the reversed roles: gabble is the source, the caller is the target
	stream_connect_pattern(telepathy_gabble_t, $2, $2, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_gabble_stream_connect_to'($*)) dnl
')

########################################
## <summary>
##	Send DBus messages to and from
##	Telepathy Gabble.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`telepathy_gabble_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_gabble_dbus_chat'($*)) dnl
	gen_require(`
		type telepathy_gabble_t;
		class dbus send_msg;
	')

	allow $1 telepathy_gabble_t:dbus send_msg;
	allow telepathy_gabble_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_gabble_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Read telepathy mission control state.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`telepathy_mission_control_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_mission_control_read_state'($*)) dnl
	gen_require(`
		type telepathy_mission_control_t;
	')

	kernel_search_proc($1)
	ps_process_pattern($1, telepathy_mission_control_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_mission_control_read_state'($*)) dnl
')

#######################################
## <summary>
##	Stream connect to telepathy MSN managers.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`telepathy_msn_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_msn_stream_connect'($*)) dnl
	gen_require(`
		type telepathy_msn_t, telepathy_msn_tmp_t;
	')

	stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t)
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_msn_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Stream connect to Telepathy Salut.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`telepathy_salut_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_salut_stream_connect'($*)) dnl
	gen_require(`
		type telepathy_salut_t, telepathy_salut_tmp_t;
	')

	stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_salut_stream_connect'($*)) dnl
')

#######################################
## <summary>
##	Send DBus messages to and from
##	all Telepathy domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`telepathy_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_dbus_chat'($*)) dnl
	gen_require(`
		attribute telepathy_domain;
		class dbus send_msg;
	')

	# bidirectional: the caller talks to every telepathy domain and back
	allow $1 telepathy_domain:dbus send_msg;
	allow telepathy_domain $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_dbus_chat'($*)) dnl
')

######################################
## <summary>
##	Execute a telepathy executable
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute a telepathy executable
##	in the specified domain.  This allows
##	the specified domain to execute any file
##	labeled with the telepathy_executable
##	attribute in the specified domain.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
define(`telepathy_command_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_command_domtrans'($*)) dnl
	gen_require(`
		attribute telepathy_executable;
	')

	allow $2 telepathy_executable:file entrypoint;
	domain_transition_pattern($1, telepathy_executable, $2)
	type_transition $1 telepathy_executable:process $2;

	# needs to dbus chat with unconfined_t and unconfined_dbusd_t
	optional_policy(`
		telepathy_dbus_chat($1)
		telepathy_dbus_chat($2)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_command_domtrans'($*)) dnl
')

########################################
## <summary>
##	Create telepathy content in the user home directory
##	with a correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`telepathy_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_filetrans_home_content'($*)) dnl
	gen_require(`
		type telepathy_mission_control_cache_home_t;
		type telepathy_mission_control_home_t;
		type telepathy_logger_cache_home_t;
		type telepathy_gabble_cache_home_t;
		type telepathy_sunshine_home_t;
		type telepathy_logger_data_home_t;
		type telepathy_cache_home_t, telepathy_data_home_t;
		type telepathy_mission_control_data_home_t;
	')

	# named transitions inside the telepathy cache/data directories
	filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
	filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, file, "sqlite-data-journal")
	filetrans_pattern($1, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
	filetrans_pattern($1, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
	# named transitions directly under the user home directory
	userdom_user_home_dir_filetrans($1, telepathy_mission_control_home_t, dir, ".mission-control")
	userdom_user_home_dir_filetrans($1, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")

	# named transitions under the gnome cache/data directories, when gnome is present
	optional_policy(`
		gnome_cache_filetrans($1, telepathy_mission_control_cache_home_t, file, ".mc_connections")
		gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble")
		gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "wocky")
		gnome_cache_filetrans($1, telepathy_cache_home_t, dir, "telepathy")
		gnome_data_filetrans($1, telepathy_logger_data_home_t, dir, "TpLogger")
		gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_filetrans_home_content'($*)) dnl
')

######################################
## <summary>
##	Execute telepathy in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`telepathy_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telepathy_exec'($*)) dnl
	gen_require(`
		attribute telepathy_executable;
	')

	corecmd_search_bin($1)
	can_exec($1, telepathy_executable)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telepathy_exec'($*)) dnl
')

## <summary>Telnet daemon.</summary>

########################################
## <summary>
##	Read and write telnetd pty devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`telnet_use_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `telnet_use_ptys'($*)) dnl
	gen_require(`
		type telnetd_devpts_t;
	')

	term_list_ptys($1)
	allow $1 telnetd_devpts_t:chr_file rw_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `telnet_use_ptys'($*)) dnl
')

## <summary>Trivial file transfer protocol daemon</summary>

########################################
## <summary>
##	Read tftp content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tftp_read_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_read_content'($*)) dnl
	gen_require(`
		type tftpdir_t;
		type tftpdir_rw_t;
	')

	# read-only access to both the read-only and the writable tftp trees
	list_dirs_pattern($1, tftpdir_t, tftpdir_t)
	read_files_pattern($1, tftpdir_t, tftpdir_t)
	read_lnk_files_pattern($1, tftpdir_t, tftpdir_t)

	list_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
	read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
	read_lnk_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_read_content'($*)) dnl
')

########################################
## <summary>
##	Search tftp /var/lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tftp_search_rw_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_search_rw_content'($*)) dnl
	gen_require(`
		type tftpdir_rw_t;
	')

	search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_search_rw_content'($*)) dnl
')

########################################
## <summary>
##	Read tftp /var/lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tftp_read_rw_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_read_rw_content'($*)) dnl
	gen_require(`
		type tftpdir_rw_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_read_rw_content'($*)) dnl
')

########################################
## <summary>
##	Write tftp /var/lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tftp_write_rw_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_write_rw_content'($*)) dnl
	gen_require(`
		type tftpdir_rw_t;
	')

	files_search_var_lib($1)
	write_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_write_rw_content'($*)) dnl
')

########################################
## <summary>
##	Manage tftp /var/lib directories and files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tftp_manage_rw_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_manage_rw_content'($*)) dnl
	gen_require(`
		type tftpdir_rw_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
	manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_manage_rw_content'($*)) dnl
')

########################################
## <summary>
##	Delete tftp /var/lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tftp_delete_content_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_delete_content_dirs'($*)) dnl
	gen_require(`
		type tftpdir_rw_t;
	')

	files_search_var_lib($1)
	delete_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_delete_content_dirs'($*)) dnl
')

########################################
## <summary>
##	Read tftp config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tftp_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_read_config'($*)) dnl
	gen_require(`
		type tftpd_etc_t;
	')

	read_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_read_config'($*)) dnl
')

########################################
## <summary>
##	Manage tftp config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tftp_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_manage_config'($*)) dnl
	gen_require(`
		type tftpd_etc_t;
	')

	manage_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
	files_etc_filetrans($1, tftpd_etc_t, file, "tftp")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_manage_config'($*)) dnl
')

########################################
## <summary>
##	Create objects in tftpdir directories
##	with specified types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	Private file type.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Class of the object being created.
##	</summary>
## </param>
#
define(`tftp_filetrans_tftpdir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_filetrans_tftpdir'($*)) dnl
	gen_require(`
		type tftpdir_rw_t;
	')

	filetrans_pattern($1, tftpdir_rw_t, $2, $3)
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_filetrans_tftpdir'($*)) dnl
')

########################################
## <summary>
##	Transition to tftp named content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tftp_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_filetrans_named_content'($*)) dnl
	gen_require(`
		type tftpd_etc_t;
	')

	files_etc_filetrans($1, tftpd_etc_t, file, "tftp")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_filetrans_named_content'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a tftp environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`tftp_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tftp_admin'($*)) dnl
	gen_require(`
		type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
	')

	allow $1 tftpd_t:process signal_perms;
	ps_process_pattern($1, tftpd_t)

	# ptrace of the daemon is withheld when the deny_ptrace boolean is set
	tunable_policy(`deny_ptrace',`',`
		allow $1 tftpd_t:process ptrace;
	')

	files_list_var_lib($1)
	admin_pattern($1, tftpdir_rw_t)
	admin_pattern($1, tftpdir_t)

	files_list_pids($1)
	admin_pattern($1, tftpd_var_run_t)

	tftp_manage_config($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tftp_admin'($*)) dnl
')

## <summary>Linux Target Framework Daemon.</summary>

#####################################
## <summary>
##	Read and write tgtd semaphores.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tgtd_rw_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tgtd_rw_semaphores'($*)) dnl
	gen_require(`
		type tgtd_t;
	')

	allow $1 tgtd_t:sem rw_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tgtd_rw_semaphores'($*)) dnl
')

######################################
## <summary>
##	Create, read, write, and delete
##	tgtd semaphores.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tgtd_manage_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tgtd_manage_semaphores'($*)) dnl
	gen_require(`
		type tgtd_t;
	')

	allow $1 tgtd_t:sem create_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tgtd_manage_semaphores'($*)) dnl
')

######################################
## <summary>
##	Connect to tgtd with a unix
##	domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tgtd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tgtd_stream_connect'($*)) dnl
	gen_require(`
		type tgtd_t, tgtd_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, tgtd_var_run_t, tgtd_var_run_t, tgtd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tgtd_stream_connect'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a tgtd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
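##	</summary>
## </param>
## <rolecap/>
#
define(`tgtd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `tgtd_admin'($*)) dnl
	gen_require(`
		type tgtd_t, tgtd_initrc_exec_t, tgtd_var_lib_t;
		type tgtd_var_run_t, tgtd_tmp_t, tgtd_tmpfs_t;
	')

	allow $1 tgtd_t:process signal_perms;
	ps_process_pattern($1, tgtd_t)

	# ptrace of the daemon honours the deny_ptrace boolean, as the other
	# *_admin interfaces in this file do; previously it was unconditional
	tunable_policy(`deny_ptrace',`',`
		allow $1 tgtd_t:process ptrace;
	')

	init_labeled_script_domtrans($1, tgtd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 tgtd_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_var_lib($1)
	admin_pattern($1, tgtd_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, tgtd_var_run_t)

	files_search_tmp($1)
	admin_pattern($1, tgtd_tmp_t)

	fs_search_tmpfs($1)
	admin_pattern($1, tgtd_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `tgtd_admin'($*)) dnl
')

## <summary>thin policy</summary>

#######################################
## <summary>
##	Creates types and rules for a basic
##	thin daemon domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
define(`thin_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `thin_domain_template'($*)) dnl
	gen_require(`
		attribute thin_domain;
	')

	type $1_t, thin_domain;
	type $1_exec_t;
	init_daemon_domain($1_t, $1_exec_t)

	# the daemon may re-execute its own binary without a transition
	can_exec($1_t, $1_exec_t)

	kernel_read_system_state($1_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `thin_domain_template'($*)) dnl
')

######################################
## <summary>
##	Execute thin in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`thin_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `thin_exec'($*)) dnl
	gen_require(`
		type thin_exec_t;
	')

	can_exec($1, thin_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `thin_exec'($*)) dnl
')

#####################################
## <summary>
##	Connect to thin over a unix domain
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.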
##	</summary>
## </param>
#
define(`thin_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `thin_stream_connect'($*)) dnl
	gen_require(`
		type thin_t, thin_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, thin_var_run_t, thin_var_run_t, thin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `thin_stream_connect'($*)) dnl
')

## <summary>policy for thumb</summary>

########################################
## <summary>
##	Transition to thumb.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`thumb_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `thumb_domtrans'($*)) dnl
	gen_require(`
		type thumb_t, thumb_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, thumb_exec_t, thumb_t)

	# inherited caller sockets are silently refused rather than audited
	dontaudit thumb_t $1:unix_stream_socket { getattr read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `thumb_domtrans'($*)) dnl
')

########################################
## <summary>
##	NNP Transition to thumb.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`thumb_nnp_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `thumb_nnp_domtrans'($*)) dnl
	gen_require(`
		type thumb_t;
	')

	# permit the transition even under no_new_privs or from a nosuid mount
	allow $1 thumb_t:process2 { nnp_transition nosuid_transition };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `thumb_nnp_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute thumb in the thumb domain, and
##	allow the specified role the thumb domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the thumb domain.
##	</summary>
## </param>
#
define(`thumb_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `thumb_run'($*)) dnl
	gen_require(`
		type thumb_t;
	')

	thumb_domtrans($1)
	thumb_nnp_domtrans($1)
	role $2 types thumb_t;

	allow $1 thumb_t:process signal_perms;

	# thumb is not given read access to the caller; only the audit noise is suppressed
	dontaudit thumb_t $1:dir list_dir_perms;
	dontaudit thumb_t $1:file read_file_perms;
	dontaudit thumb_t $1:unix_stream_socket rw_socket_perms;

	allow thumb_t $1:shm create_shm_perms;
	allow thumb_t $1:sem create_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `thumb_run'($*)) dnl
')

########################################
## <summary>
##	Role access for thumb.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
define(`thumb_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `thumb_role'($*)) dnl
	gen_require(`
		type thumb_t;
		class dbus send_msg;
	')

	# note the argument order: thumb_run takes (domain, role)
	thumb_run($2, $1)
	ps_process_pattern($2, thumb_t)

	allow thumb_t $2:unix_stream_socket connectto;

	thumb_dbus_chat($2)
	thumb_filetrans_home_content($2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `thumb_role'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	thumb over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`thumb_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `thumb_dbus_chat'($*)) dnl
	gen_require(`
		type thumb_t;
		class dbus send_msg;
	')

	allow $1 thumb_t:dbus send_msg;
	allow thumb_t $1:dbus send_msg;

	# thumb may also inspect the caller in /proc
	ps_process_pattern(thumb_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `thumb_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Create thumb content in the user home directory
##	with a correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
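##	</summary>
## </param>
#
define(`thumb_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `thumb_filetrans_home_content'($*)) dnl
	gen_require(`
		type thumb_home_t;
	')

	userdom_user_home_dir_filetrans($1, thumb_home_t, dir, ".thumbnails")
	userdom_user_home_dir_filetrans($1, thumb_home_t, file, "missfont.log")

	# the gnome cache location is only labeled when the gnome module is present
	optional_policy(`
		gnome_cache_filetrans($1, thumb_home_t, dir, "thumbnails")
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `thumb_filetrans_home_content'($*)) dnl
')

## <summary>Thunderbird email client.</summary>

########################################
## <summary>
##	Role access for thunderbird.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
define(`thunderbird_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `thunderbird_role'($*)) dnl
	gen_require(`
		attribute_role thunderbird_roles;
		type thunderbird_t, thunderbird_exec_t, thunderbird_home_t;
		type thunderbird_tmpfs_t;
	')

	roleattribute $1 thunderbird_roles;

	domtrans_pattern($2, thunderbird_exec_t, thunderbird_t)
	stream_connect_pattern($2, thunderbird_tmpfs_t, thunderbird_tmpfs_t, thunderbird_t)
	allow thunderbird_t $2:unix_stream_socket connectto;

	allow $2 thunderbird_t:process signal_perms;
	ps_process_pattern($2, thunderbird_t)

	# ptrace of thunderbird by the user domain honours the deny_ptrace
	# boolean, as the admin interfaces in this file do; it was unconditional
	tunable_policy(`deny_ptrace',`',`
		allow $2 thunderbird_t:process ptrace;
	')

	# the user domain fully owns and may relabel the thunderbird home content
	allow $2 thunderbird_home_t:dir { manage_dir_perms relabel_dir_perms };
	allow $2 thunderbird_home_t:file { manage_file_perms relabel_file_perms };
	allow $2 thunderbird_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
	userdom_user_home_dir_filetrans($2, thunderbird_home_t, dir, ".thunderbird")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `thunderbird_role'($*)) dnl
')

########################################
## <summary>
##	Execute thunderbird in the thunderbird domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.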
## ## # define(`thunderbird_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `thunderbird_domtrans'($*)) dnl gen_require(` type thunderbird_t, thunderbird_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, thunderbird_exec_t, thunderbird_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `thunderbird_domtrans'($*)) dnl ') ## timedatex - D-Bus service for system clock and RTC settings ######################################## ## ## Execute timedatex_exec_t in the timedatex domain. ## ## ## ## Domain allowed to transition. ## ## # define(`timedatex_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `timedatex_domtrans'($*)) dnl gen_require(` type timedatex_t, timedatex_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, timedatex_exec_t, timedatex_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `timedatex_domtrans'($*)) dnl ') ######################################## ## ## Send and receive messages from ## timedatex over dbus. ## ## ## ## Domain allowed access. ## ## # define(`timedatex_dbus_chat',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `timedatex_dbus_chat'($*)) dnl gen_require(` type timedatex_t; class dbus send_msg; ') allow $1 timedatex_t:dbus send_msg; allow timedatex_t $1:dbus send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `timedatex_dbus_chat'($*)) dnl ') ###################################### ## ## Execute timedatex in the caller domain. ## ## ## ## Domain allowed access. 
## ## # define(`timedatex_exec',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `timedatex_exec'($*)) dnl gen_require(` type timedatex_exec_t; ') corecmd_search_bin($1) can_exec($1, timedatex_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `timedatex_exec'($*)) dnl ') ## MIDI to WAV converter and player configured as a service. ## policy for tlp ######################################## ## ## Execute tlp_exec_t in the tlp domain. ## ## ## ## Domain allowed to transition. ## ## # define(`tlp_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `tlp_domtrans'($*)) dnl gen_require(` type tlp_t, tlp_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, tlp_exec_t, tlp_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `tlp_domtrans'($*)) dnl ') ###################################### ## ## Execute tlp in the caller domain. ## ## ## ## Domain allowed access. ## ## # define(`tlp_exec',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `tlp_exec'($*)) dnl gen_require(` type tlp_exec_t; ') corecmd_search_bin($1) can_exec($1, tlp_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `tlp_exec'($*)) dnl ') ###################################### ## ## Transition to tlp named content ## ## ## ## Domain allowed access. ## ## # define(`tlp_filetrans_named_content',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `tlp_filetrans_named_content'($*)) dnl gen_require(` type tlp_var_run_t; ') files_pid_filetrans($1, tlp_var_run_t, dir, "tlp") popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `tlp_filetrans_named_content'($*)) dnl ') ######################################## ## ## Search tlp conf directories. ## ## ## ## Domain allowed access. 
## ## # define(`tlp_search_conf',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `tlp_search_conf'($*)) dnl gen_require(` type tlp_etc_rw_t; ') allow $1 tlp_etc_rw_t:dir search_dir_perms; files_search_etc($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `tlp_search_conf'($*)) dnl ') ######################################## ## ## Read tlp conf files. ## ## ## ## Domain allowed access. ## ## # define(`tlp_read_conf_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `tlp_read_conf_files'($*)) dnl gen_require(` type tlp_etc_rw_t; ') allow $1 tlp_etc_rw_t:dir list_dir_perms; read_files_pattern($1, tlp_etc_rw_t, tlp_etc_rw_t) files_search_etc($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `tlp_read_conf_files'($*)) dnl ') ######################################## ## ## Manage tlp conf files. ## ## ## ## Domain allowed access. ## ## # define(`tlp_manage_conf_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `tlp_manage_conf_files'($*)) dnl gen_require(` type tlp_etc_rw_t; ') manage_files_pattern($1, tlp_etc_rw_t, tlp_etc_rw_t) files_search_etc($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `tlp_manage_conf_files'($*)) dnl ') ######################################## ## ## Execute tlp server in the tlp domain. ## ## ## ## Domain allowed to transition. 
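##	</summary>
## </param>
#
define(`tlp_systemctl',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tlp_systemctl'($*))dnl
	gen_require(`
		type tlp_t;
		type tlp_unit_file_t;
	')

	systemd_exec_systemctl($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 tlp_unit_file_t:file read_file_perms;
	allow $1 tlp_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, tlp_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tlp_systemctl'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	tlp pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tlp_manage_pid_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tlp_manage_pid_files'($*))dnl
	gen_require(`
		type tlp_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, tlp_var_run_t, tlp_var_run_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tlp_manage_pid_files'($*))dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a tlp environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`tlp_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tlp_admin'($*))dnl
	gen_require(`
		type tlp_t;
		type tlp_etc_rw_t;
		type tlp_unit_file_t;
	')

	# NOTE(review): the documented role argument is not referenced
	# by any rule below; only the domain argument is used.
	allow $1 tlp_t:process { signal_perms };
	ps_process_pattern($1, tlp_t)

	# ptrace is granted only while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 tlp_t:process ptrace;
	')

	files_search_etc($1)
	admin_pattern($1, tlp_etc_rw_t)

	tlp_systemctl($1)
	admin_pattern($1, tlp_unit_file_t)
	allow $1 tlp_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tlp_admin'($*))dnl
')

## <summary>Manage temporary directory sizes and file ages.</summary>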
########################################
## <summary>
##	Execute tmpreaper in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tmpreaper_exec',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tmpreaper_exec'($*))dnl
	gen_require(`
		type tmpreaper_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, tmpreaper_exec_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tmpreaper_exec'($*))dnl
')

## <summary>policy for tomcat</summary>

########################################
## <summary>
##	Creates types and rules for a basic
##	tomcat daemon domain.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
define(`tomcat_domain_template',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tomcat_domain_template'($*))dnl
	gen_require(`
		attribute tomcat_domain;
	')

	##################################
	#
	# Declarations: one process domain plus the
	# cache, log, lib, pid and tmp types it owns
	#

	type $1_t, tomcat_domain;
	type $1_exec_t;
	init_daemon_domain($1_t, $1_exec_t)

	type $1_cache_t;
	files_type($1_cache_t)

	type $1_log_t;
	logging_log_file($1_log_t)

	type $1_var_lib_t;
	files_type($1_var_lib_t)

	type $1_var_run_t;
	files_pid_file($1_var_run_t)

	type $1_tmp_t;
	files_tmp_file($1_tmp_t)

	##################################
	#
	# Local policy
	#

	manage_dirs_pattern($1_t, $1_cache_t, $1_cache_t)
	manage_files_pattern($1_t, $1_cache_t, $1_cache_t)
	manage_lnk_files_pattern($1_t, $1_cache_t, $1_cache_t)
	files_var_filetrans($1_t, $1_cache_t, { dir file })

	manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
	manage_files_pattern($1_t, $1_log_t, $1_log_t)
	manage_lnk_files_pattern($1_t, $1_log_t, $1_log_t)
	logging_log_filetrans($1_t, $1_log_t, { dir file })

	manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
	manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
	manage_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
	files_var_lib_filetrans($1_t, $1_var_lib_t, { dir file lnk_file })
	# map permission is needed on top of manage for mmap()'d lib files
	allow $1_t $1_var_lib_t:file map;

	manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
	manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
	files_pid_filetrans($1_t, $1_var_run_t, { dir file lnk_file })

	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
	manage_fifo_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
	manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
	files_tmp_filetrans($1_t, $1_tmp_t, { file fifo_file dir lnk_file })
	allow $1_t $1_tmp_t:file map;

	# the daemon may re-execute its own entrypoint without a transition
	can_exec($1_t, $1_exec_t)

	kernel_read_system_state($1_t)

	logging_send_syslog_msg($1_t)
dnl
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tomcat_domain_template'($*))dnl
')

########################################
## <summary>
##	Transition to tomcat.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`tomcat_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tomcat_domtrans'($*))dnl
	gen_require(`
		type tomcat_t, tomcat_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, tomcat_exec_t, tomcat_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tomcat_domtrans'($*))dnl
')

########################################
## <summary>
##	Search tomcat cache directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tomcat_search_cache',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tomcat_search_cache'($*))dnl
	gen_require(`
		type tomcat_cache_t;
	')

	allow $1 tomcat_cache_t:dir search_dir_perms;
	files_search_var($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tomcat_search_cache'($*))dnl
')

########################################
## <summary>
##	Read tomcat cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tomcat_read_cache_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tomcat_read_cache_files'($*))dnl
	gen_require(`
		type tomcat_cache_t;
	')

	files_search_var($1)
	read_files_pattern($1, tomcat_cache_t, tomcat_cache_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tomcat_read_cache_files'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	tomcat cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tomcat_manage_cache_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tomcat_manage_cache_files'($*))dnl
	gen_require(`
		type tomcat_cache_t;
	')

	files_search_var($1)
	manage_files_pattern($1, tomcat_cache_t, tomcat_cache_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tomcat_manage_cache_files'($*))dnl
')

########################################
## <summary>
##	Manage tomcat cache dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tomcat_manage_cache_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tomcat_manage_cache_dirs'($*))dnl
	gen_require(`
		type tomcat_cache_t;
	')

	files_search_var($1)
	manage_dirs_pattern($1, tomcat_cache_t, tomcat_cache_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tomcat_manage_cache_dirs'($*))dnl
')

########################################
## <summary>
##	Read tomcat's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`tomcat_read_log',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tomcat_read_log'($*))dnl
	gen_require(`
		type tomcat_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, tomcat_log_t, tomcat_log_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tomcat_read_log'($*))dnl
')

########################################
## <summary>
##	Append to tomcat log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tomcat_append_log',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tomcat_append_log'($*))dnl
	gen_require(`
		type tomcat_log_t;
	')

	# append-only: no read or overwrite of existing log content
	logging_search_logs($1)
	append_files_pattern($1, tomcat_log_t, tomcat_log_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tomcat_append_log'($*))dnl
')

########################################
## <summary>
##	Manage tomcat log files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tomcat_manage_log',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tomcat_manage_log'($*))dnl
	gen_require(`
		type tomcat_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, tomcat_log_t, tomcat_log_t)
	manage_files_pattern($1, tomcat_log_t, tomcat_log_t)
	manage_lnk_files_pattern($1, tomcat_log_t, tomcat_log_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tomcat_manage_log'($*))dnl
')

########################################
## <summary>
##	Search tomcat lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tomcat_search_lib',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tomcat_search_lib'($*))dnl
	gen_require(`
		type tomcat_var_lib_t;
	')

	allow $1 tomcat_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tomcat_search_lib'($*))dnl
')

########################################
## <summary>
##	Read tomcat lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tomcat_read_lib_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tomcat_read_lib_files'($*))dnl
	gen_require(`
		type tomcat_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tomcat_read_lib_files'($*))dnl
')

########################################
## <summary>
##	Manage tomcat lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tomcat_manage_lib_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tomcat_manage_lib_files'($*))dnl
	gen_require(`
		type tomcat_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tomcat_manage_lib_files'($*))dnl
')

########################################
## <summary>
##	Manage tomcat lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tomcat_manage_lib_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tomcat_manage_lib_dirs'($*))dnl
	gen_require(`
		type tomcat_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tomcat_manage_lib_dirs'($*))dnl
')

########################################
## <summary>
##	Read tomcat PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tomcat_read_pid_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tomcat_read_pid_files'($*))dnl
	gen_require(`
		type tomcat_var_run_t;
	')

	# NOTE(review): only file read is granted here; unlike the sibling
	# *_read_pid_files interfaces no search on tomcat_var_run_t dirs
	# is included, so files inside a tomcat_var_run_t subdirectory
	# are not reachable through this interface alone.
	files_search_pids($1)
	allow $1 tomcat_var_run_t:file read_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tomcat_read_pid_files'($*))dnl
')

########################################
## <summary>
##	Execute tomcat server in the tomcat domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`tomcat_systemctl',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tomcat_systemctl'($*))dnl
	gen_require(`
		type tomcat_t;
		type tomcat_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 tomcat_unit_file_t:file read_file_perms;
	allow $1 tomcat_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, tomcat_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tomcat_systemctl'($*))dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a tomcat environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
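##	</summary>
## </param>
## <rolecap/>
#
define(`tomcat_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tomcat_admin'($*))dnl
	gen_require(`
		type tomcat_t;
		type tomcat_cache_t;
		type tomcat_log_t;
		type tomcat_var_lib_t;
		type tomcat_var_run_t;
		type tomcat_unit_file_t;
	')

	allow $1 tomcat_t:process signal_perms;
	ps_process_pattern($1, tomcat_t)

	# Honor the deny_ptrace boolean the way the other admin
	# interfaces in this file do, instead of granting ptrace
	# unconditionally.
	tunable_policy(`deny_ptrace',`',`
		allow $1 tomcat_t:process ptrace;
	')

	files_search_var($1)
	admin_pattern($1, tomcat_cache_t)

	logging_search_logs($1)
	admin_pattern($1, tomcat_log_t)

	files_search_var_lib($1)
	admin_pattern($1, tomcat_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, tomcat_var_run_t)

	tomcat_systemctl($1)
	admin_pattern($1, tomcat_unit_file_t)
	allow $1 tomcat_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tomcat_admin'($*))dnl
')

## <summary>The onion router.</summary>

########################################
## <summary>
##	Execute a domain transition to run tor.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`tor_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tor_domtrans'($*))dnl
	gen_require(`
		type tor_t, tor_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, tor_exec_t, tor_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tor_domtrans'($*))dnl
')

########################################
## <summary>
##	Execute tor server in the tor domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.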
##	</summary>
## </param>
#
define(`tor_systemctl',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tor_systemctl'($*))dnl
	gen_require(`
		type tor_t;
		type tor_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 tor_unit_file_t:file read_file_perms;
	allow $1 tor_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, tor_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tor_systemctl'($*))dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a tor environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`tor_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tor_admin'($*))dnl
	gen_require(`
		type tor_t, tor_var_log_t, tor_etc_t;
		type tor_var_lib_t, tor_var_run_t;
		type tor_initrc_exec_t;
		type tor_unit_file_t;
	')

	allow $1 tor_t:process signal_perms;
	ps_process_pattern($1, tor_t)

	# ptrace is granted only while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 tor_t:process ptrace;
	')

	# the admin role may run the init script, which lands in system_r
	init_labeled_script_domtrans($1, tor_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 tor_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, tor_etc_t)

	files_list_var_lib($1)
	admin_pattern($1, tor_var_lib_t)

	logging_list_logs($1)
	admin_pattern($1, tor_var_log_t)

	files_list_pids($1)
	admin_pattern($1, tor_var_run_t)

	tor_systemctl($1)
	admin_pattern($1, tor_unit_file_t)
	allow $1 tor_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tor_admin'($*))dnl
')

## <summary>Portable Transparent Proxy Solution.</summary>

########################################
## <summary>
##	All of the rules required to
##	administrate a transproxy environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
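##	</summary>
## </param>
## <rolecap/>
#
define(`transproxy_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `transproxy_admin'($*))dnl
	gen_require(`
		type transproxy_t, transproxy_initrc_exec_t, transproxy_var_run_t;
	')

	allow $1 transproxy_t:process signal_perms;
	ps_process_pattern($1, transproxy_t)

	# Honor the deny_ptrace boolean like the other admin interfaces
	# in this file, instead of granting ptrace unconditionally.
	tunable_policy(`deny_ptrace',`',`
		allow $1 transproxy_t:process ptrace;
	')

	init_labeled_script_domtrans($1, transproxy_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 transproxy_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_pids($1)
	admin_pattern($1, transproxy_var_run_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `transproxy_admin'($*))dnl
')

## <summary>File integrity checker.</summary>

########################################
## <summary>
##	Execute tripwire in the tripwire domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`tripwire_domtrans_tripwire',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tripwire_domtrans_tripwire'($*))dnl
	gen_require(`
		type tripwire_t, tripwire_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, tripwire_exec_t, tripwire_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tripwire_domtrans_tripwire'($*))dnl
')

########################################
## <summary>
##	Execute tripwire in the tripwire
##	domain, and allow the specified
##	role the tripwire domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`tripwire_run_tripwire',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tripwire_run_tripwire'($*))dnl
	gen_require(`
		attribute_role tripwire_roles;
	')

	tripwire_domtrans_tripwire($1)
	roleattribute $2 tripwire_roles;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tripwire_run_tripwire'($*))dnl
')

########################################
## <summary>
##	Execute twadmin in the twadmin domain.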
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`tripwire_domtrans_twadmin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tripwire_domtrans_twadmin'($*))dnl
	gen_require(`
		type twadmin_t, twadmin_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, twadmin_exec_t, twadmin_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tripwire_domtrans_twadmin'($*))dnl
')

########################################
## <summary>
##	Execute twadmin in the twadmin
##	domain, and allow the specified
##	role the twadmin domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`tripwire_run_twadmin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tripwire_run_twadmin'($*))dnl
	gen_require(`
		attribute_role twadmin_roles;
	')

	tripwire_domtrans_twadmin($1)
	roleattribute $2 twadmin_roles;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tripwire_run_twadmin'($*))dnl
')

########################################
## <summary>
##	Execute twprint in the twprint domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`tripwire_domtrans_twprint',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tripwire_domtrans_twprint'($*))dnl
	gen_require(`
		type twprint_t, twprint_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, twprint_exec_t, twprint_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tripwire_domtrans_twprint'($*))dnl
')

########################################
## <summary>
##	Execute twprint in the twprint
##	domain, and allow the specified
##	role the twprint domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`tripwire_run_twprint',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tripwire_run_twprint'($*))dnl
	gen_require(`
		attribute_role twprint_roles;
	')

	tripwire_domtrans_twprint($1)
	roleattribute $2 twprint_roles;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tripwire_run_twprint'($*))dnl
')

########################################
## <summary>
##	Execute siggen in the siggen domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`tripwire_domtrans_siggen',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tripwire_domtrans_siggen'($*))dnl
	gen_require(`
		type siggen_t, siggen_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, siggen_exec_t, siggen_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tripwire_domtrans_siggen'($*))dnl
')

########################################
## <summary>
##	Execute siggen in the siggen domain,
##	and allow the specified role
##	the siggen domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`tripwire_run_siggen',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tripwire_run_siggen'($*))dnl
	gen_require(`
		attribute_role siggen_roles;
	')

	tripwire_domtrans_siggen($1)
	roleattribute $2 siggen_roles;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tripwire_run_siggen'($*))dnl
')

## <summary>Dynamic adaptive system tuning daemon.</summary>

########################################
## <summary>
##	Execute a domain transition to run tuned.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`tuned_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tuned_domtrans'($*))dnl
	gen_require(`
		type tuned_t, tuned_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, tuned_exec_t, tuned_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tuned_domtrans'($*))dnl
')

########################################
## <summary>
##	Execute tuned in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tuned_exec',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tuned_exec'($*))dnl
	gen_require(`
		type tuned_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, tuned_exec_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tuned_exec'($*))dnl
')

########################################
## <summary>
##	Read tuned etc files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tuned_read_etc_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tuned_read_etc_files'($*))dnl
	gen_require(`
		type tuned_etc_t;
	')

	files_search_etc($1)
	read_files_pattern($1, tuned_etc_t, tuned_etc_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tuned_read_etc_files'($*))dnl
')

########################################
## <summary>
##	Read tuned pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tuned_read_pid_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tuned_read_pid_files'($*))dnl
	gen_require(`
		type tuned_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, tuned_var_run_t, tuned_var_run_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tuned_read_pid_files'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	tuned pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tuned_manage_pid_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tuned_manage_pid_files'($*))dnl
	gen_require(`
		type tuned_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, tuned_var_run_t, tuned_var_run_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tuned_manage_pid_files'($*))dnl
')

########################################
## <summary>
##	Execute tuned init scripts in
##	the initrc domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`tuned_initrc_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tuned_initrc_domtrans'($*))dnl
	gen_require(`
		type tuned_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, tuned_initrc_exec_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tuned_initrc_domtrans'($*))dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a tuned environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
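##	</summary>
## </param>
## <rolecap/>
#
define(`tuned_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tuned_admin'($*))dnl
	gen_require(`
		type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
		type tuned_etc_t, tuned_rw_etc_t, tuned_log_t;
	')

	allow $1 tuned_t:process signal_perms;
	ps_process_pattern($1, tuned_t)

	# ptrace is granted only while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 tuned_t:process ptrace;
	')

	tuned_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 tuned_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, { tuned_etc_t tuned_rw_etc_t })

	logging_search_logs($1)
	admin_pattern($1, tuned_log_t)

	files_search_pids($1)
	admin_pattern($1, tuned_var_run_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tuned_admin'($*))dnl
')

########################################
## <summary>
##	Send and receive messages from tuned over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`tuned_dbus_chat',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tuned_dbus_chat'($*))dnl
	gen_require(`
		type tuned_t;
		class dbus send_msg;
	')

	# bidirectional: both sides may send dbus messages to the other
	allow $1 tuned_t:dbus send_msg;
	allow tuned_t $1:dbus send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tuned_dbus_chat'($*))dnl
')

## <summary>High quality television application.</summary>

########################################
## <summary>
##	Transition to tvtime named content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.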
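##	</summary>
## </param>
#
define(`tvtime_filetrans_home_content',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tvtime_filetrans_home_content'($*))dnl
	gen_require(`
		type tvtime_home_t;
	')

	# only a directory literally named ".tvtime" in the user home dir
	# picks up the tvtime_home_t label on creation
	userdom_user_home_dir_filetrans($1, tvtime_home_t, dir, ".tvtime")
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tvtime_filetrans_home_content'($*))dnl
')

########################################
## <summary>
##	Role access for tvtime
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
define(`tvtime_role',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tvtime_role'($*))dnl
	gen_require(`
		attribute_role tvtime_roles;
		type tvtime_t, tvtime_exec_t, tvtime_tmp_t;
		type tvtime_home_t, tvtime_tmpfs_t;
	')

	roleattribute $1 tvtime_roles;

	domtrans_pattern($2, tvtime_exec_t, tvtime_t)

	ps_process_pattern($2, tvtime_t)
	allow $2 tvtime_t:process signal_perms;

	# Honor the deny_ptrace boolean as the admin interfaces in this
	# file do, instead of granting ptrace unconditionally.
	tunable_policy(`deny_ptrace',`',`
		allow $2 tvtime_t:process ptrace;
	')

	allow $2 { tvtime_home_t tvtime_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
	allow $2 { tvtime_home_t tvtime_tmpfs_t tvtime_tmp_t }:file { manage_file_perms relabel_file_perms };
	allow $2 { tvtime_home_t tvtime_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
	allow $2 tvtime_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
	allow $2 tvtime_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };

	userdom_user_home_dir_filetrans($2, tvtime_home_t, dir, ".tvtime")
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tvtime_role'($*))dnl
')

## <summary>Time zone updater.</summary>

########################################
## <summary>
##	Execute a domain transition to run tzdata.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.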
##	</summary>
## </param>
#
define(`tzdata_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tzdata_domtrans'($*))dnl
	gen_require(`
		type tzdata_t, tzdata_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, tzdata_exec_t, tzdata_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tzdata_domtrans'($*))dnl
')

########################################
## <summary>
##	Execute tzdata in the tzdata domain,
##	and allow the specified role
##	the tzdata domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`tzdata_run',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `tzdata_run'($*))dnl
	gen_require(`
		attribute_role tzdata_roles;
	')

	tzdata_domtrans($1)
	roleattribute $2 tzdata_roles;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `tzdata_run'($*))dnl
')

## <summary>UNIX Client-Server Program Interface for TCP.</summary>

########################################
## <summary>
##	Define a specified domain as a ucspitcp service.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="entrypoint">
##	<summary>
##	The type associated with the process program.
##	</summary>
## </param>
#
define(`ucspitcp_service_domain',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ucspitcp_service_domain'($*))dnl
	gen_require(`
		type ucspitcp_t;
	')

	# $1 becomes a domain entered from $2, reachable only by ucspitcp_t
	domain_type($1)
	domain_entry_file($1, $2)
	role system_r types $1;

	domtrans_pattern(ucspitcp_t, $2, $1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ucspitcp_service_domain'($*))dnl
')

## <summary>Iptables/netfilter userspace logging daemon.</summary>

########################################
## <summary>
##	Execute a domain transition to run ulogd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ulogd_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ulogd_domtrans'($*))dnl
	gen_require(`
		type ulogd_t, ulogd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, ulogd_exec_t, ulogd_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ulogd_domtrans'($*))dnl
')

########################################
## <summary>
##	Read ulogd configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`ulogd_read_config',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ulogd_read_config'($*))dnl
	gen_require(`
		type ulogd_etc_t;
	')

	files_search_etc($1)
	read_files_pattern($1, ulogd_etc_t, ulogd_etc_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ulogd_read_config'($*))dnl
')

########################################
## <summary>
##	Read ulogd log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`ulogd_read_log',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ulogd_read_log'($*))dnl
	gen_require(`
		type ulogd_var_log_t;
	')

	logging_search_logs($1)
	allow $1 ulogd_var_log_t:dir list_dir_perms;
	read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ulogd_read_log'($*))dnl
')

########################################
## <summary>
##	Search ulogd log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ulogd_search_log',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ulogd_search_log'($*))dnl
	gen_require(`
		type ulogd_var_log_t;
	')

	logging_search_logs($1)
	allow $1 ulogd_var_log_t:dir search_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ulogd_search_log'($*))dnl
')

########################################
## <summary>
##	Append to ulogd log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`ulogd_append_log',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ulogd_append_log'($*))dnl
	gen_require(`
		type ulogd_var_log_t;
	')

	# append-only on the log files; the directory may be listed
	logging_search_logs($1)
	allow $1 ulogd_var_log_t:dir list_dir_perms;
	allow $1 ulogd_var_log_t:file append_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ulogd_append_log'($*))dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate a ulogd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`ulogd_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ulogd_admin'($*))dnl
	gen_require(`
		type ulogd_t, ulogd_etc_t, ulogd_modules_t;
		type ulogd_var_log_t, ulogd_initrc_exec_t;
	')

	allow $1 ulogd_t:process signal_perms;
	ps_process_pattern($1, ulogd_t)

	# ptrace is granted only while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 ulogd_t:process ptrace;
	')

	init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 ulogd_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	admin_pattern($1, ulogd_etc_t)

	logging_list_logs($1)
	admin_pattern($1, ulogd_var_log_t)

	files_list_usr($1)
	admin_pattern($1, ulogd_modules_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ulogd_admin'($*))dnl
')

## <summary>User mode linux tools and services.</summary>

########################################
## <summary>
##	Role access for uml.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
#
define(`uml_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uml_role'($*)) dnl
	gen_require(`
		attribute_role uml_roles;
		type uml_t, uml_exec_t;
		type uml_ro_t, uml_rw_t, uml_tmp_t;
		type uml_devpts_t, uml_tmpfs_t;
	')

	roleattribute $1 uml_roles;

	# Launch UML from the user domain and keep control of the instance.
	domtrans_pattern($2, uml_exec_t, uml_t)
	ps_process_pattern($2, uml_t)
	allow $2 uml_t:process signal_perms;

	# Datagram traffic in both directions over the tmpfs-backed sockets.
	dgram_send_pattern($2, uml_tmpfs_t, uml_tmpfs_t, uml_t)
	allow uml_t $2:unix_dgram_socket sendto;

	# The user owns the UML image and scratch files outright, relabeling
	# included.
	# NOTE(review): uml_exec_t is part of the manage/relabel sets, so the
	# user can replace or relabel the entry point of uml_t. That is bounded
	# by uml_t being the user-owned domain entered above, not a privileged
	# one, but it is more than most role interfaces hand out.
	allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms };
	allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms };
	allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
	allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
	allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };

	# The .uml directory created in the home directory gets uml_rw_t.
	userdom_user_home_dir_filetrans($2, uml_rw_t, dir, ".uml")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uml_role'($*)) dnl
')

########################################
## <summary>
##	Set attributes of uml pid sock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`uml_setattr_util_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uml_setattr_util_sockets'($*)) dnl
	gen_require(`
		type uml_switch_var_run_t;
	')

	# setattr only; no connect, read or write on the socket node.
	allow $1 uml_switch_var_run_t:sock_file setattr_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uml_setattr_util_sockets'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	uml pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`uml_manage_util_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uml_manage_util_files'($*)) dnl
	gen_require(`
		type uml_switch_var_run_t;
	')

	# Regular files and symlinks in the uml_switch pid directory; the
	# directory itself is not managed here.
	manage_lnk_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t)
	manage_files_pattern($1, uml_switch_var_run_t, uml_switch_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uml_manage_util_files'($*)) dnl
')

## <summary>Red Hat utility to change fstab.</summary>

########################################
## <summary>
##	Execute updfstab in the updfstab domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`updfstab_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `updfstab_domtrans'($*)) dnl
	gen_require(`
		type updfstab_exec_t;
		type updfstab_t;
	')

	# Automatic transition into updfstab_t on exec of the binary.
	corecmd_search_bin($1)
	domtrans_pattern($1, updfstab_exec_t, updfstab_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `updfstab_domtrans'($*)) dnl
')

## <summary>Daemon to record and keep track of system up times.</summary>

########################################
## <summary>
##	All of the rules required to
##	administrate an uptime environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
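##	</summary>
## </param>
## <rolecap/>
#
define(`uptime_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uptime_admin'($*)) dnl
	gen_require(`
		type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t;
		type uptimed_spool_t, uptimed_var_run_t;
	')

	allow $1 uptimed_t:process signal_perms;
	ps_process_pattern($1, uptimed_t)

	# ptrace of the daemon is gated by the global deny_ptrace boolean, the
	# same way every other *_admin interface in this file does it; it was
	# previously granted unconditionally here.
	tunable_policy(`deny_ptrace',`',`
		allow $1 uptimed_t:process ptrace;
	')

	# Run the init script and land in system_r.
	init_labeled_script_domtrans($1, uptimed_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 uptimed_initrc_exec_t system_r;
	allow $2 system_r;

	# Full management of configuration, spool and pid files.
	files_search_etc($1)
	admin_pattern($1, uptimed_etc_t)

	files_search_spool($1)
	admin_pattern($1, uptimed_spool_t)

	files_search_pids($1)
	admin_pattern($1, uptimed_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uptime_admin'($*)) dnl
')

## <summary>List kernel modules of USB devices.</summary>

########################################
## <summary>
##	Execute usbmodules in the usbmodules domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`usbmodules_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usbmodules_domtrans'($*)) dnl
	gen_require(`
		type usbmodules_t, usbmodules_exec_t;
	')

	# Automatic transition into usbmodules_t on exec of the binary.
	corecmd_search_bin($1)
	domtrans_pattern($1, usbmodules_exec_t, usbmodules_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usbmodules_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute usbmodules in the usbmodules
##	domain, and allow the specified
##	role the usbmodules domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.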
##	</summary>
## </param>
## <rolecap/>
#
define(`usbmodules_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usbmodules_run'($*)) dnl
	gen_require(`
		attribute_role usbmodules_roles;
	')

	# Transition plus role membership, so the caller can actually end up
	# in usbmodules_t under its own role.
	roleattribute $2 usbmodules_roles;
	usbmodules_domtrans($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usbmodules_run'($*)) dnl
')

## <summary>USB multiplexing daemon for communicating with Apple iPod Touch and iPhone.</summary>

########################################
## <summary>
##	Execute a domain transition to run usbmuxd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`usbmuxd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usbmuxd_domtrans'($*)) dnl
	gen_require(`
		type usbmuxd_exec_t;
		type usbmuxd_t;
	')

	# Automatic transition into usbmuxd_t on exec of the binary.
	corecmd_search_bin($1)
	domtrans_pattern($1, usbmuxd_exec_t, usbmuxd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usbmuxd_domtrans'($*)) dnl
')

#####################################
## <summary>
##	Connect to usbmuxd with a unix
##	domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`usbmuxd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usbmuxd_stream_connect'($*)) dnl
	gen_require(`
		type usbmuxd_var_run_t;
		type usbmuxd_t;
	')

	# The socket node lives under the pid directory; connectto is only
	# granted towards sockets owned by usbmuxd_t.
	files_search_pids($1)
	stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usbmuxd_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Control the usbmuxd service through
##	systemctl (the systemctl interface,
##	not a domain transition into usbmuxd_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`usbmuxd_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usbmuxd_systemctl'($*)) dnl
	gen_require(`
		type usbmuxd_unit_file_t;
		type usbmuxd_t;
	')

	# Run systemctl, reload units, and start/stop/status the usbmuxd unit.
	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 usbmuxd_unit_file_t:service manage_service_perms;
	allow $1 usbmuxd_unit_file_t:file read_file_perms;

	# Inspect the daemon process (for status output).
	ps_process_pattern($1, usbmuxd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usbmuxd_systemctl'($*)) dnl
')

#####################################
## <summary>
##	All of the rules required to administrate
##	an usbmuxd environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the usbmuxd domain.
##	</summary>
## </param>
## <rolecap/>
#
define(`usbmuxd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usbmuxd_admin'($*)) dnl
	gen_require(`
		type usbmuxd_unit_file_t;
		type usbmuxd_t, usbmuxd_var_run_t;
	')

	# Process control; ptrace honors the deny_ptrace boolean.
	ps_process_pattern($1, usbmuxd_t)
	allow $1 usbmuxd_t:process signal_perms;
	tunable_policy(`deny_ptrace',`',`
		allow $1 usbmuxd_t:process ptrace;
	')

	# NOTE(review): system_r is granted to the role without any
	# role_transition or domain_system_change_exemption, unlike the init
	# script based *_admin interfaces in this file; presumably because the
	# service is driven via systemctl only. Confirm the role grant is needed.
	allow $2 system_r;

	files_list_pids($1)
	admin_pattern($1, usbmuxd_var_run_t)

	# Unit file management implies control over what systemd runs for this
	# service; all_service_perms is a superset of the manage_service_perms
	# already granted through usbmuxd_systemctl.
	usbmuxd_systemctl($1)
	admin_pattern($1, usbmuxd_unit_file_t)
	allow $1 usbmuxd_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usbmuxd_admin'($*)) dnl
')

## <summary>SELinux utility to run a shell with a new role</summary>

#######################################
## <summary>
##	The role template for the userhelper module.
## </summary>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The user role.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The user domain associated with the role.
##	</summary>
## </param>
#
define(`userhelper_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userhelper_role_template'($*)) dnl
	gen_require(`
		attribute userhelper_type;
		type userhelper_exec_t, userhelper_conf_t;
		# NOTE(review): class dbus is required but no dbus rule appears in
		# this template; harmless, but the require could be dropped.
		class dbus send_msg;
	')

	########################################
	#
	# Declarations
	#

	# Per-role derived domain: the helper runs as $1_userhelper_t when the
	# user domain ($3) executes userhelper_exec_t. It is exempt from the
	# usual role, subject and object identity change constraints because
	# its whole purpose is to start a program under a different user/role.
	type $1_userhelper_t, userhelper_type;
	userdom_user_application_domain($1_userhelper_t, userhelper_exec_t)
	domain_role_change_exemption($1_userhelper_t)
	domain_obj_id_change_exemption($1_userhelper_t)
	domain_interactive_fd($1_userhelper_t)
	domain_subj_id_change_exemption($1_userhelper_t)
	role $2 types $1_userhelper_t;

	########################################
	#
	# Local policy
	#

	# setuid/setgid/chown are what let the helper become the target user;
	# dac_read_search for restricted files, sys_tty_config for the terminal.
	allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_read_search chown sys_tty_config };
	# NOTE(review): setexec is excluded by the complement below and then
	# granted explicitly on the next rule, so the net effect is that setexec
	# IS allowed (it is how the helper picks the context for the exec). The
	# remaining exclusions (ptrace, setcurrent, setfscreate, setrlimit and
	# the exec* memory permissions) stay denied.
	allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	allow $1_userhelper_t self:process setexec;
	allow $1_userhelper_t self:fd use;
	allow $1_userhelper_t self:fifo_file rw_fifo_file_perms;
	allow $1_userhelper_t self:shm create_shm_perms;
	allow $1_userhelper_t self:sem create_sem_perms;
	allow $1_userhelper_t self:msgq create_msgq_perms;
	allow $1_userhelper_t self:msg { send receive };
	allow $1_userhelper_t self:unix_dgram_socket create_socket_perms;
	allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_userhelper_t self:unix_dgram_socket sendto;
	allow $1_userhelper_t self:unix_stream_socket connectto;
	allow $1_userhelper_t self:sock_file read_sock_file_perms;

	# Transition to the derived domain.
	domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)

	# NOTE(review): read AND write access to the helper configuration
	# (userhelper_conf_t). A compromised helper could alter which
	# applications it is willing to launch; confirm write is required.
	allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
	rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t)

	can_exec($1_userhelper_t, userhelper_exec_t)

	# The caller may try to signal the helper; deny quietly.
	dontaudit $3 $1_userhelper_t:process signal;

	kernel_read_all_sysctls($1_userhelper_t)
	kernel_getattr_debugfs($1_userhelper_t)
	kernel_read_system_state($1_userhelper_t)

	# Execute shells
	corecmd_exec_shell($1_userhelper_t)
	# By default, revert to the calling domain when a program is executed
	corecmd_bin_domtrans($1_userhelper_t, $3)

	# Inherit descriptors from the current session.
	domain_use_interactive_fds($1_userhelper_t)
	# for when the user types "exec userhelper" at the command line
	domain_sigchld_interactive_fds($1_userhelper_t)

	dev_read_urand($1_userhelper_t)
	# Read /dev directories and any symbolic links.
	dev_list_all_dev_nodes($1_userhelper_t)

	files_list_var_lib($1_userhelper_t)
	# Read the /etc/security/default_type file
	files_read_etc_files($1_userhelper_t)
	# Read /var.
	files_read_var_files($1_userhelper_t)
	files_read_var_symlinks($1_userhelper_t)
	# for some PAM modules and for cwd
	files_search_home($1_userhelper_t)

	fs_search_auto_mountpoints($1_userhelper_t)
	fs_read_nfs_files($1_userhelper_t)
	fs_read_nfs_symlinks($1_userhelper_t)

	# Allow $1_userhelper to obtain contexts to relabel TTYs
	selinux_get_fs_mount($1_userhelper_t)
	selinux_validate_context($1_userhelper_t)
	selinux_compute_access_vector($1_userhelper_t)
	selinux_compute_create_context($1_userhelper_t)
	selinux_compute_relabel_context($1_userhelper_t)
	selinux_compute_user_contexts($1_userhelper_t)

	# Read the devpts root directory.
	term_list_ptys($1_userhelper_t)
	# Relabel terminals (all tty and pty types, not just the users own).
	term_relabel_all_ttys($1_userhelper_t)
	term_relabel_all_ptys($1_userhelper_t)
	# Access terminals.
	term_use_all_ttys($1_userhelper_t)
	term_use_all_ptys($1_userhelper_t)

	# Password verification goes through the chkpwd helper domain, so the
	# shadow file itself is not readable from here.
	auth_domtrans_chk_passwd($1_userhelper_t)
	auth_manage_pam_pid($1_userhelper_t)
	auth_manage_var_auth($1_userhelper_t)
	auth_search_pam_console_data($1_userhelper_t)
	auth_use_nsswitch($1_userhelper_t)

	logging_send_syslog_msg($1_userhelper_t)

	# Inherit descriptors from the current session.
	init_use_fds($1_userhelper_t)
	# Write to utmp.
	init_manage_utmp($1_userhelper_t)
	init_pid_filetrans_utmp($1_userhelper_t)

	seutil_read_config($1_userhelper_t)
	seutil_read_default_contexts($1_userhelper_t)

	# Allow $1_userhelper_t to transition to user domains.
	userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
	userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)

	ifdef(`distro_redhat',`
		optional_policy(`
			# Allow transitioning to rpm_t, for up2date
			rpm_domtrans($1_userhelper_t)
		')
	')

	optional_policy(`
		# Outside secure_mode the helper may hand the user a sysadm_t
		# program; the optional_policy wrapper makes this silently vanish
		# when the sysadm module is not loaded.
		tunable_policy(`! secure_mode',`
			#if we are not in secure mode then we can transition to sysadm_t
			sysadm_bin_spec_domtrans($1_userhelper_t)
			sysadm_entry_spec_domtrans($1_userhelper_t)
		')
	') dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userhelper_role_template'($*)) dnl
')

########################################
## <summary>
##	Search the userhelper configuration directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userhelper_search_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userhelper_search_config'($*)) dnl
	gen_require(`
		type userhelper_conf_t;
	')

	# Traversal only; no listing or reading of the configuration.
	allow $1 userhelper_conf_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userhelper_search_config'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to search
##	the userhelper configuration directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userhelper_dontaudit_search_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userhelper_dontaudit_search_config'($*)) dnl
	gen_require(`
		type userhelper_conf_t;
	')

	# Silence the denial only; nothing is allowed here.
	dontaudit $1 userhelper_conf_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userhelper_dontaudit_search_config'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write
##	the userhelper configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userhelper_dontaudit_write_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userhelper_dontaudit_write_config'($*)) dnl
	gen_require(`
		type userhelper_conf_t;
	')

	# Writes to the helper configuration stay denied, just unlogged.
	dontaudit $1 userhelper_conf_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userhelper_dontaudit_write_config'($*)) dnl
')

########################################
## <summary>
##	Allow domain to use userhelper file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userhelper_use_fd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userhelper_use_fd'($*)) dnl
	gen_require(`
		attribute userhelper_type;
	')

	# Covers every derived *_userhelper_t domain via the attribute.
	allow $1 userhelper_type:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userhelper_use_fd'($*)) dnl
')

########################################
## <summary>
##	Allow domain to send sigchld to userhelper.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userhelper_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userhelper_sigchld'($*)) dnl
	gen_require(`
		attribute userhelper_type;
	')

	# Only sigchld, so a child started by the helper can report its exit.
	allow $1 userhelper_type:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userhelper_sigchld'($*)) dnl
')

########################################
## <summary>
##	Execute the userhelper program in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userhelper_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userhelper_exec'($*)) dnl
	gen_require(`
		type userhelper_exec_t;
	')

	# No domain transition: the helper runs with the privileges of the
	# caller and nothing more.
	can_exec($1, userhelper_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userhelper_exec'($*)) dnl
')

#######################################
## <summary>
##	The role template for the consolehelper module.
## </summary>
## <desc>
##	<p>

## This template creates a derived domain which is used ## for consolehelper applications. ##

##
## </desc>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
#
define(`userhelper_console_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userhelper_console_role_template'($*)) dnl
	gen_require(`
		type consolehelper_exec_t;
		attribute consolehelper_domain;
		class dbus send_msg;
	')

	# Per-role derived domain entered from the user domain ($3) by
	# executing consolehelper_exec_t.
	type $1_consolehelper_t, consolehelper_domain;
	domain_type($1_consolehelper_t)
	domain_entry_file($1_consolehelper_t, consolehelper_exec_t)
	role $2 types $1_consolehelper_t;

	domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
	allow $3 $1_consolehelper_t:process signal;

	# D-Bus messages both ways plus a stream connect back to the caller.
	allow $3 $1_consolehelper_t:dbus send_msg;
	allow $1_consolehelper_t $3:dbus send_msg;
	allow $1_consolehelper_t $3:unix_stream_socket connectto;

	kernel_read_system_state($1_consolehelper_t)

	# The helper authenticates the user through PAM itself.
	auth_use_pam($1_consolehelper_t)

	userdom_manage_tmp_role($2, $1_consolehelper_t)

	optional_policy(`
		dbus_connect_session_bus($1_consolehelper_t)
	')

	# Each *_run below hands the user role access to that target domain
	# whenever the corresponding module is loaded; shutdown and mock in
	# particular are privileged targets, so review these when the template
	# is instantiated for a low-privilege role.
	optional_policy(`
		hddtemp_run($1_consolehelper_t, $2)
	')

	optional_policy(`
		shutdown_run($1_consolehelper_t, $2)
		shutdown_send_sigchld($3)
	')

	optional_policy(`
		mock_run($1_consolehelper_t, $2)
	')

	optional_policy(`
		xserver_run_xauth($1_consolehelper_t, $2)
		xserver_read_xdm_pid($1_consolehelper_t)
	') dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userhelper_console_role_template'($*)) dnl
')

########################################
## <summary>
##	Execute the consolehelper program
##	in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userhelper_exec_consolehelper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userhelper_exec_consolehelper'($*)) dnl
	gen_require(`
		type consolehelper_exec_t;
	')

	# No domain transition: consolehelper runs with the caller privileges.
	corecmd_search_bin($1)
	can_exec($1, consolehelper_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userhelper_exec_consolehelper'($*)) dnl
')

## <summary>User network interface configuration helper.</summary>

########################################
## <summary>
##	Execute usernetctl in the usernetctl domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`usernetctl_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usernetctl_domtrans'($*)) dnl
	gen_require(`
		type usernetctl_exec_t;
		type usernetctl_t;
	')

	# Automatic transition into usernetctl_t on exec of the binary.
	corecmd_search_bin($1)
	domtrans_pattern($1, usernetctl_exec_t, usernetctl_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usernetctl_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute usernetctl in the usernetctl
##	domain, and allow the specified role
##	the usernetctl domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`usernetctl_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `usernetctl_run'($*)) dnl
	gen_require(`
		attribute_role usernetctl_roles;
		type usernetctl_t;
	')

	# Role membership first, then the transition itself.
	roleattribute $2 usernetctl_roles;
	usernetctl_domtrans($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `usernetctl_run'($*)) dnl
')

## <summary>Unix to Unix Copy.</summary>

########################################
## <summary>
##	Execute uucico in the uucpd_t domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`uucp_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uucp_domtrans'($*)) dnl
	gen_require(`
		type uucpd_exec_t;
		type uucpd_t;
	')

	# Automatic transition into uucpd_t on exec of uucico.
	corecmd_search_bin($1)
	domtrans_pattern($1, uucpd_exec_t, uucpd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uucp_domtrans'($*)) dnl
')

########################################
## <summary>
##	Append uucp log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`uucp_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uucp_append_log'($*)) dnl
	gen_require(`
		type uucpd_log_t;
	')

	# Append-only: list the log directory, append to files, no read or
	# truncate of existing log content.
	logging_search_logs($1)
	allow $1 uucpd_log_t:dir list_dir_perms;
	allow $1 uucpd_log_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uucp_append_log'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	uucp spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`uucp_manage_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uucp_manage_spool'($*)) dnl
	gen_require(`
		type uucpd_spool_t;
	')

	# Directories, regular files and symlinks in the uucp spool.
	files_search_spool($1)
	manage_lnk_files_pattern($1, uucpd_spool_t, uucpd_spool_t)
	manage_files_pattern($1, uucpd_spool_t, uucpd_spool_t)
	manage_dirs_pattern($1, uucpd_spool_t, uucpd_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uucp_manage_spool'($*)) dnl
')

########################################
## <summary>
##	Execute uux in the uux_t domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`uucp_domtrans_uux',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uucp_domtrans_uux'($*)) dnl
	gen_require(`
		type uux_exec_t;
		type uux_t;
	')

	# Automatic transition into uux_t on exec of uux.
	corecmd_search_bin($1)
	domtrans_pattern($1, uux_exec_t, uux_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uucp_domtrans_uux'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an uucp environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`uucp_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uucp_admin'($*)) dnl
	gen_require(`
		type uucpd_t, uucpd_initrc_exec_t;
		type uucpd_log_t, uucpd_spool_t, uucpd_tmp_t;
		type uucpd_ro_t, uucpd_rw_t, uucpd_var_run_t;
	')

	# Process control; ptrace honors the deny_ptrace boolean.
	ps_process_pattern($1, uucpd_t)
	allow $1 uucpd_t:process signal_perms;
	tunable_policy(`deny_ptrace',`',`
		allow $1 uucpd_t:process ptrace;
	')

	# NOTE(review): unlike the other *_admin interfaces here, this one takes
	# no role parameter and grants no init script transition, although
	# uucpd_initrc_exec_t is required above and then never used. Callers
	# wanting service control need a separate interface.

	logging_list_logs($1)
	admin_pattern($1, uucpd_log_t)

	files_list_spool($1)
	admin_pattern($1, uucpd_spool_t)
	admin_pattern($1, { uucpd_ro_t uucpd_rw_t })

	files_list_tmp($1)
	admin_pattern($1, uucpd_tmp_t)

	files_list_pids($1)
	admin_pattern($1, uucpd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uucp_admin'($*)) dnl
')

## <summary>UUID generation daemon.</summary>

########################################
## <summary>
##	Execute uuidd in the uuidd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`uuidd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uuidd_domtrans'($*)) dnl
	gen_require(`
		type uuidd_exec_t;
		type uuidd_t;
	')

	# Automatic transition into uuidd_t on exec of the binary.
	corecmd_search_bin($1)
	domtrans_pattern($1, uuidd_exec_t, uuidd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uuidd_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute uuidd init scripts in
##	the initrc domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`uuidd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uuidd_initrc_domtrans'($*)) dnl
	gen_require(`
		type uuidd_initrc_exec_t;
	')

	# Run the labeled init script in the initrc domain.
	init_labeled_script_domtrans($1, uuidd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uuidd_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Search uuidd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`uuidd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uuidd_search_lib'($*)) dnl
	gen_require(`
		type uuidd_var_lib_t;
	')

	# Path traversal only: /var/lib, then the uuidd directory.
	files_search_var_lib($1)
	allow $1 uuidd_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uuidd_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read uuidd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`uuidd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uuidd_read_lib_files'($*)) dnl
	gen_require(`
		type uuidd_var_lib_t;
	')

	# Read-only access to the files under /var/lib for uuidd.
	files_search_var_lib($1)
	read_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uuidd_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	uuidd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`uuidd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uuidd_manage_lib_files'($*)) dnl
	gen_require(`
		type uuidd_var_lib_t;
	')

	# Regular files only; directories are covered by uuidd_manage_lib_dirs.
	files_search_var_lib($1)
	manage_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uuidd_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	uuidd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`uuidd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uuidd_manage_lib_dirs'($*)) dnl
	gen_require(`
		type uuidd_var_lib_t;
	')

	# Directories only; files are covered by uuidd_manage_lib_files.
	files_search_var_lib($1)
	manage_dirs_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uuidd_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Read uuidd pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`uuidd_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uuidd_read_pid_files'($*)) dnl
	gen_require(`
		type uuidd_var_run_t;
	')

	# Read the pid file; no directory listing of the pid directory itself.
	files_search_pids($1)
	allow $1 uuidd_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uuidd_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Connect to uuidd with an unix
##	domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
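##	</summary>
## </param>
#
define(`uuidd_stream_connect_manager',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uuidd_stream_connect_manager'($*)) dnl
	gen_require(`
		type uuidd_t, uuidd_var_run_t, uuidd_var_lib_t;
	')

	# The daemon socket may live under the pid directory or under the
	# uuidd lib directory; the caller needs to traverse the parent of each
	# (/run and /var/lib) to reach the socket node. The /var/lib search was
	# missing, which left the second stream_connect_pattern unreachable
	# for callers without var_lib search from elsewhere.
	files_search_pids($1)
	stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t)

	files_search_var_lib($1)
	stream_connect_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t, uuidd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uuidd_stream_connect_manager'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to
##	administrate an uuidd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`uuidd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uuidd_admin'($*)) dnl
	gen_require(`
		type uuidd_t, uuidd_initrc_exec_t;
		type uuidd_var_run_t, uuidd_var_lib_t;
	')

	# Process control; ptrace honors the deny_ptrace boolean.
	allow $1 uuidd_t:process signal_perms;
	ps_process_pattern($1, uuidd_t)
	tunable_policy(`deny_ptrace',`',`
		allow $1 uuidd_t:process ptrace;
	')

	# Run the init script and land in system_r.
	uuidd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 uuidd_initrc_exec_t system_r;
	allow $2 system_r;

	# Full management of the lib and pid files.
	files_search_var_lib($1)
	admin_pattern($1, uuidd_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, uuidd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uuidd_admin'($*)) dnl
')

## <summary>University of Washington IMAP toolkit POP3 and IMAP mail server.</summary>

########################################
## <summary>
##	Execute imapd in the imapd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.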
##	</summary>
## </param>
#
define(`uwimap_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `uwimap_domtrans'($*)) dnl
	gen_require(`
		type imapd_exec_t;
		type imapd_t;
	')

	# Automatic transition into imapd_t on exec of the binary.
	corecmd_search_bin($1)
	domtrans_pattern($1, imapd_exec_t, imapd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `uwimap_domtrans'($*)) dnl
')

## <summary>Varnishd http accelerator daemon.</summary>

#######################################
## <summary>
##	Execute varnishd in the varnishd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`varnishd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `varnishd_domtrans'($*)) dnl
	gen_require(`
		type varnishd_exec_t;
		type varnishd_t;
	')

	# Automatic transition into varnishd_t on exec of the binary.
	corecmd_search_bin($1)
	domtrans_pattern($1, varnishd_exec_t, varnishd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `varnishd_domtrans'($*)) dnl
')

#######################################
## <summary>
##	Execute varnishd in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`varnishd_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `varnishd_exec'($*)) dnl
	gen_require(`
		type varnishd_exec_t;
	')

	# No domain transition: varnishd runs with the caller privileges.
	corecmd_search_bin($1)
	can_exec($1, varnishd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `varnishd_exec'($*)) dnl
')

######################################
## <summary>
##	Read varnishd configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`varnishd_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `varnishd_read_config'($*)) dnl
	gen_require(`
		type varnishd_etc_t;
	')

	# Read-only: /etc is searchable, the config files are readable.
	files_search_etc($1)
	read_files_pattern($1, varnishd_etc_t, varnishd_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `varnishd_read_config'($*)) dnl
')

#####################################
## <summary>
##	Read varnish lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`varnishd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `varnishd_read_lib_files'($*)) dnl
	gen_require(`
		type varnishd_var_lib_t;
	')

	# List the lib directory and read (including mmap) its files; varnish
	# shares its log/stat segment via mmap, hence the mmap variant.
	files_search_var_lib($1)
	mmap_read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t)
	list_dirs_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `varnishd_read_lib_files'($*)) dnl
')

#######################################
## <summary>
##	Read varnish log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`varnishd_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `varnishd_read_log'($*)) dnl
	gen_require(`
		type varnishlog_log_t;
	')

	# Read-only on the varnishlog files.
	logging_search_logs($1)
	read_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `varnishd_read_log'($*)) dnl
')

######################################
## <summary>
##	Append varnish log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`varnishd_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `varnishd_append_log'($*)) dnl
	gen_require(`
		type varnishlog_log_t;
	')

	# Append-only on the varnishlog files; no read or truncate.
	logging_search_logs($1)
	append_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `varnishd_append_log'($*)) dnl
')

#####################################
## <summary>
##	Create, read, write, and delete
##	varnish log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
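##	</summary>
## </param>
#
define(`varnishd_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `varnishd_manage_log'($*)) dnl
	gen_require(`
		type varnishlog_log_t;
	')

	# Full file management of the varnishlog files (not the directory).
	logging_search_logs($1)
	manage_files_pattern($1, varnishlog_log_t, varnishlog_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `varnishd_manage_log'($*)) dnl
')

######################################
## <summary>
##	All of the rules required to
##	administrate an varnishlog environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`varnishd_admin_varnishlog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `varnishd_admin_varnishlog'($*)) dnl
	gen_require(`
		type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t;
		type varnishlog_var_run_t;
	')

	# Process control over varnishlog; ptrace honors the deny_ptrace
	# boolean. The ptrace rule used to name varnishd_t instead of
	# varnishlog_t, which silently granted the varnishlog admin ptrace on
	# the cache daemon while giving none on the process this interface is
	# about; it now targets varnishlog_t like the signal rule does.
	allow $1 varnishlog_t:process signal_perms;
	ps_process_pattern($1, varnishlog_t)
	tunable_policy(`deny_ptrace',`',`
		allow $1 varnishlog_t:process ptrace;
	')

	# Run the init script and land in system_r.
	init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 varnishlog_initrc_exec_t system_r;
	allow $2 system_r;

	# Full management of the pid and log files.
	files_list_pids($1)
	admin_pattern($1, varnishlog_var_run_t)

	logging_list_logs($1)
	admin_pattern($1, varnishlog_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `varnishd_admin_varnishlog'($*)) dnl
')

#######################################
## <summary>
##	All of the rules required to
##	administrate an varnishd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.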
## ## ## # define(`varnishd_admin',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `varnishd_admin'($*)) dnl gen_require(` type varnishd_t, varnishd_var_lib_t, varnishd_etc_t; type varnishd_var_run_t, varnishd_tmp_t; type varnishd_initrc_exec_t; ') allow $1 varnishd_t:process signal_perms; ps_process_pattern($1, varnishd_t) tunable_policy(`deny_ptrace',`',` allow $1 varnishd_t:process ptrace; ') init_labeled_script_domtrans($1, varnishd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 varnishd_initrc_exec_t system_r; allow $2 system_r; files_list_var_lib($1) admin_pattern($1, varnishd_var_lib_t) files_list_etc($1) admin_pattern($1, varnishd_etc_t) files_list_pids($1) admin_pattern($1, varnishd_var_run_t) files_list_tmp($1) admin_pattern($1, varnishd_tmp_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `varnishd_admin'($*)) dnl ') ## run real-mode video BIOS code to alter hardware state. ######################################## ## ## Execute vbetool in the vbetool domain. ## ## ## ## Domain allowed to transition. ## ## # define(`vbetool_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `vbetool_domtrans'($*)) dnl gen_require(` type vbetool_t, vbetool_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, vbetool_exec_t, vbetool_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `vbetool_domtrans'($*)) dnl ') ######################################## ## ## Execute vbetool in the vbetool ## domain, and allow the specified ## role the vbetool domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. 
## ## # define(`vbetool_run',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `vbetool_run'($*)) dnl gen_require(` attribute_role vbetool_roles; ') vbetool_domtrans($1) roleattribute $2 vbetool_roles; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `vbetool_run'($*)) dnl ') ## Spice agent for Linux. ######################################## ## ## Execute a domain transition to run vdagent. ## ## ## ## Domain allowed access. ## ## # define(`vdagent_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `vdagent_domtrans'($*)) dnl gen_require(` type vdagent_t, vdagent_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, vdagent_exec_t, vdagent_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `vdagent_domtrans'($*)) dnl ') ##################################### ## ## Get attributes of vdagent executable files. ## ## ## ## Domain allowed access. ## ## # define(`vdagent_getattr_exec_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `vdagent_getattr_exec_files'($*)) dnl gen_require(` type vdagent_exec_t; ') allow $1 vdagent_exec_t:file getattr_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `vdagent_getattr_exec_files'($*)) dnl ') ####################################### ## ## Get attributes of vdagent log files. ## ## ## ## Domain allowed access. ## ## # define(`vdagent_getattr_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `vdagent_getattr_log'($*)) dnl gen_require(` type vdagent_log_t; ') logging_search_logs($1) allow $1 vdagent_log_t:file getattr_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `vdagent_getattr_log'($*)) dnl ') ######################################## ## ## Read vdagent pid files. 
## ## ## ## Domain allowed access. ## ## # define(`vdagent_read_pid_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `vdagent_read_pid_files'($*)) dnl gen_require(` type vdagent_var_run_t; ') files_search_pids($1) allow $1 vdagent_var_run_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `vdagent_read_pid_files'($*)) dnl ') ##################################### ## ## Connect to vdagent with a unix ## domain stream socket. ## ## ## ## Domain allowed access. ## ## # define(`vdagent_stream_connect',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `vdagent_stream_connect'($*)) dnl gen_require(` type vdagent_var_run_t, vdagent_t; ') files_search_pids($1) stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `vdagent_stream_connect'($*)) dnl ') ######################################## ## ## All of the rules required to ## administrate an vdagent environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. 
## ## # define(`vdagent_admin',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `vdagent_admin'($*)) dnl gen_require(` type vdagent_t, vdagent_var_run_t, vdagentd_initrc_exec_t; type vdagent_log_t; ') allow $1 vdagent_t:process signal_perms; ps_process_pattern($1, vdagent_t) tunable_policy(`deny_ptrace',`',` allow $1 vdagent_t:process ptrace; ') init_labeled_script_domtrans($1, vdagentd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 vdagentd_initrc_exec_t system_r; allow $2 system_r; logging_search_logs($1) admin_pattern($1, vdagent_log_t) files_search_pids($1) admin_pattern($1, vdagent_var_run_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `vdagent_admin'($*)) dnl ') ## Virtual host metrics daemon. ######################################## ## ## Execute a domain transition to run vhostmd. ## ## ## ## Domain allowed to transition. ## ## # define(`vhostmd_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `vhostmd_domtrans'($*)) dnl gen_require(` type vhostmd_t, vhostmd_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, vhostmd_exec_t, vhostmd_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `vhostmd_domtrans'($*)) dnl ') ######################################## ## ## Execute vhostmd init scripts in ## the initrc domain. ## ## ## ## Domain allowed to transition. ## ## # define(`vhostmd_initrc_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `vhostmd_initrc_domtrans'($*)) dnl gen_require(` type vhostmd_initrc_exec_t; ') init_labeled_script_domtrans($1, vhostmd_initrc_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `vhostmd_initrc_domtrans'($*)) dnl ') ######################################## ## ## Read vhostmd tmpfs files. ## ## ## ## Domain allowed access. 
## ## # define(`vhostmd_read_tmpfs_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `vhostmd_read_tmpfs_files'($*)) dnl gen_require(` type vhostmd_tmpfs_t; ') fs_search_tmpfs($1) allow $1 vhostmd_tmpfs_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `vhostmd_read_tmpfs_files'($*)) dnl ') ######################################## ## ## Do not audit attempts to read ## vhostmd tmpfs files ## ## ## ## Domain to not audit. ## ## # define(`vhostmd_dontaudit_read_tmpfs_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `vhostmd_dontaudit_read_tmpfs_files'($*)) dnl gen_require(` type vhostmd_tmpfs_t; ') dontaudit $1 vhostmd_tmpfs_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `vhostmd_dontaudit_read_tmpfs_files'($*)) dnl ') ####################################### ## ## Read and write vhostmd tmpfs files. ## ## ## ## Domain allowed access. ## ## # define(`vhostmd_rw_tmpfs_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `vhostmd_rw_tmpfs_files'($*)) dnl gen_require(` type vhostmd_tmpfs_t; ') fs_search_tmpfs($1) rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `vhostmd_rw_tmpfs_files'($*)) dnl ') ######################################## ## ## Create, read, write, and delete ## vhostmd tmpfs files. ## ## ## ## Domain allowed access. 
## ## # define(`vhostmd_manage_tmpfs_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `vhostmd_manage_tmpfs_files'($*)) dnl gen_require(` type vhostmd_tmpfs_t; ') fs_search_tmpfs($1) manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `vhostmd_manage_tmpfs_files'($*)) dnl ') ######################################## ## ## Read vhostmd pid files. ## ## ## ## Domain allowed access. ## ## # define(`vhostmd_read_pid_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `vhostmd_read_pid_files'($*)) dnl gen_require(` type vhostmd_var_run_t; ') files_search_pids($1) allow $1 vhostmd_var_run_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `vhostmd_read_pid_files'($*)) dnl ') ######################################## ## ## Create, read, write, and delete ## vhostmd pid files. ## ## ## ## Domain allowed access. ## ## # define(`vhostmd_manage_pid_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `vhostmd_manage_pid_files'($*)) dnl gen_require(` type vhostmd_var_run_t; ') files_search_pids($1) manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `vhostmd_manage_pid_files'($*)) dnl ') ######################################## ## ## Connect to vhostmd with a unix ## domain stream socket. ## ## ## ## Domain allowed access. 
## ## # define(`vhostmd_stream_connect',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `vhostmd_stream_connect'($*)) dnl gen_require(` type vhostmd_t, vhostmd_var_run_t; ') files_search_pids($1) stream_connect_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t, vhostmd_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `vhostmd_stream_connect'($*)) dnl ') ####################################### ## ## Do not audit attempts to read and ## write vhostmd unix domain stream sockets. ## ## ## ## Domain to not audit. ## ## # define(`vhostmd_dontaudit_rw_stream_connect',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `vhostmd_dontaudit_rw_stream_connect'($*)) dnl gen_require(` type vhostmd_t; ') dontaudit $1 vhostmd_t:unix_stream_socket { read write }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `vhostmd_dontaudit_rw_stream_connect'($*)) dnl ') ######################################## ## ## All of the rules required to ## administrate an vhostmd environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. 
## ## ## # define(`vhostmd_admin',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `vhostmd_admin'($*)) dnl gen_require(` type vhostmd_t, vhostmd_initrc_exec_t, vhostmd_var_run_t; type vhostmd_tmpfs_t; ') allow $1 vhostmd_t:process signal_perms; ps_process_pattern($1, vhostmd_t) tunable_policy(`deny_ptrace',`',` allow $1 vhostmd_t:process ptrace; ') vhostmd_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 vhostmd_initrc_exec_t system_r; allow $2 system_r; fs_search_tmpfs($1) admin_pattern($1, vhostmd_tmpfs_t) files_search_pids($1) admin_pattern($1, vhostmd_var_run_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `vhostmd_admin'($*)) dnl ') ## Libvirt virtualization API ######################################## ## ## virtd_lxc_t stub interface. No access allowed. ## ## ## ## Domain allowed access. ## ## # define(`virt_stub_lxc',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `virt_stub_lxc'($*)) dnl gen_require(` type virtd_lxc_t; ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `virt_stub_lxc'($*)) dnl ') ######################################## ## ## svirt_sandbox_domain attribute stub interface. No access allowed. ## ## ## ## Domain allowed access. ## ## # define(`virt_stub_svirt_sandbox_domain',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `virt_stub_svirt_sandbox_domain'($*)) dnl gen_require(` attribute svirt_sandbox_domain; ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `virt_stub_svirt_sandbox_domain'($*)) dnl ') ######################################## ## ## container_file_t stub interface. No access allowed. ## ## ## ## Domain allowed access. 
## ## # define(`virt_stub_container_image',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `virt_stub_container_image'($*)) dnl gen_require(` type container_file_t; ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `virt_stub_container_image'($*)) dnl ') define(`virt_stub_svirt_sandbox_file',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `virt_stub_svirt_sandbox_file'($*)) dnl gen_require(` type container_file_t; type container_ro_file_t; ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `virt_stub_svirt_sandbox_file'($*)) dnl ') ######################################## ## ## Creates types and rules for a basic ## qemu process domain. ## ## ## ## Prefix for the domain. ## ## # define(`virt_domain_template',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `virt_domain_template'($*)) dnl gen_require(` attribute virt_image_type, virt_domain; attribute virt_tmpfs_type; attribute virt_ptynode; type qemu_exec_t; type virtlogd_t; ') type $1_t, virt_domain; application_domain($1_t, qemu_exec_t) domain_user_exemption_target($1_t) mls_rangetrans_target($1_t) mcs_constrained($1_t) role system_r types $1_t; type $1_devpts_t, virt_ptynode; term_pty($1_devpts_t) kernel_read_system_state($1_t) auth_read_passwd($1_t) logging_send_syslog_msg($1_t) allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; term_create_pty($1_t, $1_devpts_t) # Allow domain to write to pipes connected to virtlogd allow $1_t virtlogd_t:fd use; allow $1_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms; dnl popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `virt_domain_template'($*)) dnl ') ######################################## ## ## Make the specified type usable as a virt image ## ## ## ## Type to be used as a virtual image ## ## # 
define(`virt_image',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_image'($*)) dnl
	gen_require(`
		attribute virt_image_type;
	')

	# The virt_*_images interfaces below grant access on the
	# virt_image_type attribute, so any type passed here becomes
	# reachable through all of them.
	typeattribute $1 virt_image_type;
	files_type($1)

	# virt images can be assigned to blk devices
	dev_node($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_image'($*)) dnl
')

########################################
## <summary>
##	Get attributes of the virtd executable.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_getattr_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_getattr_exec'($*)) dnl
	gen_require(`
		type virtd_exec_t;
	')

	# stat() only; no execute and no transition.
	allow $1 virtd_exec_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_getattr_exec'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run virt.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`virt_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_domtrans'($*)) dnl
	gen_require(`
		type virtd_t, virtd_exec_t;
	')

	# NOTE(review): unlike vbetool_domtrans()/vdagent_domtrans(), no
	# corecmd_search_bin() is granted here; the caller must already be
	# able to search the directory holding virtd_exec_t.
	domtrans_pattern($1, virtd_exec_t, virtd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute virtd in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_exec'($*)) dnl
	gen_require(`
		type virtd_exec_t;
	')

	# No domain transition: the virtd binary runs with the caller's
	# own privileges.  Prefer virt_domtrans() unless that is intended.
	can_exec($1, virtd_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_exec'($*)) dnl
')

########################################
## <summary>
##	Transition to virt_bridgehelper.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
## ## define(`virt_domtrans_bridgehelper',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `virt_domtrans_bridgehelper'($*)) dnl gen_require(` type virt_bridgehelper_t, virt_bridgehelper_exec_t; ') domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `virt_domtrans_bridgehelper'($*)) dnl ') ####################################### ## ## Connect to virt over a unix domain stream socket. ## ## ## ## Domain allowed access. ## ## # define(`virt_stream_connect',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `virt_stream_connect'($*)) dnl gen_require(` type virtd_t, virt_var_run_t; ') files_search_pids($1) stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `virt_stream_connect'($*)) dnl ') ####################################### ## ## Connect to svirt process over a unix domain stream socket. ## ## ## ## Domain allowed access. ## ## # define(`virt_stream_connect_svirt',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `virt_stream_connect_svirt'($*)) dnl gen_require(` type svirt_t; type svirt_image_t; ') stream_connect_pattern($1, svirt_image_t, svirt_image_t, svirt_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `virt_stream_connect_svirt'($*)) dnl ') ######################################## ## ## Read and write to apmd unix ## stream sockets. ## ## ## ## Domain allowed access. 
##	</summary>
## </param>
#
define(`virt_rw_stream_sockets_svirt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_rw_stream_sockets_svirt'($*)) dnl
	gen_require(`
		type svirt_t;
	')

	# Read/write and socket-option access on an already-connected
	# svirt_t stream socket; no connect permission is granted here
	# (see virt_stream_connect_svirt() for that).
	allow $1 svirt_t:unix_stream_socket { setopt getopt read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_rw_stream_sockets_svirt'($*)) dnl
')

########################################
## <summary>
##	Allow domain to attach to virt TUN devices
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_attach_tun_iface',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_attach_tun_iface'($*)) dnl
	gen_require(`
		type virtd_t;
	')

	# Take over a tun socket created by virtd_t by relabelling it to
	# the caller's own domain.
	allow $1 virtd_t:tun_socket relabelfrom;
	allow $1 self:tun_socket relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_attach_tun_iface'($*)) dnl
')

########################################
## <summary>
##	Allow domain to attach to virt sandbox TUN devices
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_attach_sandbox_tun_iface',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_attach_sandbox_tun_iface'($*)) dnl
	gen_require(`
		attribute svirt_sandbox_domain;
	')

	# Same as virt_attach_tun_iface(), but the source is any domain
	# carrying the svirt_sandbox_domain attribute.
	allow $1 svirt_sandbox_domain:tun_socket relabelfrom;
	allow $1 self:tun_socket relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_attach_sandbox_tun_iface'($*)) dnl
')

########################################
## <summary>
##	Read virt config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_read_config'($*)) dnl
	gen_require(`
		type virt_etc_t, virt_etc_rw_t;
	')

	files_search_etc($1)
	read_files_pattern($1, virt_etc_t, virt_etc_t)
	read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
	# Symlinks are only followed for the writable config type.
	read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_read_config'($*)) dnl
')

########################################
## <summary>
##	Manage virt config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_config'($*)) dnl
	gen_require(`
		type virt_etc_t, virt_etc_rw_t;
	')

	files_search_etc($1)
	# Full create/write/delete on both the static and the writable
	# config types; a caller with this can reconfigure libvirt.
	manage_files_pattern($1, virt_etc_t, virt_etc_t)
	manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
	manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_config'($*)) dnl
')

########################################
## <summary>
##	Get attributes of virt content files (virt_content_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_getattr_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_getattr_content'($*)) dnl
	gen_require(`
		type virt_content_t;
	')

	# getattr only on regular files; no directory search is granted,
	# so the caller must already be able to reach the files.
	allow $1 virt_content_t:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_getattr_content'($*)) dnl
')

########################################
## <summary>
##	Read virt content files (virt_content_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## # define(`virt_read_content',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `virt_read_content'($*)) dnl gen_require(` type virt_content_t; ') virt_search_lib($1) allow $1 virt_content_t:dir list_dir_perms; allow $1 virt_content_t:blk_file map; allow $1 virt_content_t:file map; list_dirs_pattern($1, virt_content_t, virt_content_t) read_files_pattern($1, virt_content_t, virt_content_t) read_lnk_files_pattern($1, virt_content_t, virt_content_t) read_blk_files_pattern($1, virt_content_t, virt_content_t) read_chr_files_pattern($1, virt_content_t, virt_content_t) tunable_policy(`virt_use_nfs',` fs_list_nfs($1) fs_read_nfs_files($1) fs_read_nfs_symlinks($1) ') tunable_policy(`virt_use_samba',` fs_list_cifs($1) fs_read_cifs_files($1) fs_read_cifs_symlinks($1) ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `virt_read_content'($*)) dnl ') ######################################## ## ## Allow domain to write virt image files ## ## ## ## Domain allowed access. ## ## # define(`virt_write_content',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `virt_write_content'($*)) dnl gen_require(` type virt_content_t; ') allow $1 virt_content_t:file write_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `virt_write_content'($*)) dnl ') ######################################## ## ## Read virt PID symlinks files. ## ## ## ## Domain allowed access. 
## ## # define(`virt_read_pid_symlinks',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `virt_read_pid_symlinks'($*)) dnl gen_require(` type virt_var_run_t; ') files_search_pids($1) read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `virt_read_pid_symlinks'($*)) dnl ') ######################################## ## ## Read virt PID files. ## ## ## ## Domain allowed access. ## ## # define(`virt_read_pid_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `virt_read_pid_files'($*)) dnl gen_require(` type virt_var_run_t; ') files_search_pids($1) read_files_pattern($1, virt_var_run_t, virt_var_run_t) read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `virt_read_pid_files'($*)) dnl ') ######################################## ## ## Manage virt pid directories. ## ## ## ## Domain allowed access. ## ## # define(`virt_manage_pid_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `virt_manage_pid_dirs'($*)) dnl gen_require(` type virt_var_run_t; type virt_lxc_var_run_t; ') files_search_pids($1) manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t) manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) virt_filetrans_named_content($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `virt_manage_pid_dirs'($*)) dnl ') ######################################## ## ## Manage virt pid files. ## ## ## ## Domain allowed access. 
## ## # define(`virt_manage_pid_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `virt_manage_pid_files'($*)) dnl gen_require(` type virt_var_run_t; type virt_lxc_var_run_t; ') files_search_pids($1) manage_files_pattern($1, virt_var_run_t, virt_var_run_t) manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `virt_manage_pid_files'($*)) dnl ') ######################################## ## ## Create objects in the pid directory ## with a private type with a type transition. ## ## ## ## Domain allowed access. ## ## ## ## ## Type to which the created node will be transitioned. ## ## ## ## ## Object class(es) (single or set including {}) for which this ## the transition will occur. ## ## ## ## ## The name of the object being created. ## ## # define(`virt_pid_filetrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `virt_pid_filetrans'($*)) dnl gen_require(` type virt_var_run_t; ') filetrans_pattern($1, virt_var_run_t, $2, $3, $4) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `virt_pid_filetrans'($*)) dnl ') ######################################## ## ## Search virt lib directories. ## ## ## ## Domain allowed access. ## ## # define(`virt_search_lib',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `virt_search_lib'($*)) dnl gen_require(` type virt_var_lib_t; ') allow $1 virt_var_lib_t:dir search_dir_perms; files_search_var_lib($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `virt_search_lib'($*)) dnl ') ######################################## ## ## Read virt lib files. ## ## ## ## Domain allowed access. 
## ## # define(`virt_read_lib_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `virt_read_lib_files'($*)) dnl gen_require(` type virt_var_lib_t; ') files_search_var_lib($1) read_files_pattern($1, virt_var_lib_t, virt_var_lib_t) list_dirs_pattern($1, virt_var_lib_t, virt_var_lib_t) read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `virt_read_lib_files'($*)) dnl ') ######################################## ## ## Dontaudit inherited read virt lib files. ## ## ## ## Domain to not audit. ## ## # define(`virt_dontaudit_read_lib_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `virt_dontaudit_read_lib_files'($*)) dnl gen_require(` type virt_var_lib_t; ') dontaudit $1 virt_var_lib_t:file read_inherited_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `virt_dontaudit_read_lib_files'($*)) dnl ') ######################################## ## ## Create, read, write, and delete ## virt lib files. ## ## ## ## Domain allowed access. ## ## # define(`virt_manage_lib_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `virt_manage_lib_files'($*)) dnl gen_require(` type virt_var_lib_t; ') files_search_var_lib($1) manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `virt_manage_lib_files'($*)) dnl ') ######################################## ## ## Allow the specified domain to read virt's log files. ## ## ## ## Domain allowed access. 
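##	</summary>
## </param>
## <rolecap/>
#
define(`virt_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_read_log'($*)) dnl
	gen_require(`
		type virt_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, virt_log_t, virt_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_read_log'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to append
##	virt log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_append_log'($*)) dnl
	gen_require(`
		type virt_log_t;
	')

	logging_search_logs($1)
	# Append only: existing log content cannot be truncated or rewritten.
	append_files_pattern($1, virt_log_t, virt_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_append_log'($*)) dnl
')

########################################
## <summary>
##	Allow domain to manage virt log files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_log'($*)) dnl
	gen_require(`
		type virt_log_t;
	')

	# virt_read_log() and virt_append_log() both grant search on
	# /var/log; this interface did not, so a caller without it from
	# elsewhere could not traverse /var/log to reach virt_log_t at all.
	logging_search_logs($1)

	manage_dirs_pattern($1, virt_log_t, virt_log_t)
	manage_files_pattern($1, virt_log_t, virt_log_t)
	manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_log'($*)) dnl
')

########################################
## <summary>
##	Get attributes of virt image files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.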
##	</summary>
## </param>
#
define(`virt_getattr_images',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_getattr_images'($*)) dnl
	gen_require(`
		attribute virt_image_type;
	')

	# Search on the virt lib tree plus stat() on any file carrying
	# the virt_image_type attribute (every type passed to virt_image()).
	virt_search_lib($1)
	allow $1 virt_image_type:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_getattr_images'($*)) dnl
')

########################################
## <summary>
##	Allow domain to search virt image directories
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_search_images',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_search_images'($*)) dnl
	gen_require(`
		attribute virt_image_type;
	')

	virt_search_lib($1)
	# search only; listing the directory contents needs virt_read_images().
	allow $1 virt_image_type:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_search_images'($*)) dnl
')

########################################
## <summary>
##	Allow domain to read virt image files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## # define(`virt_read_images',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `virt_read_images'($*)) dnl gen_require(` type virt_var_lib_t; attribute virt_image_type; ') virt_search_lib($1) allow $1 virt_image_type:dir list_dir_perms; list_dirs_pattern($1, virt_image_type, virt_image_type) read_files_pattern($1, virt_image_type, virt_image_type) read_lnk_files_pattern($1, virt_image_type, virt_image_type) read_blk_files_pattern($1, virt_image_type, virt_image_type) read_chr_files_pattern($1, virt_image_type, virt_image_type) tunable_policy(`virt_use_nfs',` fs_list_nfs($1) fs_read_nfs_files($1) fs_read_nfs_symlinks($1) ') tunable_policy(`virt_use_samba',` fs_list_cifs($1) fs_read_cifs_files($1) fs_read_cifs_symlinks($1) ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `virt_read_images'($*)) dnl ') ######################################## ## ## Allow domain to read virt blk image files ## ## ## ## Domain allowed access. ## ## # define(`virt_read_blk_images',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `virt_read_blk_images'($*)) dnl gen_require(` attribute virt_image_type; ') read_blk_files_pattern($1, virt_image_type, virt_image_type) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `virt_read_blk_images'($*)) dnl ') ######################################## ## ## Allow domain to read/write virt image chr files ## ## ## ## Domain allowed access. 
## </summary>
## </param>
#
define(`virt_rw_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_rw_chr_files'($*)) dnl
	gen_require(`
		attribute virt_image_type;
	')

	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_rw_chr_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	svirt cache files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_manage_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_cache'($*)) dnl
	gen_require(`
		type virt_cache_t;
	')

	files_search_var($1)
	manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
	manage_files_pattern($1, virt_cache_t, virt_cache_t)
	manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_cache'($*)) dnl
')

########################################
## <summary>
##	Allow domain to manage virt image files.
## </summary>
## <desc>
##	<p>
##	Covers every virt_image_type type. Directories and
##	regular files can be created and deleted; block and
##	character devices get read/write only. No relabel
##	permission is granted by this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_manage_images',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_images'($*)) dnl
	gen_require(`
		type virt_var_lib_t;
		attribute virt_image_type;
	')

	virt_search_lib($1)
	allow $1 virt_image_type:dir list_dir_perms;
	manage_dirs_pattern($1, virt_image_type, virt_image_type)
	manage_files_pattern($1, virt_image_type, virt_image_type)
	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
	rw_chr_files_pattern($1, virt_image_type, virt_image_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_images'($*)) dnl
')

########################################
## <summary>
##	Allow domain to manage files of the default
##	image type, virt_image_t, only.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## </summary>
## </param>
#
define(`virt_manage_default_image_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_default_image_type'($*)) dnl
	gen_require(`
		type virt_var_lib_t;
		type virt_image_t;
	')

	virt_search_lib($1)
	# unlike virt_manage_images this is limited to the concrete
	# virt_image_t type and grants nothing on devices
	manage_dirs_pattern($1, virt_image_t, virt_image_t)
	manage_files_pattern($1, virt_image_t, virt_image_t)
	read_lnk_files_pattern($1, virt_image_t, virt_image_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_default_image_type'($*)) dnl
')

########################################
## <summary>
##	Run systemctl and manage the virtd service unit.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_systemctl'($*)) dnl
	gen_require(`
		type virtd_unit_file_t;
		type virtd_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	allow $1 virtd_unit_file_t:file read_file_perms;
	# start/stop/reload of the virtd unit
	allow $1 virtd_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, virtd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_systemctl'($*)) dnl
')

########################################
## <summary>
##	Ptrace the svirt domains.
## </summary>
## <desc>
##	<p>
##	NOTE(review): this grant is unconditional. Other
##	interfaces in this file (virt_admin, vmtools_admin,
##	vmware_role) gate ptrace on the deny_ptrace boolean;
##	callers should be aware that ptrace of a virt_domain
##	process gives access to guest memory.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_ptrace',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_ptrace'($*)) dnl
	gen_require(`
		attribute virt_domain;
	')

	allow $1 virt_domain:process ptrace;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_ptrace'($*)) dnl
')

########################################
## <summary>
##	Execute sandbox files in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## </summary>
## </param>
#
define(`virt_exec_sandbox_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_exec_sandbox_files'($*)) dnl
	gen_require(`
		attribute svirt_file_type;
	')

	# no domain transition: the file runs in the caller domain
	can_exec($1, svirt_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_exec_sandbox_files'($*)) dnl
')

########################################
## <summary>
##	Allow any svirt_file_type to be an entrypoint of this domain.
## </summary>
## <desc>
##	<p>
##	Every file of any svirt_file_type type becomes a
##	valid entrypoint for the domain, including content
##	the sandboxes themselves are allowed to write.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_sandbox_entrypoint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_sandbox_entrypoint'($*)) dnl
	gen_require(`
		attribute svirt_file_type;
	')

	allow $1 svirt_file_type:file entrypoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_sandbox_entrypoint'($*)) dnl
')

########################################
## <summary>
##	List sandbox directories (svirt_sandbox_file_t only).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_list_sandbox_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_list_sandbox_dirs'($*)) dnl
	gen_require(`
		type svirt_sandbox_file_t;
	')

	list_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_list_sandbox_dirs'($*)) dnl
')

########################################
## <summary>
##	Read sandbox files (all svirt_file_type types).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## </summary>
## </param>
#
define(`virt_read_sandbox_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_read_sandbox_files'($*)) dnl
	gen_require(`
		attribute svirt_file_type;
	')

	list_dirs_pattern($1, svirt_file_type, svirt_file_type)
	read_files_pattern($1, svirt_file_type, svirt_file_type)
	read_lnk_files_pattern($1, svirt_file_type, svirt_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_read_sandbox_files'($*)) dnl
')

########################################
## <summary>
##	Manage sandbox files.
## </summary>
## <desc>
##	<p>
##	Besides create/read/write/delete on dirs, files,
##	fifos, char devices and symlinks, the domain may also
##	relabel any sandbox content to or from any
##	svirt_file_type type.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_manage_sandbox_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_sandbox_files'($*)) dnl
	gen_require(`
		attribute svirt_file_type;
	')

	manage_dirs_pattern($1, svirt_file_type, svirt_file_type)
	manage_files_pattern($1, svirt_file_type, svirt_file_type)
	manage_fifo_files_pattern($1, svirt_file_type, svirt_file_type)
	manage_chr_files_pattern($1, svirt_file_type, svirt_file_type)
	manage_lnk_files_pattern($1, svirt_file_type, svirt_file_type)
	# relabel in both directions across all sandbox file types
	allow $1 svirt_file_type:dir_file_class_set { relabelfrom relabelto };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_sandbox_files'($*)) dnl
')

########################################
## <summary>
##	Getattr sandbox filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_getattr_sandbox_filesystem',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_getattr_sandbox_filesystem'($*)) dnl
	gen_require(`
		attribute svirt_file_type;
	')

	allow $1 svirt_file_type:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_getattr_sandbox_filesystem'($*)) dnl
')

########################################
## <summary>
##	Relabel sandbox filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## </summary>
## </param>
#
define(`virt_relabel_sandbox_filesystem',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_relabel_sandbox_filesystem'($*)) dnl
	gen_require(`
		attribute svirt_file_type;
	')

	allow $1 svirt_file_type:filesystem { relabelfrom relabelto };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_relabel_sandbox_filesystem'($*)) dnl
')

########################################
## <summary>
##	Mount on sandbox files and directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_mounton_sandbox_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_mounton_sandbox_file'($*)) dnl
	gen_require(`
		attribute svirt_file_type;
	')

	allow $1 svirt_file_type:dir_file_class_set mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_mounton_sandbox_file'($*)) dnl
')

########################################
## <summary>
##	Connect to svirt sandbox domains over a unix
##	domain stream socket.
## </summary>
## <desc>
##	<p>
##	Also grants the reverse direction: every sandbox
##	domain may read the process state (/proc/pid) of
##	the connecting domain.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_stream_connect_sandbox',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_stream_connect_sandbox'($*)) dnl
	gen_require(`
		attribute svirt_sandbox_domain;
		attribute svirt_file_type;
	')

	files_search_pids($1)
	stream_connect_pattern($1, svirt_file_type, svirt_file_type, svirt_sandbox_domain)
	# sandbox -> caller, not caller -> sandbox
	ps_process_pattern(svirt_sandbox_domain, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_stream_connect_sandbox'($*)) dnl
')

########################################
## <summary>
##	Execute qemu in the svirt domain, and
##	allow the specified role the svirt domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the sandbox domain.
##	</summary>
## </param>
## <rolecap/>
#
define(`virt_transition_svirt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_transition_svirt'($*)) dnl
	gen_require(`
		attribute virt_domain;
		type virt_bridgehelper_t;
		type svirt_image_t;
		type svirt_socket_t;
	')

	# only the transition permission itself is granted here; the
	# entrypoint/execute side of the domtrans comes from elsewhere
	allow $1 virt_domain:process transition;
	role $2 types virt_domain;
	role $2 types virt_bridgehelper_t;
	# NOTE(review): svirt_socket_t is also given to the role,
	# which presumes it is a process domain; verify in virt.te
	role $2 types svirt_socket_t;
	allow $1 virt_domain:process { sigkill sigstop signull signal };
	allow $1 svirt_image_t:file { relabelfrom relabelto };
	allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto };
	allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto };
	allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms;

	optional_policy(`
		ptchown_run(virt_domain, $2)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_transition_svirt'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write virt daemon unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`virt_dontaudit_write_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_dontaudit_write_pipes'($*)) dnl
	gen_require(`
		type virtd_t;
	')

	dontaudit $1 virtd_t:fd use;
	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_dontaudit_write_pipes'($*)) dnl
')

########################################
## <summary>
##	Send a sigkill to virtual machines.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## </summary>
## </param>
#
define(`virt_kill_svirt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_kill_svirt'($*)) dnl
	gen_require(`
		attribute virt_domain;
	')

	allow $1 virt_domain:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_kill_svirt'($*)) dnl
')

########################################
## <summary>
##	Send a sigkill to virtd daemon.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_kill'($*)) dnl
	gen_require(`
		type virtd_t;
	')

	allow $1 virtd_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_kill'($*)) dnl
')

########################################
## <summary>
##	Send a generic signal to virtd daemon.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_signal'($*)) dnl
	gen_require(`
		type virtd_t;
	')

	allow $1 virtd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_signal'($*)) dnl
')

########################################
## <summary>
##	Send null signal to virtd daemon.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_signull'($*)) dnl
	gen_require(`
		type virtd_t;
	')

	allow $1 virtd_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_signull'($*)) dnl
')

########################################
## <summary>
##	Send a generic signal to virtual machines.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## </summary>
## </param>
#
define(`virt_signal_svirt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_signal_svirt'($*)) dnl
	gen_require(`
		attribute virt_domain;
	')

	allow $1 virt_domain:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_signal_svirt'($*)) dnl
')

########################################
## <summary>
##	Send a generic signal to sandbox domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_signal_sandbox',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_signal_sandbox'($*)) dnl
	gen_require(`
		attribute svirt_sandbox_domain;
	')

	allow $1 svirt_sandbox_domain:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_signal_sandbox'($*)) dnl
')

########################################
## <summary>
##	Manage virt home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_manage_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_home_files'($*)) dnl
	gen_require(`
		type virt_home_t;
	')

	userdom_search_user_home_dirs($1)
	# regular files only; virt_home_t directories are not managed here
	manage_files_pattern($1, virt_home_t, virt_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_home_files'($*)) dnl
')

########################################
## <summary>
##	Allow domain to read
##	virt tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
define(`virt_read_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_read_tmpfs_files'($*)) dnl
	gen_require(`
		attribute virt_tmpfs_type;
	')

	allow $1 virt_tmpfs_type:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_read_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Allow domain to manage
##	virt tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
define(`virt_manage_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_manage_tmpfs_files'($*)) dnl
	gen_require(`
		attribute virt_tmpfs_type;
	')

	allow $1 virt_tmpfs_type:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_manage_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Create the virt directories in the user home directory
##	(.libvirt, .virtinst and, under gnome, the libvirt config,
##	cache and data dirs) with the correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_filetrans_home_content'($*)) dnl
	gen_require(`
		type virt_home_t;
		type svirt_home_t;
	')

	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
	userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
	# the qemu subdir under a virt_home_t dir gets the svirt label
	filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")

	optional_policy(`
		gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
		gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
		gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox")
		gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
		gnome_data_filetrans($1, svirt_home_t, dir, "images")
		gnome_data_filetrans($1, svirt_home_t, dir, "boot")
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_filetrans_home_content'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read virt_image_type
##	character devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## </summary>
## </param>
#
define(`virt_dontaudit_read_chr_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_dontaudit_read_chr_dev'($*)) dnl
	gen_require(`
		attribute virt_image_type;
	')

	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_dontaudit_read_chr_dev'($*)) dnl
')

########################################
## <summary>
##	Creates types and rules for a basic
##	virt_lxc process domain.
## </summary>
## <desc>
##	<p>
##	The new domain is created as $1_t with the
##	svirt_sandbox_domain attribute, is MCS constrained,
##	runs under system_r, can send syslog messages and can
##	read system state plus the /proc entries of all
##	processes. The typebounds against the container
##	runtime is present but commented out, so nothing
##	bounds the permissions of the new domain.
##	</p>
## </desc>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
define(`virt_sandbox_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_sandbox_domain_template'($*)) dnl
	gen_require(`
		attribute svirt_sandbox_domain;
	')

	type $1_t, svirt_sandbox_domain;
	domain_type($1_t)
	domain_user_exemption_target($1_t)
	mls_rangetrans_target($1_t)
	mcs_constrained($1_t)
	role system_r types $1_t;

	logging_send_syslog_msg($1_t)

	kernel_read_system_state($1_t)
	# reads /proc entries of every domain, not only its own
	kernel_read_all_proc($1_t)

	# typebounds intentionally disabled (kept balanced for m4 quoting)
#	optional_policy(`
#		container_runtime_typebounds($1_t)
#	')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_sandbox_domain_template'($*)) dnl
')

########################################
## <summary>
##	Make the specified type usable as a lxc domain.
## </summary>
## <param name="domain">
##	<summary>
##	Type to be used as a lxc domain
##	</summary>
## </param>
#
define(`virt_sandbox_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_sandbox_domain'($*)) dnl
	gen_require(`
		attribute svirt_sandbox_domain;
	')

	typeattribute $1 svirt_sandbox_domain;
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_sandbox_domain'($*)) dnl
')

########################################
## <summary>
##	Make the specified type usable as a lxc network domain.
## </summary>
## <param name="domain">
##	<summary>
##	Type to be used as a lxc network domain
##	</summary>
## </param>
#
define(`virt_sandbox_net_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_sandbox_net_domain'($*)) dnl
	gen_require(`
		attribute sandbox_net_domain;
	')

	# a net domain is always also a plain sandbox domain
	virt_sandbox_domain($1)
	typeattribute $1 sandbox_net_domain;
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_sandbox_net_domain'($*)) dnl
')

########################################
## <summary>
##	Execute a qemu_exec_t file in the caller domain
##	(no domain transition).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_exec_qemu',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_exec_qemu'($*)) dnl
	gen_require(`
		type qemu_exec_t;
	')

	can_exec($1, qemu_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_exec_qemu'($*)) dnl
')

########################################
## <summary>
##	Transition to virt named content under the pid dir.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_filetrans_named_content'($*)) dnl
	gen_require(`
		type virt_lxc_var_run_t;
		type virt_var_run_t;
	')

	files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
	files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
	files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_filetrans_named_content'($*)) dnl
')

########################################
## <summary>
##	Transition to the svirt sandbox domains, and
##	allow the specified role the sandbox domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the sandbox domain.
##	</summary>
## </param>
## <rolecap/>
#
define(`virt_transition_svirt_sandbox',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_transition_svirt_sandbox'($*)) dnl
	gen_require(`
		attribute svirt_sandbox_domain;
	')

	# transition permission only; no entrypoint/execute is granted here
	allow $1 svirt_sandbox_domain:process { transition signal_perms };
	role $2 types svirt_sandbox_domain;
	allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
	# the sandbox inherits descriptors from and reports exit to the caller
	allow svirt_sandbox_domain $1:fd use;
	allow svirt_sandbox_domain $1:process sigchld;
	ps_process_pattern($1, svirt_sandbox_domain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_transition_svirt_sandbox'($*)) dnl
')

########################################
## <summary>
##	Read the process state of virt sandbox containers.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_sandbox_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_sandbox_read_state'($*)) dnl
	gen_require(`
		attribute svirt_sandbox_domain;
	')

	ps_process_pattern($1, svirt_sandbox_domain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_sandbox_read_state'($*)) dnl
')

########################################
## <summary>
##	Read and write to svirt_image character devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_rw_svirt_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_rw_svirt_dev'($*)) dnl
	gen_require(`
		type svirt_image_t;
	')

	allow $1 svirt_image_t:chr_file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_rw_svirt_dev'($*)) dnl
')

########################################
## <summary>
##	Read and write to svirt_image files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## </summary>
## </param>
#
define(`virt_rw_svirt_image',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_rw_svirt_image'($*)) dnl
	gen_require(`
		type svirt_image_t;
	')

	allow $1 svirt_image_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_rw_svirt_image'($*)) dnl
')

########################################
## <summary>
##	Inherit resource limits when transitioning
##	into the virtd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_rlimitinh',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_rlimitinh'($*)) dnl
	gen_require(`
		type virtd_t;
	')

	allow $1 virtd_t:process { rlimitinh };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_rlimitinh'($*)) dnl
')

########################################
## <summary>
##	Transition into the virtd domain without
##	secure-exec (AT_SECURE) handling, and inherit
##	resource limits.
## </summary>
## <desc>
##	<p>
##	noatsecure means the transition into virtd_t does
##	not trigger the secure-execution cleanup of the
##	environment; the caller environment is carried
##	into virtd_t unchanged. Grant this only to callers
##	whose environment is trusted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_noatsecure',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_noatsecure'($*)) dnl
	gen_require(`
		type virtd_t;
	')

	allow $1 virtd_t:process { noatsecure rlimitinh };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_noatsecure'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a virt environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
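## <rolecap/>
#
define(`virt_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_admin'($*)) dnl
	gen_require(`
		attribute virt_domain;
		attribute virt_system_domain;
		attribute svirt_file_type;
		attribute virt_file_type;
		type virtd_initrc_exec_t;
		type virtd_unit_file_t;
	')

	# signals and process state of the daemons and of the guests
	allow $1 virt_system_domain:process signal_perms;
	allow $1 virt_domain:process signal_perms;
	ps_process_pattern($1, virt_system_domain)
	ps_process_pattern($1, virt_domain)

	# ptrace is only granted while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 virt_system_domain:process ptrace;
		allow $1 virt_domain:process ptrace;
	')

	# run the init script and land in system_r
	init_labeled_script_domtrans($1, virtd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 virtd_initrc_exec_t system_r;
	allow $2 system_r;

	# full management (including relabel) of all virt and svirt content
	admin_pattern($1, virt_file_type)
	admin_pattern($1, svirt_file_type)

	virt_systemctl($1)
	# virtd_unit_file_t is required above rather than relying on the
	# require block nested inside virt_systemctl
	allow $1 virtd_unit_file_t:service all_service_perms;

	virt_stream_connect_sandbox($1)
	virt_stream_connect_svirt($1)
	virt_stream_connect($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_admin'($*)) dnl
')

########################################
## <summary>
##	Give the domain the default sandbox capability set
##	by adding the sandbox_caps_domain attribute.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_default_capabilities',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_default_capabilities'($*)) dnl
	gen_require(`
		attribute sandbox_caps_domain;
	')

	typeattribute $1 sandbox_caps_domain;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_default_capabilities'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	virt over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>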
## </summary>
## </param>
#
define(`virt_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_dbus_chat'($*)) dnl
	gen_require(`
		type virtd_t;
		class dbus send_msg;
	')

	# bidirectional: both sides may send dbus messages to the other
	allow $1 virtd_t:dbus send_msg;
	allow virtd_t $1:dbus send_msg;
	# virtd also gets to read the process state of the caller
	ps_process_pattern(virtd_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Execute a file in a sandbox directory
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute a file in a sandbox directory
##	in the specified domain. This allows
##	the specified domain to execute any file
##	on these filesystems in the specified
##	domain. The entrypoint type is container_file_t,
##	which is content the containers themselves can
##	write, so the executable is not trusted input.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
define(`virt_sandbox_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_sandbox_domtrans'($*)) dnl
	gen_require(`
		type container_file_t;
	')

	domtrans_pattern($1,container_file_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_sandbox_domtrans'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read the process
##	state (/proc/pid) of libvirt.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`virt_dontaudit_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_dontaudit_read_state'($*)) dnl
	gen_require(`
		type virtd_t;
	')

	dontaudit $1 virtd_t:dir search_dir_perms;
	dontaudit $1 virtd_t:file read_file_perms;
	dontaudit $1 virtd_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_dontaudit_read_state'($*)) dnl
')

########################################
## <summary>
##	Send to libvirt with a unix dgram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_dgram_send'($*)) dnl
	gen_require(`
		type virtd_t, virt_var_run_t;
	')

	files_search_pids($1)
	dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_dgram_send'($*)) dnl
')

########################################
## <summary>
##	Manage svirt tmp files, dirs and sock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## </summary>
## </param>
#
define(`virt_svirt_manage_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_svirt_manage_tmp'($*)) dnl
	gen_require(`
		type svirt_tmp_t;
	')

	manage_files_pattern($1, svirt_tmp_t, svirt_tmp_t)
	manage_dirs_pattern($1, svirt_tmp_t, svirt_tmp_t)
	manage_sock_files_pattern($1, svirt_tmp_t, svirt_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_svirt_manage_tmp'($*)) dnl
')

########################################
## <summary>
##	Read qemu PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`virt_read_qemu_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `virt_read_qemu_pid_files'($*)) dnl
	gen_require(`
		type qemu_var_run_t;
	')

	files_search_pids($1)
	list_dirs_pattern($1, qemu_var_run_t, qemu_var_run_t)
	read_files_pattern($1, qemu_var_run_t, qemu_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `virt_read_qemu_pid_files'($*)) dnl
')

## <summary>Lock one or more sessions on the Linux console.</summary>

########################################
## <summary>
##	Execute vlock in the vlock domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`vlock_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vlock_domtrans'($*)) dnl
	gen_require(`
		type vlock_t, vlock_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, vlock_exec_t, vlock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vlock_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute vlock in the vlock domain,
##	and allow the specified role
##	the vlock domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed to access.
##	</summary>
## </param>
## <rolecap/>
#
define(`vlock_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vlock_run'($*)) dnl
	gen_require(`
		attribute_role vlock_roles;
	')

	vlock_domtrans($1)
	roleattribute $2 vlock_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vlock_run'($*)) dnl
')

## <summary>VMware Tools daemon</summary>

########################################
## <summary>
##	Execute vmtools in the vmtools domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`vmtools_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmtools_domtrans'($*)) dnl
	gen_require(`
		type vmtools_t, vmtools_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, vmtools_exec_t, vmtools_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmtools_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute vmtools helpers in the vmtools_helper domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`vmtools_domtrans_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmtools_domtrans_helper'($*)) dnl
	gen_require(`
		type vmtools_helper_t, vmtools_helper_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, vmtools_helper_exec_t, vmtools_helper_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmtools_domtrans_helper'($*)) dnl
')

########################################
## <summary>
##	Execute vmtools helpers in the vmtools_helper domain,
##	and allow the specified role the vmtools_helper domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the vmtools_helper domain.
##	</summary>
## </param>
## </summary>
## </param>
#
define(`vmtools_run_helper',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmtools_run_helper'($*)) dnl
	gen_require(`
		attribute_role vmtools_helper_roles;
	')

	vmtools_domtrans_helper($1)
	roleattribute $2 vmtools_helper_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmtools_run_helper'($*)) dnl
')

########################################
## <summary>
##	Run systemctl and manage the vmtools service unit.
## </summary>
## <desc>
##	<p>
##	Also grants read of the systemd passwd fifo
##	(systemd_read_fifo_file_passwd_run), which is
##	unrelated to unit management.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`vmtools_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmtools_systemctl'($*)) dnl
	gen_require(`
		type vmtools_t;
		type vmtools_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	systemd_read_fifo_file_passwd_run($1)
	allow $1 vmtools_unit_file_t:file read_file_perms;
	allow $1 vmtools_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, vmtools_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmtools_systemctl'($*)) dnl
')

########################################
## <summary>
##	All of the rules required to administrate
##	a vmtools environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`vmtools_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmtools_admin'($*)) dnl
	gen_require(`
		type vmtools_t;
		type vmtools_unit_file_t;
	')

	allow $1 vmtools_t:process { signal_perms };
	ps_process_pattern($1, vmtools_t)

	# ptrace is only granted while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 vmtools_t:process ptrace;
	')

	vmtools_systemctl($1)
	admin_pattern($1, vmtools_unit_file_t)
	allow $1 vmtools_unit_file_t:service all_service_perms;

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmtools_admin'($*)) dnl
')

########################################
## <summary>
##	Send messages to vmtools_unconfined over dbus.
## </summary>
## <desc>
##	<p>
##	One direction only: unlike virt_dbus_chat, no
##	reverse send_msg from vmtools_unconfined_t to the
##	caller is granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`vmtools_unconfined_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmtools_unconfined_dbus_chat'($*)) dnl
	gen_require(`
		type vmtools_unconfined_t;
		class dbus send_msg;
	')

	allow $1 vmtools_unconfined_t:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmtools_unconfined_dbus_chat'($*)) dnl
')

## <summary>VMWare Workstation virtual machines.</summary>

########################################
## <summary>
##	Role access for vmware.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
##
## (header of this interface starts on the previous line)
#
define(`vmware_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmware_role'($*)) dnl
	gen_require(`
		type vmware_t, vmware_exec_t, vmware_file_t;
		type vmware_conf_t, vmware_tmp_t, vmware_tmpfs_t;
	')

	role $1 types vmware_t;

	domtrans_pattern($2, vmware_exec_t, vmware_t)

	ps_process_pattern($2, vmware_t)
	allow $2 vmware_t:process signal_perms;

	# ptrace is granted only while the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $2 vmware_t:process ptrace;
	')

	# the user domain fully manages and relabels vmware content
	allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms };
	allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms };
	allow $2 { vmware_tmp_t vmware_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
	allow $2 vmware_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
	allow $2 vmware_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };

	# both the dotted and undotted home directory names get the vmware label
	userdom_user_home_dir_filetrans($2, vmware_file_t, dir, ".vmware")
	userdom_user_home_dir_filetrans($2, vmware_file_t, dir, "vmware")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmware_role'($*)) dnl
')

########################################
## Execute vmware host executables in the caller domain
## (no domain transition).
## Parameters: $1 = domain allowed access.
#
define(`vmware_exec_host',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmware_exec_host'($*)) dnl
	gen_require(`
		type vmware_host_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, vmware_host_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmware_exec_host'($*)) dnl
')

########################################
## Read vmware system configuration files.
## Parameters: $1 = domain allowed access.
##
## (header of this interface starts on the previous line)
#
define(`vmware_read_system_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmware_read_system_config'($*)) dnl
	gen_require(`
		type vmware_sys_conf_t;
	')

	files_search_etc($1)
	allow $1 vmware_sys_conf_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmware_read_system_config'($*)) dnl
')

########################################
## Append vmware system configuration files.
## Parameters: $1 = domain allowed access.
#
define(`vmware_append_system_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmware_append_system_config'($*)) dnl
	gen_require(`
		type vmware_sys_conf_t;
	')

	files_search_etc($1)
	# append only: no read or overwrite of the configuration
	allow $1 vmware_sys_conf_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmware_append_system_config'($*)) dnl
')

########################################
## Append vmware log files.
## Parameters: $1 = domain allowed access.
#
define(`vmware_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmware_append_log'($*)) dnl
	gen_require(`
		type vmware_log_t;
	')

	logging_search_logs($1)
	append_files_pattern($1, vmware_log_t, vmware_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmware_append_log'($*)) dnl
')

########################################
## Transition to vmware content: files created by $1 in the
## generic log directory get the vmware_log_t label.
## Parameters: $1 = domain allowed access.
#
define(`vmware_filetrans_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmware_filetrans_content'($*)) dnl
	gen_require(`
		type vmware_log_t;
	')

	logging_log_filetrans($1, vmware_log_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmware_filetrans_content'($*)) dnl
')

########################################
## Manage vmware log files.
## (header of this interface starts on the previous line)
## Parameters: $1 = domain allowed access.
#
define(`vmware_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vmware_manage_log'($*)) dnl
	gen_require(`
		type vmware_log_t;
	')

	# NOTE(review): no logging_search_logs($1) here, unlike vmware_append_log;
	# callers presumably already have search on the log directory - confirm.
	manage_files_pattern($1, vmware_log_t, vmware_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vmware_manage_log'($*)) dnl
')

## Console network traffic monitor.

########################################
## Execute a domain transition to run vnstat.
## Parameters: $1 = domain allowed to transition.
#
define(`vnstatd_domtrans_vnstat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vnstatd_domtrans_vnstat'($*)) dnl
	gen_require(`
		type vnstat_t, vnstat_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, vnstat_exec_t, vnstat_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vnstatd_domtrans_vnstat'($*)) dnl
')

########################################
## Execute vnstat in the vnstat domain,
## and allow the specified role
## the vnstat domain.
## Parameters: $1 = domain allowed to transition, $2 = role allowed access.
#
define(`vnstatd_run_vnstat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vnstatd_run_vnstat'($*)) dnl
	gen_require(`
		attribute_role vnstat_roles;
	')

	vnstatd_domtrans_vnstat($1)
	roleattribute $2 vnstat_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vnstatd_run_vnstat'($*)) dnl
')

########################################
## Execute a domain transition to run vnstatd.
## Parameters: $1 = domain allowed to transition.
##
## (header of this interface starts on the previous line)
#
define(`vnstatd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vnstatd_domtrans'($*)) dnl
	gen_require(`
		type vnstatd_t, vnstatd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vnstatd_domtrans'($*)) dnl
')

########################################
## Search vnstatd lib directories.
## Parameters: $1 = domain allowed access.
#
define(`vnstatd_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vnstatd_search_lib'($*)) dnl
	gen_require(`
		type vnstatd_var_lib_t;
	')

	files_search_var_lib($1)
	allow $1 vnstatd_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vnstatd_search_lib'($*)) dnl
')

########################################
## Create, read, write, and delete
## vnstatd lib directories.
## Parameters: $1 = domain allowed access.
#
define(`vnstatd_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vnstatd_manage_lib_dirs'($*)) dnl
	gen_require(`
		type vnstatd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vnstatd_manage_lib_dirs'($*)) dnl
')

########################################
## Read vnstatd lib files.
## Parameters: $1 = domain allowed access.
##
## (header of this interface starts on the previous line)
#
define(`vnstatd_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vnstatd_read_lib_files'($*)) dnl
	gen_require(`
		type vnstatd_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vnstatd_read_lib_files'($*)) dnl
')

########################################
## Create, read, write, and delete
## vnstatd lib files.
## Parameters: $1 = domain allowed access.
#
define(`vnstatd_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vnstatd_manage_lib_files'($*)) dnl
	gen_require(`
		type vnstatd_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, vnstatd_var_lib_t, vnstatd_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vnstatd_manage_lib_files'($*)) dnl
')

########################################
## All of the rules required to
## administrate a vnstatd environment.
## Parameters: $1 = domain allowed access, $2 = role allowed access.
##
## (header of this interface starts on the previous line)
#
define(`vnstatd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vnstatd_admin'($*)) dnl
	gen_require(`
		type vnstatd_t, vnstatd_var_lib_t, vnstatd_initrc_exec_t;
		type vnstatd_var_run_t;
	')

	allow $1 vnstatd_t:process signal_perms;
	ps_process_pattern($1, vnstatd_t)

	# ptrace is granted only while the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 vnstatd_t:process ptrace;
	')

	# running the init script moves the admin role into system_r
	init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 vnstatd_initrc_exec_t system_r;
	allow $2 system_r;

	files_search_pids($1)
	admin_pattern($1, vnstatd_var_run_t)

	files_list_var_lib($1)
	admin_pattern($1, vnstatd_var_lib_t)

	vnstatd_run_vnstat($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vnstatd_admin'($*)) dnl
')

## Virtual Private Networking client

########################################
## Execute VPN clients in the vpnc domain.
## Parameters: $1 = domain allowed to transition.
## Note: no corecmd_search_bin here, unlike most domtrans interfaces in this file.
#
define(`vpn_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpn_domtrans'($*)) dnl
	gen_require(`
		type vpnc_t, vpnc_exec_t;
	')

	domtrans_pattern($1, vpnc_exec_t, vpnc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpn_domtrans'($*)) dnl
')

########################################
## Execute VPN clients in the vpnc domain, and
## allow the specified role the vpnc domain.
## Parameters: $1 = domain allowed to transition, $2 = role allowed access.
#
define(`vpn_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpn_run'($*)) dnl
	gen_require(`
		attribute_role vpnc_roles;
		type vpnc_t;
	')

	# vpnc_t is required above but no rule in this body references it
	vpn_domtrans($1)
	roleattribute $2 vpnc_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpn_run'($*)) dnl
')

########################################
## Send VPN clients the kill signal.
## (header of this interface starts on the previous line)
## Parameters: $1 = domain allowed access.
#
define(`vpn_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpn_kill'($*)) dnl
	gen_require(`
		type vpnc_t;
	')

	allow $1 vpnc_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpn_kill'($*)) dnl
')

########################################
## Send generic signals to VPN clients.
## Parameters: $1 = domain allowed access.
#
define(`vpn_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpn_signal'($*)) dnl
	gen_require(`
		type vpnc_t;
	')

	allow $1 vpnc_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpn_signal'($*)) dnl
')

########################################
## Send signull to VPN clients.
## Parameters: $1 = domain allowed access.
#
define(`vpn_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpn_signull'($*)) dnl
	gen_require(`
		type vpnc_t;
	')

	allow $1 vpnc_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpn_signull'($*)) dnl
')

########################################
## Send and receive messages from
## Vpnc over dbus.
## Parameters: $1 = domain allowed access.
## Note: this is bidirectional; vpnc_t may also message $1.
#
define(`vpn_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpn_dbus_chat'($*)) dnl
	gen_require(`
		type vpnc_t;
		class dbus send_msg;
	')

	allow $1 vpnc_t:dbus send_msg;
	allow vpnc_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpn_dbus_chat'($*)) dnl
')

########################################
## Create, read, write, and delete vpnc PID directories.
## (The original summary said "Read"; the body grants manage access.)
## Parameters: $1 = domain allowed access.
##
## (header of this interface starts on the previous line)
#
define(`vpnc_manage_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpnc_manage_pid_dirs'($*)) dnl
	gen_require(`
		type vpnc_var_run_t;
	')

	files_search_pids($1)
	# manage, not read: create/write/delete of vpnc PID directories
	manage_dirs_pattern($1, vpnc_var_run_t, vpnc_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpnc_manage_pid_dirs'($*)) dnl
')

########################################
## Read vpnc PID files.
## Parameters: $1 = domain allowed access.
#
define(`vpnc_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpnc_read_pid_files'($*)) dnl
	gen_require(`
		type vpnc_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, vpnc_var_run_t, vpnc_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpnc_read_pid_files'($*)) dnl
')

########################################
## Create, read, write, and delete vpnc PID files.
## (The original summary said "Read"; the body grants manage access.)
## Parameters: $1 = domain allowed access.
#
define(`vpnc_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpnc_manage_pid_files'($*)) dnl
	gen_require(`
		type vpnc_var_run_t;
	')

	files_search_pids($1)
	# manage, not read: create/write/delete of vpnc PID files
	manage_files_pattern($1, vpnc_var_run_t, vpnc_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpnc_manage_pid_files'($*)) dnl
')

########################################
## Create, read, write, and delete vpnc PID files and directories.
## (The original summary said "Read"; the body grants manage access.)
## Parameters: $1 = domain allowed access.
##
## (header of this interface starts on the previous line)
#
define(`vpnc_manage_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpnc_manage_pid'($*)) dnl
	gen_require(`
		type vpnc_var_run_t;
	')

	files_search_pids($1)
	# superset of vpnc_manage_pid_files and vpnc_manage_pid_dirs
	manage_files_pattern($1, vpnc_var_run_t, vpnc_var_run_t)
	manage_dirs_pattern($1, vpnc_var_run_t, vpnc_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpnc_manage_pid'($*)) dnl
')

########################################
## Relabel tun sockets away from the vpnc domain label (relabelfrom).
## Parameters: $1 = domain allowed access.
#
define(`vpn_relabelfrom_tun_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `vpn_relabelfrom_tun_socket'($*)) dnl
	gen_require(`
		type vpnc_t;
	')

	allow $1 vpnc_t:tun_socket relabelfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `vpn_relabelfrom_tun_socket'($*)) dnl
')

## W3C Markup Validator.

## Software watchdog.

########################################
## All of the rules required to
## administrate a watchdog environment.
## Parameters: $1 = domain allowed access, $2 = role allowed access.
## NOTE(review): ptrace on watchdog_t is granted unconditionally here,
## whereas the other *_admin interfaces in this file (vmtools_admin,
## vnstatd_admin, wdmd_admin) gate it behind the deny_ptrace tunable.
#
define(`watchdog_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `watchdog_admin'($*)) dnl
	gen_require(`
		type watchdog_t, watchdog_initrc_exec_t, watchdog_log_t;
		type watchdog_var_run_t;
	')

	# not gated by deny_ptrace - see the header note
	allow $1 watchdog_t:process { ptrace signal_perms };
	ps_process_pattern($1, watchdog_t)

	init_labeled_script_domtrans($1, watchdog_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 watchdog_initrc_exec_t system_r;
	allow $2 system_r;

	logging_search_logs($1)
	admin_pattern($1, watchdog_log_t)

	files_search_pids($1)
	admin_pattern($1, watchdog_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `watchdog_admin'($*)) dnl
')

#######################################
## Allow reading watchdog_unconfined_exec_t symbolic links.
## (header of this interface starts on the previous line)
## Parameters: $1 = domain allowed access.
#
define(`watchdog_unconfined_exec_read_lnk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `watchdog_unconfined_exec_read_lnk_files'($*)) dnl
	gen_require(`
		type watchdog_unconfined_exec_t;
	')

	read_lnk_files_pattern($1,watchdog_unconfined_exec_t, watchdog_unconfined_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `watchdog_unconfined_exec_read_lnk_files'($*)) dnl
')

## watchdog multiplexing daemon

########################################
## Execute a domain transition to run wdmd.
## Parameters: $1 = domain allowed access.
#
define(`wdmd_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wdmd_domtrans'($*)) dnl
	gen_require(`
		type wdmd_t, wdmd_exec_t;
	')

	domtrans_pattern($1, wdmd_exec_t, wdmd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wdmd_domtrans'($*)) dnl
')

########################################
## Execute the wdmd init script in the init script domain.
## (The original summary said "Execute wdmd server in the wdmd domain";
## the body only transitions through the labeled init script.)
## Parameters: $1 = the type of the process performing this action.
#
define(`wdmd_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wdmd_initrc_domtrans'($*)) dnl
	gen_require(`
		type wdmd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wdmd_initrc_domtrans'($*)) dnl
')

########################################
## All of the rules required to administrate
## a wdmd environment.
## Parameters: $1 = domain allowed access, $2 = role allowed access.
##
## (header of this interface starts on the previous line)
#
define(`wdmd_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wdmd_admin'($*)) dnl
	gen_require(`
		type wdmd_t;
		type wdmd_initrc_exec_t;
	')

	allow $1 wdmd_t:process signal_perms;
	ps_process_pattern($1, wdmd_t)

	# ptrace is granted only while the deny_ptrace tunable is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 wdmd_t:process ptrace;
	')

	wdmd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 wdmd_initrc_exec_t system_r;
	allow $2 system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wdmd_admin'($*)) dnl
')

######################################
## Create, read, write, and delete wdmd PID files.
## Parameters: $1 = domain allowed access.
#
define(`wdmd_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wdmd_manage_pid_files'($*)) dnl
	gen_require(`
		type wdmd_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, wdmd_var_run_t, wdmd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wdmd_manage_pid_files'($*)) dnl
')

########################################
## Connect to wdmd over a unix stream socket.
## Parameters: $1 = domain allowed access.
#
define(`wdmd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wdmd_stream_connect'($*)) dnl
	gen_require(`
		type wdmd_t, wdmd_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wdmd_stream_connect'($*)) dnl
')

####################################
## Allow the specified domain to read/write wdmd tmpfs files.
## Parameters: $1 = domain allowed access.
##
## (header of this interface starts on the previous line)
#
define(`wdmd_rw_tmpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wdmd_rw_tmpfs'($*)) dnl
	gen_require(`
		type wdmd_tmpfs_t;
	')

	rw_files_pattern($1, wdmd_tmpfs_t, wdmd_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wdmd_rw_tmpfs'($*)) dnl
')

## Web administrator role.

########################################
## Change to the web administrator role.
## Parameters: $1 = role allowed access.
## Grants the role allow $1 -> webadm_r, i.e. a subject in role $1
## may change into webadm_r.
#
define(`webadm_role_change',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `webadm_role_change'($*)) dnl
	gen_require(`
		role webadm_r;
	')

	allow $1 webadm_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `webadm_role_change'($*)) dnl
')

########################################
## Change from the web administrator role.
##
## Change from the web administrator role to
## the specified role.
##
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
##
## Parameters: $1 = role allowed access.
## Grants the role allow webadm_r -> $1 (the reverse of webadm_role_change).
#
define(`webadm_role_change_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `webadm_role_change_to'($*)) dnl
	gen_require(`
		role webadm_r;
	')

	allow webadm_r $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `webadm_role_change_to'($*)) dnl
')

## Web server log analysis.

########################################
## Execute webalizer in the webalizer domain.
## Parameters: $1 = domain allowed to transition.
#
define(`webalizer_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `webalizer_domtrans'($*)) dnl
	gen_require(`
		type webalizer_t, webalizer_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, webalizer_exec_t, webalizer_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `webalizer_domtrans'($*)) dnl
')

########################################
## Execute webalizer in the webalizer
## domain, and allow the specified
## role the webalizer domain.
## Parameters: $1 = domain allowed to transition, $2 = role allowed access.
#
define(`webalizer_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `webalizer_run'($*)) dnl
	gen_require(`
		attribute_role webalizer_roles;
	')

	webalizer_domtrans($1)
	roleattribute $2 webalizer_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `webalizer_run'($*)) dnl
')

## Wine Is Not an Emulator. Run Windows programs in Linux.

#######################################
## The per role template for the wine module.

## (header of this template starts on the previous lines)
## This template grants a user role/domain access to the shared wine_t
## domain and wine_home_t content.
##
## NOTE(review): the original description says this creates derived domains,
## but the body below defines no new type; the per-prefix derived domain
## is created by wine_role_template further down in this file.
##
## Parameters: $1 = the role associated with the user domain,
##             $2 = the type of the user domain.
#
define(`wine_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wine_role'($*)) dnl
	gen_require(`
		type wine_t;
		type wine_home_t;
		type wine_exec_t;
	')

	role $1 types wine_t;

	domain_auto_trans($2, wine_exec_t, wine_t)
	# Unrestricted inheritance from the caller.
	# noatsecure/siginh/rlimitinh drop the usual hardening applied on a
	# domain transition (secure-exec mode, signal state reset, rlimit reset),
	# so wine_t starts with exactly the environment of the user domain.
	allow $2 wine_t:process { noatsecure siginh rlimitinh };
	allow wine_t $2:fd use;
	allow wine_t $2:process { sigchld signull };
	allow wine_t $2:unix_stream_socket connectto;

	# Allow the user domain to signal/ps.
	ps_process_pattern($2, wine_t)
	allow $2 wine_t:process signal_perms;

	allow $2 wine_t:fd use;
	allow $2 wine_t:shm { associate getattr unix_read unix_write };
	allow $2 wine_t:unix_stream_socket connectto;

	# X access, Home files
	manage_dirs_pattern($2, wine_home_t, wine_home_t)
	manage_files_pattern($2, wine_home_t, wine_home_t)
	manage_lnk_files_pattern($2, wine_home_t, wine_home_t)
	relabel_dirs_pattern($2, wine_home_t, wine_home_t)
	relabel_files_pattern($2, wine_home_t, wine_home_t)
	relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wine_role'($*)) dnl
')

#######################################
## The role template for the wine module.

## (header of this template starts on the previous lines)
## This template creates a derived domain, $1_wine_t, which is used
## for wine applications run by the $1 user domain.
##
## Parameters: $1 = the prefix of the user domain (e.g., user
##                  is the prefix for user_t),
##             $2 = the role associated with the user domain,
##             $3 = the type of the user domain.
##
## NOTE(review): the body takes the role as $2 and the user domain as $3,
## but corecmd_bin_domtrans uses $1_t and xserver_role uses $1_r, so it
## silently assumes $3 == $1_t and $2 == $1_r; callers passing anything
## else get rules against a different (possibly undeclared) role/type.
#
define(`wine_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wine_role_template'($*)) dnl
	gen_require(`
		type wine_t;
		attribute wine_domain;
		type wine_exec_t;
	')

	type $1_wine_t, wine_domain;
	domain_type($1_wine_t)
	domain_entry_file($1_wine_t, wine_exec_t)
	ubac_constrained($1_wine_t)
	role $2 types $1_wine_t;

	# noatsecure: the derived domain is not placed in secure-exec mode on entry
	allow $3 $1_wine_t:process { getattr noatsecure signal_perms };
	domtrans_pattern($3, wine_exec_t, $1_wine_t)

	# uses $1_t rather than $3 - see the header note
	corecmd_bin_domtrans($1_wine_t, $1_t)
	userdom_unpriv_usertype($1, $1_wine_t)
	userdom_manage_tmp_role($2, $1_wine_t)
	userdom_manage_home_role($2 ,$1_wine_t)
	# lets the derived domain map low virtual addresses; this relaxes a
	# kernel NULL-dereference mitigation for wine, so keep it wine-only
	domain_mmap_low($1_wine_t)

	optional_policy(`
		# uses $1_r rather than $2 - see the header note
		xserver_role($1_r, $1_wine_t)
	')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wine_role_template'($*)) dnl
')

########################################
## Execute the wine program in the wine domain.
## Parameters: $1 = domain allowed to transition.
#
define(`wine_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wine_domtrans'($*)) dnl
	gen_require(`
		type wine_t, wine_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, wine_exec_t, wine_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wine_domtrans'($*)) dnl
')

########################################
## Execute wine in the wine domain, and
## allow the specified role the wine domain.
## Parameters: $1 = domain allowed to transition, $2 = role allowed access.
##
## (header of this interface starts on the previous line)
#
define(`wine_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wine_run'($*)) dnl
	gen_require(`
		type wine_t;
	')

	wine_domtrans($1)
	# direct role statement; the other *_run interfaces in this file use a
	# role attribute (roleattribute $2 ..._roles) instead
	role $2 types wine_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wine_run'($*)) dnl
')

########################################
## Read and write wine shared
## memory segments.
## Parameters: $1 = domain allowed access.
#
define(`wine_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wine_rw_shm'($*)) dnl
	gen_require(`
		type wine_t;
	')

	allow $1 wine_t:shm rw_shm_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wine_rw_shm'($*)) dnl
')

########################################
## Transition to wine named content: a ".wine" directory
## created by $1 in the user home directory gets wine_home_t.
## Parameters: $1 = domain allowed access.
#
define(`wine_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wine_filetrans_named_content'($*)) dnl
	gen_require(`
		type wine_home_t;
	')

	userdom_user_home_dir_filetrans($1, wine_home_t, dir, ".wine")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wine_filetrans_named_content'($*)) dnl
')

## Wireshark packet capture tool.

############################################################
## Role access for wireshark.
## Parameters: $1 = role allowed access, $2 = user domain for the role.
##
## (header of this interface starts on the previous line)
## NOTE(review): ptrace on wireshark_t is granted unconditionally, whereas
## vmware_role in this file gates it behind the deny_ptrace tunable.
#
define(`wireshark_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wireshark_role'($*)) dnl
	gen_require(`
		attribute_role wireshark_roles;
		type wireshark_t, wireshark_exec_t, wireshark_home_t;
		type wireshark_tmp_t, wireshark_tmpfs_t;
	')

	roleattribute $1 wireshark_roles;

	domtrans_pattern($2, wireshark_exec_t, wireshark_t)

	# not gated by deny_ptrace - see the header note
	allow $2 wireshark_t:process { ptrace signal_perms };
	ps_process_pattern($2, wireshark_t)

	# the user domain fully manages and relabels wireshark content
	allow $2 { wireshark_tmp_t wireshark_home_t wireshark_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
	allow $2 { wireshark_tmp_t wireshark_home_t wireshark_tmpfs_t }:file { manage_file_perms relabel_file_perms };
	allow $2 { wireshark_home_t wireshark_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
	allow $2 wireshark_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
	allow $2 wireshark_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };

	userdom_user_home_dir_filetrans($2, wireshark_home_t, dir, ".wireshark")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wireshark_role'($*)) dnl
')

########################################
## Execute wireshark in the wireshark domain.
## Parameters: $1 = domain allowed to transition.
#
define(`wireshark_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wireshark_domtrans'($*)) dnl
	gen_require(`
		type wireshark_t, wireshark_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, wireshark_exec_t, wireshark_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wireshark_domtrans'($*)) dnl
')

########################################
## Read and write wireshark shared
## memory segments.
## Parameters: $1 = domain allowed access.
##
## (header of this interface starts on the previous line)
#
define(`wireshark_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wireshark_rw_shm'($*)) dnl
	gen_require(`
		type wireshark_t;
	')

	allow $1 wireshark_t:shm rw_shm_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wireshark_rw_shm'($*)) dnl
')

## X Window Managers

#######################################
## The role template for the wm module.
##
## This template creates a derived domain, $1_wm_t, which is used
## for window manager applications run by the $1 user domain.
##
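## (header of this template starts on the previous lines)
## Parameters: $1 = the prefix of the user domain (e.g., user
##                  is the prefix for user_t),
##             $2 = the role associated with the user domain,
##             $3 = the type of the user domain.
##
## Security note: the derived domain is made an MLS trusted subject
## (mls_file_*_all_levels, mls_xwin_*_all_levels, mls_fd_use_all_levels),
## may sigkill the user domain, and manages the user home and tmp
## content, so it should only be granted to window manager executables.
#
define(`wm_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wm_role_template'($*)) dnl
	gen_require(`
		type wm_exec_t;
		class dbus send_msg;
		attribute wm_domain;
	')

	type $1_wm_t, wm_domain;
	domain_type($1_wm_t)
	domain_entry_file($1_wm_t, wm_exec_t)
	role $2 types $1_wm_t;

	# stream sockets, signals and dbus in both directions between the
	# window manager and the user domain
	allow $1_wm_t $3:unix_stream_socket connectto;
	allow $3 $1_wm_t:unix_stream_socket connectto;

	allow $3 $1_wm_t:process { signal sigchld signull };
	allow $1_wm_t $3:process { signull sigkill };

	allow $1_wm_t $3:dbus send_msg;
	allow $3 $1_wm_t:dbus send_msg;

	userdom_manage_home_role($2, $1_wm_t)
	userdom_manage_tmp_role($2, $1_wm_t)
	userdom_exec_user_tmp_files($1_wm_t)

	# the user domain enters the wm domain, and the wm domain drops back
	# to the user domain when it runs binaries or shells
	domtrans_pattern($3, wm_exec_t, $1_wm_t)
	corecmd_bin_domtrans($1_wm_t, $3)
	corecmd_shell_domtrans($1_wm_t, $3)

	# the original body called auth_use_nsswitch twice; one call is enough
	auth_use_nsswitch($1_wm_t)

	kernel_read_system_state($1_wm_t)

	# MLS override: read and write across all levels (files, X windows, fds)
	mls_file_read_all_levels($1_wm_t)
	mls_file_write_all_levels($1_wm_t)
	mls_xwin_read_all_levels($1_wm_t)
	mls_xwin_write_all_levels($1_wm_t)
	mls_fd_use_all_levels($1_wm_t)

	optional_policy(`
		pulseaudio_run($1_wm_t, $2)
	')

	optional_policy(`
		xserver_role($2, $1_wm_t)
		xserver_manage_core_devices($1_wm_t)
	')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wm_role_template'($*)) dnl
')

########################################
## Execute the wm program in the wm domain.
## Parameters: $1 = domain allowed access.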
##
## (header of this interface starts on the previous line)
## Note: despite the original summary, this is can_exec in the caller
## domain, not a transition into the wm domain.
#
define(`wm_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `wm_exec'($*)) dnl
	gen_require(`
		type wm_exec_t;
	')

	can_exec($1, wm_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `wm_exec'($*)) dnl
')

## Xen hypervisor

########################################
## Execute a domain transition to run xend.
## Parameters: $1 = domain allowed to transition.
#
define(`xen_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_domtrans'($*)) dnl
	gen_require(`
		type xend_t, xend_exec_t;
	')

	domtrans_pattern($1, xend_exec_t, xend_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_domtrans'($*)) dnl
')

########################################
## Allow the specified domain to execute xend
## in the caller domain.
## Parameters: $1 = domain allowed access.
#
define(`xen_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_exec'($*)) dnl
	gen_require(`
		type xend_exec_t;
	')

	can_exec($1, xend_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_exec'($*)) dnl
')

########################################
## Inherit and use xen file descriptors.
## Parameters: $1 = domain allowed access.
#
define(`xen_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_use_fds'($*)) dnl
	gen_require(`
		type xend_t;
	')

	allow $1 xend_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_use_fds'($*)) dnl
')

########################################
## Do not audit attempts to inherit
## xen file descriptors.
## Parameters: $1 = domain to not audit.
##
#
define(`xen_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_dontaudit_use_fds'($*)) dnl
gen_require(`
	type xend_t;
')

dontaudit $1 xend_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_dontaudit_use_fds'($*)) dnl
')

#######################################
## Read xenstored pid files (xenstored_var_run_t).
##
## $1: Domain allowed access.
#
define(`xen_read_pid_files_xenstored',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_read_pid_files_xenstored'($*)) dnl
gen_require(`
	type xenstored_var_run_t;
')

files_search_pids($1)
read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_read_pid_files_xenstored'($*)) dnl
')

########################################
## Read xend lib files.
##
## $1: Domain allowed access.
#
define(`xen_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_read_lib_files'($*)) dnl
gen_require(`
	type xend_var_lib_t;
')

files_list_var_lib($1)
read_files_pattern($1, xend_var_lib_t, xend_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_read_lib_files'($*)) dnl
')

########################################
## Read xend image files.
##
## $1: Domain allowed access.
##
#
define(`xen_read_image_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_read_image_files'($*)) dnl
gen_require(`
	type xen_image_t, xend_var_lib_t;
')

files_list_var_lib($1)
list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
# Image files may sit directly under xend_var_lib_t or inside xen_image_t dirs.
read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_read_image_files'($*)) dnl
')

########################################
## Create, read, write, and delete xend image
## directories (xend_var_lib_t). This grants
## directory access only, not access to the
## image files themselves.
##
## $1: Domain allowed access.
#
define(`xen_manage_image_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_manage_image_dirs'($*)) dnl
gen_require(`
	type xend_var_lib_t;
')

files_list_var_lib($1)
manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_manage_image_dirs'($*)) dnl
')

########################################
## Read and write xend image files.
##
## $1: Domain allowed access.
#
define(`xen_rw_image_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_rw_image_files'($*)) dnl
gen_require(`
	type xen_image_t, xend_var_lib_t;
')

files_list_var_lib($1)
allow $1 xend_var_lib_t:dir search_dir_perms;
rw_files_pattern($1, xen_image_t, xen_image_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_rw_image_files'($*)) dnl
')

########################################
## Allow the specified domain to append
## xend log files.
##
## $1: Domain allowed access.
##
#
define(`xen_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_append_log'($*)) dnl
gen_require(`
	type xend_var_log_t;
')

logging_search_logs($1)
append_files_pattern($1, xend_var_log_t, xend_var_log_t)
# Append-only: plain write attempts are silenced rather than granted.
dontaudit $1 xend_var_log_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_append_log'($*)) dnl
')

########################################
## Create, read, write, and delete the
## xend log files.
##
## $1: Domain allowed access.
#
define(`xen_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_manage_log'($*)) dnl
gen_require(`
	type xend_var_log_t;
')

logging_search_logs($1)
manage_dirs_pattern($1, xend_var_log_t, xend_var_log_t)
manage_files_pattern($1, xend_var_log_t, xend_var_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_manage_log'($*)) dnl
')

########################################
## Do not audit attempts to read and write
## Xen unix domain stream sockets. These
## are leaked file descriptors.
##
## $1: Domain to not audit.
#
define(`xen_dontaudit_rw_unix_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_dontaudit_rw_unix_stream_sockets'($*)) dnl
gen_require(`
	type xend_t;
')

dontaudit $1 xend_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_dontaudit_rw_unix_stream_sockets'($*)) dnl
')

########################################
## Connect to xenstored over a unix stream socket.
##
## $1: Domain allowed access.
##
#
define(`xen_stream_connect_xenstore',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_stream_connect_xenstore'($*)) dnl
gen_require(`
	type xenstored_t, xenstored_var_run_t;
')

files_search_pids($1)
stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xenstored_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_stream_connect_xenstore'($*)) dnl
')

########################################
## Connect to xend over a unix domain stream socket.
## Covers sockets under both the pid and the
## /var/lib locations.
##
## $1: Domain allowed access.
#
define(`xen_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_stream_connect'($*)) dnl
gen_require(`
	type xend_t, xend_var_run_t, xend_var_lib_t;
')

files_search_pids($1)
stream_connect_pattern($1, xend_var_run_t, xend_var_run_t, xend_t)
files_search_var_lib($1)
stream_connect_pattern($1, xend_var_lib_t, xend_var_lib_t, xend_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_stream_connect'($*)) dnl
')

########################################
## Execute a domain transition to run xm.
##
## $1: Domain allowed to transition.
#
define(`xen_domtrans_xm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_domtrans_xm'($*)) dnl
gen_require(`
	type xm_t, xm_exec_t;
	attribute virsh_transition_domain;
')

# The caller is also tagged with the virsh transition attribute.
typeattribute $1 virsh_transition_domain;
domtrans_pattern($1, xm_exec_t, xm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_domtrans_xm'($*)) dnl
')

########################################
## Connect to xm over a unix stream socket.
##
## $1: Domain allowed access.
##
#
define(`xen_stream_connect_xm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xen_stream_connect_xm'($*)) dnl
gen_require(`
	type xm_t, xenstored_var_run_t;
')

files_search_pids($1)
# NOTE(review): the socket file type here is the xenstored pid type, with xm_t
# as the peer domain; confirm this is the socket xm actually listens on.
stream_connect_pattern($1, xenstored_var_run_t, xenstored_var_run_t, xm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xen_stream_connect_xm'($*)) dnl
')

## X Windows Font Server.

########################################
## Read xfs temporary sock files.
##
## $1: Domain allowed access.
#
define(`xfs_read_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xfs_read_sockets'($*)) dnl
gen_require(`
	type xfs_tmp_t;
')

files_search_tmp($1)
read_sock_files_pattern($1, xfs_tmp_t, xfs_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xfs_read_sockets'($*)) dnl
')

########################################
## Connect to xfs with a unix
## domain stream socket.
##
## $1: Domain allowed access.
#
define(`xfs_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xfs_stream_connect'($*)) dnl
gen_require(`
	type xfs_tmp_t, xfs_t;
')

files_search_tmp($1)
stream_connect_pattern($1, xfs_tmp_t, xfs_tmp_t, xfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xfs_stream_connect'($*)) dnl
')

########################################
## Execute xfs in the caller domain.
##
## $1: Domain allowed access.
##
#
define(`xfs_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xfs_exec'($*)) dnl
gen_require(`
	type xfs_exec_t;
')

corecmd_search_bin($1)
can_exec($1, xfs_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xfs_exec'($*)) dnl
')

########################################
## All of the rules required to
## administrate an xfs environment.
##
## $1: Domain allowed access.
## $2: Role allowed access.
#
define(`xfs_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xfs_admin'($*)) dnl
gen_require(`
	type xfs_t, xfs_initrc_exec_t, xfs_var_run_t;
	type xfs_tmp_t;
')

# NOTE(review): ptrace is granted unconditionally here, whereas zabbix_admin
# and zebra_admin in this file gate it behind the deny_ptrace tunable.
allow $1 xfs_t:process { ptrace signal_perms };
ps_process_pattern($1, xfs_t)

# Lets the admin run the init script and reach system_r through it.
init_labeled_script_domtrans($1, xfs_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 xfs_initrc_exec_t system_r;
allow $2 system_r;

files_search_pids($1)
admin_pattern($1, xfs_var_run_t)

files_search_tmp($1)
admin_pattern($1, xfs_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xfs_admin'($*)) dnl
')

## Least privileged xwindows user role.

########################################
## Change to the xguest role.
##
## $1: Role allowed access.
#
define(`xguest_role_change',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xguest_role_change'($*)) dnl
gen_require(`
	role xguest_r;
')

allow $1 xguest_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xguest_role_change'($*)) dnl
')

########################################
## Change from the xguest role.
##
##

## Change from the xguest role to ## the specified role. ##

##

## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. ##

##
## $1: Role allowed access.
#
define(`xguest_role_change_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xguest_role_change_to'($*)) dnl
gen_require(`
	role xguest_r;
')

# Reverse of xguest_role_change: xguest_r may change to role $1.
allow xguest_r $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xguest_role_change_to'($*)) dnl
')

## Modular screen saver and locker for X11.

########################################
## Role access for xscreensaver.
##
## $1: Role allowed access.
## $2: User domain for the role.
#
define(`xscreensaver_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xscreensaver_role'($*)) dnl
gen_require(`
	attribute_role xscreensaver_roles;
	type xscreensaver_t, xscreensaver_exec_t, xscreensaver_tmpfs_t;
')

roleattribute $1 xscreensaver_roles;
domtrans_pattern($2, xscreensaver_exec_t, xscreensaver_t)

# NOTE(review): ptrace over the screen locker is granted unconditionally to the
# user domain; other interfaces in this file gate ptrace behind deny_ptrace.
allow $2 xscreensaver_t:process { ptrace signal_perms };
ps_process_pattern($2, xscreensaver_t)

allow $2 xscreensaver_tmpfs_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 xscreensaver_tmpfs_t:file { manage_file_perms relabel_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xscreensaver_role'($*)) dnl
')

## Distributed infrastructure monitoring

########################################
## Execute a domain transition to run zabbix.
##
## $1: Domain allowed to transition.
#
define(`zabbix_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zabbix_domtrans'($*)) dnl
gen_require(`
	type zabbix_t, zabbix_exec_t;
')

domtrans_pattern($1, zabbix_exec_t, zabbix_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zabbix_domtrans'($*)) dnl
')

########################################
## Execute a domain transition to run zabbix_script.
##
## $1: Domain allowed to transition.
##
#
define(`zabbix_script_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zabbix_script_domtrans'($*)) dnl
gen_require(`
	type zabbix_script_t, zabbix_script_exec_t;
')

domtrans_pattern($1, zabbix_script_exec_t, zabbix_script_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zabbix_script_domtrans'($*)) dnl
')

########################################
## Allow connectivity to the zabbix server.
##
## $1: Domain allowed access.
#
define(`zabbix_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zabbix_tcp_connect'($*)) dnl
gen_require(`
	type zabbix_t;
')

# NOTE(review): the packet class is zabbix_agent_client while the port rules
# below use zabbix_port; confirm the intended pairing.
corenet_sendrecv_zabbix_agent_client_packets($1)
corenet_tcp_connect_zabbix_port($1)
corenet_tcp_recvfrom_labeled($1, zabbix_t)
corenet_tcp_sendrecv_zabbix_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zabbix_tcp_connect'($*)) dnl
')

########################################
## Allow the specified domain to read zabbix's log files.
##
## $1: Domain allowed access.
#
define(`zabbix_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zabbix_read_log'($*)) dnl
gen_require(`
	type zabbix_log_t;
')

logging_search_logs($1)
read_files_pattern($1, zabbix_log_t, zabbix_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zabbix_read_log'($*)) dnl
')

########################################
## Allow the specified domain to read zabbix's tmp files.
##
## $1: Domain allowed access.
##
#
define(`zabbix_read_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zabbix_read_tmp'($*)) dnl
gen_require(`
	type zabbix_tmp_t;
')

files_search_tmp($1)
read_files_pattern($1, zabbix_tmp_t, zabbix_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zabbix_read_tmp'($*)) dnl
')

########################################
## Allow the specified domain to append
## zabbix log files.
##
## $1: Domain allowed access.
#
define(`zabbix_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zabbix_append_log'($*)) dnl
gen_require(`
	type zabbix_log_t;
')

logging_search_logs($1)
append_files_pattern($1, zabbix_log_t, zabbix_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zabbix_append_log'($*)) dnl
')

########################################
## Read zabbix PID files.
##
## $1: Domain allowed access.
#
define(`zabbix_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zabbix_read_pid_files'($*)) dnl
gen_require(`
	type zabbix_var_run_t;
')

files_search_pids($1)
# Direct allow rather than read_files_pattern: no search on zabbix_var_run_t dirs.
allow $1 zabbix_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zabbix_read_pid_files'($*)) dnl
')

########################################
## Allow connectivity to a zabbix agent.
##
## $1: Domain allowed access.
##
#
define(`zabbix_agent_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zabbix_agent_tcp_connect'($*)) dnl
gen_require(`
	type zabbix_t, zabbix_agent_t;
')

corenet_sendrecv_zabbix_agent_client_packets($1)
corenet_tcp_connect_zabbix_agent_port($1)
# NOTE(review): zabbix_agent_t is required but never used; the labeled peer is
# zabbix_t even though this interface targets the agent port. Confirm which
# domain is meant to be the peer.
corenet_tcp_recvfrom_labeled($1, zabbix_t)
corenet_tcp_sendrecv_zabbix_agent_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zabbix_agent_tcp_connect'($*)) dnl
')

########################################
## All of the rules required to administrate
## a zabbix environment.
##
## $1: Domain allowed access.
## $2: The role to be allowed to manage the zabbix domain.
#
define(`zabbix_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zabbix_admin'($*)) dnl
gen_require(`
	type zabbix_t, zabbix_log_t, zabbix_var_run_t;
	type zabbix_initrc_exec_t;
')

allow $1 zabbix_t:process signal_perms;
ps_process_pattern($1, zabbix_t)

# ptrace is only granted when the deny_ptrace tunable is off.
tunable_policy(`deny_ptrace',`',`
	allow $1 zabbix_t:process ptrace;
')

init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 zabbix_initrc_exec_t system_r;
allow $2 system_r;

logging_list_logs($1)
admin_pattern($1, zabbix_log_t)

files_list_pids($1)
admin_pattern($1, zabbix_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zabbix_admin'($*)) dnl
')

## Zarafa collaboration platform.

######################################
## Creates types and rules for a basic
## zarafa init daemon domain.
##
## $1: Prefix for the domain.
##
#
define(`zarafa_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zarafa_domain_template'($*)) dnl
gen_require(`
	attribute zarafa_domain;
')

##############################
#
# $1_t declarations
#

type zarafa_$1_t, zarafa_domain;
type zarafa_$1_exec_t;
init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t)

type zarafa_$1_log_t;
logging_log_file(zarafa_$1_log_t)

type zarafa_$1_var_run_t;
files_pid_file(zarafa_$1_var_run_t)

##############################
#
# $1_t local policy
#

# pid files and sockets created in the pid dir get the derived var_run type.
manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file })

# log files created in the log dir get the derived log type.
manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file })

kernel_read_system_state(zarafa_$1_t)

auth_use_nsswitch(zarafa_$1_t)

logging_send_syslog_msg(zarafa_$1_t)
 dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zarafa_domain_template'($*)) dnl
')

######################################
## Allow the specified domain to search
## zarafa configuration dirs.
##
## $1: Domain allowed access.
#
define(`zarafa_search_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zarafa_search_config'($*)) dnl
gen_require(`
	type zarafa_etc_t;
')

files_search_etc($1)
allow $1 zarafa_etc_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zarafa_search_config'($*)) dnl
')

########################################
## Execute a domain transition to run zarafa_deliver.
##
## $1: Domain allowed to transition.
##
#
define(`zarafa_domtrans_deliver',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zarafa_domtrans_deliver'($*)) dnl
gen_require(`
	type zarafa_deliver_t, zarafa_deliver_exec_t;
')

domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zarafa_domtrans_deliver'($*)) dnl
')

########################################
## Execute a domain transition to run zarafa_server.
##
## $1: Domain allowed to transition.
#
define(`zarafa_domtrans_server',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zarafa_domtrans_server'($*)) dnl
gen_require(`
	type zarafa_server_t, zarafa_server_exec_t;
')

domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zarafa_domtrans_server'($*)) dnl
')

#######################################
## Connect to the zarafa-server unix domain stream socket.
##
## $1: Domain allowed access.
#
define(`zarafa_stream_connect_server',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zarafa_stream_connect_server'($*)) dnl
gen_require(`
	type zarafa_server_t, zarafa_server_var_run_t;
')

# NOTE(review): only /var/lib search is granted, but the socket type is a
# var_run type; confirm whether files_search_pids is needed as well.
files_search_var_lib($1)
stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zarafa_stream_connect_server'($*)) dnl
')

####################################
## Allow the specified domain to manage
## zarafa /var/lib files.
##
## $1: Domain allowed access.
##
#
define(`zarafa_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zarafa_manage_lib_files'($*)) dnl
gen_require(`
	type zarafa_var_lib_t;
')

files_search_var_lib($1)
# Despite the name this also manages symlinks and directories of that type.
manage_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
manage_lnk_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zarafa_manage_lib_files'($*)) dnl
')

## Zebra border gateway protocol network routing service

########################################
## Read the configuration files for zebra.
##
## $1: Domain allowed access.
#
define(`zebra_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zebra_read_config'($*)) dnl
gen_require(`
	type zebra_conf_t;
')

files_search_etc($1)
allow $1 zebra_conf_t:dir list_dir_perms;
read_files_pattern($1, zebra_conf_t, zebra_conf_t)
read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zebra_read_config'($*)) dnl
')

########################################
## Connect to zebra over a unix stream socket.
##
## $1: Domain allowed access.
#
define(`zebra_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zebra_stream_connect'($*)) dnl
gen_require(`
	type zebra_t, zebra_var_run_t;
')

files_search_pids($1)
stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zebra_stream_connect'($*)) dnl
')

#######################################
## Execute systemctl in the caller domain to
## manage the zebra services (unit files).
##
## $1: Domain allowed access.
##
#
define(`zebra_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zebra_systemctl'($*)) dnl
gen_require(`
	type zebra_t;
	type zebra_unit_file_t;
')

systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 zebra_unit_file_t:file read_file_perms;
allow $1 zebra_unit_file_t:service manage_service_perms;
ps_process_pattern($1, zebra_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zebra_systemctl'($*)) dnl
')

########################################
## All of the rules required to administrate
## a zebra environment.
##
## $1: Domain allowed access.
## $2: The role to be allowed to manage the zebra domain.
#
define(`zebra_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zebra_admin'($*)) dnl
gen_require(`
	type zebra_t, zebra_tmp_t, zebra_log_t;
	type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t;
')

allow $1 zebra_t:process signal_perms;
ps_process_pattern($1, zebra_t)

# ptrace is only granted when the deny_ptrace tunable is off.
tunable_policy(`deny_ptrace',`',`
	allow $1 zebra_t:process ptrace;
')

init_labeled_script_domtrans($1, zebra_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 zebra_initrc_exec_t system_r;
allow $2 system_r;

files_list_etc($1)
admin_pattern($1, zebra_conf_t)

logging_list_logs($1)
admin_pattern($1, zebra_log_t)

files_list_tmp($1)
admin_pattern($1, zebra_tmp_t)

files_list_pids($1)
admin_pattern($1, zebra_var_run_t)

# NOTE(review): zebra_unit_file_t is not listed in the gen_require above;
# presumably the nested require inside zebra_systemctl satisfies it. Verify.
zebra_systemctl($1)
admin_pattern($1, zebra_unit_file_t)
allow $1 zebra_unit_file_t:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zebra_admin'($*)) dnl
')

## policy for zoneminder

########################################
## Transition to zoneminder.
##
## $1: Domain allowed to transition.
##
#
define(`zoneminder_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_domtrans'($*)) dnl
gen_require(`
	type zoneminder_t, zoneminder_exec_t;
')

corecmd_search_bin($1)
domtrans_pattern($1, zoneminder_exec_t, zoneminder_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_domtrans'($*)) dnl
')

########################################
## Allow the specified domain to execute zoneminder
## in the caller domain (no transition).
##
## $1: Domain allowed access.
#
define(`zoneminder_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_exec'($*)) dnl
gen_require(`
	type zoneminder_exec_t;
')

corecmd_search_bin($1)
can_exec($1, zoneminder_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_exec'($*)) dnl
')

########################################
## Execute the zoneminder init script, transitioning
## through the labeled init script domain.
##
## $1: Domain allowed access.
#
define(`zoneminder_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_initrc_domtrans'($*)) dnl
gen_require(`
	type zoneminder_initrc_exec_t;
')

init_labeled_script_domtrans($1, zoneminder_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_initrc_domtrans'($*)) dnl
')

########################################
## Read zoneminder's log files.
##
## $1: Domain allowed access.
##
#
define(`zoneminder_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_read_log'($*)) dnl
gen_require(`
	type zoneminder_log_t;
')

logging_search_logs($1)
read_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_read_log'($*)) dnl
')

########################################
## Append to zoneminder log files.
##
## $1: Domain allowed access.
#
define(`zoneminder_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_append_log'($*)) dnl
gen_require(`
	type zoneminder_log_t;
')

logging_search_logs($1)
append_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_append_log'($*)) dnl
')

########################################
## Manage zoneminder log files, directories
## and symlinks.
##
## $1: Domain allowed access.
#
define(`zoneminder_manage_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_manage_log'($*)) dnl
gen_require(`
	type zoneminder_log_t;
')

logging_search_logs($1)
manage_dirs_pattern($1, zoneminder_log_t, zoneminder_log_t)
manage_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
manage_lnk_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_manage_log'($*)) dnl
')

########################################
## Search zoneminder lib directories.
##
## $1: Domain allowed access.
##
#
define(`zoneminder_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_search_lib'($*)) dnl
gen_require(`
	type zoneminder_var_lib_t;
')

allow $1 zoneminder_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_search_lib'($*)) dnl
')

########################################
## Read zoneminder lib files.
##
## $1: Domain allowed access.
#
define(`zoneminder_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_read_lib_files'($*)) dnl
gen_require(`
	type zoneminder_var_lib_t;
')

files_search_var_lib($1)
read_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_read_lib_files'($*)) dnl
')

########################################
## Manage zoneminder lib files.
##
## $1: Domain allowed access.
#
define(`zoneminder_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_manage_lib_files'($*)) dnl
gen_require(`
	type zoneminder_var_lib_t;
')

files_search_var_lib($1)
manage_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_manage_lib_files'($*)) dnl
')

########################################
## Manage zoneminder lib directories.
##
## $1: Domain allowed access.
##
#
define(`zoneminder_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_manage_lib_dirs'($*)) dnl
gen_require(`
	type zoneminder_var_lib_t;
')

files_search_var_lib($1)
manage_dirs_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_manage_lib_dirs'($*)) dnl
')

########################################
## Manage zoneminder lib sock files.
##
## $1: Domain allowed access.
#
define(`zoneminder_manage_lib_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_manage_lib_sock_files'($*)) dnl
gen_require(`
	type zoneminder_var_lib_t;
')

files_search_var_lib($1)
manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_manage_lib_sock_files'($*)) dnl
')

########################################
## Search zoneminder spool directories.
##
## $1: Domain allowed access.
#
define(`zoneminder_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_search_spool'($*)) dnl
gen_require(`
	type zoneminder_spool_t;
')

allow $1 zoneminder_spool_t:dir search_dir_perms;
files_search_spool($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_search_spool'($*)) dnl
')

########################################
## Read zoneminder spool files.
##
## $1: Domain allowed access.
##
#
define(`zoneminder_read_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_read_spool_files'($*)) dnl
gen_require(`
	type zoneminder_spool_t;
')

files_search_spool($1)
read_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_read_spool_files'($*)) dnl
')

########################################
## Manage zoneminder spool files.
##
## $1: Domain allowed access.
#
define(`zoneminder_manage_spool_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_manage_spool_files'($*)) dnl
gen_require(`
	type zoneminder_spool_t;
')

files_search_spool($1)
manage_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_manage_spool_files'($*)) dnl
')

########################################
## Manage zoneminder spool dirs.
##
## $1: Domain allowed access.
#
define(`zoneminder_manage_spool_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_manage_spool_dirs'($*)) dnl
gen_require(`
	type zoneminder_spool_t;
')

files_search_spool($1)
manage_dirs_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_manage_spool_dirs'($*)) dnl
')

########################################
## Connect to zoneminder over a unix stream socket.
##
## $1: Domain allowed access.
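##
##
#
define(`zoneminder_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_stream_connect'($*)) dnl
	gen_require(`
		type zoneminder_t, zoneminder_var_lib_t;
	')

	# NOTE(review): only the pid directory search is granted here while the
	# socket file type is zoneminder_var_lib_t; confirm the socket is reachable
	# through the pid directory, otherwise a var_lib search is also needed.
	files_search_pids($1)
	stream_connect_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t, zoneminder_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_stream_connect'($*)) dnl
')

######################################
##
## Read/write zoneminder tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
define(`zoneminder_rw_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_rw_tmpfs_files'($*)) dnl
	gen_require(`
		type zoneminder_tmpfs_t;
	')

	fs_search_tmpfs($1)
	rw_files_pattern($1, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_rw_tmpfs_files'($*)) dnl
')

########################################
##
## All of the rules required to administrate
## a zoneminder environment
##
##
##
## Domain allowed access.
##
##
##
##
## Role allowed access.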
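##
##
##
#
define(`zoneminder_admin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zoneminder_admin'($*)) dnl
	gen_require(`
		type zoneminder_t;
		type zoneminder_initrc_exec_t;
		type zoneminder_log_t;
		type zoneminder_var_lib_t;
		type zoneminder_spool_t;
	')

	# ptrace lets the admin domain inspect and control the daemon process;
	# it is a broad permission and should only reach trusted admin domains.
	allow $1 zoneminder_t:process { ptrace signal_perms };
	ps_process_pattern($1, zoneminder_t)

	zoneminder_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 zoneminder_initrc_exec_t system_r;
	allow $2 system_r;

	logging_search_logs($1)
	admin_pattern($1, zoneminder_log_t)

	files_search_var_lib($1)
	admin_pattern($1, zoneminder_var_lib_t)

	files_search_spool($1)
	admin_pattern($1, zoneminder_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zoneminder_admin'($*)) dnl
')

## z/OS Remote-services Audit dispatcher plugin.

########################################
##
## Execute a domain transition to run audispd-zos-remote.
##
##
##
## Domain allowed to transition.
##
##
#
define(`zosremote_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zosremote_domtrans'($*)) dnl
	gen_require(`
		type zos_remote_t, zos_remote_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, zos_remote_exec_t, zos_remote_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zosremote_domtrans'($*)) dnl
')

########################################
##
## Execute zos remote in the zos remote
## domain, and allow the specified role
## the zos remote domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.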
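##
##
##
#
define(`zosremote_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `zosremote_run'($*)) dnl
	gen_require(`
		attribute_role zos_remote_roles;
	')

	zosremote_domtrans($1)
	roleattribute $2 zos_remote_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `zosremote_run'($*)) dnl
')

##
## Core policy for shells, and generic programs
## in /bin, /sbin, /usr/bin, and /usr/sbin.
##
##
## Contains the base bin and sbin directory types
## which need to be searched for the kernel to
## run init.
##

#####################################
##
## corecmd stub bin_t interface. No access allowed.
##
##
##
## Domain allowed access
##
##
#
define(`corecmd_stub_bin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_stub_bin'($*)) dnl
	gen_require(`
		type bin_t;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_stub_bin'($*)) dnl
')

########################################
##
## Make the specified type usable for files
## that are executables, such as binary programs.
## This does not include shared libraries.
##
##
##
## Type to be used for files.
##
##
#
define(`corecmd_executable_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_executable_file'($*)) dnl
	gen_require(`
		attribute exec_type;
	')

	# membership in exec_type is what the *_all_executables interfaces key on
	typeattribute $1 exec_type;
	files_type($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_executable_file'($*)) dnl
')

########################################
##
## Create an aliased type to generic bin files. (Deprecated)
##
##
##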

## Create an aliased type to generic bin files. (Deprecated) ##

##

## This is added to support targeted policy. Its ## use should be limited. It has no effect ## on the strict policy. ##

##
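##
##
## Alias type for bin_t.
##
##
#
define(`corecmd_bin_alias',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_bin_alias'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_bin_alias'($*)) dnl
')

########################################
##
## Make general programs in bin an entrypoint for
## the specified domain.
##
##
##
## The domain for which bin_t is an entrypoint.
##
##
#
define(`corecmd_bin_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_bin_entry_type'($*)) dnl
	gen_require(`
		type bin_t;
		type usr_t;
	')

	# usr_t is an entrypoint as well, so any usr_t file can start this domain
	domain_entry_file($1, bin_t)
	domain_entry_file($1, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_bin_entry_type'($*)) dnl
')

########################################
##
## Make general programs in sbin an entrypoint for
## the specified domain. (Deprecated)
##
##
##
## The domain for which sbin programs are an entrypoint.
##
##
#
define(`corecmd_sbin_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_sbin_entry_type'($*)) dnl
	corecmd_bin_entry_type($1)
	refpolicywarn(`$0() has been deprecated, please use corecmd_bin_entry_type() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_sbin_entry_type'($*)) dnl
')

########################################
##
## Make the shell an entrypoint for the specified domain.
##
##
##
## The domain for which the shell is an entrypoint.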
##
##
#
define(`corecmd_shell_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_shell_entry_type'($*)) dnl
	gen_require(`
		type shell_exec_t;
	')

	domain_entry_file($1, shell_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_shell_entry_type'($*)) dnl
')

########################################
##
## Search the contents of bin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_search_bin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_search_bin'($*)) dnl
	gen_require(`
		type bin_t;
	')

	corecmd_read_bin_symlinks($1)
	search_dirs_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_search_bin'($*)) dnl
')

########################################
##
## Do not audit attempts to search the contents of bin directories.
##
##
##
## Domain to not audit.
##
##
#
define(`corecmd_dontaudit_search_bin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_search_bin'($*)) dnl
	gen_require(`
		type bin_t;
	')

	dontaudit $1 bin_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_search_bin'($*)) dnl
')

########################################
##
## List the contents of bin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_list_bin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_list_bin'($*)) dnl
	gen_require(`
		type bin_t;
	')

	corecmd_read_bin_symlinks($1)
	list_dirs_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_list_bin'($*)) dnl
')

########################################
##
## Do not audit attempts to write bin directories.
##
##
##
## Domain to not audit.
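##
##
#
define(`corecmd_dontaudit_write_bin_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_write_bin_dirs'($*)) dnl
	gen_require(`
		type bin_t;
	')

	dontaudit $1 bin_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_write_bin_dirs'($*)) dnl
')

########################################
##
## Get the attributes of files in bin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_getattr_bin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_getattr_bin_files'($*)) dnl
	gen_require(`
		type bin_t;
	')

	getattr_files_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_getattr_bin_files'($*)) dnl
')

########################################
##
## Do not audit attempts to get the attributes of files in bin directories.
##
##
##
## Domain to not audit.
##
##
#
define(`corecmd_dontaudit_getattr_bin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_getattr_bin_files'($*)) dnl
	gen_require(`
		type bin_t;
	')

	# silence both the directory search and the file getattr denials
	dontaudit $1 bin_t:dir search_dir_perms;
	dontaudit $1 bin_t:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_getattr_bin_files'($*)) dnl
')

########################################
##
## Read files in bin directories.
##
##
##
## Domain allowed access.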
##
##
#
define(`corecmd_read_bin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_bin_files'($*)) dnl
	gen_require(`
		type bin_t;
	')

	corecmd_read_bin_symlinks($1)
	read_files_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_bin_files'($*)) dnl
')

########################################
##
## Do not audit attempts to write bin files.
##
##
##
## Domain to not audit.
##
##
#
define(`corecmd_dontaudit_write_bin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_write_bin_files'($*)) dnl
	gen_require(`
		type bin_t;
	')

	dontaudit $1 bin_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_write_bin_files'($*)) dnl
')

########################################
##
## Do not audit attempts to access check bin files.
##
##
##
## Domain to not audit.
##
##
#
define(`corecmd_dontaudit_access_check_bin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_access_check_bin'($*)) dnl
	gen_require(`
		type bin_t;
	')

	dontaudit $1 bin_t:file audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_access_check_bin'($*)) dnl
')

########################################
##
## Read symbolic links in bin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_bin_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_bin_symlinks'($*)) dnl
	gen_require(`
		type bin_t;
	')

	read_lnk_files_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_bin_symlinks'($*)) dnl
')

########################################
##
## Read pipes in bin directories.
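##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_bin_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_bin_pipes'($*)) dnl
	gen_require(`
		type bin_t;
	')

	# the symlink read must go to the caller domain, as in the sibling
	# corecmd_read_bin_* interfaces; passing bin_t granted it to bin_t itself
	corecmd_read_bin_symlinks($1)
	read_fifo_files_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_bin_pipes'($*)) dnl
')

########################################
##
## Read named sockets in bin directories.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_bin_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_bin_sockets'($*)) dnl
	gen_require(`
		type bin_t;
	')

	corecmd_read_bin_symlinks($1)
	read_sock_files_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_bin_sockets'($*)) dnl
')

########################################
##
## Execute generic programs in bin directories,
## in the caller domain.
##
##
##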

## Allow the specified domain to execute generic programs ## in system bin directories (/bin, /sbin, /usr/bin, ## /usr/sbin) without a domain transition. ##

##

## Typically, this interface should be used when the domain ## executes general system programs within the privileges ## of the source domain. Some examples of these programs ## are ls, cp, sed, python, and tar. This does not include ## shells, such as bash. ##

##

## Related interface: ##

##
    ##
  • corecmd_exec_shell()
  • ##
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_exec_bin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_exec_bin'($*)) dnl
	gen_require(`
		type bin_t;
	')

	read_lnk_files_pattern($1, bin_t, bin_t)
	list_dirs_pattern($1, bin_t, bin_t)
	can_exec($1, bin_t)

	# outside MLS builds this also permits executing the other base
	# read-only file types, which widens what the caller may run
	ifdef(`enable_mls',`',`
		files_exec_all_base_ro_files($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_exec_bin'($*)) dnl
')

########################################
##
## Create, read, write, and delete bin files.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_manage_bin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_manage_bin_files'($*)) dnl
	gen_require(`
		type bin_t;
	')

	corecmd_read_bin_symlinks($1)
	manage_files_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_manage_bin_files'($*)) dnl
')

########################################
##
## Relabel to and from the bin type.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_relabel_bin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_relabel_bin_files'($*)) dnl
	gen_require(`
		type bin_t;
	')

	relabel_files_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_relabel_bin_files'($*)) dnl
')

########################################
##
## Mmap a bin file as executable.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_mmap_bin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_mmap_bin_files'($*)) dnl
	gen_require(`
		type bin_t;
	')

	corecmd_read_bin_symlinks($1)
	mmap_exec_files_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_mmap_bin_files'($*)) dnl
')

########################################
##
## Execute a file in a bin directory
## in the specified domain but do not
## do it automatically. This is an explicit
## transition, requiring the caller to use setexeccon().
##
##
##

## Execute a file in a bin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## the userhelper policy. ##

##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the new process.
##
##
#
define(`corecmd_bin_spec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_bin_spec_domtrans'($*)) dnl
	gen_require(`
		type bin_t;
		type usr_t;
	')

	# no type_transition here: the caller must request the
	# transition explicitly, and usr_t files are covered as well
	read_lnk_files_pattern($1, bin_t, bin_t)
	domain_transition_pattern($1, bin_t, $2)
	read_lnk_files_pattern($1, usr_t, usr_t)
	domain_transition_pattern($1, usr_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_bin_spec_domtrans'($*)) dnl
')

########################################
##
## Execute a file in a bin directory
## in the specified domain.
##
##
##

## Execute a file in a bin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## the ssh-agent policy. ##

##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the new process.
##
##
#
define(`corecmd_bin_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_bin_domtrans'($*)) dnl
	gen_require(`
		type bin_t;
		type usr_t;
	')

	# automatic variant: the type_transition rules make every bin_t and
	# usr_t execution from the caller land in the target domain
	corecmd_bin_spec_domtrans($1, $2)
	type_transition $1 bin_t:process $2;
	type_transition $1 usr_t:process $2;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_bin_domtrans'($*)) dnl
')

########################################
##
## Search the contents of sbin directories. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_search_sbin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_search_sbin'($*)) dnl
	corecmd_search_bin($1)
	refpolicywarn(`$0() has been deprecated, please use corecmd_search_bin() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_search_sbin'($*)) dnl
')

########################################
##
## Do not audit attempts to search
## sbin directories. (Deprecated)
##
##
##
## Domain to not audit.
##
##
#
define(`corecmd_dontaudit_search_sbin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_search_sbin'($*)) dnl
	corecmd_dontaudit_search_bin($1)
	refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_search_bin() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_search_sbin'($*)) dnl
')

########################################
##
## List the contents of sbin directories. (Deprecated)
##
##
##
## Domain allowed access.
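##
##
#
define(`corecmd_list_sbin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_list_sbin'($*)) dnl
	corecmd_list_bin($1)
	refpolicywarn(`$0() has been deprecated, please use corecmd_list_bin() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_list_sbin'($*)) dnl
')

########################################
##
## Do not audit attempts to write
## sbin directories. (Deprecated)
##
##
##
## Domain to not audit.
##
##
#
define(`corecmd_dontaudit_write_sbin_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_write_sbin_dirs'($*)) dnl
	corecmd_dontaudit_write_bin_dirs($1)
	refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_write_bin_dirs() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_write_sbin_dirs'($*)) dnl
')

########################################
##
## Get the attributes of sbin files. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_getattr_sbin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_getattr_sbin_files'($*)) dnl
	corecmd_getattr_bin_files($1)
	refpolicywarn(`$0() has been deprecated, please use corecmd_getattr_bin_files() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_getattr_sbin_files'($*)) dnl
')

########################################
##
## Do not audit attempts to get the attributes
## of sbin files. (Deprecated)
##
##
##
## Domain to not audit.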
##
##
#
define(`corecmd_dontaudit_getattr_sbin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_getattr_sbin_files'($*)) dnl
	corecmd_dontaudit_getattr_bin_files($1)
	refpolicywarn(`$0() has been deprecated, please use corecmd_dontaudit_getattr_bin_files() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_getattr_sbin_files'($*)) dnl
')

########################################
##
## Read files in sbin directories. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_sbin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_sbin_files'($*)) dnl
	corecmd_read_bin_files($1)
	refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_files() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_sbin_files'($*)) dnl
')

########################################
##
## Read symbolic links in sbin directories. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_sbin_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_sbin_symlinks'($*)) dnl
	corecmd_read_bin_symlinks($1)
	refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_symlinks() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_sbin_symlinks'($*)) dnl
')

########################################
##
## Read named pipes in sbin directories. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_sbin_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_sbin_pipes'($*)) dnl
	corecmd_read_bin_pipes($1)
	refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_pipes() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_sbin_pipes'($*)) dnl
')

########################################
##
## Read named sockets in sbin directories. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_read_sbin_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_sbin_sockets'($*)) dnl
	corecmd_read_bin_sockets($1)
	refpolicywarn(`$0() has been deprecated, please use corecmd_read_bin_sockets() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_sbin_sockets'($*)) dnl
')

########################################
##
## Execute generic programs in sbin directories,
## in the caller domain. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_exec_sbin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_exec_sbin'($*)) dnl
	corecmd_exec_bin($1)
	refpolicywarn(`$0() has been deprecated, please use corecmd_exec_bin() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_exec_sbin'($*)) dnl
')

########################################
##
## Create, read, write, and delete sbin files. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`corecmd_manage_sbin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_manage_sbin_files'($*)) dnl
	corecmd_manage_bin_files($1)
	refpolicywarn(`$0() has been deprecated, please use corecmd_manage_bin_files() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_manage_sbin_files'($*)) dnl
')

########################################
##
## Relabel to and from the sbin type. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`corecmd_relabel_sbin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_relabel_sbin_files'($*)) dnl
	corecmd_relabel_bin_files($1)
	refpolicywarn(`$0() has been deprecated, please use corecmd_relabel_bin_files() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_relabel_sbin_files'($*)) dnl
')

########################################
##
## Mmap a sbin file as executable. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
# cjp: added for prelink
define(`corecmd_mmap_sbin_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_mmap_sbin_files'($*)) dnl
	corecmd_mmap_bin_files($1)
	refpolicywarn(`$0() has been deprecated, please use corecmd_mmap_bin_files() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_mmap_sbin_files'($*)) dnl
')

########################################
##
## Execute a file in a sbin directory
## in the specified domain. (Deprecated)
##
##
##

## Execute a file in a sbin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. (Deprecated) ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## the ssh-agent policy. ##

##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the new process.
##
##
#
define(`corecmd_sbin_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_sbin_domtrans'($*)) dnl
	corecmd_bin_domtrans($1, $2)
	refpolicywarn(`$0() has been deprecated, please use corecmd_bin_domtrans() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_sbin_domtrans'($*)) dnl
')

########################################
##
## Execute a file in a sbin directory
## in the specified domain but do not
## do it automatically. This is an explicit
## transition, requiring the caller to use setexeccon(). (Deprecated)
##
##
##

## Execute a file in a sbin directory ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. (Deprecated) ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## the userhelper policy. ##

##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the new process.
##
##
#
define(`corecmd_sbin_spec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_sbin_spec_domtrans'($*)) dnl
	corecmd_bin_spec_domtrans($1, $2)
	refpolicywarn(`$0() has been deprecated, please use corecmd_bin_spec_domtrans() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_sbin_spec_domtrans'($*)) dnl
')

########################################
##
## Check if a shell is executable (DAC-wise).
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_check_exec_shell',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_check_exec_shell'($*)) dnl
	gen_require(`
		type bin_t, shell_exec_t;
	')

	list_dirs_pattern($1, bin_t, bin_t)
	read_lnk_files_pattern($1, bin_t, bin_t)
	# only the execute permission: no execute_no_trans, so the caller
	# cannot actually run the shell in its own domain through this
	allow $1 shell_exec_t:file execute;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_check_exec_shell'($*)) dnl
')

########################################
##
## Execute shells in the caller domain.
##
##
##

## Allow the specified domain to execute shells without ## a domain transition. ##

##

## Typically, this interface should be used when the domain ## executes shells within the privileges ## of the source domain. Some examples of these programs ## are bash, tcsh, and zsh. ##

##

## Related interface: ##

##
    ##
  • corecmd_exec_bin()
  • ##
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_exec_shell',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_exec_shell'($*)) dnl
	gen_require(`
		type bin_t, shell_exec_t;
	')

	list_dirs_pattern($1, bin_t, bin_t)
	read_lnk_files_pattern($1, bin_t, bin_t)
	can_exec($1, shell_exec_t)
	allow $1 shell_exec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_exec_shell'($*)) dnl
')

########################################
##
## Execute ls in the caller domain. (Deprecated)
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_exec_ls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_exec_ls'($*)) dnl
	corecmd_exec_bin($1)
	refpolicywarn(`$0() has been deprecated, please use corecmd_exec_bin() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_exec_ls'($*)) dnl
')

########################################
##
## Execute a shell in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
##
##
##

## Execute a shell in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the shell process.
##
##
#
define(`corecmd_shell_spec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_shell_spec_domtrans'($*)) dnl
	gen_require(`
		type bin_t, shell_exec_t;
	')

	list_dirs_pattern($1, bin_t, bin_t)
	read_lnk_files_pattern($1, bin_t, bin_t)
	# explicit transition only; no type_transition is set up here
	domain_transition_pattern($1, shell_exec_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_shell_spec_domtrans'($*)) dnl
')

########################################
##
## Execute a shell in the specified domain.
##
##
##

## Execute a shell in the specified domain. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##
##
##
## Domain allowed to transition.
##
##
##
##
## The type of the shell process.
##
##
#
define(`corecmd_shell_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_shell_domtrans'($*)) dnl
	gen_require(`
		type shell_exec_t;
	')

	corecmd_shell_spec_domtrans($1, $2)
	type_transition $1 shell_exec_t:process $2;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_shell_domtrans'($*)) dnl
')

########################################
##
## Execute chroot in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
define(`corecmd_exec_chroot',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_exec_chroot'($*)) dnl
	gen_require(`
		type chroot_exec_t;
		type bin_t;
	')

	read_lnk_files_pattern($1, bin_t, bin_t)
	can_exec($1, chroot_exec_t)
	# the chroot system call itself requires CAP_SYS_CHROOT in the caller
	allow $1 self:capability sys_chroot;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_exec_chroot'($*)) dnl
')

########################################
##
## Do not audit attempts to access check executable files.
##
##
##
## Domain to not audit.
##
##
#
define(`corecmd_dontaudit_access_all_executables',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_access_all_executables'($*)) dnl
	gen_require(`
		attribute exec_type;
	')

	dontaudit $1 exec_type:file audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_access_all_executables'($*)) dnl
')

########################################
##
## Get the attributes of all executable files.
##
##
##
## Domain allowed access.
#
# Lists bin_t directories and stats every file carrying the exec_type
# attribute.  Metadata only: no read or execute access is granted.
define(`corecmd_getattr_all_executables',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corecmd_getattr_all_executables'($*))dnl
	gen_require(`
		attribute exec_type;
		type bin_t;
	')

	allow $1 bin_t:dir list_dir_perms;
	getattr_files_pattern($1, bin_t, exec_type)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corecmd_getattr_all_executables'($*))dnl
')

########################################
## Execute all executable files.
##
## Parameters:
##	$1 - Domain allowed access.
#
# can_exec on the exec_type attribute: $1 may run any labeled executable in
# its own domain (execute_no_trans), which is a very broad grant.  Prefer a
# per-type exec or domtrans interface where the set of binaries is known.
define(`corecmd_exec_all_executables',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corecmd_exec_all_executables'($*))dnl
	gen_require(`
		attribute exec_type;
		type bin_t;
	')

	can_exec($1, exec_type)
	list_dirs_pattern($1, bin_t, bin_t)
	read_lnk_files_pattern($1, bin_t, exec_type)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corecmd_exec_all_executables'($*))dnl
')

########################################
## Do not audit attempts to execute all executables.
##
## Parameters:
##	$1 - Domain to not audit.
#
# Suppresses the log noise for execute and execute_no_trans denials; the
# access itself stays denied.
define(`corecmd_dontaudit_exec_all_executables',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corecmd_dontaudit_exec_all_executables'($*))dnl
	gen_require(`
		attribute exec_type;
	')

	dontaudit $1 exec_type:file { execute execute_no_trans };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corecmd_dontaudit_exec_all_executables'($*))dnl
')

########################################
## Create, read, write, and delete all executable files.
##
## Parameters:
##	$1 - Domain allowed access.
#
# Full management of every exec_type file (and bin_t directories and
# symlinks).  A domain holding this can replace system binaries, i.e. it can
# change what every other domain executes; it belongs to package managers
# and installers only, and is worth an audit rule on its own.
define(`corecmd_manage_all_executables',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corecmd_manage_all_executables'($*))dnl
	gen_require(`
		attribute exec_type;
		type bin_t;
	')

	manage_dirs_pattern($1, bin_t, exec_type)
	manage_files_pattern($1, bin_t, exec_type)
	manage_lnk_files_pattern($1, bin_t, bin_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corecmd_manage_all_executables'($*))dnl
')

########################################
## Relabel to and from the bin type.
##
## Parameters:
##	$1 - Domain allowed access.
#
# relabelfrom/relabelto across all exec_type files.  Relabeling changes
# which domain transitions a binary triggers, so this is as sensitive as
# managing the files themselves (restorecon-style tools).
define(`corecmd_relabel_all_executables',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corecmd_relabel_all_executables'($*))dnl
	gen_require(`
		attribute exec_type;
		type bin_t;
	')

	relabel_files_pattern($1, bin_t, exec_type)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corecmd_relabel_all_executables'($*))dnl
')

########################################
## Mmap all executables as executable.
##
## Parameters:
##	$1 - Domain allowed access.
#
# Allows PROT_EXEC mappings of exec_type files without going through
# execve (e.g. loaders, emulators); no domain transition is involved.
define(`corecmd_mmap_all_executables',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corecmd_mmap_all_executables'($*))dnl
	gen_require(`
		attribute exec_type;
		type bin_t;
	')

	mmap_exec_files_pattern($1, bin_t, exec_type)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corecmd_mmap_all_executables'($*))dnl
')

########################################
## Read all executable files.
##
## Parameters:
##	$1 - Domain allowed access.
#
# Read access to every exec_type file.  The container argument is the
# exec_type attribute itself rather than bin_t, so directory access must
# come from elsewhere.
define(`corecmd_read_all_executables',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corecmd_read_all_executables'($*))dnl
	gen_require(`
		attribute exec_type;
	')

	read_files_pattern($1, exec_type, exec_type)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corecmd_read_all_executables'($*))dnl
')

########################################
## Use all executable files as an entry point into the domain.
##
## Parameters:
##	$1 - Domain allowed access.
#
# Grants the entrypoint permission on the whole exec_type attribute, so any
# labeled executable can be the first program run in domain $1.  Entrypoint
# is what ties a domain to the code it is allowed to start from; granting it
# this broadly weakens that binding and should be reserved for domains such
# as unconfined or generic user domains.
define(`corecmd_entrypoint_all_executables',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corecmd_entrypoint_all_executables'($*))dnl
	gen_require(`
		attribute exec_type;
	')

	allow $1 exec_type:file entrypoint;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corecmd_entrypoint_all_executables'($*))dnl
')

########################################
## Create objects in the /bin directory
##
## Parameters:
##	$1 - Domain allowed access.
##	$2 - The type of the object to be created.
##	$3 - The object class.
##	$4 - The name of the object being created (optional).
#
# Thin wrapper around filetrans_pattern with bin_t as the parent directory;
# $4 is passed through so named file transitions are supported.
define(`corecmd_bin_filetrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corecmd_bin_filetrans'($*))dnl
	gen_require(`
		type bin_t;
	')

	filetrans_pattern($1, bin_t, $2, $3, $4)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corecmd_bin_filetrans'($*))dnl
')

#
# This is a generated file! Instead of modifying this file, the
# corenetwork.if.in or corenetwork.if.m4 file should be modified.
#
## Policy controlling access to network objects
##
## Contains the initial SIDs for network objects.
##

########################################
## Define type to be a network port type
##
##

## Define type to be a network port type ##

##

## This is for supporting third party modules and its ## use is not allowed in upstream reference policy. ##

##
##
## Parameters:
##	$1 - Type to be used for network ports.
#
# Attaches the port_type attribute to $1 so that rules written against all
# port types (e.g. the *_all_ports interfaces) cover the new type.
define(`corenet_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_port'($*))dnl
	gen_require(`
		attribute port_type;
	')

	typeattribute $1 port_type;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_port'($*))dnl
')

########################################
## Define network type to be a reserved port (lt 1024)
##
##

## Define network type to be a reserved port (lt 1024) ##

##

## This is for supporting third party modules and its ## use is not allowed in upstream reference policy. ##

##
##
## Parameters:
##	$1 - Type to be used for network ports.
#
# Marks $1 as a reserved (below 1024) port type and also registers it as an
# ordinary port type via corenet_port.  The attribute only records the
# intent; the numeric range is enforced by the portcon statements that use
# the type, not by this interface.
define(`corenet_reserved_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_reserved_port'($*))dnl
	gen_require(`
		attribute reserved_port_type;
	')

	typeattribute $1 reserved_port_type;

	corenet_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_reserved_port'($*))dnl
')

########################################
## Define network type to be a rpc port ( 512 lt PORT lt 1024)
##
##

## Define network type to be a rpc port ( 512 lt PORT lt 1024) ##

##

## This is for supporting third party modules and its ## use is not allowed in upstream reference policy. ##

##
##
## Parameters:
##	$1 - Type to be used for network ports.
#
# Same shape as corenet_reserved_port, with the rpc_port_type attribute
# (ports in the 512-1023 range historically used by RPC services).
define(`corenet_rpc_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_rpc_port'($*))dnl
	gen_require(`
		attribute rpc_port_type;
	')

	typeattribute $1 rpc_port_type;

	corenet_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_rpc_port'($*))dnl
')

########################################
## Define type to be a network node type
##
##

## Define type to be a network node type ##

##

## This is for supporting third party modules and its ## use is not allowed in upstream reference policy. ##

##
##
## Parameters:
##	$1 - Type to be used for network nodes.
#
# Attaches node_type so the *_all_nodes interfaces apply to $1.
define(`corenet_node',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_node'($*))dnl
	gen_require(`
		attribute node_type;
	')

	typeattribute $1 node_type;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_node'($*))dnl
')

########################################
## Define type to be a network packet type
##
##

## Define type to be a network packet type ##

##

## This is for supporting third party modules and its ## use is not allowed in upstream reference policy. ##

##
##
## Parameters:
##	$1 - Type to be used for a network packet.
#
# Attaches packet_type (SECMARK packet labels) to $1.
define(`corenet_packet',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_packet'($*))dnl
	gen_require(`
		attribute packet_type;
	')

	typeattribute $1 packet_type;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_packet'($*))dnl
')

########################################
## Define type to be a network client packet type
##
##

## Define type to be a network client packet type ##

##

## This is for supporting third party modules and its ## use is not allowed in upstream reference policy. ##

##
##
## Parameters:
##	$1 - Type to be used for a network client packet.
#
# Attaches both client_packet_type and the generic packet_type in a single
# typeattribute statement, so a client packet type is always also a packet
# type.
define(`corenet_client_packet',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_client_packet'($*))dnl
	gen_require(`
		attribute packet_type, client_packet_type;
	')

	typeattribute $1 client_packet_type, packet_type;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_client_packet'($*))dnl
')

########################################
## Define type to be a network server packet type
##
##

## Define type to be a network server packet type ##

##

## This is for supporting third party modules and its ## use is not allowed in upstream reference policy. ##

##
##
## Parameters:
##	$1 - Type to be used for a network server packet.
#
# Mirror of corenet_client_packet for the server side: server_packet_type
# plus the generic packet_type.
define(`corenet_server_packet',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_server_packet'($*))dnl
	gen_require(`
		attribute packet_type, server_packet_type;
	')

	typeattribute $1 server_packet_type, packet_type;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_server_packet'($*))dnl
')

########################################
## Make the specified type usable
## for labeled ipsec.
##
## Parameters:
##	$1 - Type to be used for labeled ipsec.
#
# Attaches ipsec_spd_type so $1 can label entries in the IPsec security
# policy database.
define(`corenet_spd_type',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_spd_type'($*))dnl
	gen_require(`
		attribute ipsec_spd_type;
	')

	typeattribute $1 ipsec_spd_type;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_spd_type'($*))dnl
')

########################################
## Send and receive TCP network traffic on generic interfaces.
##
##

## Allow the specified domain to send and receive TCP network ## traffic on generic network interfaces. ##

##

## Related interfaces: ##

##
    ##
  • corenet_all_recvfrom_unlabeled()
  • ##
  • corenet_tcp_sendrecv_generic_node()
  • ##
  • corenet_tcp_sendrecv_all_ports()
  • ##
  • corenet_tcp_connect_all_ports()
  • ##
##

## Example client being able to connect to all ports over ## generic nodes, without labeled networking: ##

##

## allow myclient_t self:tcp_socket create_stream_socket_perms; ## corenet_tcp_sendrecv_generic_if(myclient_t) ## corenet_tcp_sendrecv_generic_node(myclient_t) ## corenet_tcp_sendrecv_all_ports(myclient_t) ## corenet_tcp_connect_all_ports(myclient_t) ## corenet_all_recvfrom_unlabeled(myclient_t) ##

##
##
## Parameters:
##	$1 - Domain allowed access.
#
# Grants the legacy per-protocol netif permissions (tcp_send/tcp_recv) as
# well as the generic egress/ingress permissions on the unlabeled interface
# type netif_t.  Only netif_t is covered; interfaces given their own type
# need corenet_tcp_sendrecv_all_if or a type-specific rule.
define(`corenet_tcp_sendrecv_generic_if',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_generic_if'($*))dnl
	gen_require(`
		type netif_t;
	')

	allow $1 netif_t:netif { tcp_send tcp_recv egress ingress };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_generic_if'($*))dnl
')

########################################
## Send UDP network traffic on generic interfaces.
##
## Parameters:
##	$1 - Domain allowed access.
#
# Outbound half only: udp_send plus egress on netif_t.
define(`corenet_udp_send_generic_if',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_generic_if'($*))dnl
	gen_require(`
		type netif_t;
	')

	allow $1 netif_t:netif { udp_send egress };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_generic_if'($*))dnl
')

########################################
## Dontaudit attempts to send UDP network traffic
## on generic interfaces.
##
## Parameters:
##	$1 - Domain to not audit.
#
# Same permission set as corenet_udp_send_generic_if, as a dontaudit: the
# denial stays in force, only the AVC message is suppressed.
define(`corenet_dontaudit_udp_send_generic_if',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_generic_if'($*))dnl
	gen_require(`
		type netif_t;
	')

	dontaudit $1 netif_t:netif { udp_send egress };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_generic_if'($*))dnl
')

########################################
## Receive UDP network traffic on generic interfaces.
##
## Parameters:
##	$1 - Domain allowed access.
#
# Inbound half: udp_recv plus ingress on netif_t.
define(`corenet_udp_receive_generic_if',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_generic_if'($*))dnl
	gen_require(`
		type netif_t;
	')

	allow $1 netif_t:netif { udp_recv ingress };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_generic_if'($*))dnl
')

########################################
## Do not audit attempts to receive UDP network
## traffic on generic interfaces.
##
## Parameters:
##	$1 - Domain to not audit.
#
# dontaudit twin of corenet_udp_receive_generic_if.
define(`corenet_dontaudit_udp_receive_generic_if',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_generic_if'($*))dnl
	gen_require(`
		type netif_t;
	')

	dontaudit $1 netif_t:netif { udp_recv ingress };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_generic_if'($*))dnl
')

########################################
## Send and receive UDP network traffic on generic interfaces.
##
##

## Allow the specified domain to send and receive UDP network ## traffic on generic network interfaces. ##

##

## Related interfaces: ##

##
    ##
  • corenet_all_recvfrom_unlabeled()
  • ##
  • corenet_udp_sendrecv_generic_node()
  • ##
  • corenet_udp_sendrecv_all_ports()
  • ##
##

## Example client being able to send to all ports over ## generic nodes, without labeled networking: ##

##

## allow myclient_t self:udp_socket create_socket_perms; ## corenet_udp_sendrecv_generic_if(myclient_t) ## corenet_udp_sendrecv_generic_node(myclient_t) ## corenet_udp_sendrecv_all_ports(myclient_t) ## corenet_all_recvfrom_unlabeled(myclient_t) ##

##
##
## Parameters:
##	$1 - Domain allowed access.
#
# Convenience wrapper: composes the send and receive halves.  It declares
# no requirements of its own; netif_t comes from the called interfaces.
define(`corenet_udp_sendrecv_generic_if',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_generic_if'($*))dnl
	corenet_udp_send_generic_if($1)
	corenet_udp_receive_generic_if($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_generic_if'($*))dnl
')

########################################
## Do not audit attempts to send and receive UDP network
## traffic on generic interfaces.
##
## Parameters:
##	$1 - Domain to not audit.
#
# dontaudit twin of corenet_udp_sendrecv_generic_if.
define(`corenet_dontaudit_udp_sendrecv_generic_if',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_generic_if'($*))dnl
	corenet_dontaudit_udp_send_generic_if($1)
	corenet_dontaudit_udp_receive_generic_if($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_generic_if'($*))dnl
')

########################################
## Send raw IP packets on generic interfaces.
##
## Parameters:
##	$1 - Domain allowed access.
#
# rawip_send lets $1 emit packets that bypass the TCP/UDP port checks; it
# is normally paired with a raw socket capability and should be limited to
# network diagnostic and routing daemons.
define(`corenet_raw_send_generic_if',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_generic_if'($*))dnl
	gen_require(`
		type netif_t;
	')

	allow $1 netif_t:netif { rawip_send egress };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_generic_if'($*))dnl
')

########################################
## Receive raw IP packets on generic interfaces.
##
## Parameters:
##	$1 - Domain allowed access.
#
# Inbound raw IP on netif_t (rawip_recv plus ingress).
define(`corenet_raw_receive_generic_if',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_generic_if'($*))dnl
	gen_require(`
		type netif_t;
	')

	allow $1 netif_t:netif { rawip_recv ingress };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_generic_if'($*))dnl
')

########################################
## Send and receive raw IP packets on generic interfaces.
##
## Parameters:
##	$1 - Domain allowed access.
#
# Composes the raw send and receive interfaces.
define(`corenet_raw_sendrecv_generic_if',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_generic_if'($*))dnl
	corenet_raw_send_generic_if($1)
	corenet_raw_receive_generic_if($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_generic_if'($*))dnl
')

########################################
## Allow outgoing network traffic on the generic interfaces.
##
## Parameters:
##	$1 - The peer label of the outgoing network traffic.
#
# Note that $1 here is a peer label (the label of the remote end under
# labeled networking), not a process domain, unlike most corenet
# interfaces.  Only the protocol-neutral egress permission is granted.
define(`corenet_out_generic_if',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_out_generic_if'($*))dnl
	gen_require(`
		type netif_t;
	')

	allow $1 netif_t:netif egress;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_out_generic_if'($*))dnl
')

########################################
## Allow incoming traffic on the generic interfaces.
##
## Parameters:
##	$1 - The peer label of the incoming network traffic.
#
# Peer-label counterpart of corenet_out_generic_if: ingress only.
define(`corenet_in_generic_if',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_in_generic_if'($*))dnl
	gen_require(`
		type netif_t;
	')

	allow $1 netif_t:netif ingress;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_in_generic_if'($*))dnl
')

########################################
## Allow incoming and outgoing network traffic on the generic interfaces.
##
## Parameters:
##	$1 - The peer label of the network traffic.
#
# Composes corenet_in_generic_if and corenet_out_generic_if.
define(`corenet_inout_generic_if',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_inout_generic_if'($*))dnl
	corenet_in_generic_if($1)
	corenet_out_generic_if($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_inout_generic_if'($*))dnl
')

########################################
## Send and receive TCP network traffic on all interfaces.
##
## Parameters:
##	$1 - Domain allowed access.
#
# Unlike the *_generic_if variants this targets the netif_type attribute,
# i.e. every interface type including ones that were deliberately given a
# distinct label to isolate them.  Prefer the generic form unless the
# domain really must talk on every interface.
define(`corenet_tcp_sendrecv_all_if',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_all_if'($*))dnl
	gen_require(`
		attribute netif_type;
	')

	allow $1 netif_type:netif { tcp_send tcp_recv egress ingress };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_all_if'($*))dnl
')

########################################
## Send UDP network traffic on all interfaces.
##
## Parameters:
##	$1 - Domain allowed access.
#
# udp_send plus egress on every netif_type interface.
define(`corenet_udp_send_all_if',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_all_if'($*))dnl
	gen_require(`
		attribute netif_type;
	')

	allow $1 netif_type:netif { udp_send egress };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_all_if'($*))dnl
')

########################################
## Receive UDP network traffic on all interfaces.
##
## Parameters:
##	$1 - Domain allowed access.
#
# udp_recv plus ingress on every netif_type interface.
define(`corenet_udp_receive_all_if',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_all_if'($*))dnl
	gen_require(`
		attribute netif_type;
	')

	allow $1 netif_type:netif { udp_recv ingress };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_all_if'($*))dnl
')

########################################
## Send and receive UDP network traffic on all interfaces.
##
## Parameters:
##	$1 - Domain allowed access.
#
# Composes the all-interface UDP send and receive halves.
define(`corenet_udp_sendrecv_all_if',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_all_if'($*))dnl
	corenet_udp_send_all_if($1)
	corenet_udp_receive_all_if($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_all_if'($*))dnl
')

########################################
## Send raw IP packets on all interfaces.
##
## Parameters:
##	$1 - Domain allowed access.
#
# Raw IP egress on every interface type; see the note on
# corenet_raw_send_generic_if about limiting who gets raw send.
define(`corenet_raw_send_all_if',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_all_if'($*))dnl
	gen_require(`
		attribute netif_type;
	')

	allow $1 netif_type:netif { rawip_send egress };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_all_if'($*))dnl
')

########################################
## Send and receive SCTP network traffic on generic nodes.
##
## Parameters:
##	$1 - Domain allowed access.
#
# Only the protocol-neutral sendto/recvfrom node permissions are granted;
# there is no SCTP-specific pair here, unlike the tcp_/udp_/dccp_ node
# interfaces below.
define(`corenet_sctp_sendrecv_generic_node',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_sendrecv_generic_node'($*))dnl
	gen_require(`
		type node_t;
	')

	allow $1 node_t:node { sendto recvfrom };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_sendrecv_generic_node'($*))dnl
')

########################################
## Receive raw IP packets on all interfaces.
##
## Parameters:
##	$1 - Domain allowed access.
#
# rawip_recv plus ingress on every netif_type interface.
define(`corenet_raw_receive_all_if',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_all_if'($*))dnl
	gen_require(`
		attribute netif_type;
	')

	allow $1 netif_type:netif { rawip_recv ingress };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_all_if'($*))dnl
')

########################################
## Send and receive raw IP packets on all interfaces.
##
## Parameters:
##	$1 - Domain allowed access.
#
# Composes the all-interface raw send and receive halves.
define(`corenet_raw_sendrecv_all_if',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_all_if'($*))dnl
	corenet_raw_send_all_if($1)
	corenet_raw_receive_all_if($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_all_if'($*))dnl
')

########################################
## Send and receive DCCP network traffic on generic nodes.
##
## Parameters:
##	$1 - Domain allowed access.
#
# DCCP-specific node permissions plus the generic sendto/recvfrom pair on
# the unlabeled node type node_t.
define(`corenet_dccp_sendrecv_generic_node',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_sendrecv_generic_node'($*))dnl
	gen_require(`
		type node_t;
	')

	allow $1 node_t:node { dccp_send dccp_recv sendto recvfrom };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_sendrecv_generic_node'($*))dnl
')

########################################
## Send and receive TCP network traffic on generic nodes.
##
##

## Allow the specified domain to send and receive TCP network ## traffic to/from generic network nodes (hostnames/networks). ##

##

## Related interfaces: ##

##
    ##
  • corenet_all_recvfrom_unlabeled()
  • ##
  • corenet_tcp_sendrecv_generic_if()
  • ##
  • corenet_tcp_sendrecv_all_ports()
  • ##
  • corenet_tcp_connect_all_ports()
  • ##
##

## Example client being able to connect to all ports over ## generic nodes, without labeled networking: ##

##

## allow myclient_t self:tcp_socket create_stream_socket_perms; ## corenet_tcp_sendrecv_generic_if(myclient_t) ## corenet_tcp_sendrecv_generic_node(myclient_t) ## corenet_tcp_sendrecv_all_ports(myclient_t) ## corenet_tcp_connect_all_ports(myclient_t) ## corenet_all_recvfrom_unlabeled(myclient_t) ##

##
##
## Parameters:
##	$1 - Domain allowed access.
#
# TCP node permissions on node_t (the catch-all node label).  Nodes given
# their own type for isolation are not covered; see the *_all_nodes forms.
define(`corenet_tcp_sendrecv_generic_node',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_generic_node'($*))dnl
	gen_require(`
		type node_t;
	')

	allow $1 node_t:node { tcp_send tcp_recv sendto recvfrom };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_generic_node'($*))dnl
')

########################################
## Send UDP network traffic on generic nodes.
##
## Parameters:
##	$1 - Domain allowed access.
#
# Outbound UDP to node_t: udp_send plus sendto.
define(`corenet_udp_send_generic_node',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_generic_node'($*))dnl
	gen_require(`
		type node_t;
	')

	allow $1 node_t:node { udp_send sendto };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_generic_node'($*))dnl
')

########################################
## Receive UDP network traffic on generic nodes.
##
## Parameters:
##	$1 - Domain allowed access.
#
# Inbound UDP from node_t: udp_recv plus recvfrom.
define(`corenet_udp_receive_generic_node',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_generic_node'($*))dnl
	gen_require(`
		type node_t;
	')

	allow $1 node_t:node { udp_recv recvfrom };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_generic_node'($*))dnl
')

########################################
## Send and receive UDP network traffic on generic nodes.
##
##

## Allow the specified domain to send and receive UDP network ## traffic to/from generic network nodes (hostnames/networks). ##

##

## Related interfaces: ##

##
    ##
  • corenet_all_recvfrom_unlabeled()
  • ##
  • corenet_udp_sendrecv_generic_if()
  • ##
  • corenet_udp_sendrecv_all_ports()
  • ##
##

## Example client being able to send to all ports over ## generic nodes, without labeled networking: ##

##

## allow myclient_t self:udp_socket create_socket_perms; ## corenet_udp_sendrecv_generic_if(myclient_t) ## corenet_udp_sendrecv_generic_node(myclient_t) ## corenet_udp_sendrecv_all_ports(myclient_t) ## corenet_all_recvfrom_unlabeled(myclient_t) ##

##
##
## Parameters:
##	$1 - Domain allowed access.
#
# Composes the generic-node UDP send and receive halves.
define(`corenet_udp_sendrecv_generic_node',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_generic_node'($*))dnl
	corenet_udp_send_generic_node($1)
	corenet_udp_receive_generic_node($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_generic_node'($*))dnl
')

########################################
## Send raw IP packets on generic nodes.
##
## Parameters:
##	$1 - Domain allowed access.
#
# Raw IP egress toward node_t; keep to diagnostic/routing domains.
define(`corenet_raw_send_generic_node',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_generic_node'($*))dnl
	gen_require(`
		type node_t;
	')

	allow $1 node_t:node { rawip_send sendto };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_generic_node'($*))dnl
')

########################################
## Receive raw IP packets on generic nodes.
##
## Parameters:
##	$1 - Domain allowed access.
#
# Raw IP ingress from node_t.
define(`corenet_raw_receive_generic_node',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_generic_node'($*))dnl
	gen_require(`
		type node_t;
	')

	allow $1 node_t:node { rawip_recv recvfrom };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_generic_node'($*))dnl
')

########################################
## Send and receive raw IP packets on generic nodes.
##
## Parameters:
##	$1 - Domain allowed access.
#
# Composes the generic-node raw send and receive halves.
define(`corenet_raw_sendrecv_generic_node',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_generic_node'($*))dnl
	corenet_raw_send_generic_node($1)
	corenet_raw_receive_generic_node($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_generic_node'($*))dnl
')

########################################
## Bind DCCP sockets to generic nodes.
##
## Parameters:
##	$1 - Domain allowed access.
#
# node_bind on the socket class controls which local addresses a socket may
# be bound to; node_t covers every address not given a specific node type.
define(`corenet_dccp_bind_generic_node',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_bind_generic_node'($*))dnl
	gen_require(`
		type node_t;
	')

	allow $1 node_t:dccp_socket node_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_bind_generic_node'($*))dnl
')

########################################
## Bind SCTP sockets to generic nodes.
##
## Parameters:
##	$1 - Domain allowed access.
#
# As corenet_dccp_bind_generic_node, for the sctp_socket class.
define(`corenet_sctp_bind_generic_node',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_bind_generic_node'($*))dnl
	gen_require(`
		type node_t;
	')

	allow $1 node_t:sctp_socket node_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_bind_generic_node'($*))dnl
')

########################################
## Bind ICMP sockets to generic nodes.
##
## Parameters:
##	$1 - Domain allowed access.
#
# As corenet_dccp_bind_generic_node, for the icmp_socket class.
define(`corenet_icmp_bind_generic_node',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_icmp_bind_generic_node'($*))dnl
	gen_require(`
		type node_t;
	')

	allow $1 node_t:icmp_socket node_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_icmp_bind_generic_node'($*))dnl
')

########################################
## Bind TCP sockets to generic nodes.
##
##

## Bind TCP sockets to generic nodes. This is ## necessary for binding a socket so it ## can be used for servers to listen ## for incoming connections. ##

##

## Related interface: ##

##
    ##
  • corenet_udp_bind_generic_node()
  • ##
##
##
## Parameters:
##	$1 - Domain allowed access.
#
# node_bind for tcp_socket on node_t.  This only permits the bind itself;
# binding to a specific port additionally needs the matching port type
# rule (see the corenet_tcp_bind_*_port interfaces elsewhere in this file).
define(`corenet_tcp_bind_generic_node',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_generic_node'($*))dnl
	gen_require(`
		type node_t;
	')

	allow $1 node_t:tcp_socket node_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_generic_node'($*))dnl
')

########################################
## Bind UDP sockets to generic nodes.
##
##

## Bind UDP sockets to generic nodes. This is ## necessary for binding a socket so it ## can be used by servers to receive ## incoming datagrams. ##

##

## Related interface: ##

##
    ##
  • corenet_tcp_bind_generic_node()
  • ##
##
##
## Parameters:
##	$1 - Domain allowed access.
#
# node_bind for udp_socket on node_t; the port side is controlled
# separately by the port type rules.
define(`corenet_udp_bind_generic_node',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_generic_node'($*))dnl
	gen_require(`
		type node_t;
	')

	allow $1 node_t:udp_socket node_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_generic_node'($*))dnl
')

########################################
## Dontaudit attempts to bind TCP sockets to generic nodes.
##
## Parameters:
##	$1 - Domain to not audit.
#
# dontaudit twin of corenet_tcp_bind_generic_node.
define(`corenet_dontaudit_tcp_bind_generic_node',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_bind_generic_node'($*))dnl
	gen_require(`
		type node_t;
	')

	dontaudit $1 node_t:tcp_socket node_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_bind_generic_node'($*))dnl
')

########################################
## Dontaudit attempts to bind UDP sockets to generic nodes.
##
## Parameters:
##	$1 - Domain to not audit.
#
# dontaudit twin of corenet_udp_bind_generic_node.
define(`corenet_dontaudit_udp_bind_generic_node',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_generic_node'($*))dnl
	gen_require(`
		type node_t;
	')

	dontaudit $1 node_t:udp_socket node_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_generic_node'($*))dnl
')

########################################
## Bind raw sockets to generic nodes.
##
## Parameters:
##	$1 - Domain allowed access.
#
# rawip_socket node_bind does not make much sense.
# cjp: vmware hits this too define(`corenet_raw_bind_generic_node',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_raw_bind_generic_node'($*)) dnl gen_require(` type node_t; ') allow $1 node_t:rawip_socket node_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_raw_bind_generic_node'($*)) dnl ') ######################################## ## ## Allow outgoing network traffic to generic nodes. ## ## ## ## The peer label of the outgoing network traffic. ## ## ## # define(`corenet_out_generic_node',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_out_generic_node'($*)) dnl gen_require(` type node_t; ') allow $1 node_t:node sendto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_out_generic_node'($*)) dnl ') ######################################## ## ## Allow incoming network traffic from generic nodes. ## ## ## ## The peer label of the incoming network traffic. ## ## ## # define(`corenet_in_generic_node',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_in_generic_node'($*)) dnl gen_require(` type node_t; ') allow $1 node_t:node recvfrom; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_in_generic_node'($*)) dnl ') ######################################## ## ## Allow incoming and outgoing network traffic with generic nodes. ## ## ## ## The peer label of the network traffic. 
## ## ## # define(`corenet_inout_generic_node',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_inout_generic_node'($*)) dnl corenet_in_generic_node($1) corenet_out_generic_node($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_inout_generic_node'($*)) dnl ') ######################################## ## ## Send and receive DCCP network traffic on all nodes. ## ## ## ## Domain allowed access. ## ## # define(`corenet_dccp_sendrecv_all_nodes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dccp_sendrecv_all_nodes'($*)) dnl gen_require(` attribute node_type; ') allow $1 node_type:node { dccp_send dccp_recv sendto recvfrom }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dccp_sendrecv_all_nodes'($*)) dnl ') ######################################## ## ## Send and receive TCP network traffic on all nodes. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_sendrecv_all_nodes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_all_nodes'($*)) dnl gen_require(` attribute node_type; ') allow $1 node_type:node { tcp_send tcp_recv sendto recvfrom }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_all_nodes'($*)) dnl ') ######################################## ## ## Send UDP network traffic on all nodes. ## ## ## ## Domain allowed access. 
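##	</summary>
## </param>
#
define(`corenet_udp_send_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_all_nodes'($*)) dnl
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:node { udp_send sendto };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_all_nodes'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP network
##	traffic on any nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_all_nodes'($*)) dnl
	gen_require(`
		attribute node_type;
	')

	dontaudit $1 node_type:node { udp_send sendto };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_all_nodes'($*)) dnl
')

########################################
## <summary>
##	Send and receive SCTP network traffic on all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Only the generic sendto/recvfrom node permissions are granted here;
# there is no SCTP-specific node permission in this policy.
define(`corenet_sctp_sendrecv_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_sendrecv_all_nodes'($*)) dnl
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:node { sendto recvfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_sendrecv_all_nodes'($*)) dnl
')

########################################
## <summary>
##	Receive UDP network traffic on all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_all_nodes'($*)) dnl
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:node { udp_recv recvfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_all_nodes'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP
##	network traffic on all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_all_nodes'($*)) dnl
	gen_require(`
		attribute node_type;
	')

	dontaudit $1 node_type:node { udp_recv recvfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_all_nodes'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP network traffic on all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_all_nodes'($*)) dnl
	corenet_udp_send_all_nodes($1)
	corenet_udp_receive_all_nodes($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_all_nodes'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive UDP
##	network traffic on any nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_all_nodes'($*)) dnl
	corenet_dontaudit_udp_send_all_nodes($1)
	corenet_dontaudit_udp_receive_all_nodes($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_all_nodes'($*)) dnl
')

########################################
## <summary>
##	Send raw IP packets on all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_raw_send_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_all_nodes'($*)) dnl
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:node { rawip_send sendto };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_all_nodes'($*)) dnl
')

########################################
## <summary>
##	Receive raw IP packets on all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_raw_receive_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_all_nodes'($*)) dnl
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:node { rawip_recv recvfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_all_nodes'($*)) dnl
')

########################################
## <summary>
##	Send and receive raw IP packets on all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_raw_sendrecv_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_all_nodes'($*)) dnl
	corenet_raw_send_all_nodes($1)
	corenet_raw_receive_all_nodes($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_all_nodes'($*)) dnl
')

########################################
## <summary>
##	Bind DCCP sockets to all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_dccp_bind_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_bind_all_nodes'($*)) dnl
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:dccp_socket node_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_bind_all_nodes'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_nodes'($*)) dnl
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:tcp_socket node_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_nodes'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_all_nodes'($*)) dnl
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:udp_socket node_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_all_nodes'($*)) dnl
')

########################################
## <summary>
##	Bind raw sockets to all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.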
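##	</summary>
## </param>
#
# rawip_socket node_bind does not make much sense.
# cjp: vmware hits this too
define(`corenet_raw_bind_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_bind_all_nodes'($*)) dnl
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:rawip_socket node_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_bind_all_nodes'($*)) dnl
')

########################################
## <summary>
##	Send and receive DCCP network traffic on generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# "Generic" ports are the three unlabeled/default port types:
# port_t, unreserved_port_t and ephemeral_port_t.
define(`corenet_dccp_sendrecv_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_sendrecv_generic_port'($*)) dnl
	gen_require(`
		type port_t, unreserved_port_t, ephemeral_port_t;
	')

	allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_sendrecv_generic_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP network traffic on generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_generic_port'($*)) dnl
	gen_require(`
		type port_t, unreserved_port_t, ephemeral_port_t;
	')

	allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_generic_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and
##	receive DCCP network traffic on
##	generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_dccp_sendrecv_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_dccp_sendrecv_generic_port'($*)) dnl
	gen_require(`
		type port_t, unreserved_port_t, ephemeral_port_t;
	')

	dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_dccp_sendrecv_generic_port'($*)) dnl
')

########################################
## <summary>
##	Bind SCTP sockets to all nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sctp_bind_all_nodes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_bind_all_nodes'($*)) dnl
	gen_require(`
		attribute node_type;
	')

	allow $1 node_type:sctp_socket node_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_bind_all_nodes'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	TCP network traffic on generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_sendrecv_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_sendrecv_generic_port'($*)) dnl
	gen_require(`
		type port_t, unreserved_port_t, ephemeral_port_t;
	')

	dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_sendrecv_generic_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP network traffic on generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_generic_port'($*)) dnl
	gen_require(`
		type port_t, unreserved_port_t, ephemeral_port_t;
	')

	allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_generic_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP network traffic on generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_generic_port'($*)) dnl
	gen_require(`
		type port_t, unreserved_port_t, ephemeral_port_t;
	')

	allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_generic_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP network traffic on generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_generic_port'($*)) dnl
	corenet_udp_send_generic_port($1)
	corenet_udp_receive_generic_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_generic_port'($*)) dnl
')

########################################
## <summary>
##	Bind DCCP sockets to generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# The dontaudit on defined_port_type silences name_bind denials against
# labeled (service-specific) ports -- presumably so an unspecified-port bind
# that lands on one does not generate noise.  Note that it also hides a
# caller's explicit attempts to bind such ports from the audit log.
define(`corenet_dccp_bind_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_bind_generic_port'($*)) dnl
	gen_require(`
		type port_t, unreserved_port_t, ephemeral_port_t;
		attribute defined_port_type;
	')

	allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind;
	dontaudit $1 defined_port_type:dccp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_bind_generic_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# See corenet_dccp_bind_generic_port() regarding the defined_port_type
# dontaudit: it masks denials for explicit binds to labeled ports too.
define(`corenet_tcp_bind_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_generic_port'($*)) dnl
	gen_require(`
		type port_t, unreserved_port_t, ephemeral_port_t;
		attribute defined_port_type;
	')

	allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind;
	dontaudit $1 defined_port_type:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_generic_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind DCCP
##	sockets to generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_dccp_bind_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_dccp_bind_generic_port'($*)) dnl
	gen_require(`
		type port_t, unreserved_port_t, ephemeral_port_t;
	')

	dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_dccp_bind_generic_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind TCP
##	sockets to generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_bind_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_bind_generic_port'($*)) dnl
	gen_require(`
		type port_t, unreserved_port_t, ephemeral_port_t;
	')

	dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_bind_generic_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# See corenet_dccp_bind_generic_port() regarding the defined_port_type
# dontaudit: it masks denials for explicit binds to labeled ports too.
define(`corenet_udp_bind_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_generic_port'($*)) dnl
	gen_require(`
		type port_t, unreserved_port_t, ephemeral_port_t;
		attribute defined_port_type;
	')

	allow $1 { port_t unreserved_port_t ephemeral_port_t }:udp_socket name_bind;
	dontaudit $1 defined_port_type:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_generic_port'($*)) dnl
')

########################################
## <summary>
##	Connect DCCP sockets to generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_dccp_connect_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_connect_generic_port'($*)) dnl
	gen_require(`
		type port_t, unreserved_port_t, ephemeral_port_t;
	')

	allow $1 { port_t unreserved_port_t ephemeral_port_t }:dccp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_connect_generic_port'($*)) dnl
')

########################################
## <summary>
##	Connect TCP sockets to generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.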
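##	</summary>
## </param>
#
define(`corenet_tcp_connect_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_generic_port'($*)) dnl
	gen_require(`
		type port_t, unreserved_port_t, ephemeral_port_t;
	')

	allow $1 { port_t unreserved_port_t ephemeral_port_t }:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_generic_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive DCCP network traffic on all ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Coarse-grained: covers every port type (port_type attribute).  Prefer a
# narrower port interface when the ports the domain uses are known.
define(`corenet_dccp_sendrecv_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_sendrecv_all_ports'($*)) dnl
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:dccp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_sendrecv_all_ports'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP network traffic on all ports.
## </summary>
## <desc>
##	<p>
##	Send and receive TCP network traffic on all ports.
##	</p>
##	<p>
##	Related interfaces:
##	</p>
##	<ul>
##		<li>corenet_all_recvfrom_unlabeled()</li>
##		<li>corenet_tcp_sendrecv_generic_if()</li>
##		<li>corenet_tcp_sendrecv_generic_node()</li>
##		<li>corenet_tcp_connect_all_ports()</li>
##		<li>corenet_tcp_bind_all_ports()</li>
##	</ul>
##	<p>
##	Example client being able to connect to all ports over
##	generic nodes, without labeled networking:
##	</p>
##	<p>
##	allow myclient_t self:tcp_socket create_stream_socket_perms;<br />
##	corenet_tcp_sendrecv_generic_if(myclient_t)<br />
##	corenet_tcp_sendrecv_generic_node(myclient_t)<br />
##	corenet_tcp_sendrecv_all_ports(myclient_t)<br />
##	corenet_tcp_connect_all_ports(myclient_t)<br />
##	corenet_all_recvfrom_unlabeled(myclient_t)
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Coarse-grained: covers every port type (port_type attribute).  Prefer a
# narrower port interface when the ports the domain uses are known.
define(`corenet_tcp_sendrecv_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_all_ports'($*)) dnl
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_all_ports'($*)) dnl
')

########################################
## <summary>
##	Send UDP network traffic on all ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_all_ports'($*)) dnl
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_all_ports'($*)) dnl
')

########################################
## <summary>
##	Bind SCTP sockets to generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# The dontaudit on defined_port_type silences name_bind denials against
# labeled (service-specific) ports; it also hides a caller's explicit
# attempts to bind such ports from the audit log.
define(`corenet_sctp_bind_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_bind_generic_port'($*)) dnl
	gen_require(`
		type port_t, unreserved_port_t, ephemeral_port_t;
		attribute defined_port_type;
	')

	allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
	dontaudit $1 defined_port_type:sctp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_bind_generic_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind SCTP
##	sockets to generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.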
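##	</summary>
## </param>
#
define(`corenet_dontaudit_sctp_bind_generic_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sctp_bind_generic_port'($*)) dnl
	gen_require(`
		type port_t, unreserved_port_t, ephemeral_port_t;
	')

	dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sctp_bind_generic_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind SCTP sockets to any ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Silences every SCTP name_bind denial for the domain; use sparingly,
# since it removes the audit evidence of unexpected bind attempts.
define(`corenet_dontaudit_sctp_bind_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sctp_bind_all_ports'($*)) dnl
	gen_require(`
		attribute port_type;
	')

	dontaudit $1 port_type:sctp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sctp_bind_all_ports'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to connect SCTP sockets
##	to all ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sctp_connect_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sctp_connect_all_ports'($*)) dnl
	gen_require(`
		attribute port_type;
	')

	dontaudit $1 port_type:sctp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sctp_connect_all_ports'($*)) dnl
')

########################################
## <summary>
##	Connect SCTP sockets to all ports > 1024
##	(every port type carrying the unreserved_port_type attribute).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sctp_connect_all_unreserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_connect_all_unreserved_ports'($*)) dnl
	gen_require(`
		attribute unreserved_port_type;
	')

	allow $1 unreserved_port_type:sctp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_connect_all_unreserved_ports'($*)) dnl
')

########################################
## <summary>
##	Connect SCTP sockets to all ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Coarse-grained: covers every port type (port_type attribute).  Prefer a
# narrower port interface when the ports the domain uses are known.
define(`corenet_sctp_connect_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_connect_all_ports'($*)) dnl
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:sctp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_connect_all_ports'($*)) dnl
')

########################################
## <summary>
##	Bind SCTP sockets to all reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Beyond the port-label check, this also grants the caller the
# net_bind_service capability (CAP_NET_BIND_SERVICE) on itself, which is
# what lets it bind privileged ports at all.  Callers that only need
# unprivileged ports should use a generic-port bind interface instead.
define(`corenet_sctp_bind_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_bind_all_reserved_ports'($*)) dnl
	gen_require(`
		attribute reserved_port_type;
	')

	allow $1 reserved_port_type:sctp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_bind_all_reserved_ports'($*)) dnl
')

########################################
## <summary>
##	Receive UDP network traffic on all ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_all_ports'($*)) dnl
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_all_ports'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP network traffic on all ports.
## </summary>
## <desc>
##	<p>
##	Send and receive UDP network traffic on all ports.
##	</p>
##	<p>
##	Related interfaces:
##	</p>
##	<ul>
##		<li>corenet_all_recvfrom_unlabeled()</li>
##		<li>corenet_udp_sendrecv_generic_if()</li>
##		<li>corenet_udp_sendrecv_generic_node()</li>
##		<li>corenet_udp_bind_all_ports()</li>
##	</ul>
##	<p>
##	Example client being able to send to all ports over
##	generic nodes, without labeled networking:
##	</p>
##	<p>
##	allow myclient_t self:udp_socket create_socket_perms;<br />
##	corenet_udp_sendrecv_generic_if(myclient_t)<br />
##	corenet_udp_sendrecv_generic_node(myclient_t)<br />
##	corenet_udp_sendrecv_all_ports(myclient_t)<br />
##	corenet_all_recvfrom_unlabeled(myclient_t)
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Coarse-grained: covers every port type (port_type attribute).  Prefer a
# narrower port interface when the ports the domain uses are known.
define(`corenet_udp_sendrecv_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_all_ports'($*)) dnl
	corenet_udp_send_all_ports($1)
	corenet_udp_receive_all_ports($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_all_ports'($*)) dnl
')

########################################
## <summary>
##	Bind DCCP sockets to all ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Beyond the port-label check, this also grants the caller the
# net_bind_service capability (CAP_NET_BIND_SERVICE) on itself, so the
# domain can bind privileged ports.  Callers that only need unprivileged
# ports should use corenet_dccp_bind_generic_port() instead.
define(`corenet_dccp_bind_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_bind_all_ports'($*)) dnl
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:dccp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_bind_all_ports'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to all ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Beyond the port-label check, this also grants the caller the
# net_bind_service capability (CAP_NET_BIND_SERVICE) on itself, so the
# domain can bind privileged ports.  Callers that only need unprivileged
# ports should use corenet_tcp_bind_generic_port() instead.
define(`corenet_tcp_bind_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_ports'($*)) dnl
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_ports'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind DCCP sockets to any ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_dccp_bind_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_dccp_bind_all_ports'($*)) dnl
	gen_require(`
		attribute port_type;
	')

	dontaudit $1 port_type:dccp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_dccp_bind_all_ports'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind TCP sockets to any ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_bind_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_bind_all_ports'($*)) dnl
	gen_require(`
		attribute port_type;
	')

	dontaudit $1 port_type:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_bind_all_ports'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to all ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Beyond the port-label check, this also grants the caller the
# net_bind_service capability (CAP_NET_BIND_SERVICE) on itself, so the
# domain can bind privileged ports.  Callers that only need unprivileged
# ports should use corenet_udp_bind_generic_port() instead.
define(`corenet_udp_bind_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_all_ports'($*)) dnl
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_all_ports'($*)) dnl
')

########################################
## <summary>
##	Connect SCTP sockets to generic ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.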
## ## # define(`corenet_sctp_connect_generic_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sctp_connect_generic_port'($*)) dnl gen_require(` type port_t, unreserved_port_t,ephemeral_port_t; ') allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sctp_connect_generic_port'($*)) dnl ') ######################################## ## ## Do not audit attepts to bind UDP sockets to any ports. ## ## ## ## Domain to not audit. ## ## # define(`corenet_dontaudit_udp_bind_all_ports',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_all_ports'($*)) dnl gen_require(` attribute port_type; ') dontaudit $1 port_type:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_all_ports'($*)) dnl ') ######################################## ## ## Connect DCCP sockets to all ports. ## ## ## ## Domain allowed access. ## ## # define(`corenet_dccp_connect_all_ports',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dccp_connect_all_ports'($*)) dnl gen_require(` attribute port_type; ') allow $1 port_type:dccp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dccp_connect_all_ports'($*)) dnl ') ######################################## ## ## Connect TCP sockets to all ports. ## ## ##

## Connect TCP sockets to all ports ##

##

## Related interfaces: ##

##
    ##
  • corenet_all_recvfrom_unlabeled()
  • ##
  • corenet_tcp_sendrecv_generic_if()
  • ##
  • corenet_tcp_sendrecv_generic_node()
  • ##
  • corenet_tcp_sendrecv_all_ports()
  • ##
  • corenet_tcp_bind_all_ports()
  • ##
##

## Example of a client being able to connect to all ports over ## generic nodes, without labeled networking: ##

##

## allow myclient_t self:tcp_socket create_stream_socket_perms; ## corenet_tcp_sendrecv_generic_if(myclient_t) ## corenet_tcp_sendrecv_generic_node(myclient_t) ## corenet_tcp_sendrecv_all_ports(myclient_t) ## corenet_tcp_connect_all_ports(myclient_t) ## corenet_all_recvfrom_unlabeled(myclient_t) ##

##
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_all_ports'($*)) dnl
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_all_ports'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to connect DCCP sockets
##	to all ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_dccp_connect_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_dccp_connect_all_ports'($*)) dnl
	gen_require(`
		attribute port_type;
	')

	dontaudit $1 port_type:dccp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_dccp_connect_all_ports'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to connect TCP sockets
##	to all ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_all_ports'($*)) dnl
	gen_require(`
		attribute port_type;
	')

	dontaudit $1 port_type:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_all_ports'($*)) dnl
')

########################################
## <summary>
##	Send and receive DCCP network traffic on generic reserved ports.
## </summary>
## <desc>
##	<p>
##	Generic reserved ports are those labeled reserved_port_t only,
##	not every type carrying the reserved_port_type attribute; see
##	the *_all_reserved_ports interfaces for the latter.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_dccp_sendrecv_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_sendrecv_reserved_port'($*)) dnl
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:dccp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_sendrecv_reserved_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP network traffic on generic reserved ports.
## </summary>
## <desc>
##	<p>
##	Applies to the reserved_port_t type only.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_reserved_port'($*)) dnl
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_reserved_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP network traffic on generic reserved ports.
## </summary>
## <desc>
##	<p>
##	Applies to the reserved_port_t type only; send direction only.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_reserved_port'($*)) dnl
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_reserved_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP network traffic on generic reserved ports.
## </summary>
## <desc>
##	<p>
##	Applies to the reserved_port_t type only; receive direction only.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_reserved_port'($*)) dnl
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_reserved_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP network traffic on generic reserved ports.
## </summary>
## <desc>
##	<p>
##	Convenience wrapper that calls corenet_udp_send_reserved_port()
##	and corenet_udp_receive_reserved_port().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_reserved_port'($*)) dnl
	corenet_udp_send_reserved_port($1)
	corenet_udp_receive_reserved_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_reserved_port'($*)) dnl
')

########################################
## <summary>
##	Bind DCCP sockets to generic reserved ports.
## </summary>
## <desc>
##	<p>
##	Binds to the reserved_port_t type only. Also grants the
##	net_bind_service capability, which binding below port 1024
##	requires.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_dccp_bind_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_bind_reserved_port'($*)) dnl
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:dccp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_bind_reserved_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to generic reserved ports.
## </summary>
## <desc>
##	<p>
##	Binds to the reserved_port_t type only. Also grants the
##	net_bind_service capability, which binding below port 1024
##	requires.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_reserved_port'($*)) dnl
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_reserved_port'($*)) dnl
')

########################################
## <summary>
##	Bind SCTP sockets to all ports.
## </summary>
## <desc>
##	<p>
##	Allows name_bind on every type carrying the port_type
##	attribute and also grants the net_bind_service capability.
##	This is a broad grant; prefer the port-specific corenet
##	interfaces when the set of ports the domain needs is known.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sctp_bind_all_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_bind_all_ports'($*)) dnl
	gen_require(`
		attribute port_type;
	')

	allow $1 port_type:sctp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_bind_all_ports'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to generic reserved ports.
## </summary>
## <desc>
##	<p>
##	Binds to the reserved_port_t type only. Also grants the
##	net_bind_service capability, which binding below port 1024
##	requires.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_reserved_port'($*)) dnl
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_reserved_port'($*)) dnl
')

########################################
## <summary>
##	Connect DCCP sockets to generic reserved ports.
## </summary>
## <desc>
##	<p>
##	Applies to the reserved_port_t type only.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_dccp_connect_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_connect_reserved_port'($*)) dnl
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:dccp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_connect_reserved_port'($*)) dnl
')

########################################
## <summary>
##	Connect TCP sockets to generic reserved ports.
## </summary>
## <desc>
##	<p>
##	Applies to the reserved_port_t type only.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_reserved_port'($*)) dnl
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_reserved_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive DCCP network traffic on all reserved ports.
## </summary>
## <desc>
##	<p>
##	Covers every type carrying the reserved_port_type attribute,
##	i.e. all labeled ports below 1024, not only reserved_port_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_dccp_sendrecv_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_sendrecv_all_reserved_ports'($*)) dnl
	gen_require(`
		attribute reserved_port_type;
	')

	allow $1 reserved_port_type:dccp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_sendrecv_all_reserved_ports'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP network traffic on all reserved ports.
## </summary>
## <desc>
##	<p>
##	Covers every type carrying the reserved_port_type attribute,
##	not only reserved_port_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_all_reserved_ports'($*)) dnl
	gen_require(`
		attribute reserved_port_type;
	')

	allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_all_reserved_ports'($*)) dnl
')

########################################
## <summary>
##	Send UDP network traffic on all reserved ports.
## </summary>
## <desc>
##	<p>
##	Covers every type carrying the reserved_port_type attribute;
##	send direction only.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_all_reserved_ports'($*)) dnl
	gen_require(`
		attribute reserved_port_type;
	')

	allow $1 reserved_port_type:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_all_reserved_ports'($*)) dnl
')

########################################
## <summary>
##	Receive UDP network traffic on all reserved ports.
## </summary>
## <desc>
##	<p>
##	Covers every type carrying the reserved_port_type attribute;
##	receive direction only.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_all_reserved_ports'($*)) dnl
	gen_require(`
		attribute reserved_port_type;
	')

	allow $1 reserved_port_type:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_all_reserved_ports'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP network traffic on all reserved ports.
## </summary>
## <desc>
##	<p>
##	Convenience wrapper that calls
##	corenet_udp_send_all_reserved_ports() and
##	corenet_udp_receive_all_reserved_ports().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_all_reserved_ports'($*)) dnl
	corenet_udp_send_all_reserved_ports($1)
	corenet_udp_receive_all_reserved_ports($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_all_reserved_ports'($*)) dnl
')

########################################
## <summary>
##	Bind DCCP sockets to all reserved ports.
## </summary>
## <desc>
##	<p>
##	Allows name_bind on every type carrying the reserved_port_type
##	attribute and also grants the net_bind_service capability.
##	This lets the domain bind any privileged port; prefer the
##	port-specific interfaces when the ports are known.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_dccp_bind_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_bind_all_reserved_ports'($*)) dnl
	gen_require(`
		attribute reserved_port_type;
	')

	allow $1 reserved_port_type:dccp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_bind_all_reserved_ports'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to all reserved ports.
## </summary>
## <desc>
##	<p>
##	Allows name_bind on every type carrying the reserved_port_type
##	attribute and also grants the net_bind_service capability.
##	This lets the domain bind any privileged port; prefer the
##	port-specific interfaces when the ports are known.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_reserved_ports'($*)) dnl
	gen_require(`
		attribute reserved_port_type;
	')

	allow $1 reserved_port_type:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_reserved_ports'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind DCCP sockets to all reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_dccp_bind_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_dccp_bind_all_reserved_ports'($*)) dnl
	gen_require(`
		attribute reserved_port_type;
	')

	dontaudit $1 reserved_port_type:dccp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_dccp_bind_all_reserved_ports'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind TCP sockets to all reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_bind_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_bind_all_reserved_ports'($*)) dnl
	gen_require(`
		attribute reserved_port_type;
	')

	dontaudit $1 reserved_port_type:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_bind_all_reserved_ports'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to all reserved ports.
## </summary>
## <desc>
##	<p>
##	Allows name_bind on every type carrying the reserved_port_type
##	attribute and also grants the net_bind_service capability.
##	This lets the domain bind any privileged port; prefer the
##	port-specific interfaces when the ports are known.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_all_reserved_ports'($*)) dnl
	gen_require(`
		attribute reserved_port_type;
	')

	allow $1 reserved_port_type:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_all_reserved_ports'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to all reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_all_reserved_ports'($*)) dnl
	gen_require(`
		attribute reserved_port_type;
	')

	dontaudit $1 reserved_port_type:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_all_reserved_ports'($*)) dnl
')

########################################
## <summary>
##	Bind DCCP sockets to all ports > 1024.
## </summary>
## <desc>
##	<p>
##	Covers every type carrying the unreserved_port_type attribute.
##	No capability is granted, since unprivileged ports do not
##	need net_bind_service.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_dccp_bind_all_unreserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_bind_all_unreserved_ports'($*)) dnl
	gen_require(`
		attribute unreserved_port_type;
	')

	allow $1 unreserved_port_type:dccp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_bind_all_unreserved_ports'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to all ports > 1024.
## </summary>
## <desc>
##	<p>
##	Covers every type carrying the unreserved_port_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_all_unreserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_unreserved_ports'($*)) dnl
	gen_require(`
		attribute unreserved_port_type;
	')

	allow $1 unreserved_port_type:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_unreserved_ports'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to all ports > 1024.
## </summary>
## <desc>
##	<p>
##	The body is identical to corenet_tcp_bind_all_unreserved_ports();
##	this name appears to be kept for existing callers. New policy
##	should call the _all_ variant.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_unreserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_unreserved_ports'($*)) dnl
	gen_require(`
		attribute unreserved_port_type;
	')

	allow $1 unreserved_port_type:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_unreserved_ports'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to all ports > 1024.
## </summary>
## <desc>
##	<p>
##	Covers every type carrying the unreserved_port_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_all_unreserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_all_unreserved_ports'($*)) dnl
	gen_require(`
		attribute unreserved_port_type;
	')

	allow $1 unreserved_port_type:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_all_unreserved_ports'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to all ports > 32768.
## </summary>
## <desc>
##	<p>
##	Covers every type carrying the ephemeral_port_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_all_ephemeral_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_ephemeral_ports'($*)) dnl
	gen_require(`
		attribute ephemeral_port_type;
	')

	allow $1 ephemeral_port_type:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_ephemeral_ports'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to all ports > 32768.
## </summary>
## <desc>
##	<p>
##	Covers every type carrying the ephemeral_port_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_all_ephemeral_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_all_ephemeral_ports'($*)) dnl
	gen_require(`
		attribute ephemeral_port_type;
	')

	allow $1 ephemeral_port_type:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_all_ephemeral_ports'($*)) dnl
')

########################################
## <summary>
##	Connect DCCP sockets to all reserved ports.
## </summary>
## <desc>
##	<p>
##	Allows name_connect to every type carrying the
##	reserved_port_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_dccp_connect_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_connect_all_reserved_ports'($*)) dnl
	gen_require(`
		attribute reserved_port_type;
	')

	allow $1 reserved_port_type:dccp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_connect_all_reserved_ports'($*)) dnl
')

########################################
## <summary>
##	Connect TCP sockets to all reserved ports.
## </summary>
## <desc>
##	<p>
##	Allows name_connect to every type carrying the
##	reserved_port_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_all_reserved_ports'($*)) dnl
	gen_require(`
		attribute reserved_port_type;
	')

	allow $1 reserved_port_type:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_all_reserved_ports'($*)) dnl
')

########################################
## <summary>
##	Connect DCCP sockets to all ports > 1024.
## </summary>
## <desc>
##	<p>
##	Allows name_connect to every type carrying the
##	unreserved_port_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_dccp_connect_all_unreserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_connect_all_unreserved_ports'($*)) dnl
	gen_require(`
		attribute unreserved_port_type;
	')

	allow $1 unreserved_port_type:dccp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_connect_all_unreserved_ports'($*)) dnl
')

########################################
## <summary>
##	Connect TCP sockets to generic ports > 1024.
## </summary>
## <desc>
##	<p>
##	Applies to the unreserved_port_t type only, i.e. unprivileged
##	ports that carry no more specific label. For every type with
##	the unreserved_port_type attribute use
##	corenet_tcp_connect_all_unreserved_ports() instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_unreserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_unreserved_ports'($*)) dnl
	gen_require(`
		type unreserved_port_t;
	')

	allow $1 unreserved_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_unreserved_ports'($*)) dnl
')

########################################
## <summary>
##	Connect TCP sockets to all ports > 1024.
## </summary>
## <desc>
##	<p>
##	Allows name_connect to every type carrying the
##	unreserved_port_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_all_unreserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_all_unreserved_ports'($*)) dnl
	gen_require(`
		attribute unreserved_port_type;
	')

	allow $1 unreserved_port_type:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_all_unreserved_ports'($*)) dnl
')

########################################
## <summary>
##	Connect TCP sockets to all ports > 32768.
## </summary>
## <desc>
##	<p>
##	Allows name_connect to every type carrying the
##	ephemeral_port_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_all_ephemeral_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_all_ephemeral_ports'($*)) dnl
	gen_require(`
		attribute ephemeral_port_type;
	')

	allow $1 ephemeral_port_type:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_all_ephemeral_ports'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to connect DCCP sockets
##	to all reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_dccp_connect_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_dccp_connect_all_reserved_ports'($*)) dnl
	gen_require(`
		attribute reserved_port_type;
	')

	dontaudit $1 reserved_port_type:dccp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_dccp_connect_all_reserved_ports'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to connect TCP sockets
##	to all reserved ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_all_reserved_ports'($*)) dnl
	gen_require(`
		attribute reserved_port_type;
	')

	dontaudit $1 reserved_port_type:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_all_reserved_ports'($*)) dnl
')

########################################
## <summary>
##	Connect DCCP sockets to all RPC ports.
## </summary>
## <desc>
##	<p>
##	Allows name_connect to every type carrying the rpc_port_type
##	attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_dccp_connect_all_rpc_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_connect_all_rpc_ports'($*)) dnl
	gen_require(`
		attribute rpc_port_type;
	')

	allow $1 rpc_port_type:dccp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_connect_all_rpc_ports'($*)) dnl
')

########################################
## <summary>
##	Connect TCP sockets to all RPC ports.
## </summary>
## <desc>
##	<p>
##	Allows name_connect to every type carrying the rpc_port_type
##	attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_all_rpc_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_all_rpc_ports'($*)) dnl
	gen_require(`
		attribute rpc_port_type;
	')

	allow $1 rpc_port_type:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_all_rpc_ports'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to connect DCCP sockets
##	to all RPC ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_dccp_connect_all_rpc_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_dccp_connect_all_rpc_ports'($*)) dnl
	gen_require(`
		attribute rpc_port_type;
	')

	dontaudit $1 rpc_port_type:dccp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_dccp_connect_all_rpc_ports'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to connect TCP sockets
##	to all RPC ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_all_rpc_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_all_rpc_ports'($*)) dnl
	gen_require(`
		attribute rpc_port_type;
	')

	dontaudit $1 rpc_port_type:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_all_rpc_ports'($*)) dnl
')

########################################
## <summary>
##	Bind SCTP sockets to generic reserved ports.
## </summary>
## <desc>
##	<p>
##	Binds to the reserved_port_t type only. Also grants the
##	net_bind_service capability, which binding below port 1024
##	requires. (The summary previously attached to this interface
##	described the TUN/TAP device interface below; it has been
##	moved back there.)
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sctp_bind_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_bind_reserved_port'($*)) dnl
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:sctp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_bind_reserved_port'($*)) dnl
')

########################################
## <summary>
##	Read and write the TUN/TAP virtual network device.
## </summary>
## <desc>
##	<p>
##	Besides read/write on tun_tap_device_t character devices this
##	also calls dev_list_all_dev_nodes(), so the domain can list
##	the device directory to find the node.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The domain allowed access.
##	</summary>
## </param>
#
define(`corenet_rw_tun_tap_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_rw_tun_tap_dev'($*)) dnl
	gen_require(`
		type tun_tap_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_rw_tun_tap_dev'($*)) dnl
')

########################################
## <summary>
##	Relabel to and from the TUN/TAP virtual network device.
## </summary>
## <param name="domain">
##	<summary>
##	The domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabel_tun_tap_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabel_tun_tap_dev'($*)) dnl
	gen_require(`
		type tun_tap_device_t;
	')

	relabel_chr_files_pattern($1, tun_tap_device_t, tun_tap_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabel_tun_tap_dev'($*)) dnl
')

########################################
## <summary>
##	Read and write an inherited TUN/TAP virtual network device.
## </summary>
## <desc>
##	<p>
##	Uses rw_inherited_chr_file_perms, so the domain can use an
##	already-open descriptor but is not allowed to open the device
##	itself.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The domain allowed access.
##	</summary>
## </param>
#
define(`corenet_rw_inherited_tun_tap_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_rw_inherited_tun_tap_dev'($*)) dnl
	gen_require(`
		type tun_tap_device_t;
	')

	allow $1 tun_tap_device_t:chr_file rw_inherited_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_rw_inherited_tun_tap_dev'($*)) dnl
')

########################################
## <summary>
##	Connect SCTP sockets to generic reserved ports.
## </summary>
## <desc>
##	<p>
##	Applies to the reserved_port_t type only.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sctp_connect_reserved_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_connect_reserved_port'($*)) dnl
	gen_require(`
		type reserved_port_t;
	')

	allow $1 reserved_port_t:sctp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_connect_reserved_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read or write the TUN/TAP
##	virtual network device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_rw_tun_tap_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_rw_tun_tap_dev'($*)) dnl
	gen_require(`
		type tun_tap_device_t;
	')

	dontaudit $1 tun_tap_device_t:chr_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_rw_tun_tap_dev'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of the point-to-point device.
## </summary>
## <param name="domain">
##	<summary>
##	The domain allowed access.
##	</summary>
## </param>
#
define(`corenet_getattr_ppp_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_getattr_ppp_dev'($*)) dnl
	gen_require(`
		type ppp_device_t;
	')

	allow $1 ppp_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_getattr_ppp_dev'($*)) dnl
')

########################################
## <summary>
##	Read and write the point-to-point device.
## </summary>
## <desc>
##	<p>
##	Besides read/write on ppp_device_t character devices this also
##	calls dev_list_all_dev_nodes(), so the domain can list the
##	device directory to find the node.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The domain allowed access.
##	</summary>
## </param>
#
define(`corenet_rw_ppp_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_rw_ppp_dev'($*)) dnl
	gen_require(`
		type ppp_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 ppp_device_t:chr_file rw_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_rw_ppp_dev'($*)) dnl
')

########################################
## <summary>
##	Bind DCCP sockets to all RPC ports.
## </summary>
## <desc>
##	<p>
##	Allows name_bind on every type carrying the rpc_port_type
##	attribute and also grants the net_bind_service capability.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_dccp_bind_all_rpc_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_bind_all_rpc_ports'($*)) dnl
	gen_require(`
		attribute rpc_port_type;
	')

	allow $1 rpc_port_type:dccp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_bind_all_rpc_ports'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to all RPC ports.
## </summary>
## <desc>
##	<p>
##	Allows name_bind on every type carrying the rpc_port_type
##	attribute and also grants the net_bind_service capability.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_all_rpc_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_all_rpc_ports'($*)) dnl
	gen_require(`
		attribute rpc_port_type;
	')

	allow $1 rpc_port_type:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_all_rpc_ports'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind DCCP sockets to all RPC ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_dccp_bind_all_rpc_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_dccp_bind_all_rpc_ports'($*)) dnl
	gen_require(`
		attribute rpc_port_type;
	')

	dontaudit $1 rpc_port_type:dccp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_dccp_bind_all_rpc_ports'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind TCP sockets to all RPC ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_bind_all_rpc_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_bind_all_rpc_ports'($*)) dnl
	gen_require(`
		attribute rpc_port_type;
	')

	dontaudit $1 rpc_port_type:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_bind_all_rpc_ports'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to all RPC ports.
## </summary>
## <desc>
##	<p>
##	Allows name_bind on every type carrying the rpc_port_type
##	attribute and also grants the net_bind_service capability.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_all_rpc_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_all_rpc_ports'($*)) dnl
	gen_require(`
		attribute rpc_port_type;
	')

	allow $1 rpc_port_type:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_all_rpc_ports'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to all RPC ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_all_rpc_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_all_rpc_ports'($*)) dnl
	gen_require(`
		attribute rpc_port_type;
	')

	dontaudit $1 rpc_port_type:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_all_rpc_ports'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages on a
##	non-encrypted (no IPSEC) network
##	session. (Deprecated)
## </summary>
## <desc>

## Send and receive messages on a ## non-encrypted (no IPSEC) network ## session. (Deprecated) ##

##

## The corenet_all_recvfrom_unlabeled() interface should be used instead ## of this one. ##

##
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_non_ipsec_sendrecv',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_non_ipsec_sendrecv'($*)) dnl
	# Deprecated shim: emits a build-time warning and forwards to the
	# replacement, which adds the domain to the corenet_unlabeled_type
	# attribute rather than writing per-protocol allow rules.
	refpolicywarn(`$0($*) has been deprecated, use corenet_all_recvfrom_unlabeled() instead.')
	corenet_all_recvfrom_unlabeled($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_non_ipsec_sendrecv'($*)) dnl
')

########################################
##
## Do not audit attempts to send and receive
## messages on a non-encrypted (no IPSEC) network
## session.
##
##
##

## Do not audit attempts to send and receive ## messages on a non-encrypted (no IPSEC) network ## session. ##

##

## The corenet_dontaudit_all_recvfrom_unlabeled() interface should be ## used instead of this one. ##

##
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_non_ipsec_sendrecv',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_non_ipsec_sendrecv'($*)) dnl
	# Deprecated shim: warns at build time and forwards to the replacement.
	refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_all_recvfrom_unlabeled() instead.')
	corenet_dontaudit_all_recvfrom_unlabeled($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_non_ipsec_sendrecv'($*)) dnl
')

########################################
##
## Receive TCP packets from a NetLabel connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_recv_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_recv_netlabel'($*)) dnl
	# Deprecated shim: warns at build time and forwards to the replacement.
	refpolicywarn(`$0($*) has been deprecated, use corenet_tcp_recvfrom_netlabel() instead.')
	corenet_tcp_recvfrom_netlabel($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_recv_netlabel'($*)) dnl
')

########################################
##
## Receive DCCP packets from a NetLabel connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_recvfrom_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_recvfrom_netlabel'($*)) dnl
	gen_require(`
		type netlabel_peer_t;
	')

	# Both checks are needed for labeled traffic: the peer class check on
	# the remote label and the per-protocol socket recvfrom check.
	allow $1 netlabel_peer_t:peer recv;
	allow $1 netlabel_peer_t:dccp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_recvfrom_netlabel'($*)) dnl
')

########################################
##
## Receive TCP packets from a NetLabel connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_recvfrom_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_recvfrom_netlabel'($*)) dnl
	gen_require(`
		type netlabel_peer_t;
	')

	# Peer label check plus the TCP socket recvfrom check.
	allow $1 netlabel_peer_t:peer recv;
	allow $1 netlabel_peer_t:tcp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_recvfrom_netlabel'($*)) dnl
')

########################################
##
## Receive DCCP packets from an unlabeled connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_dccp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_recvfrom_unlabeled'($*)) dnl
	gen_require(`
		attribute corenet_unlabeled_type;
	')

	kernel_dccp_recvfrom_unlabeled($1)
	kernel_recvfrom_unlabeled_peer($1)
	# NOTE(review): this variant also attaches the domain to
	# corenet_unlabeled_type, the attribute that corenet_all_recvfrom_unlabeled
	# relies on exclusively. The UDP and raw IP variants in this file do not.
	# If the attribute carries receive rules for every protocol, this grants
	# more than DCCP - confirm against the rules on the attribute in the .te.
	typeattribute $1 corenet_unlabeled_type;

	# XXX - at some point the outbound/send access check will be removed
	# but for right now we need to keep this in place so as not to break
	# older systems
	kernel_sendrecv_unlabeled_association($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_recvfrom_unlabeled'($*)) dnl
')

########################################
##
## Do not audit attempts to bind SCTP sockets to all reserved ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_sctp_bind_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sctp_bind_all_reserved_ports'($*)) dnl
	gen_require(`
		attribute reserved_port_type;
	')

	# Suppresses the denial record only; no access is granted.
	dontaudit $1 reserved_port_type:sctp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sctp_bind_all_reserved_ports'($*)) dnl
')

########################################
##
## Do not audit attempts to receive TCP packets from a NetLabel
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_recv_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_recv_netlabel'($*)) dnl
	# Deprecated shim: warns at build time and forwards to the replacement.
	refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_tcp_recvfrom_netlabel() instead.')
	corenet_dontaudit_tcp_recvfrom_netlabel($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_recv_netlabel'($*)) dnl
')

########################################
##
## Do not audit attempts to receive DCCP packets from a NetLabel
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_dccp_recvfrom_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_dccp_recvfrom_netlabel'($*)) dnl
	gen_require(`
		type netlabel_peer_t;
	')

	# Mirrors the two checks in corenet_dccp_recvfrom_netlabel; only the
	# denial records are suppressed, nothing is granted.
	dontaudit $1 netlabel_peer_t:peer recv;
	dontaudit $1 netlabel_peer_t:dccp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_dccp_recvfrom_netlabel'($*)) dnl
')

########################################
##
## Do not audit attempts to receive TCP packets from a NetLabel
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_recvfrom_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_recvfrom_netlabel'($*)) dnl
	gen_require(`
		type netlabel_peer_t;
	')

	# Mirrors the two checks in corenet_tcp_recvfrom_netlabel.
	dontaudit $1 netlabel_peer_t:peer recv;
	dontaudit $1 netlabel_peer_t:tcp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_recvfrom_netlabel'($*)) dnl
')

########################################
##
## Do not audit attempts to receive DCCP packets from an unlabeled
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_dccp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_dccp_recvfrom_unlabeled'($*)) dnl
	kernel_dontaudit_dccp_recvfrom_unlabeled($1)
	kernel_dontaudit_recvfrom_unlabeled_peer($1)

	# XXX - at some point the outbound/send access check will be removed
	# but for right now we need to keep this in place so as not to break
	# older systems
	kernel_dontaudit_sendrecv_unlabeled_association($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_dccp_recvfrom_unlabeled'($*)) dnl
')

########################################
##
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_recvfrom_unlabeled'($*)) dnl
	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
	kernel_dontaudit_recvfrom_unlabeled_peer($1)

	# XXX - at some point the outbound/send access check will be removed
	# but for right now we need to keep this in place so as not to break
	# older systems
	kernel_dontaudit_sendrecv_unlabeled_association($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_recvfrom_unlabeled'($*)) dnl
')

########################################
##
## Receive UDP packets from a NetLabel connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_recv_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_recv_netlabel'($*)) dnl
	# Deprecated shim: warns at build time and forwards to the replacement.
	refpolicywarn(`$0($*) has been deprecated, use corenet_udp_recvfrom_netlabel() instead.')
	corenet_udp_recvfrom_netlabel($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_recv_netlabel'($*)) dnl
')

########################################
##
## Receive UDP packets from a NetLabel connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_recvfrom_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_recvfrom_netlabel'($*)) dnl
	gen_require(`
		type netlabel_peer_t;
	')

	# Peer label check plus the UDP socket recvfrom check.
	allow $1 netlabel_peer_t:peer recv;
	allow $1 netlabel_peer_t:udp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_recvfrom_netlabel'($*)) dnl
')

########################################
##
## Receive UDP packets from an unlabeled connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_udp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_recvfrom_unlabeled'($*)) dnl
	# NOTE(review): unlike the DCCP and SCTP variants in this file, this one
	# does not attach the domain to corenet_unlabeled_type; it only writes
	# the UDP-specific rules. Whether that difference is intended depends on
	# what the attribute carries in the .te - confirm before aligning them.
	kernel_udp_recvfrom_unlabeled($1)
	kernel_recvfrom_unlabeled_peer($1)

	# XXX - at some point the outbound/send access check will be removed
	# but for right now we need to keep this in place so as not to break
	# older systems
	kernel_sendrecv_unlabeled_association($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_recvfrom_unlabeled'($*)) dnl
')

########################################
##
## Bind SCTP sockets to all ports > 1024.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sctp_bind_all_unreserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_bind_all_unreserved_ports'($*)) dnl
	gen_require(`
		attribute unreserved_port_type;
	')

	# No net_bind_service here: unreserved ports do not need the capability.
	allow $1 unreserved_port_type:sctp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_bind_all_unreserved_ports'($*)) dnl
')

########################################
##
## Do not audit attempts to receive UDP packets from a NetLabel
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_recv_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_recv_netlabel'($*)) dnl
	# Deprecated shim: warns at build time and forwards to the replacement.
	refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_udp_recvfrom_netlabel($1) instead.')
	corenet_dontaudit_udp_recvfrom_netlabel($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_recv_netlabel'($*)) dnl
')

########################################
##
## Do not audit attempts to receive UDP packets from a NetLabel
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_recvfrom_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_recvfrom_netlabel'($*)) dnl
	gen_require(`
		type netlabel_peer_t;
	')

	# Mirrors the two checks in corenet_udp_recvfrom_netlabel.
	dontaudit $1 netlabel_peer_t:peer recv;
	dontaudit $1 netlabel_peer_t:udp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_recvfrom_netlabel'($*)) dnl
')

########################################
##
## Do not audit attempts to receive UDP packets from an unlabeled
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_recvfrom_unlabeled'($*)) dnl
	kernel_dontaudit_udp_recvfrom_unlabeled($1)
	kernel_dontaudit_recvfrom_unlabeled_peer($1)

	# XXX - at some point the outbound/send access check will be removed
	# but for right now we need to keep this in place so as not to break
	# older systems
	kernel_dontaudit_sendrecv_unlabeled_association($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_recvfrom_unlabeled'($*)) dnl
')

########################################
##
## Receive Raw IP packets from a NetLabel connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_raw_recv_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_recv_netlabel'($*)) dnl
	# Deprecated shim: warns at build time and forwards to the replacement.
	refpolicywarn(`$0($*) has been deprecated, use corenet_raw_recvfrom_netlabel() instead.')
	corenet_raw_recvfrom_netlabel($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_recv_netlabel'($*)) dnl
')

########################################
##
## Receive Raw IP packets from a NetLabel connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_raw_recvfrom_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_recvfrom_netlabel'($*)) dnl
	gen_require(`
		type netlabel_peer_t;
	')

	# Peer label check plus the raw IP socket recvfrom check.
	allow $1 netlabel_peer_t:peer recv;
	allow $1 netlabel_peer_t:rawip_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_recvfrom_netlabel'($*)) dnl
')

########################################
##
## Receive Raw IP packets from an unlabeled connection.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_raw_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_recvfrom_unlabeled'($*)) dnl
	# NOTE(review): like the UDP variant, this does not attach the domain to
	# corenet_unlabeled_type, unlike the DCCP and SCTP variants in this file.
	kernel_raw_recvfrom_unlabeled($1)
	kernel_recvfrom_unlabeled_peer($1)

	# XXX - at some point the outbound/send access check will be removed
	# but for right now we need to keep this in place so as not to break
	# older systems
	kernel_sendrecv_unlabeled_association($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_recvfrom_unlabeled'($*)) dnl
')

########################################
##
## Do not audit attempts to receive Raw IP packets from a NetLabel
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_raw_recv_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_raw_recv_netlabel'($*)) dnl
	# Deprecated shim: warns at build time and forwards to the replacement.
	refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_raw_recvfrom_netlabel() instead.')
	corenet_dontaudit_raw_recvfrom_netlabel($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_raw_recv_netlabel'($*)) dnl
')

########################################
##
## Do not audit attempts to receive Raw IP packets from a NetLabel
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_raw_recvfrom_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_raw_recvfrom_netlabel'($*)) dnl
	gen_require(`
		type netlabel_peer_t;
	')

	# Mirrors the two checks in corenet_raw_recvfrom_netlabel.
	dontaudit $1 netlabel_peer_t:peer recv;
	dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_raw_recvfrom_netlabel'($*)) dnl
')

########################################
##
## Connect SCTP sockets to reserved ports.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sctp_connect_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sctp_connect_all_reserved_ports'($*)) dnl
	gen_require(`
		attribute reserved_port_type;
	')

	# Outbound connect to every reserved port type; no capability is needed
	# for connecting, only for binding.
	allow $1 reserved_port_type:sctp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sctp_connect_all_reserved_ports'($*)) dnl
')

########################################
##
## Do not audit attempts to receive Raw IP packets from an unlabeled
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_raw_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_raw_recvfrom_unlabeled'($*)) dnl
	kernel_dontaudit_raw_recvfrom_unlabeled($1)
	kernel_dontaudit_recvfrom_unlabeled_peer($1)

	# XXX - at some point the outbound/send access check will be removed
	# but for right now we need to keep this in place so as not to break
	# older systems
	kernel_dontaudit_sendrecv_unlabeled_association($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_raw_recvfrom_unlabeled'($*)) dnl
')

########################################
##
## Receive packets from an unlabeled connection.
##
##
##

## Allow the specified domain to receive packets from an ## unlabeled connection. On machines that do not utilize ## labeled networking, this will be required on all ## networking domains. On machines that do utilize ## labeled networking, this will be required for any ## networking domain that is allowed to receive ## network traffic that does not have a label. ##

##
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_all_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_all_recvfrom_unlabeled'($*)) dnl
	gen_require(`
		attribute corenet_unlabeled_type;
	')

	# No allow rules are written here: the domain is only attached to the
	# attribute, so whatever is permitted comes from the rules placed on
	# corenet_unlabeled_type elsewhere (not visible in this file). Audit
	# those rules, not this interface, when reviewing what a caller gains.
	typeattribute $1 corenet_unlabeled_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_all_recvfrom_unlabeled'($*)) dnl
')

########################################
##
## Receive packets from a NetLabel connection.
##
##
##

## Allow the specified domain to receive NetLabel ## network traffic, which utilizes the Commercial IP ## Security Option (CIPSO) to set the MLS level ## of the network packets. This is required for ## all networking domains that receive NetLabel ## network traffic. ##

##
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_all_recvfrom_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_all_recvfrom_netlabel'($*)) dnl
	gen_require(`
		attribute netlabel_peer_type;
	')

	# Attribute-only, like corenet_all_recvfrom_unlabeled: the effective
	# permissions are whatever is granted to netlabel_peer_type elsewhere.
	typeattribute $1 netlabel_peer_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_all_recvfrom_netlabel'($*)) dnl
')

########################################
##
## Enable unlabeled net packets
##
##
##

## Allow unlabeled_packet_t to be used by all domains that use the network ##

##
##
##
##
## Domain allowed access.
## (Note: the argument is not used by this interface; the rule is
## applied to the corenet_unlabeled_type attribute as a whole.)
##
##
##
#
define(`corenet_enable_unlabeled_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_enable_unlabeled_packets'($*)) dnl
	gen_require(`
		attribute corenet_unlabeled_type;
	')

	# Global switch: grants the unlabeled association access to every
	# domain carrying corenet_unlabeled_type, regardless of the caller.
	kernel_sendrecv_unlabeled_association(corenet_unlabeled_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_enable_unlabeled_packets'($*)) dnl
')

########################################
##
## Do not audit attempts to receive packets from an unlabeled connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_all_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_all_recvfrom_unlabeled'($*)) dnl
	# NOTE(review): SCTP is not covered here although the file has SCTP
	# unlabeled receive interfaces; confirm whether a matching
	# kernel dontaudit interface exists before adding it.
	kernel_dontaudit_dccp_recvfrom_unlabeled($1)
	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
	kernel_dontaudit_udp_recvfrom_unlabeled($1)
	kernel_dontaudit_raw_recvfrom_unlabeled($1)
	kernel_dontaudit_recvfrom_unlabeled_peer($1)

	# XXX - at some point the outbound/send access check will be removed
	# but for right now we need to keep this in place so as not to break
	# older systems
	kernel_dontaudit_sendrecv_unlabeled_association($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_all_recvfrom_unlabeled'($*)) dnl
')

########################################
##
## Do not audit attempts to connect SCTP sockets to
## all reserved ports.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_sctp_connect_all_reserved_ports',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sctp_connect_all_reserved_ports'($*)) dnl
	gen_require(`
		attribute reserved_port_type;
	')

	# Suppresses the denial record only; no access is granted.
	dontaudit $1 reserved_port_type:sctp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sctp_connect_all_reserved_ports'($*)) dnl
')

########################################
##
## Do not audit attempts to receive packets from a NetLabel
## connection.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_all_recvfrom_netlabel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_all_recvfrom_netlabel'($*)) dnl
	gen_require(`
		type netlabel_peer_t;
	')

	dontaudit $1 netlabel_peer_t:peer recv;
	# sctp_socket is deliberately absent from this set, matching
	# corenet_sctp_recvfrom_netlabel which grants only the peer check.
	dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_all_recvfrom_netlabel'($*)) dnl
')

########################################
##
## Rules for receiving labeled DCCP packets.
##
##
##
## Domain allowed access.
##
##
##
##
## Peer domain.
##
##
#
define(`corenet_dccp_recvfrom_labeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dccp_recvfrom_labeled'($*)) dnl
	# Bidirectional, like the TCP variant: both domains may send on their
	# own association and receive from the other.
	allow { $1 $2 } self:association sendto;
	allow $1 $2:{ association dccp_socket } recvfrom;
	allow $2 $1:{ association dccp_socket } recvfrom;
	allow $1 $2:peer recv;
	allow $2 $1:peer recv;

	# allow receiving packets from MLS-only peers using NetLabel
	corenet_dccp_recvfrom_netlabel($1)
	corenet_dccp_recvfrom_netlabel($2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dccp_recvfrom_labeled'($*)) dnl
')

########################################
##
## Rules for receiving labeled TCP packets.
##
##
##

## Rules for receiving labeled TCP packets. ##

##

## Due to the nature of TCP, this is bidirectional. ##

##
##
##
##
## Domain allowed access.
##
##
##
##
## Peer domain.
##
##
#
define(`corenet_tcp_recvfrom_labeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_recvfrom_labeled'($*)) dnl
	# Bidirectional: both domains may send on their own association and
	# receive from the other, since TCP traffic flows both ways.
	allow { $1 $2 } self:association sendto;
	allow $1 $2:{ association tcp_socket } recvfrom;
	allow $2 $1:{ association tcp_socket } recvfrom;
	allow $1 $2:peer recv;
	allow $2 $1:peer recv;

	# allow receiving packets from MLS-only peers using NetLabel
	corenet_tcp_recvfrom_netlabel($1)
	corenet_tcp_recvfrom_netlabel($2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_recvfrom_labeled'($*)) dnl
')

########################################
##
## Rules for receiving labeled UDP packets.
##
##
##
## Domain allowed access.
##
##
##
##
## Peer domain.
##
##
#
define(`corenet_udp_recvfrom_labeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_recvfrom_labeled'($*)) dnl
	# One-way only: the peer sends, the first domain receives. A caller
	# that needs the reverse direction must invoke this again with the
	# arguments swapped.
	allow $2 self:association sendto;
	allow $1 $2:{ association udp_socket } recvfrom;
	allow $1 $2:peer recv;

	# allow receiving packets from MLS-only peers using NetLabel
	corenet_udp_recvfrom_netlabel($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_recvfrom_labeled'($*)) dnl
')

########################################
##
## Rules for receiving labeled raw IP packets.
##
##
##
## Domain allowed access.
##
##
##
##
## Peer domain.
##
##
#
define(`corenet_raw_recvfrom_labeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_recvfrom_labeled'($*)) dnl
	# One-way only, same shape as the UDP variant.
	allow $2 self:association sendto;
	allow $1 $2:{ association rawip_socket } recvfrom;
	allow $1 $2:peer recv;

	# allow receiving packets from MLS-only peers using NetLabel
	corenet_raw_recvfrom_netlabel($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_recvfrom_labeled'($*)) dnl
')

########################################
##
## Rules for receiving labeled packets via SCTP, TCP, UDP and raw IP.
##
##
##

## Rules for receiving labeled packets via TCP, UDP and raw IP. ##

##

## Due to the nature of TCP and DCCP, the rules (for TCP and DCCP ## networking only) are bidirectional; the UDP and raw IP rules ## are one-way. ##

##
##
##
##
## Domain allowed access.
##
##
##
##
## Peer domain.
##
##
#
define(`corenet_all_recvfrom_labeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_all_recvfrom_labeled'($*)) dnl
	# corenet_sctp_recvfrom_labeled is not defined in this section of the
	# file; it is expected to be declared elsewhere in it. The SCTP, TCP and
	# DCCP helpers are bidirectional, the UDP and raw IP ones are one-way.
	corenet_sctp_recvfrom_labeled($1, $2)
	corenet_tcp_recvfrom_labeled($1, $2)
	corenet_udp_recvfrom_labeled($1, $2)
	corenet_raw_recvfrom_labeled($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_all_recvfrom_labeled'($*)) dnl
')

########################################
##
## Make the specified type usable
## for labeled ipsec.
##
##
##
## Type to be used for labeled ipsec.
##
##
#
define(`corenet_setcontext_all_spds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_setcontext_all_spds'($*)) dnl
	gen_require(`
		attribute ipsec_spd_type;
	')

	# Lets the type set the security context on every SPD association type;
	# this decides what label IPsec traffic carries, so keep the set of
	# callers small (the IPsec management domains).
	allow $1 ipsec_spd_type:association setcontext;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_setcontext_all_spds'($*)) dnl
')

########################################
##
## Send generic client packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_send_generic_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_generic_client_packets'($*)) dnl
	gen_require(`
		type client_packet_t;
	')

	# packet class rules only take effect for traffic labeled by netfilter
	# SECMARK rules; without such rules they are inert.
	allow $1 client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_generic_client_packets'($*)) dnl
')

########################################
##
## Receive generic client packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_receive_generic_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_generic_client_packets'($*)) dnl
	gen_require(`
		type client_packet_t;
	')

	allow $1 client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_generic_client_packets'($*)) dnl
')

########################################
##
## Send and receive generic client packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sendrecv_generic_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_generic_client_packets'($*)) dnl
	# Convenience wrapper over the two single-direction interfaces.
	corenet_send_generic_client_packets($1)
	corenet_receive_generic_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_generic_client_packets'($*)) dnl
')

########################################
##
## Relabel packets to the generic client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_generic_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_generic_client_packets'($*)) dnl
	gen_require(`
		type client_packet_t;
	')

	# relabelto on packets is what a SECMARK-setting domain needs; it lets
	# the caller decide the packet label, so restrict it to firewall tools.
	allow $1 client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_generic_client_packets'($*)) dnl
')

########################################
##
## Send generic server packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_send_generic_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_generic_server_packets'($*)) dnl
	gen_require(`
		type server_packet_t;
	')

	allow $1 server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_generic_server_packets'($*)) dnl
')

########################################
##
## Receive generic server packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_receive_generic_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_generic_server_packets'($*)) dnl
	gen_require(`
		type server_packet_t;
	')

	allow $1 server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_generic_server_packets'($*)) dnl
')

########################################
##
## Send and receive generic server packets.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_sendrecv_generic_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_generic_server_packets'($*)) dnl
	# Convenience wrapper over the two single-direction interfaces.
	corenet_send_generic_server_packets($1)
	corenet_receive_generic_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_generic_server_packets'($*)) dnl
')

########################################
##
## Relabel packets to the generic server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_generic_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_generic_server_packets'($*)) dnl
	gen_require(`
		type server_packet_t;
	')

	# Same caveat as the client variant: this is a label-setting privilege.
	allow $1 server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_generic_server_packets'($*)) dnl
')

########################################
##
## Send and receive unlabeled packets.
##
##
##

## Send and receive unlabeled packets. ## These packets do not match any netfilter ## SECMARK rules. ##

##
## ## ## Domain allowed access. ## ## # define(`corenet_sendrecv_unlabeled_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_unlabeled_packets'($*)) dnl kernel_sendrecv_unlabeled_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_unlabeled_packets'($*)) dnl ') ######################################## ## ## Send all client packets. ## ## ## ## Domain allowed access. ## ## # define(`corenet_send_all_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_all_client_packets'($*)) dnl gen_require(` attribute client_packet_type; ') allow $1 client_packet_type:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_all_client_packets'($*)) dnl ') ######################################## ## ## Receive all client packets. ## ## ## ## Domain allowed access. ## ## # define(`corenet_receive_all_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_all_client_packets'($*)) dnl gen_require(` attribute client_packet_type; ') allow $1 client_packet_type:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_all_client_packets'($*)) dnl ') ######################################## ## ## Send and receive all client packets. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_sendrecv_all_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_all_client_packets'($*)) dnl corenet_send_all_client_packets($1) corenet_receive_all_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_all_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to any client packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_all_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_all_client_packets'($*)) dnl gen_require(` attribute client_packet_type; ') allow $1 client_packet_type:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_all_client_packets'($*)) dnl ') ######################################## ## ## Send all server packets. ## ## ## ## Domain allowed access. ## ## # define(`corenet_send_all_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_all_server_packets'($*)) dnl gen_require(` attribute server_packet_type; ') allow $1 server_packet_type:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_all_server_packets'($*)) dnl ') ######################################## ## ## Receive SCTP packets from a NetLabel connection. ## ## ## ## Domain allowed access. 
##	</summary>
## </param>
#
define(`corenet_sctp_recvfrom_netlabel',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sctp_recvfrom_netlabel'($*)) dnl
	gen_require(`
		type netlabel_peer_t;
	')
	allow $1 netlabel_peer_t:peer recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sctp_recvfrom_netlabel'($*)) dnl
')

########################################
## <summary>
##	Receive all server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_all_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_all_server_packets'($*)) dnl
	gen_require(`
		attribute server_packet_type;
	')
	allow $1 server_packet_type:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_all_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive all server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_all_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_all_server_packets'($*)) dnl
	corenet_send_all_server_packets($1)
	corenet_receive_all_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_all_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to any server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_all_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_all_server_packets'($*)) dnl
	gen_require(`
		attribute server_packet_type;
	')
	allow $1 server_packet_type:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_all_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive SCTP packets from an unlabeled connection.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sctp_recvfrom_unlabeled',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sctp_recvfrom_unlabeled'($*)) dnl
	gen_require(`
		attribute corenet_unlabeled_type;
	')
	kernel_recvfrom_unlabeled_peer($1)
dnl Tagging the domain with corenet_unlabeled_type is a side effect callers
dnl should be aware of: any rule written against that attribute now applies to it.
	typeattribute $1 corenet_unlabeled_type;
	kernel_sendrecv_unlabeled_association($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sctp_recvfrom_unlabeled'($*)) dnl
')

########################################
## <summary>
##	Send all packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_all_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_all_packets'($*)) dnl
	gen_require(`
		attribute packet_type;
	')
	allow $1 packet_type:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_all_packets'($*)) dnl
')

########################################
## <summary>
##	Receive all packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_all_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_all_packets'($*)) dnl
	gen_require(`
		attribute packet_type;
	')
	allow $1 packet_type:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_all_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive all packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_all_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_all_packets'($*)) dnl
	corenet_send_all_packets($1)
	corenet_receive_all_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_all_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to any packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_all_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_all_packets'($*)) dnl
	gen_require(`
		attribute packet_type;
	')
	allow $1 packet_type:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_all_packets'($*)) dnl
')

########################################
## <summary>
##	Unconfined access to network objects.
## </summary>
## <param name="domain">
##	<summary>
##	The domain allowed access.
##	</summary>
## </param>
#
define(`corenet_unconfined',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_unconfined'($*)) dnl
	gen_require(`
		attribute corenet_unconfined_type;
	')
dnl No rules are written here; the access is whatever the policy grants to the
dnl corenet_unconfined_type attribute elsewhere, so audit uses of this interface
dnl as carefully as a direct unconfined grant.
	typeattribute $1 corenet_unconfined_type;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_unconfined'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind TCP sockets to defined ports.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_bind_all_defined_ports',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_bind_all_defined_ports'($*)) dnl
	gen_require(`
		attribute defined_port_type;
	')
	dontaudit $1 defined_port_type:tcp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_bind_all_defined_ports'($*)) dnl
')

########################################
## <summary>
##	Create all network named devices with the correct label
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_filetrans_all_named_dev',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_filetrans_all_named_dev'($*)) dnl
	gen_require(`
		type tun_tap_device_t;
		type ppp_device_t;
	')
dnl Named transitions are enumerated for tap0 through tap29 only; a tap device
dnl with a name outside that range is not covered by this interface.
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap0")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap1")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap2")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap3")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap4")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap5")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap6")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap7")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap8")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap9")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap10")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap11")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap12")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap13")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap14")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap15")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap16")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap17")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap18")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap19")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap20")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap21")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap22")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap23")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap24")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap25")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap26")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap27")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap28")
	dev_filetrans($1, tun_tap_device_t, chr_file, "tap29")
	dev_filetrans($1, ppp_device_t, chr_file, "ppp")
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_filetrans_all_named_dev'($*)) dnl
')

########################################
## <summary>
##	Define type to be an infiniband pkey type
## </summary>
## <desc>
##	<p>
##	Define type to be an infiniband pkey type
##	</p>
##	<p>
##	This is for supporting third party modules and its
##	use is not allowed in upstream reference policy.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used for infiniband pkeys.
##	</summary>
## </param>
#
define(`corenet_ib_pkey',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_ib_pkey'($*)) dnl
	gen_require(`
		attribute ibpkey_type;
	')
	typeattribute $1 ibpkey_type;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_ib_pkey'($*)) dnl
')

########################################
## <summary>
##	Access unlabeled infiniband pkeys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_ib_access_unlabeled_pkeys',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_ib_access_unlabeled_pkeys'($*)) dnl
	kernel_ib_access_unlabeled_pkeys($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_ib_access_unlabeled_pkeys'($*)) dnl
')

########################################
## <summary>
##	Access all labeled infiniband pkeys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_ib_access_all_pkeys',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_ib_access_all_pkeys'($*)) dnl
	gen_require(`
		attribute ibpkey_type;
	')
	allow $1 ibpkey_type:infiniband_pkey access;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_ib_access_all_pkeys'($*)) dnl
')

########################################
## <summary>
##	Define type to be an infiniband endport
## </summary>
## <desc>
##	<p>
##	Define type to be an infiniband endport
##	</p>
##	<p>
##	This is for supporting third party modules and its
##	use is not allowed in upstream reference policy.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used for infiniband endports.
##	</summary>
## </param>
#
define(`corenet_ib_endport',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_ib_endport'($*)) dnl
	gen_require(`
		attribute ibendport_type;
	')
	typeattribute $1 ibendport_type;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_ib_endport'($*)) dnl
')

########################################
## <summary>
##	Manage subnets on all labeled Infiniband endports
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_ib_manage_subnet_all_endports',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_ib_manage_subnet_all_endports'($*)) dnl
	gen_require(`
		attribute ibendport_type;
	')
	allow $1 ibendport_type:infiniband_endport manage_subnet;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_ib_manage_subnet_all_endports'($*)) dnl
')

########################################
## <summary>
##	Rules for receiving labeled SCTP packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="peer_domain">
##	<summary>
##	Peer domain.
##	</summary>
## </param>
#
define(`corenet_sctp_recvfrom_labeled',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sctp_recvfrom_labeled'($*)) dnl
dnl The association and peer rules are granted symmetrically, so both
dnl parameters end up able to receive from each other.
	allow { $1 $2 } self:association sendto;
	allow $1 $2:association recvfrom;
	allow $2 $1:association recvfrom;
	allow $1 $2:peer recv;
	allow $2 $1:peer recv;
	# allow receiving packets from MLS-only peers using NetLabel
	corenet_sctp_recvfrom_netlabel($1)
	corenet_sctp_recvfrom_netlabel($2)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sctp_recvfrom_labeled'($*)) dnl
')

########################################
## <summary>
##	Manage subnet on all unlabeled Infiniband endports
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_ib_manage_subnet_unlabeled_endports',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_ib_manage_subnet_unlabeled_endports'($*)) dnl
	kernel_ib_manage_subnet_unlabeled_endports($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_ib_manage_subnet_unlabeled_endports'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the afs_bos port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_afs_bos_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs_bos_port'($*)) dnl
	gen_require(`
		type afs_bos_port_t;
	')
	allow $1 afs_bos_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs_bos_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the afs_bos port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_afs_bos_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs_bos_port'($*)) dnl
	gen_require(`
		type afs_bos_port_t;
	')
	allow $1 afs_bos_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs_bos_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the afs_bos port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_afs_bos_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs_bos_port'($*)) dnl
	gen_require(`
		type afs_bos_port_t;
	')
	dontaudit $1 afs_bos_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs_bos_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the afs_bos port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_afs_bos_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs_bos_port'($*)) dnl
	gen_require(`
		type afs_bos_port_t;
	')
	allow $1 afs_bos_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs_bos_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the afs_bos port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_afs_bos_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs_bos_port'($*)) dnl
	gen_require(`
		type afs_bos_port_t;
	')
	dontaudit $1 afs_bos_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs_bos_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the afs_bos port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_afs_bos_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs_bos_port'($*)) dnl
	corenet_udp_send_afs_bos_port($1)
	corenet_udp_receive_afs_bos_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs_bos_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the afs_bos port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_afs_bos_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs_bos_port'($*)) dnl
	corenet_dontaudit_udp_send_afs_bos_port($1)
	corenet_dontaudit_udp_receive_afs_bos_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs_bos_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the afs_bos port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_afs_bos_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs_bos_port'($*)) dnl
	gen_require(`
		type afs_bos_port_t;
	')
	allow $1 afs_bos_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs_bos_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the afs_bos port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_afs_bos_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs_bos_port'($*)) dnl
	gen_require(`
		type afs_bos_port_t;
	')
	allow $1 afs_bos_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs_bos_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the afs_bos port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_afs_bos_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_afs_bos_port'($*)) dnl
	gen_require(`
		type afs_bos_port_t;
	')
	dontaudit $1 afs_bos_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_afs_bos_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the afs_bos port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_afs_bos_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs_bos_port'($*)) dnl
	gen_require(`
		type afs_bos_port_t;
	')
	allow $1 afs_bos_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs_bos_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the afs_bos port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_afs_bos_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_afs_bos_port'($*)) dnl
	gen_require(`
		type afs_bos_port_t;
	')
	dontaudit $1 afs_bos_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_afs_bos_port'($*)) dnl
')

########################################
## <summary>
##	Send afs_bos_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_afs_bos_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_afs_bos_client_packets'($*)) dnl
	gen_require(`
		type afs_bos_client_packet_t;
	')
	allow $1 afs_bos_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_afs_bos_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send afs_bos_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_afs_bos_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_bos_client_packets'($*)) dnl
	gen_require(`
		type afs_bos_client_packet_t;
	')
	dontaudit $1 afs_bos_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_bos_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive afs_bos_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_afs_bos_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_bos_client_packets'($*)) dnl
	gen_require(`
		type afs_bos_client_packet_t;
	')
	allow $1 afs_bos_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_afs_bos_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive afs_bos_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_afs_bos_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_bos_client_packets'($*)) dnl
	gen_require(`
		type afs_bos_client_packet_t;
	')
	dontaudit $1 afs_bos_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_bos_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive afs_bos_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_afs_bos_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_bos_client_packets'($*)) dnl
	corenet_send_afs_bos_client_packets($1)
	corenet_receive_afs_bos_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_bos_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive afs_bos_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_afs_bos_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_bos_client_packets'($*)) dnl
	corenet_dontaudit_send_afs_bos_client_packets($1)
	corenet_dontaudit_receive_afs_bos_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_bos_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the afs_bos_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_afs_bos_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_bos_client_packets'($*)) dnl
	gen_require(`
		type afs_bos_client_packet_t;
	')
	allow $1 afs_bos_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_bos_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send afs_bos_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_afs_bos_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_afs_bos_server_packets'($*)) dnl
	gen_require(`
		type afs_bos_server_packet_t;
	')
	allow $1 afs_bos_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_afs_bos_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send afs_bos_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_afs_bos_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_bos_server_packets'($*)) dnl
	gen_require(`
		type afs_bos_server_packet_t;
	')
	dontaudit $1 afs_bos_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_bos_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive afs_bos_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_afs_bos_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_bos_server_packets'($*)) dnl
	gen_require(`
		type afs_bos_server_packet_t;
	')
	allow $1 afs_bos_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_afs_bos_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive afs_bos_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_afs_bos_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_bos_server_packets'($*)) dnl
	gen_require(`
		type afs_bos_server_packet_t;
	')
	dontaudit $1 afs_bos_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_bos_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive afs_bos_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_afs_bos_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_bos_server_packets'($*)) dnl
	corenet_send_afs_bos_server_packets($1)
	corenet_receive_afs_bos_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_bos_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive afs_bos_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_afs_bos_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_bos_server_packets'($*)) dnl
	corenet_dontaudit_send_afs_bos_server_packets($1)
	corenet_dontaudit_receive_afs_bos_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_bos_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the afs_bos_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_afs_bos_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_bos_server_packets'($*)) dnl
	gen_require(`
		type afs_bos_server_packet_t;
	')
	allow $1 afs_bos_server_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_bos_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the afs_fs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_afs_fs_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs_fs_port'($*)) dnl
	gen_require(`
		type afs_fs_port_t;
	')
	allow $1 afs_fs_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs_fs_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the afs_fs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_afs_fs_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs_fs_port'($*)) dnl
	gen_require(`
		type afs_fs_port_t;
	')
	allow $1 afs_fs_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs_fs_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the afs_fs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_afs_fs_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs_fs_port'($*)) dnl
	gen_require(`
		type afs_fs_port_t;
	')
	dontaudit $1 afs_fs_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs_fs_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the afs_fs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_afs_fs_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs_fs_port'($*)) dnl
	gen_require(`
		type afs_fs_port_t;
	')
	allow $1 afs_fs_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs_fs_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the afs_fs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_afs_fs_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs_fs_port'($*)) dnl
	gen_require(`
		type afs_fs_port_t;
	')
	dontaudit $1 afs_fs_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs_fs_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the afs_fs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_afs_fs_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs_fs_port'($*)) dnl
	corenet_udp_send_afs_fs_port($1)
	corenet_udp_receive_afs_fs_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs_fs_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the afs_fs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_afs_fs_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs_fs_port'($*)) dnl
	corenet_dontaudit_udp_send_afs_fs_port($1)
	corenet_dontaudit_udp_receive_afs_fs_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs_fs_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the afs_fs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_afs_fs_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs_fs_port'($*)) dnl
	gen_require(`
		type afs_fs_port_t;
	')
	allow $1 afs_fs_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs_fs_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the afs_fs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_afs_fs_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs_fs_port'($*)) dnl
	gen_require(`
		type afs_fs_port_t;
	')
	allow $1 afs_fs_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs_fs_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the afs_fs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_afs_fs_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_afs_fs_port'($*)) dnl
	gen_require(`
		type afs_fs_port_t;
	')
	dontaudit $1 afs_fs_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_afs_fs_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the afs_fs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_afs_fs_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs_fs_port'($*)) dnl
	gen_require(`
		type afs_fs_port_t;
	')
	allow $1 afs_fs_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs_fs_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the afs_fs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_afs_fs_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_afs_fs_port'($*)) dnl
	gen_require(`
		type afs_fs_port_t;
	')
	dontaudit $1 afs_fs_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_afs_fs_port'($*)) dnl
')

########################################
## <summary>
##	Send afs_fs_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_afs_fs_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_afs_fs_client_packets'($*)) dnl
	gen_require(`
		type afs_fs_client_packet_t;
	')
	allow $1 afs_fs_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_afs_fs_client_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send afs_fs_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_afs_fs_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_fs_client_packets'($*)) dnl
	gen_require(`
		type afs_fs_client_packet_t;
	')
	dontaudit $1 afs_fs_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_fs_client_packets'($*)) dnl
')
########################################
## <summary>
##	Receive afs_fs_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_afs_fs_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_fs_client_packets'($*)) dnl
	gen_require(`
		type afs_fs_client_packet_t;
	')
	allow $1 afs_fs_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_afs_fs_client_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to receive afs_fs_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_afs_fs_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_fs_client_packets'($*)) dnl
	gen_require(`
		type afs_fs_client_packet_t;
	')
	dontaudit $1 afs_fs_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_fs_client_packets'($*)) dnl
')
########################################
## <summary>
##	Send and receive afs_fs_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_afs_fs_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_fs_client_packets'($*)) dnl
	corenet_send_afs_fs_client_packets($1)
	corenet_receive_afs_fs_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_fs_client_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send and receive afs_fs_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_afs_fs_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_fs_client_packets'($*)) dnl
	corenet_dontaudit_send_afs_fs_client_packets($1)
	corenet_dontaudit_receive_afs_fs_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_fs_client_packets'($*)) dnl
')
########################################
## <summary>
##	Relabel packets to the afs_fs_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_afs_fs_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_fs_client_packets'($*)) dnl
	gen_require(`
		type afs_fs_client_packet_t;
	')
	allow $1 afs_fs_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_fs_client_packets'($*)) dnl
')
########################################
## <summary>
##	Send afs_fs_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_afs_fs_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_afs_fs_server_packets'($*)) dnl
	gen_require(`
		type afs_fs_server_packet_t;
	')
	allow $1 afs_fs_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_afs_fs_server_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send afs_fs_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_afs_fs_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_fs_server_packets'($*)) dnl
	gen_require(`
		type afs_fs_server_packet_t;
	')
	dontaudit $1 afs_fs_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_fs_server_packets'($*)) dnl
')
########################################
## <summary>
##	Receive afs_fs_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_afs_fs_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_fs_server_packets'($*)) dnl
	gen_require(`
		type afs_fs_server_packet_t;
	')
	allow $1 afs_fs_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_afs_fs_server_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to receive afs_fs_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_afs_fs_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_fs_server_packets'($*)) dnl
	gen_require(`
		type afs_fs_server_packet_t;
	')
	dontaudit $1 afs_fs_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_fs_server_packets'($*)) dnl
')
########################################
## <summary>
##	Send and receive afs_fs_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_afs_fs_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_fs_server_packets'($*)) dnl
	corenet_send_afs_fs_server_packets($1)
	corenet_receive_afs_fs_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_fs_server_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send and receive afs_fs_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_afs_fs_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_fs_server_packets'($*)) dnl
	corenet_dontaudit_send_afs_fs_server_packets($1)
	corenet_dontaudit_receive_afs_fs_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_fs_server_packets'($*)) dnl
')
########################################
## <summary>
##	Relabel packets to the afs_fs_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_afs_fs_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_fs_server_packets'($*)) dnl
	gen_require(`
		type afs_fs_server_packet_t;
	')
	allow $1 afs_fs_server_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_fs_server_packets'($*)) dnl
')
########################################
## <summary>
##	Send and receive TCP traffic on the afs_ka port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_afs_ka_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs_ka_port'($*)) dnl
	gen_require(`
		type afs_ka_port_t;
	')
	allow $1 afs_ka_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs_ka_port'($*)) dnl
')
########################################
## <summary>
##	Send UDP traffic on the afs_ka port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_afs_ka_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs_ka_port'($*)) dnl
	gen_require(`
		type afs_ka_port_t;
	')
	allow $1 afs_ka_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs_ka_port'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the afs_ka port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_afs_ka_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs_ka_port'($*)) dnl
	gen_require(`
		type afs_ka_port_t;
	')
	dontaudit $1 afs_ka_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs_ka_port'($*)) dnl
')
########################################
## <summary>
##	Receive UDP traffic on the afs_ka port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_afs_ka_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs_ka_port'($*)) dnl
	gen_require(`
		type afs_ka_port_t;
	')
	allow $1 afs_ka_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs_ka_port'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the afs_ka port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_afs_ka_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs_ka_port'($*)) dnl
	gen_require(`
		type afs_ka_port_t;
	')
	dontaudit $1 afs_ka_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs_ka_port'($*)) dnl
')
########################################
## <summary>
##	Send and receive UDP traffic on the afs_ka port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_afs_ka_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs_ka_port'($*)) dnl
	corenet_udp_send_afs_ka_port($1)
	corenet_udp_receive_afs_ka_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs_ka_port'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the afs_ka port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_afs_ka_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs_ka_port'($*)) dnl
	corenet_dontaudit_udp_send_afs_ka_port($1)
	corenet_dontaudit_udp_receive_afs_ka_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs_ka_port'($*)) dnl
')
########################################
## <summary>
##	Bind TCP sockets to the afs_ka port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_afs_ka_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs_ka_port'($*)) dnl
	gen_require(`
		type afs_ka_port_t;
	')
	allow $1 afs_ka_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs_ka_port'($*)) dnl
')
########################################
## <summary>
##	Bind UDP sockets to the afs_ka port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_afs_ka_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs_ka_port'($*)) dnl
	gen_require(`
		type afs_ka_port_t;
	')
	allow $1 afs_ka_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs_ka_port'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to bind to the afs_ka port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_afs_ka_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_afs_ka_port'($*)) dnl
	gen_require(`
		type afs_ka_port_t;
	')
	dontaudit $1 afs_ka_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_afs_ka_port'($*)) dnl
')
########################################
## <summary>
##	Make a TCP connection to the afs_ka port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_afs_ka_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs_ka_port'($*)) dnl
	gen_require(`
		type afs_ka_port_t;
	')
	allow $1 afs_ka_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs_ka_port'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the afs_ka port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_afs_ka_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_afs_ka_port'($*)) dnl
	gen_require(`
		type afs_ka_port_t;
	')
	dontaudit $1 afs_ka_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_afs_ka_port'($*)) dnl
')
########################################
## <summary>
##	Send afs_ka_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_afs_ka_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_afs_ka_client_packets'($*)) dnl
	gen_require(`
		type afs_ka_client_packet_t;
	')
	allow $1 afs_ka_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_afs_ka_client_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send afs_ka_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_afs_ka_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_ka_client_packets'($*)) dnl
	gen_require(`
		type afs_ka_client_packet_t;
	')
	dontaudit $1 afs_ka_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_ka_client_packets'($*)) dnl
')
########################################
## <summary>
##	Receive afs_ka_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_afs_ka_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_ka_client_packets'($*)) dnl
	gen_require(`
		type afs_ka_client_packet_t;
	')
	allow $1 afs_ka_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_afs_ka_client_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to receive afs_ka_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_afs_ka_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_ka_client_packets'($*)) dnl
	gen_require(`
		type afs_ka_client_packet_t;
	')
	dontaudit $1 afs_ka_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_ka_client_packets'($*)) dnl
')
########################################
## <summary>
##	Send and receive afs_ka_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_afs_ka_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_ka_client_packets'($*)) dnl
	corenet_send_afs_ka_client_packets($1)
	corenet_receive_afs_ka_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_ka_client_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send and receive afs_ka_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_afs_ka_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_ka_client_packets'($*)) dnl
	corenet_dontaudit_send_afs_ka_client_packets($1)
	corenet_dontaudit_receive_afs_ka_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_ka_client_packets'($*)) dnl
')
########################################
## <summary>
##	Relabel packets to the afs_ka_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_afs_ka_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_ka_client_packets'($*)) dnl
	gen_require(`
		type afs_ka_client_packet_t;
	')
	allow $1 afs_ka_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_ka_client_packets'($*)) dnl
')
########################################
## <summary>
##	Send afs_ka_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_afs_ka_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_afs_ka_server_packets'($*)) dnl
	gen_require(`
		type afs_ka_server_packet_t;
	')
	allow $1 afs_ka_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_afs_ka_server_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send afs_ka_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_afs_ka_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_ka_server_packets'($*)) dnl
	gen_require(`
		type afs_ka_server_packet_t;
	')
	dontaudit $1 afs_ka_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_ka_server_packets'($*)) dnl
')
########################################
## <summary>
##	Receive afs_ka_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_afs_ka_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_ka_server_packets'($*)) dnl
	gen_require(`
		type afs_ka_server_packet_t;
	')
	allow $1 afs_ka_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_afs_ka_server_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to receive afs_ka_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_afs_ka_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_ka_server_packets'($*)) dnl
	gen_require(`
		type afs_ka_server_packet_t;
	')
	dontaudit $1 afs_ka_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_ka_server_packets'($*)) dnl
')
########################################
## <summary>
##	Send and receive afs_ka_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_afs_ka_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_ka_server_packets'($*)) dnl
	corenet_send_afs_ka_server_packets($1)
	corenet_receive_afs_ka_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_ka_server_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send and receive afs_ka_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_afs_ka_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_ka_server_packets'($*)) dnl
	corenet_dontaudit_send_afs_ka_server_packets($1)
	corenet_dontaudit_receive_afs_ka_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_ka_server_packets'($*)) dnl
')
########################################
## <summary>
##	Relabel packets to the afs_ka_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_afs_ka_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_ka_server_packets'($*)) dnl
	gen_require(`
		type afs_ka_server_packet_t;
	')
	allow $1 afs_ka_server_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_ka_server_packets'($*)) dnl
')
########################################
## <summary>
##	Send and receive TCP traffic on the afs_pt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_afs_pt_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs_pt_port'($*)) dnl
	gen_require(`
		type afs_pt_port_t;
	')
	allow $1 afs_pt_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs_pt_port'($*)) dnl
')
########################################
## <summary>
##	Send UDP traffic on the afs_pt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_afs_pt_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs_pt_port'($*)) dnl
	gen_require(`
		type afs_pt_port_t;
	')
	allow $1 afs_pt_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs_pt_port'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the afs_pt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_afs_pt_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs_pt_port'($*)) dnl
	gen_require(`
		type afs_pt_port_t;
	')
	dontaudit $1 afs_pt_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs_pt_port'($*)) dnl
')
########################################
## <summary>
##	Receive UDP traffic on the afs_pt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_afs_pt_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs_pt_port'($*)) dnl
	gen_require(`
		type afs_pt_port_t;
	')
	allow $1 afs_pt_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs_pt_port'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the afs_pt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_afs_pt_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs_pt_port'($*)) dnl
	gen_require(`
		type afs_pt_port_t;
	')
	dontaudit $1 afs_pt_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs_pt_port'($*)) dnl
')
########################################
## <summary>
##	Send and receive UDP traffic on the afs_pt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_afs_pt_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs_pt_port'($*)) dnl
	corenet_udp_send_afs_pt_port($1)
	corenet_udp_receive_afs_pt_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs_pt_port'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the afs_pt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_afs_pt_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs_pt_port'($*)) dnl
	corenet_dontaudit_udp_send_afs_pt_port($1)
	corenet_dontaudit_udp_receive_afs_pt_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs_pt_port'($*)) dnl
')
########################################
## <summary>
##	Bind TCP sockets to the afs_pt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_afs_pt_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs_pt_port'($*)) dnl
	gen_require(`
		type afs_pt_port_t;
	')
	allow $1 afs_pt_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs_pt_port'($*)) dnl
')
########################################
## <summary>
##	Bind UDP sockets to the afs_pt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_afs_pt_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs_pt_port'($*)) dnl
	gen_require(`
		type afs_pt_port_t;
	')
	allow $1 afs_pt_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs_pt_port'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to bind to the afs_pt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_afs_pt_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_afs_pt_port'($*)) dnl
	gen_require(`
		type afs_pt_port_t;
	')
	dontaudit $1 afs_pt_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_afs_pt_port'($*)) dnl
')
########################################
## <summary>
##	Make a TCP connection to the afs_pt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_afs_pt_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs_pt_port'($*)) dnl
	gen_require(`
		type afs_pt_port_t;
	')
	allow $1 afs_pt_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs_pt_port'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the afs_pt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_afs_pt_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_afs_pt_port'($*)) dnl
	gen_require(`
		type afs_pt_port_t;
	')
	dontaudit $1 afs_pt_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_afs_pt_port'($*)) dnl
')
########################################
## <summary>
##	Send afs_pt_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_afs_pt_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_afs_pt_client_packets'($*)) dnl
	gen_require(`
		type afs_pt_client_packet_t;
	')
	allow $1 afs_pt_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_afs_pt_client_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send afs_pt_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_afs_pt_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_pt_client_packets'($*)) dnl
	gen_require(`
		type afs_pt_client_packet_t;
	')
	dontaudit $1 afs_pt_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_pt_client_packets'($*)) dnl
')
########################################
## <summary>
##	Receive afs_pt_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_afs_pt_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_pt_client_packets'($*)) dnl
	gen_require(`
		type afs_pt_client_packet_t;
	')
	allow $1 afs_pt_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_afs_pt_client_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to receive afs_pt_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_afs_pt_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_pt_client_packets'($*)) dnl
	gen_require(`
		type afs_pt_client_packet_t;
	')
	dontaudit $1 afs_pt_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_pt_client_packets'($*)) dnl
')
########################################
## <summary>
##	Send and receive afs_pt_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_afs_pt_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_pt_client_packets'($*)) dnl
	corenet_send_afs_pt_client_packets($1)
	corenet_receive_afs_pt_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_pt_client_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send and receive afs_pt_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_afs_pt_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_pt_client_packets'($*)) dnl
	corenet_dontaudit_send_afs_pt_client_packets($1)
	corenet_dontaudit_receive_afs_pt_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_pt_client_packets'($*)) dnl
')
########################################
## <summary>
##	Relabel packets to the afs_pt_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_afs_pt_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_pt_client_packets'($*)) dnl
	gen_require(`
		type afs_pt_client_packet_t;
	')
	allow $1 afs_pt_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_pt_client_packets'($*)) dnl
')
########################################
## <summary>
##	Send afs_pt_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_afs_pt_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_afs_pt_server_packets'($*)) dnl
	gen_require(`
		type afs_pt_server_packet_t;
	')
	allow $1 afs_pt_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_afs_pt_server_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send afs_pt_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## ## ## # define(`corenet_dontaudit_send_afs_pt_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_pt_server_packets'($*)) dnl gen_require(` type afs_pt_server_packet_t; ') dontaudit $1 afs_pt_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_pt_server_packets'($*)) dnl ') ######################################## ## ## Receive afs_pt_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_afs_pt_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_pt_server_packets'($*)) dnl gen_require(` type afs_pt_server_packet_t; ') allow $1 afs_pt_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_afs_pt_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive afs_pt_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_afs_pt_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_pt_server_packets'($*)) dnl gen_require(` type afs_pt_server_packet_t; ') dontaudit $1 afs_pt_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_pt_server_packets'($*)) dnl ') ######################################## ## ## Send and receive afs_pt_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_afs_pt_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_pt_server_packets'($*)) dnl corenet_send_afs_pt_server_packets($1) corenet_receive_afs_pt_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_pt_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive afs_pt_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_afs_pt_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_pt_server_packets'($*)) dnl corenet_dontaudit_send_afs_pt_server_packets($1) corenet_dontaudit_receive_afs_pt_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_pt_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the afs_pt_server packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_afs_pt_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_pt_server_packets'($*)) dnl gen_require(` type afs_pt_server_packet_t; ') allow $1 afs_pt_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_pt_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the afs_vl port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_sendrecv_afs_vl_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs_vl_port'($*)) dnl gen_require(` type afs_vl_port_t; ') allow $1 afs_vl_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs_vl_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the afs_vl port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_afs_vl_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs_vl_port'($*)) dnl gen_require(` type afs_vl_port_t; ') allow $1 afs_vl_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs_vl_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the afs_vl port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_afs_vl_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs_vl_port'($*)) dnl gen_require(` type afs_vl_port_t; ') dontaudit $1 afs_vl_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs_vl_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the afs_vl port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_receive_afs_vl_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs_vl_port'($*)) dnl gen_require(` type afs_vl_port_t; ') allow $1 afs_vl_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs_vl_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the afs_vl port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_afs_vl_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs_vl_port'($*)) dnl gen_require(` type afs_vl_port_t; ') dontaudit $1 afs_vl_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs_vl_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the afs_vl port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_afs_vl_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs_vl_port'($*)) dnl corenet_udp_send_afs_vl_port($1) corenet_udp_receive_afs_vl_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs_vl_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the afs_vl port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_sendrecv_afs_vl_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs_vl_port'($*)) dnl corenet_dontaudit_udp_send_afs_vl_port($1) corenet_dontaudit_udp_receive_afs_vl_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs_vl_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the afs_vl port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_afs_vl_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs_vl_port'($*)) dnl gen_require(` type afs_vl_port_t; ') allow $1 afs_vl_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs_vl_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the afs_vl port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_afs_vl_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs_vl_port'($*)) dnl gen_require(` type afs_vl_port_t; ') allow $1 afs_vl_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs_vl_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind to the afs_vl port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_bind_afs_vl_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_afs_vl_port'($*)) dnl gen_require(` type afs_vl_port_t; ') dontaudit $1 afs_vl_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_afs_vl_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the afs_vl port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_afs_vl_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs_vl_port'($*)) dnl gen_require(` type afs_vl_port_t; ') allow $1 afs_vl_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs_vl_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the afs_vl port. ## ## ## ## Domain to not audit. ## ## # define(`corenet_dontaudit_tcp_connect_afs_vl_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_afs_vl_port'($*)) dnl gen_require(` type afs_vl_port_t; ') dontaudit $1 afs_vl_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_afs_vl_port'($*)) dnl ') ######################################## ## ## Send afs_vl_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_afs_vl_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_afs_vl_client_packets'($*)) dnl gen_require(` type afs_vl_client_packet_t; ') allow $1 afs_vl_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_afs_vl_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send afs_vl_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_afs_vl_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_vl_client_packets'($*)) dnl gen_require(` type afs_vl_client_packet_t; ') dontaudit $1 afs_vl_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_vl_client_packets'($*)) dnl ') ######################################## ## ## Receive afs_vl_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_afs_vl_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_vl_client_packets'($*)) dnl gen_require(` type afs_vl_client_packet_t; ') allow $1 afs_vl_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_afs_vl_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive afs_vl_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_receive_afs_vl_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_vl_client_packets'($*)) dnl gen_require(` type afs_vl_client_packet_t; ') dontaudit $1 afs_vl_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_vl_client_packets'($*)) dnl ') ######################################## ## ## Send and receive afs_vl_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_afs_vl_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_vl_client_packets'($*)) dnl corenet_send_afs_vl_client_packets($1) corenet_receive_afs_vl_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_vl_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive afs_vl_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_afs_vl_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_vl_client_packets'($*)) dnl corenet_dontaudit_send_afs_vl_client_packets($1) corenet_dontaudit_receive_afs_vl_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_vl_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the afs_vl_client packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_afs_vl_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_vl_client_packets'($*)) dnl gen_require(` type afs_vl_client_packet_t; ') allow $1 afs_vl_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_vl_client_packets'($*)) dnl ') ######################################## ## ## Send afs_vl_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_afs_vl_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_afs_vl_server_packets'($*)) dnl gen_require(` type afs_vl_server_packet_t; ') allow $1 afs_vl_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_afs_vl_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send afs_vl_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_afs_vl_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs_vl_server_packets'($*)) dnl gen_require(` type afs_vl_server_packet_t; ') dontaudit $1 afs_vl_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs_vl_server_packets'($*)) dnl ') ######################################## ## ## Receive afs_vl_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_afs_vl_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_afs_vl_server_packets'($*)) dnl gen_require(` type afs_vl_server_packet_t; ') allow $1 afs_vl_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_afs_vl_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive afs_vl_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_afs_vl_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs_vl_server_packets'($*)) dnl gen_require(` type afs_vl_server_packet_t; ') dontaudit $1 afs_vl_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs_vl_server_packets'($*)) dnl ') ######################################## ## ## Send and receive afs_vl_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_afs_vl_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs_vl_server_packets'($*)) dnl corenet_send_afs_vl_server_packets($1) corenet_receive_afs_vl_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs_vl_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive afs_vl_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_afs_vl_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs_vl_server_packets'($*)) dnl corenet_dontaudit_send_afs_vl_server_packets($1) corenet_dontaudit_receive_afs_vl_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs_vl_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the afs_vl_server packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_afs_vl_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs_vl_server_packets'($*)) dnl gen_require(` type afs_vl_server_packet_t; ') allow $1 afs_vl_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs_vl_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the afs3_callback port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_afs3_callback_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_afs3_callback_port'($*)) dnl gen_require(` type afs3_callback_port_t; ') allow $1 afs3_callback_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_afs3_callback_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the afs3_callback port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_send_afs3_callback_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_afs3_callback_port'($*)) dnl gen_require(` type afs3_callback_port_t; ') allow $1 afs3_callback_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_afs3_callback_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the afs3_callback port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_afs3_callback_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_afs3_callback_port'($*)) dnl gen_require(` type afs3_callback_port_t; ') dontaudit $1 afs3_callback_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_afs3_callback_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the afs3_callback port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_afs3_callback_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_afs3_callback_port'($*)) dnl gen_require(` type afs3_callback_port_t; ') allow $1 afs3_callback_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_afs3_callback_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the afs3_callback port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_receive_afs3_callback_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_afs3_callback_port'($*)) dnl gen_require(` type afs3_callback_port_t; ') dontaudit $1 afs3_callback_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_afs3_callback_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the afs3_callback port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_afs3_callback_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_afs3_callback_port'($*)) dnl corenet_udp_send_afs3_callback_port($1) corenet_udp_receive_afs3_callback_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_afs3_callback_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the afs3_callback port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_afs3_callback_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_afs3_callback_port'($*)) dnl corenet_dontaudit_udp_send_afs3_callback_port($1) corenet_dontaudit_udp_receive_afs3_callback_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_afs3_callback_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the afs3_callback port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_bind_afs3_callback_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_afs3_callback_port'($*)) dnl gen_require(` type afs3_callback_port_t; ') allow $1 afs3_callback_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_afs3_callback_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the afs3_callback port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_afs3_callback_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_afs3_callback_port'($*)) dnl gen_require(` type afs3_callback_port_t; ') allow $1 afs3_callback_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_afs3_callback_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind to the afs3_callback port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_bind_afs3_callback_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_afs3_callback_port'($*)) dnl gen_require(` type afs3_callback_port_t; ') dontaudit $1 afs3_callback_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_afs3_callback_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the afs3_callback port. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_tcp_connect_afs3_callback_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_afs3_callback_port'($*)) dnl gen_require(` type afs3_callback_port_t; ') allow $1 afs3_callback_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_afs3_callback_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the afs3_callback port. ## ## ## ## Domain to not audit. ## ## # define(`corenet_dontaudit_tcp_connect_afs3_callback_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_afs3_callback_port'($*)) dnl gen_require(` type afs3_callback_port_t; ') dontaudit $1 afs3_callback_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_afs3_callback_port'($*)) dnl ') ######################################## ## ## Send afs3_callback_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_afs3_callback_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_afs3_callback_client_packets'($*)) dnl gen_require(` type afs3_callback_client_packet_t; ') allow $1 afs3_callback_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_afs3_callback_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send afs3_callback_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_afs3_callback_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs3_callback_client_packets'($*)) dnl gen_require(` type afs3_callback_client_packet_t; ') dontaudit $1 afs3_callback_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs3_callback_client_packets'($*)) dnl ') ######################################## ## ## Receive afs3_callback_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_afs3_callback_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_afs3_callback_client_packets'($*)) dnl gen_require(` type afs3_callback_client_packet_t; ') allow $1 afs3_callback_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_afs3_callback_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive afs3_callback_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_afs3_callback_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs3_callback_client_packets'($*)) dnl gen_require(` type afs3_callback_client_packet_t; ') dontaudit $1 afs3_callback_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs3_callback_client_packets'($*)) dnl ') ######################################## ## ## Send and receive afs3_callback_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_afs3_callback_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs3_callback_client_packets'($*)) dnl corenet_send_afs3_callback_client_packets($1) corenet_receive_afs3_callback_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs3_callback_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive afs3_callback_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_afs3_callback_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs3_callback_client_packets'($*)) dnl corenet_dontaudit_send_afs3_callback_client_packets($1) corenet_dontaudit_receive_afs3_callback_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs3_callback_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the afs3_callback_client packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_afs3_callback_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs3_callback_client_packets'($*)) dnl gen_require(` type afs3_callback_client_packet_t; ') allow $1 afs3_callback_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs3_callback_client_packets'($*)) dnl ') ######################################## ## ## Send afs3_callback_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_afs3_callback_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_afs3_callback_server_packets'($*)) dnl gen_require(` type afs3_callback_server_packet_t; ') allow $1 afs3_callback_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_afs3_callback_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send afs3_callback_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_afs3_callback_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_afs3_callback_server_packets'($*)) dnl gen_require(` type afs3_callback_server_packet_t; ') dontaudit $1 afs3_callback_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_afs3_callback_server_packets'($*)) dnl ') ######################################## ## ## Receive afs3_callback_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_afs3_callback_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_afs3_callback_server_packets'($*)) dnl gen_require(` type afs3_callback_server_packet_t; ') allow $1 afs3_callback_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_afs3_callback_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive afs3_callback_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_receive_afs3_callback_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_afs3_callback_server_packets'($*)) dnl gen_require(` type afs3_callback_server_packet_t; ') dontaudit $1 afs3_callback_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_afs3_callback_server_packets'($*)) dnl ') ######################################## ## ## Send and receive afs3_callback_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_afs3_callback_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_afs3_callback_server_packets'($*)) dnl corenet_send_afs3_callback_server_packets($1) corenet_receive_afs3_callback_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_afs3_callback_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive afs3_callback_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_afs3_callback_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_afs3_callback_server_packets'($*)) dnl corenet_dontaudit_send_afs3_callback_server_packets($1) corenet_dontaudit_receive_afs3_callback_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_afs3_callback_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the afs3_callback_server packet type. ## ## ## ## Domain allowed access. 
##
##
#
define(`corenet_relabelto_afs3_callback_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_afs3_callback_server_packets'($*)) dnl
	gen_require(`
		type afs3_callback_server_packet_t;
	')

	allow $1 afs3_callback_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_afs3_callback_server_packets'($*)) dnl
')

########################################
##
##	Send and receive TCP traffic on the agentx port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_agentx_port'($*)) dnl
	gen_require(`
		type agentx_port_t;
	')

	allow $1 agentx_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_agentx_port'($*)) dnl
')

########################################
##
##	Send UDP traffic on the agentx port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_send_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_agentx_port'($*)) dnl
	gen_require(`
		type agentx_port_t;
	')

	allow $1 agentx_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_agentx_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send UDP traffic on the agentx port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_agentx_port'($*)) dnl
	gen_require(`
		type agentx_port_t;
	')

	dontaudit $1 agentx_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_agentx_port'($*)) dnl
')

########################################
##
##	Receive UDP traffic on the agentx port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_agentx_port'($*)) dnl
	gen_require(`
		type agentx_port_t;
	')

	allow $1 agentx_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_agentx_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive UDP traffic on the agentx port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_agentx_port'($*)) dnl
	gen_require(`
		type agentx_port_t;
	')

	dontaudit $1 agentx_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_agentx_port'($*)) dnl
')

########################################
##
##	Send and receive UDP traffic on the agentx port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_agentx_port'($*)) dnl
	# convenience wrapper: both directions via the single-direction interfaces
	corenet_udp_send_agentx_port($1)
	corenet_udp_receive_agentx_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_agentx_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the agentx port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_agentx_port'($*)) dnl
	corenet_dontaudit_udp_send_agentx_port($1)
	corenet_dontaudit_udp_receive_agentx_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_agentx_port'($*)) dnl
')

########################################
##
##	Bind TCP sockets to the agentx port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_agentx_port'($*)) dnl
	gen_require(`
		type agentx_port_t;
	')

	allow $1 agentx_port_t:tcp_socket name_bind;
	# The capability is granted together with name_bind for this port (and
	# for the amanda port) but not for the amavisd_recv port; presumably the
	# agentx port number is in the privileged range - confirm against the
	# port declaration before relying on it.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_agentx_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the agentx port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_agentx_port'($*)) dnl
	gen_require(`
		type agentx_port_t;
	')

	allow $1 agentx_port_t:udp_socket name_bind;
	# capability granted alongside name_bind, as in the TCP bind interface
	# for this port; presumably the port is in the privileged range - confirm
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_agentx_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind UDP sockets to the agentx port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_agentx_port'($*)) dnl
	gen_require(`
		type agentx_port_t;
	')

	dontaudit $1 agentx_port_t:udp_socket name_bind;
	# NOTE(review): this is an allow rule inside a dontaudit interface. Every
	# caller that only wants the bind denial silenced is also granted the
	# net_bind_service capability, while the other dontaudit interfaces in
	# this file grant nothing. Consider dropping this rule; callers that
	# really bind should use corenet_udp_bind_agentx_port instead.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_agentx_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the agentx port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_agentx_port'($*)) dnl
	gen_require(`
		type agentx_port_t;
	')

	allow $1 agentx_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_agentx_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the agentx port.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_agentx_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_agentx_port'($*)) dnl
	gen_require(`
		type agentx_port_t;
	')

	dontaudit $1 agentx_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_agentx_port'($*)) dnl
')

########################################
##
##	Send agentx_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_agentx_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_agentx_client_packets'($*)) dnl
	gen_require(`
		type agentx_client_packet_t;
	')

	allow $1 agentx_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_agentx_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send agentx_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_agentx_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_agentx_client_packets'($*)) dnl
	gen_require(`
		type agentx_client_packet_t;
	')

	dontaudit $1 agentx_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_agentx_client_packets'($*)) dnl
')

########################################
##
##	Receive agentx_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_agentx_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_agentx_client_packets'($*)) dnl
	gen_require(`
		type agentx_client_packet_t;
	')

	allow $1 agentx_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_agentx_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive agentx_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_agentx_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_agentx_client_packets'($*)) dnl
	gen_require(`
		type agentx_client_packet_t;
	')

	dontaudit $1 agentx_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_agentx_client_packets'($*)) dnl
')

########################################
##
##	Send and receive agentx_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_agentx_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_agentx_client_packets'($*)) dnl
	# convenience wrapper: both directions via the single-direction interfaces
	corenet_send_agentx_client_packets($1)
	corenet_receive_agentx_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_agentx_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive agentx_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_agentx_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_agentx_client_packets'($*)) dnl
	corenet_dontaudit_send_agentx_client_packets($1)
	corenet_dontaudit_receive_agentx_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_agentx_client_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the agentx_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_agentx_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_agentx_client_packets'($*)) dnl
	gen_require(`
		type agentx_client_packet_t;
	')

	allow $1 agentx_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_agentx_client_packets'($*)) dnl
')

########################################
##
##	Send agentx_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_agentx_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_agentx_server_packets'($*)) dnl
	gen_require(`
		type agentx_server_packet_t;
	')

	allow $1 agentx_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_agentx_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send agentx_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_agentx_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_agentx_server_packets'($*)) dnl
	gen_require(`
		type agentx_server_packet_t;
	')

	dontaudit $1 agentx_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_agentx_server_packets'($*)) dnl
')

########################################
##
##	Receive agentx_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_agentx_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_agentx_server_packets'($*)) dnl
	gen_require(`
		type agentx_server_packet_t;
	')

	allow $1 agentx_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_agentx_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive agentx_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_agentx_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_agentx_server_packets'($*)) dnl
	gen_require(`
		type agentx_server_packet_t;
	')

	dontaudit $1 agentx_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_agentx_server_packets'($*)) dnl
')

########################################
##
##	Send and receive agentx_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_agentx_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_agentx_server_packets'($*)) dnl
	# convenience wrapper: both directions via the single-direction interfaces
	corenet_send_agentx_server_packets($1)
	corenet_receive_agentx_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_agentx_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive agentx_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_agentx_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_agentx_server_packets'($*)) dnl
	corenet_dontaudit_send_agentx_server_packets($1)
	corenet_dontaudit_receive_agentx_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_agentx_server_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the agentx_server packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_agentx_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_agentx_server_packets'($*)) dnl
	gen_require(`
		type agentx_server_packet_t;
	')

	allow $1 agentx_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_agentx_server_packets'($*)) dnl
')

########################################
##
##	Send and receive TCP traffic on the amanda port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_amanda_port'($*)) dnl
	gen_require(`
		type amanda_port_t;
	')

	allow $1 amanda_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_amanda_port'($*)) dnl
')

########################################
##
##	Send UDP traffic on the amanda port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_send_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_amanda_port'($*)) dnl
	gen_require(`
		type amanda_port_t;
	')

	allow $1 amanda_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_amanda_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send UDP traffic on the amanda port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_amanda_port'($*)) dnl
	gen_require(`
		type amanda_port_t;
	')

	dontaudit $1 amanda_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_amanda_port'($*)) dnl
')

########################################
##
##	Receive UDP traffic on the amanda port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_amanda_port'($*)) dnl
	gen_require(`
		type amanda_port_t;
	')

	allow $1 amanda_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_amanda_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive UDP traffic on the amanda port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_amanda_port'($*)) dnl
	gen_require(`
		type amanda_port_t;
	')

	dontaudit $1 amanda_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_amanda_port'($*)) dnl
')

########################################
##
##	Send and receive UDP traffic on the amanda port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_amanda_port'($*)) dnl
	# convenience wrapper: both directions via the single-direction interfaces
	corenet_udp_send_amanda_port($1)
	corenet_udp_receive_amanda_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_amanda_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the amanda port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_amanda_port'($*)) dnl
	corenet_dontaudit_udp_send_amanda_port($1)
	corenet_dontaudit_udp_receive_amanda_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_amanda_port'($*)) dnl
')

########################################
##
##	Bind TCP sockets to the amanda port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_amanda_port'($*)) dnl
	gen_require(`
		type amanda_port_t;
	')

	allow $1 amanda_port_t:tcp_socket name_bind;
	# The capability is granted together with name_bind for this port (and
	# for the agentx port) but not for the amavisd_recv port; presumably the
	# amanda port number is in the privileged range - confirm against the
	# port declaration before relying on it.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_amanda_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the amanda port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_amanda_port'($*)) dnl
	gen_require(`
		type amanda_port_t;
	')

	allow $1 amanda_port_t:udp_socket name_bind;
	# capability granted alongside name_bind, as in the TCP bind interface
	# for this port; presumably the port is in the privileged range - confirm
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_amanda_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind UDP sockets to the amanda port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_amanda_port'($*)) dnl
	gen_require(`
		type amanda_port_t;
	')

	dontaudit $1 amanda_port_t:udp_socket name_bind;
	# NOTE(review): this is an allow rule inside a dontaudit interface. Every
	# caller that only wants the bind denial silenced is also granted the
	# net_bind_service capability, while the other dontaudit interfaces in
	# this file grant nothing. Consider dropping this rule; callers that
	# really bind should use corenet_udp_bind_amanda_port instead.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_amanda_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the amanda port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_amanda_port'($*)) dnl
	gen_require(`
		type amanda_port_t;
	')

	allow $1 amanda_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_amanda_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the amanda port.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_amanda_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_amanda_port'($*)) dnl
	gen_require(`
		type amanda_port_t;
	')

	dontaudit $1 amanda_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_amanda_port'($*)) dnl
')

########################################
##
##	Send amanda_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_amanda_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amanda_client_packets'($*)) dnl
	gen_require(`
		type amanda_client_packet_t;
	')

	allow $1 amanda_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amanda_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send amanda_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_amanda_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amanda_client_packets'($*)) dnl
	gen_require(`
		type amanda_client_packet_t;
	')

	dontaudit $1 amanda_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amanda_client_packets'($*)) dnl
')

########################################
##
##	Receive amanda_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_amanda_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amanda_client_packets'($*)) dnl
	gen_require(`
		type amanda_client_packet_t;
	')

	allow $1 amanda_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amanda_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive amanda_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_amanda_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amanda_client_packets'($*)) dnl
	gen_require(`
		type amanda_client_packet_t;
	')

	dontaudit $1 amanda_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amanda_client_packets'($*)) dnl
')

########################################
##
##	Send and receive amanda_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_amanda_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amanda_client_packets'($*)) dnl
	# convenience wrapper: both directions via the single-direction interfaces
	corenet_send_amanda_client_packets($1)
	corenet_receive_amanda_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amanda_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive amanda_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_amanda_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amanda_client_packets'($*)) dnl
	corenet_dontaudit_send_amanda_client_packets($1)
	corenet_dontaudit_receive_amanda_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amanda_client_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the amanda_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_amanda_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amanda_client_packets'($*)) dnl
	gen_require(`
		type amanda_client_packet_t;
	')

	allow $1 amanda_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amanda_client_packets'($*)) dnl
')

########################################
##
##	Send amanda_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_amanda_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amanda_server_packets'($*)) dnl
	gen_require(`
		type amanda_server_packet_t;
	')

	allow $1 amanda_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amanda_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send amanda_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_amanda_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amanda_server_packets'($*)) dnl
	gen_require(`
		type amanda_server_packet_t;
	')

	dontaudit $1 amanda_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amanda_server_packets'($*)) dnl
')

########################################
##
##	Receive amanda_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_amanda_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amanda_server_packets'($*)) dnl
	gen_require(`
		type amanda_server_packet_t;
	')

	allow $1 amanda_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amanda_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive amanda_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_amanda_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amanda_server_packets'($*)) dnl
	gen_require(`
		type amanda_server_packet_t;
	')

	dontaudit $1 amanda_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amanda_server_packets'($*)) dnl
')

########################################
##
##	Send and receive amanda_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_amanda_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amanda_server_packets'($*)) dnl
	# convenience wrapper: both directions via the single-direction interfaces
	corenet_send_amanda_server_packets($1)
	corenet_receive_amanda_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amanda_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive amanda_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_amanda_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amanda_server_packets'($*)) dnl
	corenet_dontaudit_send_amanda_server_packets($1)
	corenet_dontaudit_receive_amanda_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amanda_server_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the amanda_server packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_amanda_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amanda_server_packets'($*)) dnl
	gen_require(`
		type amanda_server_packet_t;
	')

	allow $1 amanda_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amanda_server_packets'($*)) dnl
')

########################################
##
##	Send and receive TCP traffic on the amavisd_recv port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_amavisd_recv_port'($*)) dnl
	gen_require(`
		type amavisd_recv_port_t;
	')

	allow $1 amavisd_recv_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_amavisd_recv_port'($*)) dnl
')

########################################
##
##	Send UDP traffic on the amavisd_recv port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_send_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_amavisd_recv_port'($*)) dnl
	gen_require(`
		type amavisd_recv_port_t;
	')

	allow $1 amavisd_recv_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_amavisd_recv_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send UDP traffic on the amavisd_recv port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_amavisd_recv_port'($*)) dnl
	gen_require(`
		type amavisd_recv_port_t;
	')

	dontaudit $1 amavisd_recv_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_amavisd_recv_port'($*)) dnl
')

########################################
##
##	Receive UDP traffic on the amavisd_recv port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_amavisd_recv_port'($*)) dnl
	gen_require(`
		type amavisd_recv_port_t;
	')

	allow $1 amavisd_recv_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_amavisd_recv_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive UDP traffic on the amavisd_recv port.
##
##
##
##	Domain to not audit.
## </summary>
## </param>
#
# The pushdef/popdef of policy_call_depth and the begin/end policy_m4_comment()
# calls are bookkeeping around every interface body; the policy rules are the
# lines between them.
define(`corenet_dontaudit_udp_receive_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_amavisd_recv_port'($*)) dnl
	gen_require(`
		type amavisd_recv_port_t;
	')

	dontaudit $1 amavisd_recv_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_amavisd_recv_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the amavisd_recv port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_amavisd_recv_port'($*)) dnl
	corenet_udp_send_amavisd_recv_port($1)
	corenet_udp_receive_amavisd_recv_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_amavisd_recv_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the amavisd_recv port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_amavisd_recv_port'($*)) dnl
	corenet_dontaudit_udp_send_amavisd_recv_port($1)
	corenet_dontaudit_udp_receive_amavisd_recv_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_amavisd_recv_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the amavisd_recv port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# The pushdef/popdef of policy_call_depth and the begin/end policy_m4_comment()
# calls are bookkeeping around every interface body; the policy rules are the
# lines between them.
define(`corenet_tcp_bind_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_amavisd_recv_port'($*)) dnl
	gen_require(`
		type amavisd_recv_port_t;
	')

	allow $1 amavisd_recv_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_amavisd_recv_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the amavisd_recv port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_amavisd_recv_port'($*)) dnl
	gen_require(`
		type amavisd_recv_port_t;
	')

	allow $1 amavisd_recv_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_amavisd_recv_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the amavisd_recv port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_amavisd_recv_port'($*)) dnl
	gen_require(`
		type amavisd_recv_port_t;
	')

	dontaudit $1 amavisd_recv_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_amavisd_recv_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the amavisd_recv port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# The pushdef/popdef of policy_call_depth and the begin/end policy_m4_comment()
# calls are bookkeeping around every interface body; the policy rules are the
# lines between them.
define(`corenet_tcp_connect_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_amavisd_recv_port'($*)) dnl
	gen_require(`
		type amavisd_recv_port_t;
	')

	allow $1 amavisd_recv_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_amavisd_recv_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the amavisd_recv port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_amavisd_recv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_amavisd_recv_port'($*)) dnl
	gen_require(`
		type amavisd_recv_port_t;
	')

	dontaudit $1 amavisd_recv_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_amavisd_recv_port'($*)) dnl
')

########################################
## <summary>
##	Send amavisd_recv_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_amavisd_recv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amavisd_recv_client_packets'($*)) dnl
	gen_require(`
		type amavisd_recv_client_packet_t;
	')

	allow $1 amavisd_recv_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amavisd_recv_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send amavisd_recv_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
# The pushdef/popdef of policy_call_depth and the begin/end policy_m4_comment()
# calls are bookkeeping around every interface body; the policy rules are the
# lines between them.
define(`corenet_dontaudit_send_amavisd_recv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amavisd_recv_client_packets'($*)) dnl
	gen_require(`
		type amavisd_recv_client_packet_t;
	')

	dontaudit $1 amavisd_recv_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amavisd_recv_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive amavisd_recv_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_amavisd_recv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amavisd_recv_client_packets'($*)) dnl
	gen_require(`
		type amavisd_recv_client_packet_t;
	')

	allow $1 amavisd_recv_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amavisd_recv_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive amavisd_recv_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_amavisd_recv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amavisd_recv_client_packets'($*)) dnl
	gen_require(`
		type amavisd_recv_client_packet_t;
	')

	dontaudit $1 amavisd_recv_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amavisd_recv_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive amavisd_recv_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# The pushdef/popdef of policy_call_depth and the begin/end policy_m4_comment()
# calls are bookkeeping around every interface body; the policy rules are the
# lines between them.
define(`corenet_sendrecv_amavisd_recv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amavisd_recv_client_packets'($*)) dnl
	corenet_send_amavisd_recv_client_packets($1)
	corenet_receive_amavisd_recv_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amavisd_recv_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive amavisd_recv_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_amavisd_recv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amavisd_recv_client_packets'($*)) dnl
	corenet_dontaudit_send_amavisd_recv_client_packets($1)
	corenet_dontaudit_receive_amavisd_recv_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amavisd_recv_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the amavisd_recv_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_amavisd_recv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amavisd_recv_client_packets'($*)) dnl
	gen_require(`
		type amavisd_recv_client_packet_t;
	')

	allow $1 amavisd_recv_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amavisd_recv_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send amavisd_recv_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# The pushdef/popdef of policy_call_depth and the begin/end policy_m4_comment()
# calls are bookkeeping around every interface body; the policy rules are the
# lines between them.
define(`corenet_send_amavisd_recv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amavisd_recv_server_packets'($*)) dnl
	gen_require(`
		type amavisd_recv_server_packet_t;
	')

	allow $1 amavisd_recv_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amavisd_recv_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send amavisd_recv_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_amavisd_recv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amavisd_recv_server_packets'($*)) dnl
	gen_require(`
		type amavisd_recv_server_packet_t;
	')

	dontaudit $1 amavisd_recv_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amavisd_recv_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive amavisd_recv_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_amavisd_recv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amavisd_recv_server_packets'($*)) dnl
	gen_require(`
		type amavisd_recv_server_packet_t;
	')

	allow $1 amavisd_recv_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amavisd_recv_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive amavisd_recv_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
# The pushdef/popdef of policy_call_depth and the begin/end policy_m4_comment()
# calls are bookkeeping around every interface body; the policy rules are the
# lines between them.
define(`corenet_dontaudit_receive_amavisd_recv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amavisd_recv_server_packets'($*)) dnl
	gen_require(`
		type amavisd_recv_server_packet_t;
	')

	dontaudit $1 amavisd_recv_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amavisd_recv_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive amavisd_recv_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_amavisd_recv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amavisd_recv_server_packets'($*)) dnl
	corenet_send_amavisd_recv_server_packets($1)
	corenet_receive_amavisd_recv_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amavisd_recv_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive amavisd_recv_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_amavisd_recv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amavisd_recv_server_packets'($*)) dnl
	corenet_dontaudit_send_amavisd_recv_server_packets($1)
	corenet_dontaudit_receive_amavisd_recv_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amavisd_recv_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the amavisd_recv_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# The pushdef/popdef of policy_call_depth and the begin/end policy_m4_comment()
# calls are bookkeeping around every interface body; the policy rules are the
# lines between them.
define(`corenet_relabelto_amavisd_recv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amavisd_recv_server_packets'($*)) dnl
	gen_require(`
		type amavisd_recv_server_packet_t;
	')

	allow $1 amavisd_recv_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amavisd_recv_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the amavisd_send port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_amavisd_send_port'($*)) dnl
	gen_require(`
		type amavisd_send_port_t;
	')

	allow $1 amavisd_send_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_amavisd_send_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the amavisd_send port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_amavisd_send_port'($*)) dnl
	gen_require(`
		type amavisd_send_port_t;
	')

	allow $1 amavisd_send_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_amavisd_send_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the amavisd_send port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
# The pushdef/popdef of policy_call_depth and the begin/end policy_m4_comment()
# calls are bookkeeping around every interface body; the policy rules are the
# lines between them.
define(`corenet_dontaudit_udp_send_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_amavisd_send_port'($*)) dnl
	gen_require(`
		type amavisd_send_port_t;
	')

	dontaudit $1 amavisd_send_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_amavisd_send_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the amavisd_send port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_amavisd_send_port'($*)) dnl
	gen_require(`
		type amavisd_send_port_t;
	')

	allow $1 amavisd_send_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_amavisd_send_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the amavisd_send port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_amavisd_send_port'($*)) dnl
	gen_require(`
		type amavisd_send_port_t;
	')

	dontaudit $1 amavisd_send_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_amavisd_send_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the amavisd_send port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# The pushdef/popdef of policy_call_depth and the begin/end policy_m4_comment()
# calls are bookkeeping around every interface body; the policy rules are the
# lines between them.
define(`corenet_udp_sendrecv_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_amavisd_send_port'($*)) dnl
	corenet_udp_send_amavisd_send_port($1)
	corenet_udp_receive_amavisd_send_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_amavisd_send_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the amavisd_send port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_amavisd_send_port'($*)) dnl
	corenet_dontaudit_udp_send_amavisd_send_port($1)
	corenet_dontaudit_udp_receive_amavisd_send_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_amavisd_send_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the amavisd_send port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_amavisd_send_port'($*)) dnl
	gen_require(`
		type amavisd_send_port_t;
	')

	allow $1 amavisd_send_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_amavisd_send_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the amavisd_send port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# The pushdef/popdef of policy_call_depth and the begin/end policy_m4_comment()
# calls are bookkeeping around every interface body; the policy rules are the
# lines between them.
define(`corenet_udp_bind_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_amavisd_send_port'($*)) dnl
	gen_require(`
		type amavisd_send_port_t;
	')

	allow $1 amavisd_send_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_amavisd_send_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the amavisd_send port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_amavisd_send_port'($*)) dnl
	gen_require(`
		type amavisd_send_port_t;
	')

	dontaudit $1 amavisd_send_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_amavisd_send_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the amavisd_send port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_amavisd_send_port'($*)) dnl
	gen_require(`
		type amavisd_send_port_t;
	')

	allow $1 amavisd_send_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_amavisd_send_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the amavisd_send port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
# The pushdef/popdef of policy_call_depth and the begin/end policy_m4_comment()
# calls are bookkeeping around every interface body; the policy rules are the
# lines between them.
define(`corenet_dontaudit_tcp_connect_amavisd_send_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_amavisd_send_port'($*)) dnl
	gen_require(`
		type amavisd_send_port_t;
	')

	dontaudit $1 amavisd_send_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_amavisd_send_port'($*)) dnl
')

########################################
## <summary>
##	Send amavisd_send_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_amavisd_send_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amavisd_send_client_packets'($*)) dnl
	gen_require(`
		type amavisd_send_client_packet_t;
	')

	allow $1 amavisd_send_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amavisd_send_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send amavisd_send_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_amavisd_send_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amavisd_send_client_packets'($*)) dnl
	gen_require(`
		type amavisd_send_client_packet_t;
	')

	dontaudit $1 amavisd_send_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amavisd_send_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive amavisd_send_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# The pushdef/popdef of policy_call_depth and the begin/end policy_m4_comment()
# calls are bookkeeping around every interface body; the policy rules are the
# lines between them.
define(`corenet_receive_amavisd_send_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amavisd_send_client_packets'($*)) dnl
	gen_require(`
		type amavisd_send_client_packet_t;
	')

	allow $1 amavisd_send_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amavisd_send_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive amavisd_send_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_amavisd_send_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amavisd_send_client_packets'($*)) dnl
	gen_require(`
		type amavisd_send_client_packet_t;
	')

	dontaudit $1 amavisd_send_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amavisd_send_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive amavisd_send_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_amavisd_send_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amavisd_send_client_packets'($*)) dnl
	corenet_send_amavisd_send_client_packets($1)
	corenet_receive_amavisd_send_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amavisd_send_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive amavisd_send_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
# The pushdef/popdef of policy_call_depth and the begin/end policy_m4_comment()
# calls are bookkeeping around every interface body; the policy rules are the
# lines between them.
define(`corenet_dontaudit_sendrecv_amavisd_send_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amavisd_send_client_packets'($*)) dnl
	corenet_dontaudit_send_amavisd_send_client_packets($1)
	corenet_dontaudit_receive_amavisd_send_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amavisd_send_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the amavisd_send_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_amavisd_send_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amavisd_send_client_packets'($*)) dnl
	gen_require(`
		type amavisd_send_client_packet_t;
	')

	allow $1 amavisd_send_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amavisd_send_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send amavisd_send_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_amavisd_send_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amavisd_send_server_packets'($*)) dnl
	gen_require(`
		type amavisd_send_server_packet_t;
	')

	allow $1 amavisd_send_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amavisd_send_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send amavisd_send_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
# The pushdef/popdef of policy_call_depth and the begin/end policy_m4_comment()
# calls are bookkeeping around every interface body; the policy rules are the
# lines between them.
define(`corenet_dontaudit_send_amavisd_send_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amavisd_send_server_packets'($*)) dnl
	gen_require(`
		type amavisd_send_server_packet_t;
	')

	dontaudit $1 amavisd_send_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amavisd_send_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive amavisd_send_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_amavisd_send_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amavisd_send_server_packets'($*)) dnl
	gen_require(`
		type amavisd_send_server_packet_t;
	')

	allow $1 amavisd_send_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amavisd_send_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive amavisd_send_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_amavisd_send_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amavisd_send_server_packets'($*)) dnl
	gen_require(`
		type amavisd_send_server_packet_t;
	')

	dontaudit $1 amavisd_send_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amavisd_send_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive amavisd_send_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# The pushdef/popdef of policy_call_depth and the begin/end policy_m4_comment()
# calls are bookkeeping around every interface body; the policy rules are the
# lines between them.
define(`corenet_sendrecv_amavisd_send_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amavisd_send_server_packets'($*)) dnl
	corenet_send_amavisd_send_server_packets($1)
	corenet_receive_amavisd_send_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amavisd_send_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive amavisd_send_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_amavisd_send_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amavisd_send_server_packets'($*)) dnl
	corenet_dontaudit_send_amavisd_send_server_packets($1)
	corenet_dontaudit_receive_amavisd_send_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amavisd_send_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the amavisd_send_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_amavisd_send_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amavisd_send_server_packets'($*)) dnl
	gen_require(`
		type amavisd_send_server_packet_t;
	')

	allow $1 amavisd_send_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amavisd_send_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the amqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# The pushdef/popdef of policy_call_depth and the begin/end policy_m4_comment()
# calls are bookkeeping around every interface body; the policy rules are the
# lines between them.
define(`corenet_tcp_sendrecv_amqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_amqp_port'($*)) dnl
	gen_require(`
		type amqp_port_t;
	')

	allow $1 amqp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_amqp_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the amqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_amqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_amqp_port'($*)) dnl
	gen_require(`
		type amqp_port_t;
	')

	allow $1 amqp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_amqp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the amqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_amqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_amqp_port'($*)) dnl
	gen_require(`
		type amqp_port_t;
	')

	dontaudit $1 amqp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_amqp_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the amqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# The pushdef/popdef of policy_call_depth and the begin/end policy_m4_comment()
# calls are bookkeeping around every interface body; the policy rules are the
# lines between them.
define(`corenet_udp_receive_amqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_amqp_port'($*)) dnl
	gen_require(`
		type amqp_port_t;
	')

	allow $1 amqp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_amqp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the amqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_amqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_amqp_port'($*)) dnl
	gen_require(`
		type amqp_port_t;
	')

	dontaudit $1 amqp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_amqp_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the amqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_amqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_amqp_port'($*)) dnl
	corenet_udp_send_amqp_port($1)
	corenet_udp_receive_amqp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_amqp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the amqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
# The pushdef/popdef of policy_call_depth and the begin/end policy_m4_comment()
# calls are bookkeeping around every interface body; the policy rules are the
# lines between them.
define(`corenet_dontaudit_udp_sendrecv_amqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_amqp_port'($*)) dnl
	corenet_dontaudit_udp_send_amqp_port($1)
	corenet_dontaudit_udp_receive_amqp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_amqp_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the amqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_amqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_amqp_port'($*)) dnl
	gen_require(`
		type amqp_port_t;
	')

	allow $1 amqp_port_t:tcp_socket name_bind;
	# NOTE(review): unlike the amavisd_* bind interfaces above, this one also
	# grants the net_bind_service capability, which the kernel only requires
	# for binding port numbers below 1024 — confirm the amqp port declaration
	# actually needs it; otherwise it widens every caller's capability set.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_amqp_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the amqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_amqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_amqp_port'($*)) dnl
	gen_require(`
		type amqp_port_t;
	')

	allow $1 amqp_port_t:udp_socket name_bind;
	# NOTE(review): same capability grant as the TCP variant — verify it is
	# needed for the declared port number.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_amqp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the amqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
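## </summary>
## </param>
##
#
define(`corenet_dontaudit_udp_bind_amqp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_amqp_port'($*))dnl
	gen_require(`
		type amqp_port_t;
	')

	# This is an audit-suppression interface: it must not grant any
	# access.  The net_bind_service capability is deliberately NOT
	# allowed here; domains that really need to bind the port must
	# use corenet_udp_bind_amqp_port() instead.
	dontaudit $1 amqp_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_amqp_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the amqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_amqp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_amqp_port'($*))dnl
	gen_require(`
		type amqp_port_t;
	')

	allow $1 amqp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_amqp_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the amqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_amqp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_amqp_port'($*))dnl
	gen_require(`
		type amqp_port_t;
	')

	# audit suppression only: no access is granted here
	dontaudit $1 amqp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_amqp_port'($*))dnl
')

########################################
## <summary>
##	Send amqp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.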
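## </summary>
## </param>
##
#
define(`corenet_send_amqp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amqp_client_packets'($*))dnl
	gen_require(`
		type amqp_client_packet_t;
	')

	allow $1 amqp_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amqp_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send amqp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_amqp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amqp_client_packets'($*))dnl
	gen_require(`
		type amqp_client_packet_t;
	')

	# audit suppression only: no access is granted here
	dontaudit $1 amqp_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amqp_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive amqp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_amqp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amqp_client_packets'($*))dnl
	gen_require(`
		type amqp_client_packet_t;
	')

	allow $1 amqp_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amqp_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive amqp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.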
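## </summary>
## </param>
##
#
define(`corenet_dontaudit_receive_amqp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amqp_client_packets'($*))dnl
	gen_require(`
		type amqp_client_packet_t;
	')

	# audit suppression only: no access is granted here
	dontaudit $1 amqp_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amqp_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive amqp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_amqp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amqp_client_packets'($*))dnl
	corenet_send_amqp_client_packets($1)
	corenet_receive_amqp_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amqp_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive amqp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_amqp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amqp_client_packets'($*))dnl
	corenet_dontaudit_send_amqp_client_packets($1)
	corenet_dontaudit_receive_amqp_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amqp_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the amqp_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.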
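## </summary>
## </param>
#
define(`corenet_relabelto_amqp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amqp_client_packets'($*))dnl
	gen_require(`
		type amqp_client_packet_t;
	')

	allow $1 amqp_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amqp_client_packets'($*))dnl
')

########################################
## <summary>
##	Send amqp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_amqp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_amqp_server_packets'($*))dnl
	gen_require(`
		type amqp_server_packet_t;
	')

	allow $1 amqp_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_amqp_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send amqp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_amqp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_amqp_server_packets'($*))dnl
	gen_require(`
		type amqp_server_packet_t;
	')

	# audit suppression only: no access is granted here
	dontaudit $1 amqp_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_amqp_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive amqp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.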
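## </summary>
## </param>
##
#
define(`corenet_receive_amqp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_amqp_server_packets'($*))dnl
	gen_require(`
		type amqp_server_packet_t;
	')

	allow $1 amqp_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_amqp_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive amqp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_amqp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_amqp_server_packets'($*))dnl
	gen_require(`
		type amqp_server_packet_t;
	')

	# audit suppression only: no access is granted here
	dontaudit $1 amqp_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_amqp_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive amqp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_amqp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_amqp_server_packets'($*))dnl
	corenet_send_amqp_server_packets($1)
	corenet_receive_amqp_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_amqp_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive amqp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.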
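## </summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_amqp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_amqp_server_packets'($*))dnl
	corenet_dontaudit_send_amqp_server_packets($1)
	corenet_dontaudit_receive_amqp_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_amqp_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the amqp_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_amqp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_amqp_server_packets'($*))dnl
	gen_require(`
		type amqp_server_packet_t;
	')

	allow $1 amqp_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_amqp_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the aol port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_aol_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_aol_port'($*))dnl
	gen_require(`
		type aol_port_t;
	')

	allow $1 aol_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_aol_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the aol port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.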
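## </summary>
## </param>
##
#
define(`corenet_udp_send_aol_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_aol_port'($*))dnl
	gen_require(`
		type aol_port_t;
	')

	allow $1 aol_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_aol_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the aol port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_send_aol_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_aol_port'($*))dnl
	gen_require(`
		type aol_port_t;
	')

	# audit suppression only: no access is granted here
	dontaudit $1 aol_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_aol_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the aol port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_aol_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_aol_port'($*))dnl
	gen_require(`
		type aol_port_t;
	')

	allow $1 aol_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_aol_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the aol port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.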
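## </summary>
## </param>
##
#
define(`corenet_dontaudit_udp_receive_aol_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_aol_port'($*))dnl
	gen_require(`
		type aol_port_t;
	')

	# audit suppression only: no access is granted here
	dontaudit $1 aol_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_aol_port'($*))dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the aol port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_sendrecv_aol_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_aol_port'($*))dnl
	corenet_udp_send_aol_port($1)
	corenet_udp_receive_aol_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_aol_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the aol port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_sendrecv_aol_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_aol_port'($*))dnl
	corenet_dontaudit_udp_send_aol_port($1)
	corenet_dontaudit_udp_receive_aol_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_aol_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the aol port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.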
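## </summary>
## </param>
##
#
define(`corenet_tcp_bind_aol_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_aol_port'($*))dnl
	gen_require(`
		type aol_port_t;
	')

	allow $1 aol_port_t:tcp_socket name_bind;
	# CAP_NET_BIND_SERVICE is needed to bind a privileged port
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_aol_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the aol port.
## </summary>
## <desc>
##	<p>
##	Besides the name_bind permission this also grants the
##	net_bind_service capability, which the kernel requires for
##	binding a privileged (below 1024) port.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_bind_aol_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_aol_port'($*))dnl
	gen_require(`
		type aol_port_t;
	')

	allow $1 aol_port_t:udp_socket name_bind;
	# CAP_NET_BIND_SERVICE is needed to bind a privileged port
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_aol_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the aol port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_bind_aol_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_aol_port'($*))dnl
	gen_require(`
		type aol_port_t;
	')

	# This is an audit-suppression interface: it must not grant any
	# access.  The net_bind_service capability is deliberately NOT
	# allowed here; domains that really need to bind the port must
	# use corenet_udp_bind_aol_port() instead.
	dontaudit $1 aol_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_aol_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the aol port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.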
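## </summary>
## </param>
#
define(`corenet_tcp_connect_aol_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_aol_port'($*))dnl
	gen_require(`
		type aol_port_t;
	')

	allow $1 aol_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_aol_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the aol port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_aol_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_aol_port'($*))dnl
	gen_require(`
		type aol_port_t;
	')

	# audit suppression only: no access is granted here
	dontaudit $1 aol_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_aol_port'($*))dnl
')

########################################
## <summary>
##	Send aol_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_aol_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_aol_client_packets'($*))dnl
	gen_require(`
		type aol_client_packet_t;
	')

	allow $1 aol_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_aol_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send aol_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.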
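## </summary>
## </param>
##
#
define(`corenet_dontaudit_send_aol_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_aol_client_packets'($*))dnl
	gen_require(`
		type aol_client_packet_t;
	')

	# audit suppression only: no access is granted here
	dontaudit $1 aol_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_aol_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive aol_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_aol_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_aol_client_packets'($*))dnl
	gen_require(`
		type aol_client_packet_t;
	')

	allow $1 aol_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_aol_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive aol_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_aol_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_aol_client_packets'($*))dnl
	gen_require(`
		type aol_client_packet_t;
	')

	# audit suppression only: no access is granted here
	dontaudit $1 aol_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_aol_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive aol_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.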
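## </summary>
## </param>
##
#
define(`corenet_sendrecv_aol_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_aol_client_packets'($*))dnl
	corenet_send_aol_client_packets($1)
	corenet_receive_aol_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_aol_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive aol_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_aol_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_aol_client_packets'($*))dnl
	corenet_dontaudit_send_aol_client_packets($1)
	corenet_dontaudit_receive_aol_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_aol_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the aol_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_aol_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_aol_client_packets'($*))dnl
	gen_require(`
		type aol_client_packet_t;
	')

	allow $1 aol_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_aol_client_packets'($*))dnl
')

########################################
## <summary>
##	Send aol_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.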
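## </summary>
## </param>
##
#
define(`corenet_send_aol_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_aol_server_packets'($*))dnl
	gen_require(`
		type aol_server_packet_t;
	')

	allow $1 aol_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_aol_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send aol_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_aol_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_aol_server_packets'($*))dnl
	gen_require(`
		type aol_server_packet_t;
	')

	# audit suppression only: no access is granted here
	dontaudit $1 aol_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_aol_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive aol_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_aol_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_aol_server_packets'($*))dnl
	gen_require(`
		type aol_server_packet_t;
	')

	allow $1 aol_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_aol_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive aol_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.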
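## </summary>
## </param>
##
#
define(`corenet_dontaudit_receive_aol_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_aol_server_packets'($*))dnl
	gen_require(`
		type aol_server_packet_t;
	')

	# audit suppression only: no access is granted here
	dontaudit $1 aol_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_aol_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive aol_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_aol_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_aol_server_packets'($*))dnl
	corenet_send_aol_server_packets($1)
	corenet_receive_aol_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_aol_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive aol_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_aol_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_aol_server_packets'($*))dnl
	corenet_dontaudit_send_aol_server_packets($1)
	corenet_dontaudit_receive_aol_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_aol_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the aol_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.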
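## </summary>
## </param>
#
define(`corenet_relabelto_aol_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_aol_server_packets'($*))dnl
	gen_require(`
		type aol_server_packet_t;
	')

	allow $1 aol_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_aol_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the apc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_apc_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_apc_port'($*))dnl
	gen_require(`
		type apc_port_t;
	')

	allow $1 apc_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_apc_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the apc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_apc_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_apc_port'($*))dnl
	gen_require(`
		type apc_port_t;
	')

	allow $1 apc_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_apc_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the apc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.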
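## </summary>
## </param>
##
#
define(`corenet_dontaudit_udp_send_apc_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_apc_port'($*))dnl
	gen_require(`
		type apc_port_t;
	')

	# audit suppression only: no access is granted here
	dontaudit $1 apc_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_apc_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the apc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_apc_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_apc_port'($*))dnl
	gen_require(`
		type apc_port_t;
	')

	allow $1 apc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_apc_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the apc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_receive_apc_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_apc_port'($*))dnl
	gen_require(`
		type apc_port_t;
	')

	# audit suppression only: no access is granted here
	dontaudit $1 apc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_apc_port'($*))dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the apc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.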
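## </summary>
## </param>
##
#
define(`corenet_udp_sendrecv_apc_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_apc_port'($*))dnl
	corenet_udp_send_apc_port($1)
	corenet_udp_receive_apc_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_apc_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the apc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_sendrecv_apc_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_apc_port'($*))dnl
	corenet_dontaudit_udp_send_apc_port($1)
	corenet_dontaudit_udp_receive_apc_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_apc_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the apc port.
## </summary>
## <desc>
##	<p>
##	Unlike the reserved-port bind interfaces, this grants no
##	net_bind_service capability: only the name_bind permission.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_apc_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_apc_port'($*))dnl
	gen_require(`
		type apc_port_t;
	')

	allow $1 apc_port_t:tcp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_apc_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the apc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.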
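## </summary>
## </param>
##
#
define(`corenet_udp_bind_apc_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_apc_port'($*))dnl
	gen_require(`
		type apc_port_t;
	')

	# name_bind only; no net_bind_service capability is granted for this port
	allow $1 apc_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_apc_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the apc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_bind_apc_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_apc_port'($*))dnl
	gen_require(`
		type apc_port_t;
	')

	# audit suppression only: no access is granted here
	dontaudit $1 apc_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_apc_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the apc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_apc_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_apc_port'($*))dnl
	gen_require(`
		type apc_port_t;
	')

	allow $1 apc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_apc_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the apc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.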
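## </summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_apc_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_apc_port'($*))dnl
	gen_require(`
		type apc_port_t;
	')

	# audit suppression only: no access is granted here
	dontaudit $1 apc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_apc_port'($*))dnl
')

########################################
## <summary>
##	Send apc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_apc_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_apc_client_packets'($*))dnl
	gen_require(`
		type apc_client_packet_t;
	')

	allow $1 apc_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_apc_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send apc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_apc_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_apc_client_packets'($*))dnl
	gen_require(`
		type apc_client_packet_t;
	')

	# audit suppression only: no access is granted here
	dontaudit $1 apc_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_apc_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive apc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.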
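## </summary>
## </param>
##
#
define(`corenet_receive_apc_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_apc_client_packets'($*))dnl
	gen_require(`
		type apc_client_packet_t;
	')

	allow $1 apc_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_apc_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive apc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_apc_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_apc_client_packets'($*))dnl
	gen_require(`
		type apc_client_packet_t;
	')

	# audit suppression only: no access is granted here
	dontaudit $1 apc_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_apc_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive apc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_apc_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_apc_client_packets'($*))dnl
	corenet_send_apc_client_packets($1)
	corenet_receive_apc_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_apc_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive apc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.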
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket each interface body so that
# policy_m4_comment (a helper defined elsewhere in this file) can mark the
# begin and end of the expansion in the generated policy.
define(`corenet_dontaudit_sendrecv_apc_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_apc_client_packets'($*))dnl
	corenet_dontaudit_send_apc_client_packets($1)
	corenet_dontaudit_receive_apc_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_apc_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the apc_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): relabelto on the packet class is what a domain needs in
# order to label traffic with this type (presumably when installing
# SECMARK rules); confirm the caller is the intended labeller.
define(`corenet_relabelto_apc_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_apc_client_packets'($*))dnl
	gen_require(`
		type apc_client_packet_t;
	')

	allow $1 apc_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_apc_client_packets'($*))dnl
')

########################################
## <summary>
##	Send apc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): packet-class rules only take effect for traffic that is
# actually labelled apc_server_packet_t (e.g. via SECMARK); confirm that
# such labelling rules exist before relying on this interface.
define(`corenet_send_apc_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_apc_server_packets'($*))dnl
	gen_require(`
		type apc_server_packet_t;
	')

	allow $1 apc_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_apc_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send apc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket each interface body so that
# policy_m4_comment (a helper defined elsewhere in this file) can mark the
# begin and end of the expansion in the generated policy.
define(`corenet_dontaudit_send_apc_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_apc_server_packets'($*))dnl
	gen_require(`
		type apc_server_packet_t;
	')

	dontaudit $1 apc_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_apc_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive apc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_apc_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_apc_server_packets'($*))dnl
	gen_require(`
		type apc_server_packet_t;
	')

	allow $1 apc_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_apc_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive apc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_apc_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_apc_server_packets'($*))dnl
	gen_require(`
		type apc_server_packet_t;
	')

	dontaudit $1 apc_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_apc_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive apc_server packets.
##	Convenience wrapper over the send and receive interfaces above.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket each interface body so that
# policy_m4_comment (a helper defined elsewhere in this file) can mark the
# begin and end of the expansion in the generated policy.
define(`corenet_sendrecv_apc_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_apc_server_packets'($*))dnl
	corenet_send_apc_server_packets($1)
	corenet_receive_apc_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_apc_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive apc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_apc_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_apc_server_packets'($*))dnl
	corenet_dontaudit_send_apc_server_packets($1)
	corenet_dontaudit_receive_apc_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_apc_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the apc_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): relabelto on the packet class is what a domain needs in
# order to label traffic with this type (presumably when installing
# SECMARK rules); confirm the caller is the intended labeller.
define(`corenet_relabelto_apc_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_apc_server_packets'($*))dnl
	gen_require(`
		type apc_server_packet_t;
	')

	allow $1 apc_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_apc_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the apcupsd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket each interface body so that
# policy_m4_comment (a helper defined elsewhere in this file) can mark the
# begin and end of the expansion in the generated policy.
define(`corenet_tcp_sendrecv_apcupsd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_apcupsd_port'($*))dnl
	gen_require(`
		type apcupsd_port_t;
	')

	allow $1 apcupsd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_apcupsd_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the apcupsd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_apcupsd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_apcupsd_port'($*))dnl
	gen_require(`
		type apcupsd_port_t;
	')

	allow $1 apcupsd_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_apcupsd_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the apcupsd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_apcupsd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_apcupsd_port'($*))dnl
	gen_require(`
		type apcupsd_port_t;
	')

	dontaudit $1 apcupsd_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_apcupsd_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the apcupsd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket each interface body so that
# policy_m4_comment (a helper defined elsewhere in this file) can mark the
# begin and end of the expansion in the generated policy.
define(`corenet_udp_receive_apcupsd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_apcupsd_port'($*))dnl
	gen_require(`
		type apcupsd_port_t;
	')

	allow $1 apcupsd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_apcupsd_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the apcupsd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_apcupsd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_apcupsd_port'($*))dnl
	gen_require(`
		type apcupsd_port_t;
	')

	dontaudit $1 apcupsd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_apcupsd_port'($*))dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the apcupsd port.
##	Convenience wrapper over the send and receive interfaces above.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_apcupsd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_apcupsd_port'($*))dnl
	corenet_udp_send_apcupsd_port($1)
	corenet_udp_receive_apcupsd_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_apcupsd_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the apcupsd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket each interface body so that
# policy_m4_comment (a helper defined elsewhere in this file) can mark the
# begin and end of the expansion in the generated policy.
define(`corenet_dontaudit_udp_sendrecv_apcupsd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_apcupsd_port'($*))dnl
	corenet_dontaudit_udp_send_apcupsd_port($1)
	corenet_dontaudit_udp_receive_apcupsd_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_apcupsd_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the apcupsd port.
##	Only name_bind is granted here; no net_bind_service capability
##	is given (compare the reserved-port bind interfaces in this file).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_apcupsd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_apcupsd_port'($*))dnl
	gen_require(`
		type apcupsd_port_t;
	')

	allow $1 apcupsd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_apcupsd_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the apcupsd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_apcupsd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_apcupsd_port'($*))dnl
	gen_require(`
		type apcupsd_port_t;
	')

	allow $1 apcupsd_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_apcupsd_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the apcupsd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket each interface body so that
# policy_m4_comment (a helper defined elsewhere in this file) can mark the
# begin and end of the expansion in the generated policy.
# A dontaudit rule only suppresses the denial audit record; it grants nothing.
define(`corenet_dontaudit_udp_bind_apcupsd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_apcupsd_port'($*))dnl
	gen_require(`
		type apcupsd_port_t;
	')

	dontaudit $1 apcupsd_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_apcupsd_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the apcupsd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_apcupsd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_apcupsd_port'($*))dnl
	gen_require(`
		type apcupsd_port_t;
	')

	allow $1 apcupsd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_apcupsd_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the apcupsd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_apcupsd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_apcupsd_port'($*))dnl
	gen_require(`
		type apcupsd_port_t;
	')

	dontaudit $1 apcupsd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_apcupsd_port'($*))dnl
')

########################################
## <summary>
##	Send apcupsd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket each interface body so that
# policy_m4_comment (a helper defined elsewhere in this file) can mark the
# begin and end of the expansion in the generated policy.
# NOTE(review): packet-class rules only take effect for traffic that is
# actually labelled apcupsd_client_packet_t (e.g. via SECMARK); confirm
# that such labelling rules exist before relying on this interface.
define(`corenet_send_apcupsd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_apcupsd_client_packets'($*))dnl
	gen_require(`
		type apcupsd_client_packet_t;
	')

	allow $1 apcupsd_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_apcupsd_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send apcupsd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_apcupsd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_apcupsd_client_packets'($*))dnl
	gen_require(`
		type apcupsd_client_packet_t;
	')

	dontaudit $1 apcupsd_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_apcupsd_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive apcupsd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_apcupsd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_apcupsd_client_packets'($*))dnl
	gen_require(`
		type apcupsd_client_packet_t;
	')

	allow $1 apcupsd_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_apcupsd_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive apcupsd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket each interface body so that
# policy_m4_comment (a helper defined elsewhere in this file) can mark the
# begin and end of the expansion in the generated policy.
define(`corenet_dontaudit_receive_apcupsd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_apcupsd_client_packets'($*))dnl
	gen_require(`
		type apcupsd_client_packet_t;
	')

	dontaudit $1 apcupsd_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_apcupsd_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive apcupsd_client packets.
##	Convenience wrapper over the send and receive interfaces above.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_apcupsd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_apcupsd_client_packets'($*))dnl
	corenet_send_apcupsd_client_packets($1)
	corenet_receive_apcupsd_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_apcupsd_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive apcupsd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_apcupsd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_apcupsd_client_packets'($*))dnl
	corenet_dontaudit_send_apcupsd_client_packets($1)
	corenet_dontaudit_receive_apcupsd_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_apcupsd_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the apcupsd_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket each interface body so that
# policy_m4_comment (a helper defined elsewhere in this file) can mark the
# begin and end of the expansion in the generated policy.
# NOTE(review): relabelto on the packet class is what a domain needs in
# order to label traffic with this type (presumably when installing
# SECMARK rules); confirm the caller is the intended labeller.
define(`corenet_relabelto_apcupsd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_apcupsd_client_packets'($*))dnl
	gen_require(`
		type apcupsd_client_packet_t;
	')

	allow $1 apcupsd_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_apcupsd_client_packets'($*))dnl
')

########################################
## <summary>
##	Send apcupsd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): packet-class rules only take effect for traffic that is
# actually labelled apcupsd_server_packet_t (e.g. via SECMARK); confirm
# that such labelling rules exist before relying on this interface.
define(`corenet_send_apcupsd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_apcupsd_server_packets'($*))dnl
	gen_require(`
		type apcupsd_server_packet_t;
	')

	allow $1 apcupsd_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_apcupsd_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send apcupsd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_apcupsd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_apcupsd_server_packets'($*))dnl
	gen_require(`
		type apcupsd_server_packet_t;
	')

	dontaudit $1 apcupsd_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_apcupsd_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive apcupsd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket each interface body so that
# policy_m4_comment (a helper defined elsewhere in this file) can mark the
# begin and end of the expansion in the generated policy.
define(`corenet_receive_apcupsd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_apcupsd_server_packets'($*))dnl
	gen_require(`
		type apcupsd_server_packet_t;
	')

	allow $1 apcupsd_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_apcupsd_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive apcupsd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_apcupsd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_apcupsd_server_packets'($*))dnl
	gen_require(`
		type apcupsd_server_packet_t;
	')

	dontaudit $1 apcupsd_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_apcupsd_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive apcupsd_server packets.
##	Convenience wrapper over the send and receive interfaces above.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_apcupsd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_apcupsd_server_packets'($*))dnl
	corenet_send_apcupsd_server_packets($1)
	corenet_receive_apcupsd_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_apcupsd_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive apcupsd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket each interface body so that
# policy_m4_comment (a helper defined elsewhere in this file) can mark the
# begin and end of the expansion in the generated policy.
define(`corenet_dontaudit_sendrecv_apcupsd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_apcupsd_server_packets'($*))dnl
	corenet_dontaudit_send_apcupsd_server_packets($1)
	corenet_dontaudit_receive_apcupsd_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_apcupsd_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the apcupsd_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): relabelto on the packet class is what a domain needs in
# order to label traffic with this type (presumably when installing
# SECMARK rules); confirm the caller is the intended labeller.
define(`corenet_relabelto_apcupsd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_apcupsd_server_packets'($*))dnl
	gen_require(`
		type apcupsd_server_packet_t;
	')

	allow $1 apcupsd_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_apcupsd_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the apertus_ldp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_apertus_ldp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_apertus_ldp_port'($*))dnl
	gen_require(`
		type apertus_ldp_port_t;
	')

	allow $1 apertus_ldp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_apertus_ldp_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the apertus_ldp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket each interface body so that
# policy_m4_comment (a helper defined elsewhere in this file) can mark the
# begin and end of the expansion in the generated policy.
define(`corenet_udp_send_apertus_ldp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_apertus_ldp_port'($*))dnl
	gen_require(`
		type apertus_ldp_port_t;
	')

	allow $1 apertus_ldp_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_apertus_ldp_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the apertus_ldp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_apertus_ldp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_apertus_ldp_port'($*))dnl
	gen_require(`
		type apertus_ldp_port_t;
	')

	dontaudit $1 apertus_ldp_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_apertus_ldp_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the apertus_ldp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_apertus_ldp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_apertus_ldp_port'($*))dnl
	gen_require(`
		type apertus_ldp_port_t;
	')

	allow $1 apertus_ldp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_apertus_ldp_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the apertus_ldp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket each interface body so that
# policy_m4_comment (a helper defined elsewhere in this file) can mark the
# begin and end of the expansion in the generated policy.
define(`corenet_dontaudit_udp_receive_apertus_ldp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_apertus_ldp_port'($*))dnl
	gen_require(`
		type apertus_ldp_port_t;
	')

	dontaudit $1 apertus_ldp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_apertus_ldp_port'($*))dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the apertus_ldp port.
##	Convenience wrapper over the send and receive interfaces above.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_apertus_ldp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_apertus_ldp_port'($*))dnl
	corenet_udp_send_apertus_ldp_port($1)
	corenet_udp_receive_apertus_ldp_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_apertus_ldp_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the apertus_ldp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_apertus_ldp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_apertus_ldp_port'($*))dnl
	corenet_dontaudit_udp_send_apertus_ldp_port($1)
	corenet_dontaudit_udp_receive_apertus_ldp_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_apertus_ldp_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the apertus_ldp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
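##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket each interface body so that
# policy_m4_comment (a helper defined elsewhere in this file) can mark the
# begin and end of the expansion in the generated policy.
# net_bind_service is granted together with name_bind in both bind
# interfaces below, presumably because apertus_ldp is a reserved
# (privileged) port; confirm against the port declaration before
# reusing this pattern. The apcupsd bind interfaces in this file do not
# grant the capability.
define(`corenet_tcp_bind_apertus_ldp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_apertus_ldp_port'($*))dnl
	gen_require(`
		type apertus_ldp_port_t;
	')

	allow $1 apertus_ldp_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_apertus_ldp_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the apertus_ldp port.
##	Also grants the net_bind_service capability needed to bind
##	a reserved port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_apertus_ldp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_apertus_ldp_port'($*))dnl
	gen_require(`
		type apertus_ldp_port_t;
	')

	allow $1 apertus_ldp_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_apertus_ldp_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the apertus_ldp port.
##	This only suppresses the denial audit record and grants no
##	access; in particular it does not grant net_bind_service,
##	which only the corenet_tcp_bind_apertus_ldp_port and
##	corenet_udp_bind_apertus_ldp_port interfaces allow.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Fix: this dontaudit interface previously also contained
# "allow $1 self:capability net_bind_service;", silently granting a
# privileged capability to every caller that merely wanted to quiet a
# denial. A dontaudit interface must not contain allow rules; callers
# that really need the capability use the bind interfaces above.
define(`corenet_dontaudit_udp_bind_apertus_ldp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_apertus_ldp_port'($*))dnl
	gen_require(`
		type apertus_ldp_port_t;
	')

	dontaudit $1 apertus_ldp_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_apertus_ldp_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the apertus_ldp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.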
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket each interface body so that
# policy_m4_comment (a helper defined elsewhere in this file) can mark the
# begin and end of the expansion in the generated policy.
define(`corenet_tcp_connect_apertus_ldp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_apertus_ldp_port'($*))dnl
	gen_require(`
		type apertus_ldp_port_t;
	')

	allow $1 apertus_ldp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_apertus_ldp_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the apertus_ldp port.
##	A dontaudit rule only suppresses the denial audit record; it grants nothing.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_apertus_ldp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_apertus_ldp_port'($*))dnl
	gen_require(`
		type apertus_ldp_port_t;
	')

	dontaudit $1 apertus_ldp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_apertus_ldp_port'($*))dnl
')

########################################
## <summary>
##	Send apertus_ldp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): packet-class rules only take effect for traffic that is
# actually labelled apertus_ldp_client_packet_t (e.g. via SECMARK);
# confirm that such labelling rules exist before relying on this interface.
define(`corenet_send_apertus_ldp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_apertus_ldp_client_packets'($*))dnl
	gen_require(`
		type apertus_ldp_client_packet_t;
	')

	allow $1 apertus_ldp_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_apertus_ldp_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send apertus_ldp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket each interface body so that
# policy_m4_comment (a helper defined elsewhere in this file) can mark the
# begin and end of the expansion in the generated policy.
define(`corenet_dontaudit_send_apertus_ldp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_apertus_ldp_client_packets'($*))dnl
	gen_require(`
		type apertus_ldp_client_packet_t;
	')

	dontaudit $1 apertus_ldp_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_apertus_ldp_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive apertus_ldp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_apertus_ldp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_apertus_ldp_client_packets'($*))dnl
	gen_require(`
		type apertus_ldp_client_packet_t;
	')

	allow $1 apertus_ldp_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_apertus_ldp_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive apertus_ldp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_apertus_ldp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_apertus_ldp_client_packets'($*))dnl
	gen_require(`
		type apertus_ldp_client_packet_t;
	')

	dontaudit $1 apertus_ldp_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_apertus_ldp_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive apertus_ldp_client packets.
##	Convenience wrapper over the send and receive interfaces above.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket each interface body so that
# policy_m4_comment (a helper defined elsewhere in this file) can mark the
# begin and end of the expansion in the generated policy.
define(`corenet_sendrecv_apertus_ldp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_apertus_ldp_client_packets'($*))dnl
	corenet_send_apertus_ldp_client_packets($1)
	corenet_receive_apertus_ldp_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_apertus_ldp_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive apertus_ldp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_apertus_ldp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_apertus_ldp_client_packets'($*))dnl
	corenet_dontaudit_send_apertus_ldp_client_packets($1)
	corenet_dontaudit_receive_apertus_ldp_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_apertus_ldp_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the apertus_ldp_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): relabelto on the packet class is what a domain needs in
# order to label traffic with this type (presumably when installing
# SECMARK rules); confirm the caller is the intended labeller.
define(`corenet_relabelto_apertus_ldp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_apertus_ldp_client_packets'($*))dnl
	gen_require(`
		type apertus_ldp_client_packet_t;
	')

	allow $1 apertus_ldp_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_apertus_ldp_client_packets'($*))dnl
')

########################################
## <summary>
##	Send apertus_ldp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket each interface body so that
# policy_m4_comment (a helper defined elsewhere in this file) can mark the
# begin and end of the expansion in the generated policy.
# NOTE(review): packet-class rules only take effect for traffic that is
# actually labelled apertus_ldp_server_packet_t (e.g. via SECMARK);
# confirm that such labelling rules exist before relying on this interface.
define(`corenet_send_apertus_ldp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_apertus_ldp_server_packets'($*))dnl
	gen_require(`
		type apertus_ldp_server_packet_t;
	')

	allow $1 apertus_ldp_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_apertus_ldp_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send apertus_ldp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_apertus_ldp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_apertus_ldp_server_packets'($*))dnl
	gen_require(`
		type apertus_ldp_server_packet_t;
	')

	dontaudit $1 apertus_ldp_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_apertus_ldp_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive apertus_ldp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_apertus_ldp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_apertus_ldp_server_packets'($*))dnl
	gen_require(`
		type apertus_ldp_server_packet_t;
	')

	allow $1 apertus_ldp_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_apertus_ldp_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive apertus_ldp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
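#
define(`corenet_dontaudit_receive_apertus_ldp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_apertus_ldp_server_packets'($*))dnl
	gen_require(`
		type apertus_ldp_server_packet_t;
	')

	# Silences the AVC denial record only; grants nothing.
	dontaudit $1 apertus_ldp_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_apertus_ldp_server_packets'($*))dnl
')

########################################
## Send and receive apertus_ldp_server packets.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_sendrecv_apertus_ldp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_apertus_ldp_server_packets'($*))dnl
	# Convenience wrapper: both directions for the server packet type.
	corenet_send_apertus_ldp_server_packets($1)
	corenet_receive_apertus_ldp_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_apertus_ldp_server_packets'($*))dnl
')

########################################
## Do not audit attempts to send and receive apertus_ldp_server packets.
##
## Parameters:
##	1. domain - Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_apertus_ldp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_apertus_ldp_server_packets'($*))dnl
	# Silences the AVC denial records only; grants nothing.
	corenet_dontaudit_send_apertus_ldp_server_packets($1)
	corenet_dontaudit_receive_apertus_ldp_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_apertus_ldp_server_packets'($*))dnl
')

########################################
## Relabel packets to the apertus_ldp_server packet type.
##
## Needed by the domain that loads SECMARK firewall rules assigning
## this packet type; it should not be given to ordinary network clients.
##
## Parameters:
##	1. domain - Domain allowed access.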
#
define(`corenet_relabelto_apertus_ldp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_apertus_ldp_server_packets'($*))dnl
	gen_require(`
		type apertus_ldp_server_packet_t;
	')

	# relabelto is what a SECMARK rule loader needs; keep it off plain clients.
	allow $1 apertus_ldp_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_apertus_ldp_server_packets'($*))dnl
')

########################################
## Send and receive TCP traffic on the appswitch_emp port.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_tcp_sendrecv_appswitch_emp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_appswitch_emp_port'($*))dnl
	gen_require(`
		type appswitch_emp_port_t;
	')

	# NOTE(review): send_msg/recv_msg on a port type are part of the legacy
	# per-port network checks and are likely skipped once the
	# network_peer_controls policy capability is enabled; name_bind and
	# name_connect remain the enforced port checks - confirm for the target.
	allow $1 appswitch_emp_port_t:tcp_socket { recv_msg send_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_appswitch_emp_port'($*))dnl
')

########################################
## Send UDP traffic on the appswitch_emp port.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_udp_send_appswitch_emp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_appswitch_emp_port'($*))dnl
	gen_require(`
		type appswitch_emp_port_t;
	')

	# Legacy per-port datagram check (see the TCP sendrecv note above).
	allow $1 appswitch_emp_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_appswitch_emp_port'($*))dnl
')

########################################
## Do not audit attempts to send UDP traffic on the appswitch_emp port.
##
## Parameters:
##	1. domain - Domain to not audit.
#
define(`corenet_dontaudit_udp_send_appswitch_emp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_appswitch_emp_port'($*))dnl
	gen_require(`
		type appswitch_emp_port_t;
	')

	# Silences the AVC denial record only; grants nothing.
	dontaudit $1 appswitch_emp_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_appswitch_emp_port'($*))dnl
')

########################################
## Receive UDP traffic on the appswitch_emp port.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_udp_receive_appswitch_emp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_appswitch_emp_port'($*))dnl
	gen_require(`
		type appswitch_emp_port_t;
	')

	# Legacy per-port datagram check; name_bind is the enforced server-side control.
	allow $1 appswitch_emp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_appswitch_emp_port'($*))dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the appswitch_emp port.
##
## Parameters:
##	1. domain - Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_appswitch_emp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_appswitch_emp_port'($*))dnl
	gen_require(`
		type appswitch_emp_port_t;
	')

	# Silences the AVC denial record only; grants nothing.
	dontaudit $1 appswitch_emp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_appswitch_emp_port'($*))dnl
')

########################################
## Send and receive UDP traffic on the appswitch_emp port.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_udp_sendrecv_appswitch_emp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_appswitch_emp_port'($*))dnl
	# Convenience wrapper: both UDP directions on this port.
	corenet_udp_send_appswitch_emp_port($1)
	corenet_udp_receive_appswitch_emp_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_appswitch_emp_port'($*))dnl
')

########################################
## Do not audit attempts to send and receive
## UDP traffic on the appswitch_emp port.
##
## Parameters:
##	1. domain - Domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_appswitch_emp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_appswitch_emp_port'($*))dnl
	# Silences the AVC denial records only; grants nothing.
	corenet_dontaudit_udp_send_appswitch_emp_port($1)
	corenet_dontaudit_udp_receive_appswitch_emp_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_appswitch_emp_port'($*))dnl
')

########################################
## Bind TCP sockets to the appswitch_emp port.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_tcp_bind_appswitch_emp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_appswitch_emp_port'($*))dnl
	gen_require(`
		type appswitch_emp_port_t;
	')

	# Enforced at bind time against the port type; this is the server-side control.
	allow $1 appswitch_emp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_appswitch_emp_port'($*))dnl
')

########################################
## Bind UDP sockets to the appswitch_emp port.
##
## Parameters:
##	1. domain - Domain allowed access.
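#
define(`corenet_udp_bind_appswitch_emp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_appswitch_emp_port'($*))dnl
	gen_require(`
		type appswitch_emp_port_t;
	')

	# Enforced at bind time against the port type; this is the server-side control.
	allow $1 appswitch_emp_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_appswitch_emp_port'($*))dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the appswitch_emp port.
##
## Parameters:
##	1. domain - Domain to not audit.
#
define(`corenet_dontaudit_udp_bind_appswitch_emp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_appswitch_emp_port'($*))dnl
	gen_require(`
		type appswitch_emp_port_t;
	')

	# Silences the AVC denial record only; grants nothing.
	dontaudit $1 appswitch_emp_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_appswitch_emp_port'($*))dnl
')

########################################
## Make a TCP connection to the appswitch_emp port.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_tcp_connect_appswitch_emp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_appswitch_emp_port'($*))dnl
	gen_require(`
		type appswitch_emp_port_t;
	')

	# Enforced at connect time against the port type; this is the client-side control.
	allow $1 appswitch_emp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_appswitch_emp_port'($*))dnl
')

########################################
## Do not audit attempts to make a TCP connection to the appswitch_emp port.
##
## Parameters:
##	1. domain - Domain to not audit.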
#
define(`corenet_dontaudit_tcp_connect_appswitch_emp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_appswitch_emp_port'($*))dnl
	gen_require(`
		type appswitch_emp_port_t;
	')

	# Silences the AVC denial record only; grants nothing.
	dontaudit $1 appswitch_emp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_appswitch_emp_port'($*))dnl
')

########################################
## Send appswitch_emp_client packets.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_send_appswitch_emp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_appswitch_emp_client_packets'($*))dnl
	gen_require(`
		type appswitch_emp_client_packet_t;
	')

	# Applies to traffic that SECMARK rules label with this packet type.
	allow $1 appswitch_emp_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_appswitch_emp_client_packets'($*))dnl
')

########################################
## Do not audit attempts to send appswitch_emp_client packets.
##
## Parameters:
##	1. domain - Domain to not audit.
#
define(`corenet_dontaudit_send_appswitch_emp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_appswitch_emp_client_packets'($*))dnl
	gen_require(`
		type appswitch_emp_client_packet_t;
	')

	# Silences the AVC denial record only; grants nothing.
	dontaudit $1 appswitch_emp_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_appswitch_emp_client_packets'($*))dnl
')

########################################
## Receive appswitch_emp_client packets.
##
## Parameters:
##	1. domain - Domain allowed access.
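#
define(`corenet_receive_appswitch_emp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_appswitch_emp_client_packets'($*))dnl
	gen_require(`
		type appswitch_emp_client_packet_t;
	')

	# Applies to traffic that SECMARK rules label with this packet type.
	allow $1 appswitch_emp_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_appswitch_emp_client_packets'($*))dnl
')

########################################
## Do not audit attempts to receive appswitch_emp_client packets.
##
## Parameters:
##	1. domain - Domain to not audit.
#
define(`corenet_dontaudit_receive_appswitch_emp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_appswitch_emp_client_packets'($*))dnl
	gen_require(`
		type appswitch_emp_client_packet_t;
	')

	# Silences the AVC denial record only; grants nothing.
	dontaudit $1 appswitch_emp_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_appswitch_emp_client_packets'($*))dnl
')

########################################
## Send and receive appswitch_emp_client packets.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_sendrecv_appswitch_emp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_appswitch_emp_client_packets'($*))dnl
	# Convenience wrapper: both directions for the client packet type.
	corenet_send_appswitch_emp_client_packets($1)
	corenet_receive_appswitch_emp_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_appswitch_emp_client_packets'($*))dnl
')

########################################
## Do not audit attempts to send and receive appswitch_emp_client packets.
##
## Parameters:
##	1. domain - Domain to not audit.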
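#
define(`corenet_dontaudit_sendrecv_appswitch_emp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_appswitch_emp_client_packets'($*))dnl
	# Silences the AVC denial records only; grants nothing.
	corenet_dontaudit_send_appswitch_emp_client_packets($1)
	corenet_dontaudit_receive_appswitch_emp_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_appswitch_emp_client_packets'($*))dnl
')

########################################
## Relabel packets to the appswitch_emp_client packet type.
##
## Needed by the domain that loads SECMARK firewall rules assigning
## this packet type; it should not be given to ordinary network clients.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_relabelto_appswitch_emp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_appswitch_emp_client_packets'($*))dnl
	gen_require(`
		type appswitch_emp_client_packet_t;
	')

	# relabelto is what a SECMARK rule loader needs; keep it off plain clients.
	allow $1 appswitch_emp_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_appswitch_emp_client_packets'($*))dnl
')

########################################
## Send appswitch_emp_server packets.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_send_appswitch_emp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_appswitch_emp_server_packets'($*))dnl
	gen_require(`
		type appswitch_emp_server_packet_t;
	')

	# Applies to traffic that SECMARK rules label with this packet type.
	allow $1 appswitch_emp_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_appswitch_emp_server_packets'($*))dnl
')

########################################
## Do not audit attempts to send appswitch_emp_server packets.
##
## Parameters:
##	1. domain - Domain to not audit.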
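#
define(`corenet_dontaudit_send_appswitch_emp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_appswitch_emp_server_packets'($*))dnl
	gen_require(`
		type appswitch_emp_server_packet_t;
	')

	# Silences the AVC denial record only; grants nothing.
	dontaudit $1 appswitch_emp_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_appswitch_emp_server_packets'($*))dnl
')

########################################
## Receive appswitch_emp_server packets.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_receive_appswitch_emp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_appswitch_emp_server_packets'($*))dnl
	gen_require(`
		type appswitch_emp_server_packet_t;
	')

	# Applies to traffic that SECMARK rules label with this packet type.
	allow $1 appswitch_emp_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_appswitch_emp_server_packets'($*))dnl
')

########################################
## Do not audit attempts to receive appswitch_emp_server packets.
##
## Parameters:
##	1. domain - Domain to not audit.
#
define(`corenet_dontaudit_receive_appswitch_emp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_appswitch_emp_server_packets'($*))dnl
	gen_require(`
		type appswitch_emp_server_packet_t;
	')

	# Silences the AVC denial record only; grants nothing.
	dontaudit $1 appswitch_emp_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_appswitch_emp_server_packets'($*))dnl
')

########################################
## Send and receive appswitch_emp_server packets.
##
## Parameters:
##	1. domain - Domain allowed access.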
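#
define(`corenet_sendrecv_appswitch_emp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_appswitch_emp_server_packets'($*))dnl
	# Convenience wrapper: both directions for the server packet type.
	corenet_send_appswitch_emp_server_packets($1)
	corenet_receive_appswitch_emp_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_appswitch_emp_server_packets'($*))dnl
')

########################################
## Do not audit attempts to send and receive appswitch_emp_server packets.
##
## Parameters:
##	1. domain - Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_appswitch_emp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_appswitch_emp_server_packets'($*))dnl
	# Silences the AVC denial records only; grants nothing.
	corenet_dontaudit_send_appswitch_emp_server_packets($1)
	corenet_dontaudit_receive_appswitch_emp_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_appswitch_emp_server_packets'($*))dnl
')

########################################
## Relabel packets to the appswitch_emp_server packet type.
##
## Needed by the domain that loads SECMARK firewall rules assigning
## this packet type; it should not be given to ordinary network clients.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_relabelto_appswitch_emp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_appswitch_emp_server_packets'($*))dnl
	gen_require(`
		type appswitch_emp_server_packet_t;
	')

	# relabelto is what a SECMARK rule loader needs; keep it off plain clients.
	allow $1 appswitch_emp_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_appswitch_emp_server_packets'($*))dnl
')

########################################
## Send and receive TCP traffic on the asterisk port.
##
## Parameters:
##	1. domain - Domain allowed access.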
#
define(`corenet_tcp_sendrecv_asterisk_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_asterisk_port'($*))dnl
	gen_require(`
		type asterisk_port_t;
	')

	# NOTE(review): send_msg/recv_msg on a port type are part of the legacy
	# per-port network checks and are likely skipped once the
	# network_peer_controls policy capability is enabled; name_bind and
	# name_connect remain the enforced port checks - confirm for the target.
	allow $1 asterisk_port_t:tcp_socket { recv_msg send_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_asterisk_port'($*))dnl
')

########################################
## Send UDP traffic on the asterisk port.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_udp_send_asterisk_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_asterisk_port'($*))dnl
	gen_require(`
		type asterisk_port_t;
	')

	# Legacy per-port datagram check (see the TCP sendrecv note above).
	allow $1 asterisk_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_asterisk_port'($*))dnl
')

########################################
## Do not audit attempts to send UDP traffic on the asterisk port.
##
## Parameters:
##	1. domain - Domain to not audit.
#
define(`corenet_dontaudit_udp_send_asterisk_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_asterisk_port'($*))dnl
	gen_require(`
		type asterisk_port_t;
	')

	# Silences the AVC denial record only; grants nothing.
	dontaudit $1 asterisk_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_asterisk_port'($*))dnl
')

########################################
## Receive UDP traffic on the asterisk port.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_udp_receive_asterisk_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_asterisk_port'($*))dnl
	gen_require(`
		type asterisk_port_t;
	')

	# Legacy per-port datagram check; name_bind is the enforced server-side control.
	allow $1 asterisk_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_asterisk_port'($*))dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the asterisk port.
##
## Parameters:
##	1. domain - Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_asterisk_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_asterisk_port'($*))dnl
	gen_require(`
		type asterisk_port_t;
	')

	# Silences the AVC denial record only; grants nothing.
	dontaudit $1 asterisk_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_asterisk_port'($*))dnl
')

########################################
## Send and receive UDP traffic on the asterisk port.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_udp_sendrecv_asterisk_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_asterisk_port'($*))dnl
	# Convenience wrapper: both UDP directions on this port.
	corenet_udp_send_asterisk_port($1)
	corenet_udp_receive_asterisk_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_asterisk_port'($*))dnl
')

########################################
## Do not audit attempts to send and receive
## UDP traffic on the asterisk port.
##
## Parameters:
##	1. domain - Domain to not audit.
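#
define(`corenet_dontaudit_udp_sendrecv_asterisk_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_asterisk_port'($*))dnl
	# Silences the AVC denial records only; grants nothing.
	corenet_dontaudit_udp_send_asterisk_port($1)
	corenet_dontaudit_udp_receive_asterisk_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_asterisk_port'($*))dnl
')

########################################
## Bind TCP sockets to the asterisk port.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_tcp_bind_asterisk_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_asterisk_port'($*))dnl
	gen_require(`
		type asterisk_port_t;
	')

	# Enforced at bind time against the port type; this is the server-side control.
	allow $1 asterisk_port_t:tcp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_asterisk_port'($*))dnl
')

########################################
## Bind UDP sockets to the asterisk port.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_udp_bind_asterisk_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_asterisk_port'($*))dnl
	gen_require(`
		type asterisk_port_t;
	')

	# Enforced at bind time against the port type; this is the server-side control.
	allow $1 asterisk_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_asterisk_port'($*))dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the asterisk port.
##
## Parameters:
##	1. domain - Domain to not audit.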
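#
define(`corenet_dontaudit_udp_bind_asterisk_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_asterisk_port'($*))dnl
	gen_require(`
		type asterisk_port_t;
	')

	# Silences the AVC denial record only; grants nothing.
	dontaudit $1 asterisk_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_asterisk_port'($*))dnl
')

########################################
## Make a TCP connection to the asterisk port.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_tcp_connect_asterisk_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_asterisk_port'($*))dnl
	gen_require(`
		type asterisk_port_t;
	')

	# Enforced at connect time against the port type; this is the client-side control.
	allow $1 asterisk_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_asterisk_port'($*))dnl
')

########################################
## Do not audit attempts to make a TCP connection to the asterisk port.
##
## Parameters:
##	1. domain - Domain to not audit.
#
define(`corenet_dontaudit_tcp_connect_asterisk_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_asterisk_port'($*))dnl
	gen_require(`
		type asterisk_port_t;
	')

	# Silences the AVC denial record only; grants nothing.
	dontaudit $1 asterisk_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_asterisk_port'($*))dnl
')

########################################
## Send asterisk_client packets.
##
## Parameters:
##	1. domain - Domain allowed access.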
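#
define(`corenet_send_asterisk_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_asterisk_client_packets'($*))dnl
	gen_require(`
		type asterisk_client_packet_t;
	')

	# Applies to traffic that SECMARK rules label with this packet type.
	allow $1 asterisk_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_asterisk_client_packets'($*))dnl
')

########################################
## Do not audit attempts to send asterisk_client packets.
##
## Parameters:
##	1. domain - Domain to not audit.
#
define(`corenet_dontaudit_send_asterisk_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_asterisk_client_packets'($*))dnl
	gen_require(`
		type asterisk_client_packet_t;
	')

	# Silences the AVC denial record only; grants nothing.
	dontaudit $1 asterisk_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_asterisk_client_packets'($*))dnl
')

########################################
## Receive asterisk_client packets.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_receive_asterisk_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_asterisk_client_packets'($*))dnl
	gen_require(`
		type asterisk_client_packet_t;
	')

	# Applies to traffic that SECMARK rules label with this packet type.
	allow $1 asterisk_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_asterisk_client_packets'($*))dnl
')

########################################
## Do not audit attempts to receive asterisk_client packets.
##
## Parameters:
##	1. domain - Domain to not audit.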
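#
define(`corenet_dontaudit_receive_asterisk_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_asterisk_client_packets'($*))dnl
	gen_require(`
		type asterisk_client_packet_t;
	')

	# Silences the AVC denial record only; grants nothing.
	dontaudit $1 asterisk_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_asterisk_client_packets'($*))dnl
')

########################################
## Send and receive asterisk_client packets.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_sendrecv_asterisk_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_asterisk_client_packets'($*))dnl
	# Convenience wrapper: both directions for the client packet type.
	corenet_send_asterisk_client_packets($1)
	corenet_receive_asterisk_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_asterisk_client_packets'($*))dnl
')

########################################
## Do not audit attempts to send and receive asterisk_client packets.
##
## Parameters:
##	1. domain - Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_asterisk_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_asterisk_client_packets'($*))dnl
	# Silences the AVC denial records only; grants nothing.
	corenet_dontaudit_send_asterisk_client_packets($1)
	corenet_dontaudit_receive_asterisk_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_asterisk_client_packets'($*))dnl
')

########################################
## Relabel packets to the asterisk_client packet type.
##
## Needed by the domain that loads SECMARK firewall rules assigning
## this packet type; it should not be given to ordinary network clients.
##
## Parameters:
##	1. domain - Domain allowed access.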
#
define(`corenet_relabelto_asterisk_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_asterisk_client_packets'($*))dnl
	gen_require(`
		type asterisk_client_packet_t;
	')

	# relabelto is what a SECMARK rule loader needs; keep it off plain clients.
	allow $1 asterisk_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_asterisk_client_packets'($*))dnl
')

########################################
## Send asterisk_server packets.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_send_asterisk_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_asterisk_server_packets'($*))dnl
	gen_require(`
		type asterisk_server_packet_t;
	')

	# Applies to traffic that SECMARK rules label with this packet type.
	allow $1 asterisk_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_asterisk_server_packets'($*))dnl
')

########################################
## Do not audit attempts to send asterisk_server packets.
##
## Parameters:
##	1. domain - Domain to not audit.
#
define(`corenet_dontaudit_send_asterisk_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_asterisk_server_packets'($*))dnl
	gen_require(`
		type asterisk_server_packet_t;
	')

	# Silences the AVC denial record only; grants nothing.
	dontaudit $1 asterisk_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_asterisk_server_packets'($*))dnl
')

########################################
## Receive asterisk_server packets.
##
## Parameters:
##	1. domain - Domain allowed access.
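#
define(`corenet_receive_asterisk_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_asterisk_server_packets'($*))dnl
	gen_require(`
		type asterisk_server_packet_t;
	')

	# Applies to traffic that SECMARK rules label with this packet type.
	allow $1 asterisk_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_asterisk_server_packets'($*))dnl
')

########################################
## Do not audit attempts to receive asterisk_server packets.
##
## Parameters:
##	1. domain - Domain to not audit.
#
define(`corenet_dontaudit_receive_asterisk_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_asterisk_server_packets'($*))dnl
	gen_require(`
		type asterisk_server_packet_t;
	')

	# Silences the AVC denial record only; grants nothing.
	dontaudit $1 asterisk_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_asterisk_server_packets'($*))dnl
')

########################################
## Send and receive asterisk_server packets.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_sendrecv_asterisk_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_asterisk_server_packets'($*))dnl
	# Convenience wrapper: both directions for the server packet type.
	corenet_send_asterisk_server_packets($1)
	corenet_receive_asterisk_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_asterisk_server_packets'($*))dnl
')

########################################
## Do not audit attempts to send and receive asterisk_server packets.
##
## Parameters:
##	1. domain - Domain to not audit.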
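#
define(`corenet_dontaudit_sendrecv_asterisk_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_asterisk_server_packets'($*))dnl
	# Silences the AVC denial records only; grants nothing.
	corenet_dontaudit_send_asterisk_server_packets($1)
	corenet_dontaudit_receive_asterisk_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_asterisk_server_packets'($*))dnl
')

########################################
## Relabel packets to the asterisk_server packet type.
##
## Needed by the domain that loads SECMARK firewall rules assigning
## this packet type; it should not be given to ordinary network clients.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_relabelto_asterisk_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_asterisk_server_packets'($*))dnl
	gen_require(`
		type asterisk_server_packet_t;
	')

	# relabelto is what a SECMARK rule loader needs; keep it off plain clients.
	allow $1 asterisk_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_asterisk_server_packets'($*))dnl
')

########################################
## Send and receive TCP traffic on the audit port.
##
## Parameters:
##	1. domain - Domain allowed access.
#
define(`corenet_tcp_sendrecv_audit_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_audit_port'($*))dnl
	gen_require(`
		type audit_port_t;
	')

	# NOTE(review): send_msg/recv_msg on a port type are part of the legacy
	# per-port network checks and are likely skipped once the
	# network_peer_controls policy capability is enabled; name_bind and
	# name_connect remain the enforced port checks - confirm for the target.
	allow $1 audit_port_t:tcp_socket { recv_msg send_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_audit_port'($*))dnl
')

########################################
## Send UDP traffic on the audit port.
##
## Parameters:
##	1. domain - Domain allowed access.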
##	</summary>
## </param>
#
# Each interface brackets its expansion with policy_m4_comment begin/end
# markers, tracking nesting depth through policy_call_depth.
define(`corenet_udp_send_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_audit_port'($*)) dnl
	gen_require(`
		type audit_port_t;
	')

	allow $1 audit_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_audit_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the audit port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_audit_port'($*)) dnl
	gen_require(`
		type audit_port_t;
	')

	dontaudit $1 audit_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_audit_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the audit port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_audit_port'($*)) dnl
	gen_require(`
		type audit_port_t;
	')

	allow $1 audit_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_audit_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the audit port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Each interface brackets its expansion with policy_m4_comment begin/end
# markers, tracking nesting depth through policy_call_depth.
define(`corenet_dontaudit_udp_receive_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_audit_port'($*)) dnl
	gen_require(`
		type audit_port_t;
	')

	dontaudit $1 audit_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_audit_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the audit port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Composite: delegates to the UDP send and receive interfaces.
define(`corenet_udp_sendrecv_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_audit_port'($*)) dnl
	corenet_udp_send_audit_port($1)
	corenet_udp_receive_audit_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_audit_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the audit port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_audit_port'($*)) dnl
	corenet_dontaudit_udp_send_audit_port($1)
	corenet_dontaudit_udp_receive_audit_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_audit_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the audit port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
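##	</summary>
## </param>
#
# Each interface brackets its expansion with policy_m4_comment begin/end
# markers, tracking nesting depth through policy_call_depth.
define(`corenet_tcp_bind_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_audit_port'($*)) dnl
	gen_require(`
		type audit_port_t;
	')

	allow $1 audit_port_t:tcp_socket name_bind;
	# Binding here also needs CAP_NET_BIND_SERVICE, presumably because the
	# port number (declared elsewhere) is in the privileged range.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_audit_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the audit port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_audit_port'($*)) dnl
	gen_require(`
		type audit_port_t;
	')

	allow $1 audit_port_t:udp_socket name_bind;
	# Same privileged-port capability grant as the TCP bind interface.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_audit_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the audit port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# This interface only silences denials; it must not grant anything.
# It previously also carried allow self:capability net_bind_service,
# which silently widened the permissions of every caller that merely
# wanted to quiet an audit message. That grant is removed here so the
# interface matches its summary and the other dontaudit bind interfaces
# (compare corenet_dontaudit_udp_bind_bacula_port). Callers that really
# need to bind should use corenet_udp_bind_audit_port instead.
define(`corenet_dontaudit_udp_bind_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_audit_port'($*)) dnl
	gen_require(`
		type audit_port_t;
	')

	dontaudit $1 audit_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_audit_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the audit port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.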
##	</summary>
## </param>
#
# Each interface brackets its expansion with policy_m4_comment begin/end
# markers, tracking nesting depth through policy_call_depth.
define(`corenet_tcp_connect_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_audit_port'($*)) dnl
	gen_require(`
		type audit_port_t;
	')

	allow $1 audit_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_audit_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the audit port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_audit_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_audit_port'($*)) dnl
	gen_require(`
		type audit_port_t;
	')

	dontaudit $1 audit_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_audit_port'($*)) dnl
')

########################################
## <summary>
##	Send audit_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_audit_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_audit_client_packets'($*)) dnl
	gen_require(`
		type audit_client_packet_t;
	')

	allow $1 audit_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_audit_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send audit_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Each interface brackets its expansion with policy_m4_comment begin/end
# markers, tracking nesting depth through policy_call_depth.
define(`corenet_dontaudit_send_audit_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_audit_client_packets'($*)) dnl
	gen_require(`
		type audit_client_packet_t;
	')

	dontaudit $1 audit_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_audit_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive audit_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_audit_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_audit_client_packets'($*)) dnl
	gen_require(`
		type audit_client_packet_t;
	')

	allow $1 audit_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_audit_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive audit_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_audit_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_audit_client_packets'($*)) dnl
	gen_require(`
		type audit_client_packet_t;
	')

	dontaudit $1 audit_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_audit_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive audit_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Each interface brackets its expansion with policy_m4_comment begin/end
# markers, tracking nesting depth through policy_call_depth.
# Composite: delegates to the send and receive interfaces.
define(`corenet_sendrecv_audit_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_audit_client_packets'($*)) dnl
	corenet_send_audit_client_packets($1)
	corenet_receive_audit_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_audit_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive audit_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_audit_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_audit_client_packets'($*)) dnl
	corenet_dontaudit_send_audit_client_packets($1)
	corenet_dontaudit_receive_audit_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_audit_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the audit_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_audit_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_audit_client_packets'($*)) dnl
	gen_require(`
		type audit_client_packet_t;
	')

	allow $1 audit_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_audit_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send audit_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Each interface brackets its expansion with policy_m4_comment begin/end
# markers, tracking nesting depth through policy_call_depth.
define(`corenet_send_audit_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_audit_server_packets'($*)) dnl
	gen_require(`
		type audit_server_packet_t;
	')

	allow $1 audit_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_audit_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send audit_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_audit_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_audit_server_packets'($*)) dnl
	gen_require(`
		type audit_server_packet_t;
	')

	dontaudit $1 audit_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_audit_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive audit_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_audit_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_audit_server_packets'($*)) dnl
	gen_require(`
		type audit_server_packet_t;
	')

	allow $1 audit_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_audit_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive audit_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Each interface brackets its expansion with policy_m4_comment begin/end
# markers, tracking nesting depth through policy_call_depth.
define(`corenet_dontaudit_receive_audit_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_audit_server_packets'($*)) dnl
	gen_require(`
		type audit_server_packet_t;
	')

	dontaudit $1 audit_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_audit_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive audit_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Composite: delegates to the send and receive interfaces.
define(`corenet_sendrecv_audit_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_audit_server_packets'($*)) dnl
	corenet_send_audit_server_packets($1)
	corenet_receive_audit_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_audit_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive audit_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_audit_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_audit_server_packets'($*)) dnl
	corenet_dontaudit_send_audit_server_packets($1)
	corenet_dontaudit_receive_audit_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_audit_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the audit_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Each interface brackets its expansion with policy_m4_comment begin/end
# markers, tracking nesting depth through policy_call_depth.
define(`corenet_relabelto_audit_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_audit_server_packets'($*)) dnl
	gen_require(`
		type audit_server_packet_t;
	')

	allow $1 audit_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_audit_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the auth port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_auth_port'($*)) dnl
	gen_require(`
		type auth_port_t;
	')

	allow $1 auth_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_auth_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the auth port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_auth_port'($*)) dnl
	gen_require(`
		type auth_port_t;
	')

	allow $1 auth_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_auth_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the auth port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Each interface brackets its expansion with policy_m4_comment begin/end
# markers, tracking nesting depth through policy_call_depth.
define(`corenet_dontaudit_udp_send_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_auth_port'($*)) dnl
	gen_require(`
		type auth_port_t;
	')

	dontaudit $1 auth_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_auth_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the auth port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_auth_port'($*)) dnl
	gen_require(`
		type auth_port_t;
	')

	allow $1 auth_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_auth_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the auth port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_auth_port'($*)) dnl
	gen_require(`
		type auth_port_t;
	')

	dontaudit $1 auth_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_auth_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the auth port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Each interface brackets its expansion with policy_m4_comment begin/end
# markers, tracking nesting depth through policy_call_depth.
# Composite: delegates to the UDP send and receive interfaces.
define(`corenet_udp_sendrecv_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_auth_port'($*)) dnl
	corenet_udp_send_auth_port($1)
	corenet_udp_receive_auth_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_auth_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the auth port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_auth_port'($*)) dnl
	corenet_dontaudit_udp_send_auth_port($1)
	corenet_dontaudit_udp_receive_auth_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_auth_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the auth port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_auth_port'($*)) dnl
	gen_require(`
		type auth_port_t;
	')

	allow $1 auth_port_t:tcp_socket name_bind;
	# Binding here also needs CAP_NET_BIND_SERVICE, presumably because the
	# port number (declared elsewhere) is in the privileged range.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_auth_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the auth port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
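##	</summary>
## </param>
#
# Each interface brackets its expansion with policy_m4_comment begin/end
# markers, tracking nesting depth through policy_call_depth.
define(`corenet_udp_bind_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_auth_port'($*)) dnl
	gen_require(`
		type auth_port_t;
	')

	allow $1 auth_port_t:udp_socket name_bind;
	# Binding here also needs CAP_NET_BIND_SERVICE, presumably because the
	# port number (declared elsewhere) is in the privileged range.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_auth_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the auth port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# This interface only silences denials; it must not grant anything.
# It previously also carried allow self:capability net_bind_service,
# which silently widened the permissions of every caller that merely
# wanted to quiet an audit message. That grant is removed here so the
# interface matches its summary and the other dontaudit bind interfaces
# (compare corenet_dontaudit_udp_bind_bacula_port). Callers that really
# need to bind should use corenet_udp_bind_auth_port instead.
define(`corenet_dontaudit_udp_bind_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_auth_port'($*)) dnl
	gen_require(`
		type auth_port_t;
	')

	dontaudit $1 auth_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_auth_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the auth port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_auth_port'($*)) dnl
	gen_require(`
		type auth_port_t;
	')

	allow $1 auth_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_auth_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the auth port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.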
##	</summary>
## </param>
#
# Each interface brackets its expansion with policy_m4_comment begin/end
# markers, tracking nesting depth through policy_call_depth.
define(`corenet_dontaudit_tcp_connect_auth_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_auth_port'($*)) dnl
	gen_require(`
		type auth_port_t;
	')

	dontaudit $1 auth_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_auth_port'($*)) dnl
')

########################################
## <summary>
##	Send auth_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_auth_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_auth_client_packets'($*)) dnl
	gen_require(`
		type auth_client_packet_t;
	')

	allow $1 auth_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_auth_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send auth_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_auth_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_auth_client_packets'($*)) dnl
	gen_require(`
		type auth_client_packet_t;
	')

	dontaudit $1 auth_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_auth_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive auth_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Each interface brackets its expansion with policy_m4_comment begin/end
# markers, tracking nesting depth through policy_call_depth.
define(`corenet_receive_auth_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_auth_client_packets'($*)) dnl
	gen_require(`
		type auth_client_packet_t;
	')

	allow $1 auth_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_auth_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive auth_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_auth_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_auth_client_packets'($*)) dnl
	gen_require(`
		type auth_client_packet_t;
	')

	dontaudit $1 auth_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_auth_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive auth_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Composite: delegates to the send and receive interfaces.
define(`corenet_sendrecv_auth_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_auth_client_packets'($*)) dnl
	corenet_send_auth_client_packets($1)
	corenet_receive_auth_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_auth_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive auth_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Each interface brackets its expansion with policy_m4_comment begin/end
# markers, tracking nesting depth through policy_call_depth.
define(`corenet_dontaudit_sendrecv_auth_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_auth_client_packets'($*)) dnl
	corenet_dontaudit_send_auth_client_packets($1)
	corenet_dontaudit_receive_auth_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_auth_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the auth_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_auth_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_auth_client_packets'($*)) dnl
	gen_require(`
		type auth_client_packet_t;
	')

	allow $1 auth_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_auth_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send auth_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_auth_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_auth_server_packets'($*)) dnl
	gen_require(`
		type auth_server_packet_t;
	')

	allow $1 auth_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_auth_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send auth_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Each interface brackets its expansion with policy_m4_comment begin/end
# markers, tracking nesting depth through policy_call_depth.
define(`corenet_dontaudit_send_auth_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_auth_server_packets'($*)) dnl
	gen_require(`
		type auth_server_packet_t;
	')

	dontaudit $1 auth_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_auth_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive auth_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_auth_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_auth_server_packets'($*)) dnl
	gen_require(`
		type auth_server_packet_t;
	')

	allow $1 auth_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_auth_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive auth_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_auth_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_auth_server_packets'($*)) dnl
	gen_require(`
		type auth_server_packet_t;
	')

	dontaudit $1 auth_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_auth_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive auth_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Each interface brackets its expansion with policy_m4_comment begin/end
# markers, tracking nesting depth through policy_call_depth.
# Composite: delegates to the send and receive interfaces.
define(`corenet_sendrecv_auth_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_auth_server_packets'($*)) dnl
	corenet_send_auth_server_packets($1)
	corenet_receive_auth_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_auth_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive auth_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_auth_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_auth_server_packets'($*)) dnl
	corenet_dontaudit_send_auth_server_packets($1)
	corenet_dontaudit_receive_auth_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_auth_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the auth_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_auth_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_auth_server_packets'($*)) dnl
	gen_require(`
		type auth_server_packet_t;
	')

	allow $1 auth_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_auth_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the bacula port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Each interface brackets its expansion with policy_m4_comment begin/end
# markers, tracking nesting depth through policy_call_depth.
define(`corenet_tcp_sendrecv_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_bacula_port'($*)) dnl
	gen_require(`
		type bacula_port_t;
	')

	allow $1 bacula_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_bacula_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the bacula port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_bacula_port'($*)) dnl
	gen_require(`
		type bacula_port_t;
	')

	allow $1 bacula_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_bacula_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the bacula port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_bacula_port'($*)) dnl
	gen_require(`
		type bacula_port_t;
	')

	dontaudit $1 bacula_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_bacula_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the bacula port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Each interface brackets its expansion with policy_m4_comment begin/end
# markers, tracking nesting depth through policy_call_depth.
define(`corenet_udp_receive_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_bacula_port'($*)) dnl
	gen_require(`
		type bacula_port_t;
	')

	allow $1 bacula_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_bacula_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the bacula port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_bacula_port'($*)) dnl
	gen_require(`
		type bacula_port_t;
	')

	dontaudit $1 bacula_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_bacula_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the bacula port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Composite: delegates to the UDP send and receive interfaces.
define(`corenet_udp_sendrecv_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_bacula_port'($*)) dnl
	corenet_udp_send_bacula_port($1)
	corenet_udp_receive_bacula_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_bacula_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the bacula port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Each interface brackets its expansion with policy_m4_comment begin/end
# markers, tracking nesting depth through policy_call_depth.
define(`corenet_dontaudit_udp_sendrecv_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_bacula_port'($*)) dnl
	corenet_dontaudit_udp_send_bacula_port($1)
	corenet_dontaudit_udp_receive_bacula_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_bacula_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the bacula port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Unlike the audit and auth port bind interfaces, no
# net_bind_service capability is granted here; presumably the bacula
# port number (declared elsewhere) is outside the privileged range.
define(`corenet_tcp_bind_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_bacula_port'($*)) dnl
	gen_require(`
		type bacula_port_t;
	')

	allow $1 bacula_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_bacula_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the bacula port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_bacula_port'($*)) dnl
	gen_require(`
		type bacula_port_t;
	')

	allow $1 bacula_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_bacula_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the bacula port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket the body so nested interface calls are tracked.
# dontaudit only silences the AVC denial record; the access is still denied.
define(`corenet_dontaudit_udp_bind_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_bacula_port'($*)) dnl
	gen_require(`
		type bacula_port_t;
	')

	dontaudit $1 bacula_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_bacula_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the bacula port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_bacula_port'($*)) dnl
	gen_require(`
		type bacula_port_t;
	')

	allow $1 bacula_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_bacula_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the bacula port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access is still denied.
define(`corenet_dontaudit_tcp_connect_bacula_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_bacula_port'($*)) dnl
	gen_require(`
		type bacula_port_t;
	')

	dontaudit $1 bacula_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_bacula_port'($*)) dnl
')

########################################
## <summary>
##	Send bacula_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket the body so nested interface calls are tracked.
define(`corenet_send_bacula_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bacula_client_packets'($*)) dnl
	gen_require(`
		type bacula_client_packet_t;
	')

	allow $1 bacula_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bacula_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send bacula_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access is still denied.
define(`corenet_dontaudit_send_bacula_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bacula_client_packets'($*)) dnl
	gen_require(`
		type bacula_client_packet_t;
	')

	dontaudit $1 bacula_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bacula_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive bacula_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_bacula_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bacula_client_packets'($*)) dnl
	gen_require(`
		type bacula_client_packet_t;
	')

	allow $1 bacula_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bacula_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive bacula_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket the body so nested interface calls are tracked.
# dontaudit only silences the AVC denial record; the access is still denied.
define(`corenet_dontaudit_receive_bacula_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bacula_client_packets'($*)) dnl
	gen_require(`
		type bacula_client_packet_t;
	')

	dontaudit $1 bacula_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bacula_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive bacula_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Composes the send and receive interfaces; no gen_require of its own.
define(`corenet_sendrecv_bacula_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bacula_client_packets'($*)) dnl
	corenet_send_bacula_client_packets($1)
	corenet_receive_bacula_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bacula_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive bacula_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Composes the dontaudit send and receive interfaces; no gen_require of its own.
define(`corenet_dontaudit_sendrecv_bacula_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bacula_client_packets'($*)) dnl
	corenet_dontaudit_send_bacula_client_packets($1)
	corenet_dontaudit_receive_bacula_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bacula_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the bacula_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket the body so nested interface calls are tracked.
define(`corenet_relabelto_bacula_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bacula_client_packets'($*)) dnl
	gen_require(`
		type bacula_client_packet_t;
	')

	allow $1 bacula_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bacula_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send bacula_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_bacula_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bacula_server_packets'($*)) dnl
	gen_require(`
		type bacula_server_packet_t;
	')

	allow $1 bacula_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bacula_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send bacula_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access is still denied.
define(`corenet_dontaudit_send_bacula_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bacula_server_packets'($*)) dnl
	gen_require(`
		type bacula_server_packet_t;
	')

	dontaudit $1 bacula_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bacula_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive bacula_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket the body so nested interface calls are tracked.
define(`corenet_receive_bacula_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bacula_server_packets'($*)) dnl
	gen_require(`
		type bacula_server_packet_t;
	')

	allow $1 bacula_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bacula_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive bacula_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access is still denied.
define(`corenet_dontaudit_receive_bacula_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bacula_server_packets'($*)) dnl
	gen_require(`
		type bacula_server_packet_t;
	')

	dontaudit $1 bacula_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bacula_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive bacula_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Composes the send and receive interfaces; no gen_require of its own.
define(`corenet_sendrecv_bacula_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bacula_server_packets'($*)) dnl
	corenet_send_bacula_server_packets($1)
	corenet_receive_bacula_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bacula_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive bacula_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket the body so nested interface calls are tracked.
# Composes the dontaudit send and receive interfaces; no gen_require of its own.
define(`corenet_dontaudit_sendrecv_bacula_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bacula_server_packets'($*)) dnl
	corenet_dontaudit_send_bacula_server_packets($1)
	corenet_dontaudit_receive_bacula_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bacula_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the bacula_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_bacula_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bacula_server_packets'($*)) dnl
	gen_require(`
		type bacula_server_packet_t;
	')

	allow $1 bacula_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bacula_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the babel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_babel_port'($*)) dnl
	gen_require(`
		type babel_port_t;
	')

	allow $1 babel_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_babel_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the babel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket the body so nested interface calls are tracked.
define(`corenet_udp_send_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_babel_port'($*)) dnl
	gen_require(`
		type babel_port_t;
	')

	allow $1 babel_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_babel_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the babel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access is still denied.
define(`corenet_dontaudit_udp_send_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_babel_port'($*)) dnl
	gen_require(`
		type babel_port_t;
	')

	dontaudit $1 babel_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_babel_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the babel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_babel_port'($*)) dnl
	gen_require(`
		type babel_port_t;
	')

	allow $1 babel_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_babel_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the babel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket the body so nested interface calls are tracked.
# dontaudit only silences the AVC denial record; the access is still denied.
define(`corenet_dontaudit_udp_receive_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_babel_port'($*)) dnl
	gen_require(`
		type babel_port_t;
	')

	dontaudit $1 babel_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_babel_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the babel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Composes the send and receive interfaces; no gen_require of its own.
define(`corenet_udp_sendrecv_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_babel_port'($*)) dnl
	corenet_udp_send_babel_port($1)
	corenet_udp_receive_babel_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_babel_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the babel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Composes the dontaudit send and receive interfaces; no gen_require of its own.
define(`corenet_dontaudit_udp_sendrecv_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_babel_port'($*)) dnl
	corenet_dontaudit_udp_send_babel_port($1)
	corenet_dontaudit_udp_receive_babel_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_babel_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the babel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket the body so nested interface calls are tracked.
define(`corenet_tcp_bind_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_babel_port'($*)) dnl
	gen_require(`
		type babel_port_t;
	')

	allow $1 babel_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_babel_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the babel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_babel_port'($*)) dnl
	gen_require(`
		type babel_port_t;
	')

	allow $1 babel_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_babel_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the babel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access is still denied.
define(`corenet_dontaudit_udp_bind_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_babel_port'($*)) dnl
	gen_require(`
		type babel_port_t;
	')

	dontaudit $1 babel_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_babel_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the babel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket the body so nested interface calls are tracked.
define(`corenet_tcp_connect_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_babel_port'($*)) dnl
	gen_require(`
		type babel_port_t;
	')

	allow $1 babel_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_babel_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the babel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access is still denied.
define(`corenet_dontaudit_tcp_connect_babel_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_babel_port'($*)) dnl
	gen_require(`
		type babel_port_t;
	')

	dontaudit $1 babel_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_babel_port'($*)) dnl
')

########################################
## <summary>
##	Send babel_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_babel_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_babel_client_packets'($*)) dnl
	gen_require(`
		type babel_client_packet_t;
	')

	allow $1 babel_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_babel_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send babel_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket the body so nested interface calls are tracked.
# dontaudit only silences the AVC denial record; the access is still denied.
define(`corenet_dontaudit_send_babel_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_babel_client_packets'($*)) dnl
	gen_require(`
		type babel_client_packet_t;
	')

	dontaudit $1 babel_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_babel_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive babel_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_babel_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_babel_client_packets'($*)) dnl
	gen_require(`
		type babel_client_packet_t;
	')

	allow $1 babel_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_babel_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive babel_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access is still denied.
define(`corenet_dontaudit_receive_babel_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_babel_client_packets'($*)) dnl
	gen_require(`
		type babel_client_packet_t;
	')

	dontaudit $1 babel_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_babel_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive babel_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket the body so nested interface calls are tracked.
# Composes the send and receive interfaces; no gen_require of its own.
define(`corenet_sendrecv_babel_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_babel_client_packets'($*)) dnl
	corenet_send_babel_client_packets($1)
	corenet_receive_babel_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_babel_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive babel_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Composes the dontaudit send and receive interfaces; no gen_require of its own.
define(`corenet_dontaudit_sendrecv_babel_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_babel_client_packets'($*)) dnl
	corenet_dontaudit_send_babel_client_packets($1)
	corenet_dontaudit_receive_babel_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_babel_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the babel_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_babel_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_babel_client_packets'($*)) dnl
	gen_require(`
		type babel_client_packet_t;
	')

	allow $1 babel_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_babel_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send babel_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket the body so nested interface calls are tracked.
define(`corenet_send_babel_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_babel_server_packets'($*)) dnl
	gen_require(`
		type babel_server_packet_t;
	')

	allow $1 babel_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_babel_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send babel_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access is still denied.
define(`corenet_dontaudit_send_babel_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_babel_server_packets'($*)) dnl
	gen_require(`
		type babel_server_packet_t;
	')

	dontaudit $1 babel_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_babel_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive babel_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_babel_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_babel_server_packets'($*)) dnl
	gen_require(`
		type babel_server_packet_t;
	')

	allow $1 babel_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_babel_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive babel_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket the body so nested interface calls are tracked.
# dontaudit only silences the AVC denial record; the access is still denied.
define(`corenet_dontaudit_receive_babel_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_babel_server_packets'($*)) dnl
	gen_require(`
		type babel_server_packet_t;
	')

	dontaudit $1 babel_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_babel_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive babel_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Composes the send and receive interfaces; no gen_require of its own.
define(`corenet_sendrecv_babel_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_babel_server_packets'($*)) dnl
	corenet_send_babel_server_packets($1)
	corenet_receive_babel_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_babel_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive babel_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Composes the dontaudit send and receive interfaces; no gen_require of its own.
define(`corenet_dontaudit_sendrecv_babel_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_babel_server_packets'($*)) dnl
	corenet_dontaudit_send_babel_server_packets($1)
	corenet_dontaudit_receive_babel_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_babel_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the babel_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket the body so nested interface calls are tracked.
define(`corenet_relabelto_babel_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_babel_server_packets'($*)) dnl
	gen_require(`
		type babel_server_packet_t;
	')

	allow $1 babel_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_babel_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the bctp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_bctp_port'($*)) dnl
	gen_require(`
		type bctp_port_t;
	')

	allow $1 bctp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_bctp_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the bctp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_bctp_port'($*)) dnl
	gen_require(`
		type bctp_port_t;
	')

	allow $1 bctp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_bctp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the bctp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket the body so nested interface calls are tracked.
# dontaudit only silences the AVC denial record; the access is still denied.
define(`corenet_dontaudit_udp_send_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_bctp_port'($*)) dnl
	gen_require(`
		type bctp_port_t;
	')

	dontaudit $1 bctp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_bctp_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the bctp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_bctp_port'($*)) dnl
	gen_require(`
		type bctp_port_t;
	')

	allow $1 bctp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_bctp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the bctp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access is still denied.
define(`corenet_dontaudit_udp_receive_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_bctp_port'($*)) dnl
	gen_require(`
		type bctp_port_t;
	')

	dontaudit $1 bctp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_bctp_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the bctp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket the body so nested interface calls are tracked.
# Composes the send and receive interfaces; no gen_require of its own.
define(`corenet_udp_sendrecv_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_bctp_port'($*)) dnl
	corenet_udp_send_bctp_port($1)
	corenet_udp_receive_bctp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_bctp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the bctp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Composes the dontaudit send and receive interfaces; no gen_require of its own.
define(`corenet_dontaudit_udp_sendrecv_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_bctp_port'($*)) dnl
	corenet_dontaudit_udp_send_bctp_port($1)
	corenet_dontaudit_udp_receive_bctp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_bctp_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the bctp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_bctp_port'($*)) dnl
	gen_require(`
		type bctp_port_t;
	')

	allow $1 bctp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_bctp_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the bctp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket the body so nested interface calls are tracked.
define(`corenet_udp_bind_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_bctp_port'($*)) dnl
	gen_require(`
		type bctp_port_t;
	')

	allow $1 bctp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_bctp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the bctp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access is still denied.
define(`corenet_dontaudit_udp_bind_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_bctp_port'($*)) dnl
	gen_require(`
		type bctp_port_t;
	')

	dontaudit $1 bctp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_bctp_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the bctp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_bctp_port'($*)) dnl
	gen_require(`
		type bctp_port_t;
	')

	allow $1 bctp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_bctp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the bctp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket the body so nested interface calls are tracked.
# dontaudit only silences the AVC denial record; the access is still denied.
define(`corenet_dontaudit_tcp_connect_bctp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_bctp_port'($*)) dnl
	gen_require(`
		type bctp_port_t;
	')

	dontaudit $1 bctp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_bctp_port'($*)) dnl
')

########################################
## <summary>
##	Send bctp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_bctp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bctp_client_packets'($*)) dnl
	gen_require(`
		type bctp_client_packet_t;
	')

	allow $1 bctp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bctp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send bctp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access is still denied.
define(`corenet_dontaudit_send_bctp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bctp_client_packets'($*)) dnl
	gen_require(`
		type bctp_client_packet_t;
	')

	dontaudit $1 bctp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bctp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive bctp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# pushdef/popdef of policy_call_depth bracket the body so nested interface calls are tracked.
define(`corenet_receive_bctp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bctp_client_packets'($*)) dnl
	gen_require(`
		type bctp_client_packet_t;
	')

	allow $1 bctp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bctp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive bctp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access is still denied.
define(`corenet_dontaudit_receive_bctp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bctp_client_packets'($*)) dnl
	gen_require(`
		type bctp_client_packet_t;
	')

	dontaudit $1 bctp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bctp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive bctp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Composes the send and receive interfaces; no gen_require of its own.
define(`corenet_sendrecv_bctp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bctp_client_packets'($*)) dnl
	corenet_send_bctp_client_packets($1)
	corenet_receive_bctp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bctp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive bctp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_bctp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bctp_client_packets'($*)) dnl
	# Thin wrapper: silences both directions through the single-direction interfaces.
	corenet_dontaudit_send_bctp_client_packets($1)
	corenet_dontaudit_receive_bctp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bctp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the bctp_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_bctp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bctp_client_packets'($*)) dnl
	gen_require(`
		type bctp_client_packet_t;
	')

	# NOTE(review): presumably required by the domain that installs the
	# SECMARK rules assigning this label; keep this tightly scoped, since
	# whoever can relabel packets decides which packet checks apply.
	allow $1 bctp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bctp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send bctp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_bctp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bctp_server_packets'($*)) dnl
	gen_require(`
		type bctp_server_packet_t;
	')

	# NOTE(review): packet types are assumed to be applied by SECMARK
	# netfilter rules; without such a rule this permission is never checked.
	allow $1 bctp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bctp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send bctp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_bctp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bctp_server_packets'($*)) dnl
	gen_require(`
		type bctp_server_packet_t;
	')

	# Suppresses only the AVC denial record; the access is still denied.
	dontaudit $1 bctp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bctp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive bctp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_bctp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bctp_server_packets'($*)) dnl
	gen_require(`
		type bctp_server_packet_t;
	')

	# NOTE(review): packet types are assumed to be applied by SECMARK
	# netfilter rules; without such a rule this permission is never checked.
	allow $1 bctp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bctp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive bctp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_bctp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bctp_server_packets'($*)) dnl
	gen_require(`
		type bctp_server_packet_t;
	')

	# Suppresses only the AVC denial record; the access is still denied.
	dontaudit $1 bctp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bctp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive bctp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_bctp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bctp_server_packets'($*)) dnl
	# Thin wrapper: grants both directions through the single-direction interfaces.
	corenet_send_bctp_server_packets($1)
	corenet_receive_bctp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bctp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive bctp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_bctp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bctp_server_packets'($*)) dnl
	# Thin wrapper: silences both directions through the single-direction interfaces.
	corenet_dontaudit_send_bctp_server_packets($1)
	corenet_dontaudit_receive_bctp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bctp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the bctp_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_bctp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bctp_server_packets'($*)) dnl
	gen_require(`
		type bctp_server_packet_t;
	')

	# NOTE(review): presumably required by the domain that installs the
	# SECMARK rules assigning this label; keep this tightly scoped, since
	# whoever can relabel packets decides which packet checks apply.
	allow $1 bctp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bctp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the bfd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_bfd_control_port'($*)) dnl
	gen_require(`
		type bfd_control_port_t;
	')

	# NOTE(review): port-level send_msg/recv_msg are legacy network checks;
	# confirm the target kernel actually enforces them before relying on
	# this interface for containment (name_connect/name_bind are the
	# checks that are always applied).
	allow $1 bfd_control_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_bfd_control_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the bfd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_bfd_control_port'($*)) dnl
	gen_require(`
		type bfd_control_port_t;
	')

	# NOTE(review): port-level send_msg is a legacy network check; confirm
	# the target kernel enforces it before relying on it for containment.
	allow $1 bfd_control_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_bfd_control_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the bfd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_bfd_control_port'($*)) dnl
	gen_require(`
		type bfd_control_port_t;
	')

	# Suppresses only the AVC denial record; the access is still denied.
	dontaudit $1 bfd_control_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_bfd_control_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the bfd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_bfd_control_port'($*)) dnl
	gen_require(`
		type bfd_control_port_t;
	')

	# NOTE(review): port-level recv_msg is a legacy network check; confirm
	# the target kernel enforces it before relying on it for containment.
	allow $1 bfd_control_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_bfd_control_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the bfd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_bfd_control_port'($*)) dnl
	gen_require(`
		type bfd_control_port_t;
	')

	# Suppresses only the AVC denial record; the access is still denied.
	dontaudit $1 bfd_control_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_bfd_control_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the bfd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_bfd_control_port'($*)) dnl
	# Thin wrapper: grants both directions through the single-direction interfaces.
	corenet_udp_send_bfd_control_port($1)
	corenet_udp_receive_bfd_control_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_bfd_control_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the bfd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_bfd_control_port'($*)) dnl
	# Thin wrapper: silences both directions through the single-direction interfaces.
	corenet_dontaudit_udp_send_bfd_control_port($1)
	corenet_dontaudit_udp_receive_bfd_control_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_bfd_control_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the bfd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_bfd_control_port'($*)) dnl
	gen_require(`
		type bfd_control_port_t;
	')

	# name_bind covers every port number labeled bfd_control_port_t, so
	# the grant is as wide as the port type, not a single port.
	allow $1 bfd_control_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_bfd_control_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the bfd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_bfd_control_port'($*)) dnl
	gen_require(`
		type bfd_control_port_t;
	')

	# name_bind covers every port number labeled bfd_control_port_t, so
	# the grant is as wide as the port type, not a single port.
	allow $1 bfd_control_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_bfd_control_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the bfd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_bfd_control_port'($*)) dnl
	gen_require(`
		type bfd_control_port_t;
	')

	# Suppresses only the AVC denial record; the bind is still refused.
	# Note there is no TCP counterpart of this dontaudit interface here.
	dontaudit $1 bfd_control_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_bfd_control_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the bfd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_bfd_control_port'($*)) dnl
	gen_require(`
		type bfd_control_port_t;
	')

	# name_connect is the per-port check on outbound TCP; it covers every
	# port number labeled bfd_control_port_t.
	allow $1 bfd_control_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_bfd_control_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the bfd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_bfd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_bfd_control_port'($*)) dnl
	gen_require(`
		type bfd_control_port_t;
	')

	# Suppresses only the AVC denial record; the connect is still refused.
	dontaudit $1 bfd_control_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_bfd_control_port'($*)) dnl
')

########################################
## <summary>
##	Send bfd_control_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_bfd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bfd_control_client_packets'($*)) dnl
	gen_require(`
		type bfd_control_client_packet_t;
	')

	# NOTE(review): packet types are assumed to be applied by SECMARK
	# netfilter rules; without such a rule this permission is never checked.
	allow $1 bfd_control_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bfd_control_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send bfd_control_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_bfd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bfd_control_client_packets'($*)) dnl
	gen_require(`
		type bfd_control_client_packet_t;
	')

	# Suppresses only the AVC denial record; the access is still denied.
	dontaudit $1 bfd_control_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bfd_control_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive bfd_control_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_bfd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bfd_control_client_packets'($*)) dnl
	gen_require(`
		type bfd_control_client_packet_t;
	')

	# NOTE(review): packet types are assumed to be applied by SECMARK
	# netfilter rules; without such a rule this permission is never checked.
	allow $1 bfd_control_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bfd_control_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive bfd_control_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_bfd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bfd_control_client_packets'($*)) dnl
	gen_require(`
		type bfd_control_client_packet_t;
	')

	# Suppresses only the AVC denial record; the access is still denied.
	dontaudit $1 bfd_control_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bfd_control_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive bfd_control_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_bfd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bfd_control_client_packets'($*)) dnl
	# Thin wrapper: grants both directions through the single-direction interfaces.
	corenet_send_bfd_control_client_packets($1)
	corenet_receive_bfd_control_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bfd_control_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive bfd_control_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_bfd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bfd_control_client_packets'($*)) dnl
	# Thin wrapper: silences both directions through the single-direction interfaces.
	corenet_dontaudit_send_bfd_control_client_packets($1)
	corenet_dontaudit_receive_bfd_control_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bfd_control_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the bfd_control_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_bfd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bfd_control_client_packets'($*)) dnl
	gen_require(`
		type bfd_control_client_packet_t;
	')

	# NOTE(review): presumably required by the domain that installs the
	# SECMARK rules assigning this label; keep this tightly scoped, since
	# whoever can relabel packets decides which packet checks apply.
	allow $1 bfd_control_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bfd_control_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send bfd_control_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_bfd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bfd_control_server_packets'($*)) dnl
	gen_require(`
		type bfd_control_server_packet_t;
	')

	# NOTE(review): packet types are assumed to be applied by SECMARK
	# netfilter rules; without such a rule this permission is never checked.
	allow $1 bfd_control_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bfd_control_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send bfd_control_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_bfd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bfd_control_server_packets'($*)) dnl
	gen_require(`
		type bfd_control_server_packet_t;
	')

	# Suppresses only the AVC denial record; the access is still denied.
	dontaudit $1 bfd_control_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bfd_control_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive bfd_control_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_bfd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bfd_control_server_packets'($*)) dnl
	gen_require(`
		type bfd_control_server_packet_t;
	')

	# NOTE(review): packet types are assumed to be applied by SECMARK
	# netfilter rules; without such a rule this permission is never checked.
	allow $1 bfd_control_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bfd_control_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive bfd_control_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_bfd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bfd_control_server_packets'($*)) dnl
	gen_require(`
		type bfd_control_server_packet_t;
	')

	# Suppresses only the AVC denial record; the access is still denied.
	dontaudit $1 bfd_control_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bfd_control_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive bfd_control_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_bfd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bfd_control_server_packets'($*)) dnl
	# Thin wrapper: grants both directions through the single-direction interfaces.
	corenet_send_bfd_control_server_packets($1)
	corenet_receive_bfd_control_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bfd_control_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive bfd_control_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_bfd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bfd_control_server_packets'($*)) dnl
	# Thin wrapper: silences both directions through the single-direction interfaces.
	corenet_dontaudit_send_bfd_control_server_packets($1)
	corenet_dontaudit_receive_bfd_control_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bfd_control_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the bfd_control_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_bfd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bfd_control_server_packets'($*)) dnl
	gen_require(`
		type bfd_control_server_packet_t;
	')

	# NOTE(review): presumably required by the domain that installs the
	# SECMARK rules assigning this label; keep this tightly scoped, since
	# whoever can relabel packets decides which packet checks apply.
	allow $1 bfd_control_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bfd_control_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the bfd_echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_bfd_echo_port'($*)) dnl
	gen_require(`
		type bfd_echo_port_t;
	')

	# NOTE(review): port-level send_msg/recv_msg are legacy network checks;
	# confirm the target kernel actually enforces them before relying on
	# this interface for containment (name_connect/name_bind are the
	# checks that are always applied).
	allow $1 bfd_echo_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_bfd_echo_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the bfd_echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_bfd_echo_port'($*)) dnl
	gen_require(`
		type bfd_echo_port_t;
	')

	# NOTE(review): port-level send_msg is a legacy network check; confirm
	# the target kernel enforces it before relying on it for containment.
	allow $1 bfd_echo_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_bfd_echo_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the bfd_echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_bfd_echo_port'($*)) dnl
	gen_require(`
		type bfd_echo_port_t;
	')

	# Suppresses only the AVC denial record; the access is still denied.
	dontaudit $1 bfd_echo_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_bfd_echo_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the bfd_echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_bfd_echo_port'($*)) dnl
	gen_require(`
		type bfd_echo_port_t;
	')

	# NOTE(review): port-level recv_msg is a legacy network check; confirm
	# the target kernel enforces it before relying on it for containment.
	allow $1 bfd_echo_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_bfd_echo_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the bfd_echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_bfd_echo_port'($*)) dnl
	gen_require(`
		type bfd_echo_port_t;
	')

	# Suppresses only the AVC denial record; the access is still denied.
	dontaudit $1 bfd_echo_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_bfd_echo_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the bfd_echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_bfd_echo_port'($*)) dnl
	# Thin wrapper: grants both directions through the single-direction interfaces.
	corenet_udp_send_bfd_echo_port($1)
	corenet_udp_receive_bfd_echo_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_bfd_echo_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the bfd_echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_bfd_echo_port'($*)) dnl
	# Thin wrapper: silences both directions through the single-direction interfaces.
	corenet_dontaudit_udp_send_bfd_echo_port($1)
	corenet_dontaudit_udp_receive_bfd_echo_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_bfd_echo_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the bfd_echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_bfd_echo_port'($*)) dnl
	gen_require(`
		type bfd_echo_port_t;
	')

	# name_bind covers every port number labeled bfd_echo_port_t, so the
	# grant is as wide as the port type, not a single port.
	allow $1 bfd_echo_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_bfd_echo_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the bfd_echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_bfd_echo_port'($*)) dnl
	gen_require(`
		type bfd_echo_port_t;
	')

	# name_bind covers every port number labeled bfd_echo_port_t, so the
	# grant is as wide as the port type, not a single port.
	allow $1 bfd_echo_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_bfd_echo_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the bfd_echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_bfd_echo_port'($*)) dnl
	gen_require(`
		type bfd_echo_port_t;
	')

	# Suppresses only the AVC denial record; the bind is still refused.
	# Note there is no TCP counterpart of this dontaudit interface here.
	dontaudit $1 bfd_echo_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_bfd_echo_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the bfd_echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_bfd_echo_port'($*)) dnl
	gen_require(`
		type bfd_echo_port_t;
	')

	# name_connect is the per-port check on outbound TCP; it covers every
	# port number labeled bfd_echo_port_t.
	allow $1 bfd_echo_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_bfd_echo_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the bfd_echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_bfd_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_bfd_echo_port'($*)) dnl
	gen_require(`
		type bfd_echo_port_t;
	')

	# Suppresses only the AVC denial record; the connect is still refused.
	dontaudit $1 bfd_echo_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_bfd_echo_port'($*)) dnl
')

########################################
## <summary>
##	Send bfd_echo_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_bfd_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bfd_echo_client_packets'($*)) dnl
	gen_require(`
		type bfd_echo_client_packet_t;
	')

	# NOTE(review): packet types are assumed to be applied by SECMARK
	# netfilter rules; without such a rule this permission is never checked.
	allow $1 bfd_echo_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bfd_echo_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send bfd_echo_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_bfd_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bfd_echo_client_packets'($*)) dnl
	gen_require(`
		type bfd_echo_client_packet_t;
	')

	# Suppresses only the AVC denial record; the access is still denied.
	dontaudit $1 bfd_echo_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bfd_echo_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive bfd_echo_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_bfd_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bfd_echo_client_packets'($*)) dnl
	gen_require(`
		type bfd_echo_client_packet_t;
	')

	# NOTE(review): packet types are assumed to be applied by SECMARK
	# netfilter rules; without such a rule this permission is never checked.
	allow $1 bfd_echo_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bfd_echo_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive bfd_echo_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_bfd_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bfd_echo_client_packets'($*)) dnl
	gen_require(`
		type bfd_echo_client_packet_t;
	')

	# Suppresses only the AVC denial record; the access is still denied.
	dontaudit $1 bfd_echo_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bfd_echo_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive bfd_echo_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_bfd_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bfd_echo_client_packets'($*)) dnl
	# Thin wrapper: grants both directions through the single-direction interfaces.
	corenet_send_bfd_echo_client_packets($1)
	corenet_receive_bfd_echo_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bfd_echo_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive bfd_echo_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_bfd_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bfd_echo_client_packets'($*)) dnl
	# Thin wrapper: silences both directions through the single-direction interfaces.
	corenet_dontaudit_send_bfd_echo_client_packets($1)
	corenet_dontaudit_receive_bfd_echo_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bfd_echo_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the bfd_echo_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_bfd_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bfd_echo_client_packets'($*)) dnl
	gen_require(`
		type bfd_echo_client_packet_t;
	')

	# NOTE(review): presumably required by the domain that installs the
	# SECMARK rules assigning this label; keep this tightly scoped, since
	# whoever can relabel packets decides which packet checks apply.
	allow $1 bfd_echo_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bfd_echo_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send bfd_echo_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_bfd_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bfd_echo_server_packets'($*)) dnl
	gen_require(`
		type bfd_echo_server_packet_t;
	')

	# NOTE(review): packet types are assumed to be applied by SECMARK
	# netfilter rules; without such a rule this permission is never checked.
	allow $1 bfd_echo_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bfd_echo_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send bfd_echo_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_bfd_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bfd_echo_server_packets'($*)) dnl
	gen_require(`
		type bfd_echo_server_packet_t;
	')

	# Suppresses only the AVC denial record; the access is still denied.
	dontaudit $1 bfd_echo_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bfd_echo_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive bfd_echo_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_bfd_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bfd_echo_server_packets'($*)) dnl
	gen_require(`
		type bfd_echo_server_packet_t;
	')

	# NOTE(review): packet types are assumed to be applied by SECMARK
	# netfilter rules; without such a rule this permission is never checked.
	allow $1 bfd_echo_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bfd_echo_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive bfd_echo_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
# Each interface below is wrapped in a pushdef/popdef of policy_call_depth
# so that the policy_m4_comment begin/end markers stay balanced across
# nested interface calls.
define(`corenet_dontaudit_receive_bfd_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bfd_echo_server_packets'($*)) dnl
	gen_require(`
		type bfd_echo_server_packet_t;
	')

	dontaudit $1 bfd_echo_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bfd_echo_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive bfd_echo_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_bfd_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bfd_echo_server_packets'($*)) dnl
	# Delegates to the per-direction interfaces rather than repeating their rules.
	corenet_send_bfd_echo_server_packets($1)
	corenet_receive_bfd_echo_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bfd_echo_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive bfd_echo_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_bfd_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bfd_echo_server_packets'($*)) dnl
	corenet_dontaudit_send_bfd_echo_server_packets($1)
	corenet_dontaudit_receive_bfd_echo_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bfd_echo_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the bfd_echo_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# Each interface below is wrapped in a pushdef/popdef of policy_call_depth
# so that the policy_m4_comment begin/end markers stay balanced across
# nested interface calls.
define(`corenet_relabelto_bfd_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bfd_echo_server_packets'($*)) dnl
	gen_require(`
		type bfd_echo_server_packet_t;
	')

	allow $1 bfd_echo_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bfd_echo_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the bgp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_bgp_port'($*)) dnl
	gen_require(`
		type bgp_port_t;
	')

	# Both directions in one rule; the UDP variants below are split per direction.
	allow $1 bgp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_bgp_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the bgp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_bgp_port'($*)) dnl
	gen_require(`
		type bgp_port_t;
	')

	allow $1 bgp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_bgp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the bgp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
# Each interface below is wrapped in a pushdef/popdef of policy_call_depth
# so that the policy_m4_comment begin/end markers stay balanced across
# nested interface calls.
define(`corenet_dontaudit_udp_send_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_bgp_port'($*)) dnl
	gen_require(`
		type bgp_port_t;
	')

	dontaudit $1 bgp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_bgp_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the bgp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_bgp_port'($*)) dnl
	gen_require(`
		type bgp_port_t;
	')

	allow $1 bgp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_bgp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the bgp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_bgp_port'($*)) dnl
	gen_require(`
		type bgp_port_t;
	')

	dontaudit $1 bgp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_bgp_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the bgp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# Each interface below is wrapped in a pushdef/popdef of policy_call_depth
# so that the policy_m4_comment begin/end markers stay balanced across
# nested interface calls.
define(`corenet_udp_sendrecv_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_bgp_port'($*)) dnl
	# Delegates to the per-direction interfaces rather than repeating their rules.
	corenet_udp_send_bgp_port($1)
	corenet_udp_receive_bgp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_bgp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the bgp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_bgp_port'($*)) dnl
	corenet_dontaudit_udp_send_bgp_port($1)
	corenet_dontaudit_udp_receive_bgp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_bgp_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the bgp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): unlike the boinc bind interfaces, this one also grants
# net_bind_service -- presumably because the bgp port is declared in the
# reserved (< 1024) range; confirm against the port declaration. The
# capability is not scoped to this port, so callers gain the ability to
# bind any reserved port they are otherwise allowed to name_bind.
define(`corenet_tcp_bind_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_bgp_port'($*)) dnl
	gen_require(`
		type bgp_port_t;
	')

	allow $1 bgp_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_bgp_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the bgp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# Each interface below is wrapped in a pushdef/popdef of policy_call_depth
# so that the policy_m4_comment begin/end markers stay balanced across
# nested interface calls.
#
# NOTE(review): net_bind_service is granted here as well, presumably because
# the bgp port is declared in the reserved (< 1024) range; confirm against
# the port declaration.
define(`corenet_udp_bind_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_bgp_port'($*)) dnl
	gen_require(`
		type bgp_port_t;
	')

	allow $1 bgp_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_bgp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the bgp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# NOTE(review): this is documented as a dontaudit-only interface, yet it
# emits an unconditional `allow $1 self:capability net_bind_service;`.
# The matching boinc and boinc_client dontaudit bind interfaces do not.
# A caller that merely wants to silence a bind denial is therefore granted
# a capability that is not limited to the bgp port. Confirm whether the
# generator should emit the allow in the dontaudit variant at all.
define(`corenet_dontaudit_udp_bind_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_bgp_port'($*)) dnl
	gen_require(`
		type bgp_port_t;
	')

	dontaudit $1 bgp_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_bgp_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the bgp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_bgp_port'($*)) dnl
	gen_require(`
		type bgp_port_t;
	')

	allow $1 bgp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_bgp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the bgp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
# Each interface below is wrapped in a pushdef/popdef of policy_call_depth
# so that the policy_m4_comment begin/end markers stay balanced across
# nested interface calls.
define(`corenet_dontaudit_tcp_connect_bgp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_bgp_port'($*)) dnl
	gen_require(`
		type bgp_port_t;
	')

	dontaudit $1 bgp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_bgp_port'($*)) dnl
')

########################################
## <summary>
##	Send bgp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_bgp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bgp_client_packets'($*)) dnl
	gen_require(`
		type bgp_client_packet_t;
	')

	allow $1 bgp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bgp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send bgp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_bgp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bgp_client_packets'($*)) dnl
	gen_require(`
		type bgp_client_packet_t;
	')

	dontaudit $1 bgp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bgp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive bgp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# Each interface below is wrapped in a pushdef/popdef of policy_call_depth
# so that the policy_m4_comment begin/end markers stay balanced across
# nested interface calls.
define(`corenet_receive_bgp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bgp_client_packets'($*)) dnl
	gen_require(`
		type bgp_client_packet_t;
	')

	allow $1 bgp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bgp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive bgp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_bgp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bgp_client_packets'($*)) dnl
	gen_require(`
		type bgp_client_packet_t;
	')

	dontaudit $1 bgp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bgp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive bgp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_bgp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bgp_client_packets'($*)) dnl
	# Delegates to the per-direction interfaces rather than repeating their rules.
	corenet_send_bgp_client_packets($1)
	corenet_receive_bgp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bgp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive bgp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
# Each interface below is wrapped in a pushdef/popdef of policy_call_depth
# so that the policy_m4_comment begin/end markers stay balanced across
# nested interface calls.
define(`corenet_dontaudit_sendrecv_bgp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bgp_client_packets'($*)) dnl
	corenet_dontaudit_send_bgp_client_packets($1)
	corenet_dontaudit_receive_bgp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bgp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the bgp_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_bgp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bgp_client_packets'($*)) dnl
	gen_require(`
		type bgp_client_packet_t;
	')

	allow $1 bgp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bgp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send bgp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_bgp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_bgp_server_packets'($*)) dnl
	gen_require(`
		type bgp_server_packet_t;
	')

	allow $1 bgp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_bgp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send bgp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
# Each interface below is wrapped in a pushdef/popdef of policy_call_depth
# so that the policy_m4_comment begin/end markers stay balanced across
# nested interface calls.
define(`corenet_dontaudit_send_bgp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_bgp_server_packets'($*)) dnl
	gen_require(`
		type bgp_server_packet_t;
	')

	dontaudit $1 bgp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_bgp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive bgp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_bgp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_bgp_server_packets'($*)) dnl
	gen_require(`
		type bgp_server_packet_t;
	')

	allow $1 bgp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_bgp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive bgp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_bgp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_bgp_server_packets'($*)) dnl
	gen_require(`
		type bgp_server_packet_t;
	')

	dontaudit $1 bgp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_bgp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive bgp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# Each interface below is wrapped in a pushdef/popdef of policy_call_depth
# so that the policy_m4_comment begin/end markers stay balanced across
# nested interface calls.
define(`corenet_sendrecv_bgp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_bgp_server_packets'($*)) dnl
	# Delegates to the per-direction interfaces rather than repeating their rules.
	corenet_send_bgp_server_packets($1)
	corenet_receive_bgp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_bgp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive bgp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_bgp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_bgp_server_packets'($*)) dnl
	corenet_dontaudit_send_bgp_server_packets($1)
	corenet_dontaudit_receive_bgp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_bgp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the bgp_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_bgp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_bgp_server_packets'($*)) dnl
	gen_require(`
		type bgp_server_packet_t;
	')

	allow $1 bgp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_bgp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the boinc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# Each interface below is wrapped in a pushdef/popdef of policy_call_depth
# so that the policy_m4_comment begin/end markers stay balanced across
# nested interface calls.
define(`corenet_tcp_sendrecv_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_boinc_port'($*)) dnl
	gen_require(`
		type boinc_port_t;
	')

	# Both directions in one rule; the UDP variants below are split per direction.
	allow $1 boinc_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_boinc_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the boinc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_boinc_port'($*)) dnl
	gen_require(`
		type boinc_port_t;
	')

	allow $1 boinc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_boinc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the boinc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_boinc_port'($*)) dnl
	gen_require(`
		type boinc_port_t;
	')

	dontaudit $1 boinc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_boinc_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the boinc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# Each interface below is wrapped in a pushdef/popdef of policy_call_depth
# so that the policy_m4_comment begin/end markers stay balanced across
# nested interface calls.
define(`corenet_udp_receive_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_boinc_port'($*)) dnl
	gen_require(`
		type boinc_port_t;
	')

	allow $1 boinc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_boinc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the boinc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_boinc_port'($*)) dnl
	gen_require(`
		type boinc_port_t;
	')

	dontaudit $1 boinc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_boinc_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the boinc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_boinc_port'($*)) dnl
	# Delegates to the per-direction interfaces rather than repeating their rules.
	corenet_udp_send_boinc_port($1)
	corenet_udp_receive_boinc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_boinc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the boinc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
# Each interface below is wrapped in a pushdef/popdef of policy_call_depth
# so that the policy_m4_comment begin/end markers stay balanced across
# nested interface calls.
define(`corenet_dontaudit_udp_sendrecv_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_boinc_port'($*)) dnl
	corenet_dontaudit_udp_send_boinc_port($1)
	corenet_dontaudit_udp_receive_boinc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_boinc_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the boinc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# No net_bind_service grant here, unlike the bgp bind interfaces; presumably
# the boinc port is outside the reserved range -- confirm against the port
# declaration.
define(`corenet_tcp_bind_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_boinc_port'($*)) dnl
	gen_require(`
		type boinc_port_t;
	')

	allow $1 boinc_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_boinc_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the boinc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_boinc_port'($*)) dnl
	gen_require(`
		type boinc_port_t;
	')

	allow $1 boinc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_boinc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the boinc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
# Each interface below is wrapped in a pushdef/popdef of policy_call_depth
# so that the policy_m4_comment begin/end markers stay balanced across
# nested interface calls.
#
# This dontaudit variant emits only the dontaudit rule; the bgp dontaudit
# bind interface additionally grants net_bind_service, which is inconsistent
# with this one.
define(`corenet_dontaudit_udp_bind_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_boinc_port'($*)) dnl
	gen_require(`
		type boinc_port_t;
	')

	dontaudit $1 boinc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_boinc_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the boinc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_boinc_port'($*)) dnl
	gen_require(`
		type boinc_port_t;
	')

	allow $1 boinc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_boinc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the boinc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_boinc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_boinc_port'($*)) dnl
	gen_require(`
		type boinc_port_t;
	')

	dontaudit $1 boinc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_boinc_port'($*)) dnl
')

########################################
## <summary>
##	Send boinc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# Each interface below is wrapped in a pushdef/popdef of policy_call_depth
# so that the policy_m4_comment begin/end markers stay balanced across
# nested interface calls.
define(`corenet_send_boinc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_boinc_client_packets'($*)) dnl
	gen_require(`
		type boinc_client_packet_t;
	')

	allow $1 boinc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_boinc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send boinc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_boinc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_boinc_client_packets'($*)) dnl
	gen_require(`
		type boinc_client_packet_t;
	')

	dontaudit $1 boinc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_boinc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive boinc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_boinc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_boinc_client_packets'($*)) dnl
	gen_require(`
		type boinc_client_packet_t;
	')

	allow $1 boinc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_boinc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive boinc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
# Each interface below is wrapped in a pushdef/popdef of policy_call_depth
# so that the policy_m4_comment begin/end markers stay balanced across
# nested interface calls.
define(`corenet_dontaudit_receive_boinc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_boinc_client_packets'($*)) dnl
	gen_require(`
		type boinc_client_packet_t;
	')

	dontaudit $1 boinc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_boinc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive boinc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_boinc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_boinc_client_packets'($*)) dnl
	# Delegates to the per-direction interfaces rather than repeating their rules.
	corenet_send_boinc_client_packets($1)
	corenet_receive_boinc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_boinc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive boinc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_boinc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_boinc_client_packets'($*)) dnl
	corenet_dontaudit_send_boinc_client_packets($1)
	corenet_dontaudit_receive_boinc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_boinc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the boinc_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# Each interface below is wrapped in a pushdef/popdef of policy_call_depth
# so that the policy_m4_comment begin/end markers stay balanced across
# nested interface calls.
define(`corenet_relabelto_boinc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_boinc_client_packets'($*)) dnl
	gen_require(`
		type boinc_client_packet_t;
	')

	allow $1 boinc_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_boinc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send boinc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_boinc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_boinc_server_packets'($*)) dnl
	gen_require(`
		type boinc_server_packet_t;
	')

	allow $1 boinc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_boinc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send boinc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_boinc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_boinc_server_packets'($*)) dnl
	gen_require(`
		type boinc_server_packet_t;
	')

	dontaudit $1 boinc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_boinc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive boinc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# Each interface below is wrapped in a pushdef/popdef of policy_call_depth
# so that the policy_m4_comment begin/end markers stay balanced across
# nested interface calls.
define(`corenet_receive_boinc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_boinc_server_packets'($*)) dnl
	gen_require(`
		type boinc_server_packet_t;
	')

	allow $1 boinc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_boinc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive boinc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_boinc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_boinc_server_packets'($*)) dnl
	gen_require(`
		type boinc_server_packet_t;
	')

	dontaudit $1 boinc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_boinc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive boinc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_boinc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_boinc_server_packets'($*)) dnl
	# Delegates to the per-direction interfaces rather than repeating their rules.
	corenet_send_boinc_server_packets($1)
	corenet_receive_boinc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_boinc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive boinc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
# Each interface below is wrapped in a pushdef/popdef of policy_call_depth
# so that the policy_m4_comment begin/end markers stay balanced across
# nested interface calls.
define(`corenet_dontaudit_sendrecv_boinc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_boinc_server_packets'($*)) dnl
	corenet_dontaudit_send_boinc_server_packets($1)
	corenet_dontaudit_receive_boinc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_boinc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the boinc_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_boinc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_boinc_server_packets'($*)) dnl
	gen_require(`
		type boinc_server_packet_t;
	')

	allow $1 boinc_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_boinc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the boinc_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_boinc_client_port'($*)) dnl
	gen_require(`
		type boinc_client_port_t;
	')

	# Both directions in one rule; the UDP variants below are split per direction.
	allow $1 boinc_client_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_boinc_client_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the boinc_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# Each interface below is wrapped in a pushdef/popdef of policy_call_depth
# so that the policy_m4_comment begin/end markers stay balanced across
# nested interface calls.
define(`corenet_udp_send_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_boinc_client_port'($*)) dnl
	gen_require(`
		type boinc_client_port_t;
	')

	allow $1 boinc_client_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_boinc_client_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the boinc_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_boinc_client_port'($*)) dnl
	gen_require(`
		type boinc_client_port_t;
	')

	dontaudit $1 boinc_client_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_boinc_client_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the boinc_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_boinc_client_port'($*)) dnl
	gen_require(`
		type boinc_client_port_t;
	')

	allow $1 boinc_client_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_boinc_client_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the boinc_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_boinc_client_port'($*)) dnl
	gen_require(`
		type boinc_client_port_t;
	')

	dontaudit $1 boinc_client_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_boinc_client_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the boinc_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_boinc_client_port'($*)) dnl
	corenet_udp_send_boinc_client_port($1)
	corenet_udp_receive_boinc_client_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_boinc_client_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the boinc_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_boinc_client_port'($*)) dnl
	corenet_dontaudit_udp_send_boinc_client_port($1)
	corenet_dontaudit_udp_receive_boinc_client_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_boinc_client_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the boinc_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_boinc_client_port'($*)) dnl
	gen_require(`
		type boinc_client_port_t;
	')

	allow $1 boinc_client_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_boinc_client_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the boinc_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_boinc_client_port'($*)) dnl
	gen_require(`
		type boinc_client_port_t;
	')

	allow $1 boinc_client_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_boinc_client_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the boinc_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_boinc_client_port'($*)) dnl
	gen_require(`
		type boinc_client_port_t;
	')

	dontaudit $1 boinc_client_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_boinc_client_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the boinc_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_boinc_client_port'($*)) dnl
	gen_require(`
		type boinc_client_port_t;
	')

	allow $1 boinc_client_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_boinc_client_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the boinc_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_boinc_client_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_boinc_client_port'($*)) dnl
	gen_require(`
		type boinc_client_port_t;
	')

	dontaudit $1 boinc_client_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_boinc_client_port'($*)) dnl
')

########################################
## <summary>
##	Send boinc_client_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_boinc_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_boinc_client_client_packets'($*)) dnl
	gen_require(`
		type boinc_client_client_packet_t;
	')

	allow $1 boinc_client_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_boinc_client_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send boinc_client_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_boinc_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_boinc_client_client_packets'($*)) dnl
	gen_require(`
		type boinc_client_client_packet_t;
	')

	dontaudit $1 boinc_client_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_boinc_client_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive boinc_client_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_boinc_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_boinc_client_client_packets'($*)) dnl
	gen_require(`
		type boinc_client_client_packet_t;
	')

	allow $1 boinc_client_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_boinc_client_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive boinc_client_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_boinc_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_boinc_client_client_packets'($*)) dnl
	gen_require(`
		type boinc_client_client_packet_t;
	')

	dontaudit $1 boinc_client_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_boinc_client_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive boinc_client_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_boinc_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_boinc_client_client_packets'($*)) dnl
	corenet_send_boinc_client_client_packets($1)
	corenet_receive_boinc_client_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_boinc_client_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive boinc_client_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_boinc_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_boinc_client_client_packets'($*)) dnl
	corenet_dontaudit_send_boinc_client_client_packets($1)
	corenet_dontaudit_receive_boinc_client_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_boinc_client_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the boinc_client_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_boinc_client_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_boinc_client_client_packets'($*)) dnl
	gen_require(`
		type boinc_client_client_packet_t;
	')

	allow $1 boinc_client_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_boinc_client_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send boinc_client_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_boinc_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_boinc_client_server_packets'($*)) dnl
	gen_require(`
		type boinc_client_server_packet_t;
	')

	allow $1 boinc_client_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_boinc_client_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send boinc_client_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_boinc_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_boinc_client_server_packets'($*)) dnl
	gen_require(`
		type boinc_client_server_packet_t;
	')

	dontaudit $1 boinc_client_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_boinc_client_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive boinc_client_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_boinc_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_boinc_client_server_packets'($*)) dnl
	gen_require(`
		type boinc_client_server_packet_t;
	')

	allow $1 boinc_client_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_boinc_client_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive boinc_client_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_boinc_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_boinc_client_server_packets'($*)) dnl
	gen_require(`
		type boinc_client_server_packet_t;
	')

	dontaudit $1 boinc_client_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_boinc_client_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive boinc_client_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_boinc_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_boinc_client_server_packets'($*)) dnl
	corenet_send_boinc_client_server_packets($1)
	corenet_receive_boinc_client_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_boinc_client_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive boinc_client_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_boinc_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_boinc_client_server_packets'($*)) dnl
	corenet_dontaudit_send_boinc_client_server_packets($1)
	corenet_dontaudit_receive_boinc_client_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_boinc_client_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the boinc_client_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_boinc_client_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_boinc_client_server_packets'($*)) dnl
	gen_require(`
		type boinc_client_server_packet_t;
	')

	allow $1 boinc_client_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_boinc_client_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the brlp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_brlp_port'($*)) dnl
	gen_require(`
		type brlp_port_t;
	')

	allow $1 brlp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_brlp_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the brlp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_brlp_port'($*)) dnl
	gen_require(`
		type brlp_port_t;
	')

	allow $1 brlp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_brlp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the brlp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_brlp_port'($*)) dnl
	gen_require(`
		type brlp_port_t;
	')

	dontaudit $1 brlp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_brlp_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the brlp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_brlp_port'($*)) dnl
	gen_require(`
		type brlp_port_t;
	')

	allow $1 brlp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_brlp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the brlp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_brlp_port'($*)) dnl
	gen_require(`
		type brlp_port_t;
	')

	dontaudit $1 brlp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_brlp_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the brlp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_brlp_port'($*)) dnl
	corenet_udp_send_brlp_port($1)
	corenet_udp_receive_brlp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_brlp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the brlp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_brlp_port'($*)) dnl
	corenet_dontaudit_udp_send_brlp_port($1)
	corenet_dontaudit_udp_receive_brlp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_brlp_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the brlp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_brlp_port'($*)) dnl
	gen_require(`
		type brlp_port_t;
	')

	allow $1 brlp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_brlp_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the brlp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_brlp_port'($*)) dnl
	gen_require(`
		type brlp_port_t;
	')

	allow $1 brlp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_brlp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the brlp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_brlp_port'($*)) dnl
	gen_require(`
		type brlp_port_t;
	')

	dontaudit $1 brlp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_brlp_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the brlp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_brlp_port'($*)) dnl
	gen_require(`
		type brlp_port_t;
	')

	allow $1 brlp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_brlp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the brlp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_brlp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_brlp_port'($*)) dnl
	gen_require(`
		type brlp_port_t;
	')

	dontaudit $1 brlp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_brlp_port'($*)) dnl
')

########################################
## <summary>
##	Send brlp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_brlp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_brlp_client_packets'($*)) dnl
	gen_require(`
		type brlp_client_packet_t;
	')

	allow $1 brlp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_brlp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send brlp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_brlp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_brlp_client_packets'($*)) dnl
	gen_require(`
		type brlp_client_packet_t;
	')

	dontaudit $1 brlp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_brlp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive brlp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_brlp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_brlp_client_packets'($*)) dnl
	gen_require(`
		type brlp_client_packet_t;
	')

	allow $1 brlp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_brlp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive brlp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_brlp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_brlp_client_packets'($*)) dnl
	gen_require(`
		type brlp_client_packet_t;
	')

	dontaudit $1 brlp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_brlp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive brlp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_brlp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_brlp_client_packets'($*)) dnl
	corenet_send_brlp_client_packets($1)
	corenet_receive_brlp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_brlp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive brlp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_brlp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_brlp_client_packets'($*)) dnl
	corenet_dontaudit_send_brlp_client_packets($1)
	corenet_dontaudit_receive_brlp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_brlp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the brlp_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_brlp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_brlp_client_packets'($*)) dnl
	gen_require(`
		type brlp_client_packet_t;
	')

	allow $1 brlp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_brlp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send brlp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_brlp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_brlp_server_packets'($*)) dnl
	gen_require(`
		type brlp_server_packet_t;
	')

	allow $1 brlp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_brlp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send brlp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_brlp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_brlp_server_packets'($*)) dnl
	gen_require(`
		type brlp_server_packet_t;
	')

	dontaudit $1 brlp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_brlp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive brlp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_brlp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_brlp_server_packets'($*)) dnl
	gen_require(`
		type brlp_server_packet_t;
	')

	allow $1 brlp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_brlp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive brlp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_brlp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_brlp_server_packets'($*)) dnl
	gen_require(`
		type brlp_server_packet_t;
	')

	dontaudit $1 brlp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_brlp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive brlp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_brlp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_brlp_server_packets'($*)) dnl
	corenet_send_brlp_server_packets($1)
	corenet_receive_brlp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_brlp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive brlp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_brlp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_brlp_server_packets'($*)) dnl
	corenet_dontaudit_send_brlp_server_packets($1)
	corenet_dontaudit_receive_brlp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_brlp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the brlp_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_brlp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_brlp_server_packets'($*)) dnl
	gen_require(`
		type brlp_server_packet_t;
	')

	allow $1 brlp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_brlp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the biff port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_biff_port'($*)) dnl
	gen_require(`
		type biff_port_t;
	')

	allow $1 biff_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_biff_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the biff port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_biff_port'($*)) dnl
	gen_require(`
		type biff_port_t;
	')

	allow $1 biff_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_biff_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the biff port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_biff_port'($*)) dnl
	gen_require(`
		type biff_port_t;
	')

	dontaudit $1 biff_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_biff_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the biff port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_biff_port'($*)) dnl
	gen_require(`
		type biff_port_t;
	')

	allow $1 biff_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_biff_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the biff port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_biff_port'($*)) dnl
	gen_require(`
		type biff_port_t;
	')

	dontaudit $1 biff_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_biff_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the biff port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_biff_port'($*)) dnl
	corenet_udp_send_biff_port($1)
	corenet_udp_receive_biff_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_biff_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the biff port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_biff_port'($*)) dnl
	corenet_dontaudit_udp_send_biff_port($1)
	corenet_dontaudit_udp_receive_biff_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_biff_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the biff port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_biff_port'($*)) dnl
	gen_require(`
		type biff_port_t;
	')

	allow $1 biff_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_biff_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the biff port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_biff_port'($*)) dnl
	gen_require(`
		type biff_port_t;
	')

	allow $1 biff_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_biff_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the biff port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_udp_bind_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_biff_port'($*)) dnl
	gen_require(`
		type biff_port_t;
	')

	dontaudit $1 biff_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_biff_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the biff port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_biff_port'($*)) dnl
	gen_require(`
		type biff_port_t;
	')

	allow $1 biff_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_biff_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the biff port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_biff_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_biff_port'($*)) dnl
	gen_require(`
		type biff_port_t;
	')

	dontaudit $1 biff_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_biff_port'($*)) dnl
')

########################################
## <summary>
##	Send biff_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_send_biff_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_biff_client_packets'($*)) dnl
	gen_require(`
		type biff_client_packet_t;
	')

	allow $1 biff_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_biff_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send biff_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_send_biff_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_biff_client_packets'($*)) dnl
	gen_require(`
		type biff_client_packet_t;
	')

	dontaudit $1 biff_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_biff_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive biff_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_receive_biff_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_biff_client_packets'($*)) dnl
	gen_require(`
		type biff_client_packet_t;
	')

	allow $1 biff_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_biff_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive biff_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_receive_biff_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_biff_client_packets'($*)) dnl
	gen_require(`
		type biff_client_packet_t;
	')

	dontaudit $1 biff_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_biff_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive biff_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_sendrecv_biff_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_biff_client_packets'($*)) dnl
	corenet_send_biff_client_packets($1)
	corenet_receive_biff_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_biff_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive biff_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_sendrecv_biff_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_biff_client_packets'($*)) dnl
	corenet_dontaudit_send_biff_client_packets($1)
	corenet_dontaudit_receive_biff_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_biff_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the biff_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_biff_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_biff_client_packets'($*)) dnl
	gen_require(`
		type biff_client_packet_t;
	')

	allow $1 biff_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_biff_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send biff_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_send_biff_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_biff_server_packets'($*)) dnl
	gen_require(`
		type biff_server_packet_t;
	')

	allow $1 biff_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_biff_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send biff_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_send_biff_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_biff_server_packets'($*)) dnl
	gen_require(`
		type biff_server_packet_t;
	')

	dontaudit $1 biff_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_biff_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive biff_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_receive_biff_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_biff_server_packets'($*)) dnl
	gen_require(`
		type biff_server_packet_t;
	')

	allow $1 biff_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_biff_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive biff_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_receive_biff_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_biff_server_packets'($*)) dnl
	gen_require(`
		type biff_server_packet_t;
	')

	dontaudit $1 biff_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_biff_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive biff_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_sendrecv_biff_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_biff_server_packets'($*)) dnl
	corenet_send_biff_server_packets($1)
	corenet_receive_biff_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_biff_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive biff_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_sendrecv_biff_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_biff_server_packets'($*)) dnl
	corenet_dontaudit_send_biff_server_packets($1)
	corenet_dontaudit_receive_biff_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_biff_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the biff_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_biff_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_biff_server_packets'($*)) dnl
	gen_require(`
		type biff_server_packet_t;
	')

	allow $1 biff_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_biff_server_packets'($*)) dnl
')

# no defined portcon
# NOTE(review): the marker above is carried over from the generator; it appears to
# mean that no portcon (port number) statement exists for certmaster_port_t in this
# policy, so the interfaces below only take effect once such a statement is added
# elsewhere -- confirm against the corenetwork type declarations.

########################################
## <summary>
##	Send and receive TCP traffic on the certmaster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_tcp_sendrecv_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_certmaster_port'($*)) dnl
	gen_require(`
		type certmaster_port_t;
	')

	allow $1 certmaster_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_certmaster_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the certmaster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_udp_send_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_certmaster_port'($*)) dnl
	gen_require(`
		type certmaster_port_t;
	')

	allow $1 certmaster_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_certmaster_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the certmaster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_udp_send_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_certmaster_port'($*)) dnl
	gen_require(`
		type certmaster_port_t;
	')

	dontaudit $1 certmaster_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_certmaster_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the certmaster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_udp_receive_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_certmaster_port'($*)) dnl
	gen_require(`
		type certmaster_port_t;
	')

	allow $1 certmaster_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_certmaster_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the certmaster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_udp_receive_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_certmaster_port'($*)) dnl
	gen_require(`
		type certmaster_port_t;
	')

	dontaudit $1 certmaster_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_certmaster_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the certmaster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_udp_sendrecv_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_certmaster_port'($*)) dnl
	corenet_udp_send_certmaster_port($1)
	corenet_udp_receive_certmaster_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_certmaster_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the certmaster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_udp_sendrecv_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_certmaster_port'($*)) dnl
	corenet_dontaudit_udp_send_certmaster_port($1)
	corenet_dontaudit_udp_receive_certmaster_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_certmaster_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the certmaster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_tcp_bind_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_certmaster_port'($*)) dnl
	gen_require(`
		type certmaster_port_t;
	')

	allow $1 certmaster_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_certmaster_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the certmaster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_udp_bind_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_certmaster_port'($*)) dnl
	gen_require(`
		type certmaster_port_t;
	')

	allow $1 certmaster_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_certmaster_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the certmaster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_udp_bind_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_certmaster_port'($*)) dnl
	gen_require(`
		type certmaster_port_t;
	')

	dontaudit $1 certmaster_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_certmaster_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the certmaster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_certmaster_port'($*)) dnl
	gen_require(`
		type certmaster_port_t;
	')

	allow $1 certmaster_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_certmaster_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the certmaster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_certmaster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_certmaster_port'($*)) dnl
	gen_require(`
		type certmaster_port_t;
	')

	dontaudit $1 certmaster_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_certmaster_port'($*)) dnl
')

########################################
## <summary>
##	Send certmaster_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_send_certmaster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_certmaster_client_packets'($*)) dnl
	gen_require(`
		type certmaster_client_packet_t;
	')

	allow $1 certmaster_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_certmaster_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send certmaster_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_send_certmaster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_certmaster_client_packets'($*)) dnl
	gen_require(`
		type certmaster_client_packet_t;
	')

	dontaudit $1 certmaster_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_certmaster_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive certmaster_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_receive_certmaster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_certmaster_client_packets'($*)) dnl
	gen_require(`
		type certmaster_client_packet_t;
	')

	allow $1 certmaster_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_certmaster_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive certmaster_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_receive_certmaster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_certmaster_client_packets'($*)) dnl
	gen_require(`
		type certmaster_client_packet_t;
	')

	dontaudit $1 certmaster_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_certmaster_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive certmaster_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_sendrecv_certmaster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_certmaster_client_packets'($*)) dnl
	corenet_send_certmaster_client_packets($1)
	corenet_receive_certmaster_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_certmaster_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive certmaster_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_sendrecv_certmaster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_certmaster_client_packets'($*)) dnl
	corenet_dontaudit_send_certmaster_client_packets($1)
	corenet_dontaudit_receive_certmaster_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_certmaster_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the certmaster_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_certmaster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_certmaster_client_packets'($*)) dnl
	gen_require(`
		type certmaster_client_packet_t;
	')

	allow $1 certmaster_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_certmaster_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send certmaster_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_send_certmaster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_certmaster_server_packets'($*)) dnl
	gen_require(`
		type certmaster_server_packet_t;
	')

	allow $1 certmaster_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_certmaster_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send certmaster_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_send_certmaster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_certmaster_server_packets'($*)) dnl
	gen_require(`
		type certmaster_server_packet_t;
	')

	dontaudit $1 certmaster_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_certmaster_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive certmaster_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_receive_certmaster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_certmaster_server_packets'($*)) dnl
	gen_require(`
		type certmaster_server_packet_t;
	')

	allow $1 certmaster_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_certmaster_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive certmaster_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_receive_certmaster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_certmaster_server_packets'($*)) dnl
	gen_require(`
		type certmaster_server_packet_t;
	')

	dontaudit $1 certmaster_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_certmaster_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive certmaster_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_sendrecv_certmaster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_certmaster_server_packets'($*)) dnl
	corenet_send_certmaster_server_packets($1)
	corenet_receive_certmaster_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_certmaster_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive certmaster_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_sendrecv_certmaster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_certmaster_server_packets'($*)) dnl
	corenet_dontaudit_send_certmaster_server_packets($1)
	corenet_dontaudit_receive_certmaster_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_certmaster_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the certmaster_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_certmaster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_certmaster_server_packets'($*)) dnl
	gen_require(`
		type certmaster_server_packet_t;
	')

	allow $1 certmaster_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_certmaster_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the collectd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_tcp_sendrecv_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_collectd_port'($*)) dnl
	gen_require(`
		type collectd_port_t;
	')

	allow $1 collectd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_collectd_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the collectd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_udp_send_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_collectd_port'($*)) dnl
	gen_require(`
		type collectd_port_t;
	')

	allow $1 collectd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_collectd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the collectd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_udp_send_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_collectd_port'($*)) dnl
	gen_require(`
		type collectd_port_t;
	')

	dontaudit $1 collectd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_collectd_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the collectd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_udp_receive_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_collectd_port'($*)) dnl
	gen_require(`
		type collectd_port_t;
	')

	allow $1 collectd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_collectd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the collectd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_udp_receive_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_collectd_port'($*)) dnl
	gen_require(`
		type collectd_port_t;
	')

	dontaudit $1 collectd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_collectd_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the collectd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_udp_sendrecv_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_collectd_port'($*)) dnl
	corenet_udp_send_collectd_port($1)
	corenet_udp_receive_collectd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_collectd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the collectd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_udp_sendrecv_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_collectd_port'($*)) dnl
	corenet_dontaudit_udp_send_collectd_port($1)
	corenet_dontaudit_udp_receive_collectd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_collectd_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the collectd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_tcp_bind_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_collectd_port'($*)) dnl
	gen_require(`
		type collectd_port_t;
	')

	allow $1 collectd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_collectd_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the collectd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_udp_bind_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_collectd_port'($*)) dnl
	gen_require(`
		type collectd_port_t;
	')

	allow $1 collectd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_collectd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the collectd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_udp_bind_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_collectd_port'($*)) dnl
	gen_require(`
		type collectd_port_t;
	')

	dontaudit $1 collectd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_collectd_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the collectd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_collectd_port'($*)) dnl
	gen_require(`
		type collectd_port_t;
	')

	allow $1 collectd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_collectd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the collectd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_collectd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_collectd_port'($*)) dnl
	gen_require(`
		type collectd_port_t;
	')

	dontaudit $1 collectd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_collectd_port'($*)) dnl
')

########################################
## <summary>
##	Send collectd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_send_collectd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_collectd_client_packets'($*)) dnl
	gen_require(`
		type collectd_client_packet_t;
	')

	allow $1 collectd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_collectd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send collectd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: a doc line was lost in extraction here (likely an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_send_collectd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_collectd_client_packets'($*)) dnl
	gen_require(`
		type collectd_client_packet_t;
	')

	dontaudit $1 collectd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_collectd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive collectd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_collectd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_collectd_client_packets'($*)) dnl
	gen_require(`
		type collectd_client_packet_t;
	')

	allow $1 collectd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_collectd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive collectd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_collectd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_collectd_client_packets'($*)) dnl
	gen_require(`
		type collectd_client_packet_t;
	')

	dontaudit $1 collectd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_collectd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive collectd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_collectd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_collectd_client_packets'($*)) dnl
	corenet_send_collectd_client_packets($1)
	corenet_receive_collectd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_collectd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive collectd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_collectd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_collectd_client_packets'($*)) dnl
	corenet_dontaudit_send_collectd_client_packets($1)
	corenet_dontaudit_receive_collectd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_collectd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the collectd_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_collectd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_collectd_client_packets'($*)) dnl
	gen_require(`
		type collectd_client_packet_t;
	')

	allow $1 collectd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_collectd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send collectd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_collectd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_collectd_server_packets'($*)) dnl
	gen_require(`
		type collectd_server_packet_t;
	')

	allow $1 collectd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_collectd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send collectd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_collectd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_collectd_server_packets'($*)) dnl
	gen_require(`
		type collectd_server_packet_t;
	')

	dontaudit $1 collectd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_collectd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive collectd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_collectd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_collectd_server_packets'($*)) dnl
	gen_require(`
		type collectd_server_packet_t;
	')

	allow $1 collectd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_collectd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive collectd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_collectd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_collectd_server_packets'($*)) dnl
	gen_require(`
		type collectd_server_packet_t;
	')

	dontaudit $1 collectd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_collectd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive collectd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_collectd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_collectd_server_packets'($*)) dnl
	corenet_send_collectd_server_packets($1)
	corenet_receive_collectd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_collectd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive collectd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_collectd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_collectd_server_packets'($*)) dnl
	corenet_dontaudit_send_collectd_server_packets($1)
	corenet_dontaudit_receive_collectd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_collectd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the collectd_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_collectd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_collectd_server_packets'($*)) dnl
	gen_require(`
		type collectd_server_packet_t;
	')

	allow $1 collectd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_collectd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the chronyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_chronyd_port'($*)) dnl
	gen_require(`
		type chronyd_port_t;
	')

	allow $1 chronyd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_chronyd_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the chronyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_chronyd_port'($*)) dnl
	gen_require(`
		type chronyd_port_t;
	')

	allow $1 chronyd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_chronyd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the chronyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_chronyd_port'($*)) dnl
	gen_require(`
		type chronyd_port_t;
	')

	dontaudit $1 chronyd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_chronyd_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the chronyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_chronyd_port'($*)) dnl
	gen_require(`
		type chronyd_port_t;
	')

	allow $1 chronyd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_chronyd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the chronyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_chronyd_port'($*)) dnl
	gen_require(`
		type chronyd_port_t;
	')

	dontaudit $1 chronyd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_chronyd_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the chronyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_chronyd_port'($*)) dnl
	corenet_udp_send_chronyd_port($1)
	corenet_udp_receive_chronyd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_chronyd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the chronyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_chronyd_port'($*)) dnl
	corenet_dontaudit_udp_send_chronyd_port($1)
	corenet_dontaudit_udp_receive_chronyd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_chronyd_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the chronyd port.  Note that this interface also
##	grants the net_bind_service capability to the domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_chronyd_port'($*)) dnl
	gen_require(`
		type chronyd_port_t;
	')

	allow $1 chronyd_port_t:tcp_socket name_bind;
	# NOTE(review): the capability grant presumably means the chronyd port
	# is a reserved (below 1024) port; confirm against the port declaration.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_chronyd_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the chronyd port.  Note that this interface also
##	grants the net_bind_service capability to the domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_chronyd_port'($*)) dnl
	gen_require(`
		type chronyd_port_t;
	')

	allow $1 chronyd_port_t:udp_socket name_bind;
	# NOTE(review): the capability grant presumably means the chronyd port
	# is a reserved (below 1024) port; confirm against the port declaration.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_chronyd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the chronyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
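##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_chronyd_port'($*)) dnl
	gen_require(`
		type chronyd_port_t;
	')

	# A dontaudit interface only silences denials; it must not grant
	# anything.  The net_bind_service capability that used to be allowed
	# here belongs to corenet_udp_bind_chronyd_port, which already grants
	# it, and the other dontaudit_udp_bind interfaces grant nothing.
	dontaudit $1 chronyd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_chronyd_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the chronyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_chronyd_port'($*)) dnl
	gen_require(`
		type chronyd_port_t;
	')

	allow $1 chronyd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_chronyd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the chronyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_chronyd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_chronyd_port'($*)) dnl
	gen_require(`
		type chronyd_port_t;
	')

	dontaudit $1 chronyd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_chronyd_port'($*)) dnl
')

########################################
## <summary>
##	Send chronyd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.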
##	</summary>
## </param>
#
define(`corenet_send_chronyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_chronyd_client_packets'($*)) dnl
	gen_require(`
		type chronyd_client_packet_t;
	')

	allow $1 chronyd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_chronyd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send chronyd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_chronyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_chronyd_client_packets'($*)) dnl
	gen_require(`
		type chronyd_client_packet_t;
	')

	dontaudit $1 chronyd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_chronyd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive chronyd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_chronyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_chronyd_client_packets'($*)) dnl
	gen_require(`
		type chronyd_client_packet_t;
	')

	allow $1 chronyd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_chronyd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive chronyd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_chronyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_chronyd_client_packets'($*)) dnl
	gen_require(`
		type chronyd_client_packet_t;
	')

	dontaudit $1 chronyd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_chronyd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive chronyd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_chronyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_chronyd_client_packets'($*)) dnl
	corenet_send_chronyd_client_packets($1)
	corenet_receive_chronyd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_chronyd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive chronyd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_chronyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_chronyd_client_packets'($*)) dnl
	corenet_dontaudit_send_chronyd_client_packets($1)
	corenet_dontaudit_receive_chronyd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_chronyd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the chronyd_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_chronyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_chronyd_client_packets'($*)) dnl
	gen_require(`
		type chronyd_client_packet_t;
	')

	allow $1 chronyd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_chronyd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send chronyd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_chronyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_chronyd_server_packets'($*)) dnl
	gen_require(`
		type chronyd_server_packet_t;
	')

	allow $1 chronyd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_chronyd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send chronyd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_chronyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_chronyd_server_packets'($*)) dnl
	gen_require(`
		type chronyd_server_packet_t;
	')

	dontaudit $1 chronyd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_chronyd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive chronyd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_chronyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_chronyd_server_packets'($*)) dnl
	gen_require(`
		type chronyd_server_packet_t;
	')

	allow $1 chronyd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_chronyd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive chronyd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_chronyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_chronyd_server_packets'($*)) dnl
	gen_require(`
		type chronyd_server_packet_t;
	')

	dontaudit $1 chronyd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_chronyd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive chronyd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_chronyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_chronyd_server_packets'($*)) dnl
	corenet_send_chronyd_server_packets($1)
	corenet_receive_chronyd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_chronyd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive chronyd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_chronyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_chronyd_server_packets'($*)) dnl
	corenet_dontaudit_send_chronyd_server_packets($1)
	corenet_dontaudit_receive_chronyd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_chronyd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the chronyd_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_chronyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_chronyd_server_packets'($*)) dnl
	gen_require(`
		type chronyd_server_packet_t;
	')

	allow $1 chronyd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_chronyd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the clamd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_clamd_port'($*)) dnl
	gen_require(`
		type clamd_port_t;
	')

	allow $1 clamd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_clamd_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the clamd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_clamd_port'($*)) dnl
	gen_require(`
		type clamd_port_t;
	')

	allow $1 clamd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_clamd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the clamd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_clamd_port'($*)) dnl
	gen_require(`
		type clamd_port_t;
	')

	dontaudit $1 clamd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_clamd_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the clamd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_clamd_port'($*)) dnl
	gen_require(`
		type clamd_port_t;
	')

	allow $1 clamd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_clamd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the clamd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_clamd_port'($*)) dnl
	gen_require(`
		type clamd_port_t;
	')

	dontaudit $1 clamd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_clamd_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the clamd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_clamd_port'($*)) dnl
	corenet_udp_send_clamd_port($1)
	corenet_udp_receive_clamd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_clamd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the clamd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_clamd_port'($*)) dnl
	corenet_dontaudit_udp_send_clamd_port($1)
	corenet_dontaudit_udp_receive_clamd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_clamd_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the clamd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_clamd_port'($*)) dnl
	gen_require(`
		type clamd_port_t;
	')

	allow $1 clamd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_clamd_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the clamd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_clamd_port'($*)) dnl
	gen_require(`
		type clamd_port_t;
	')

	allow $1 clamd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_clamd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the clamd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_clamd_port'($*)) dnl
	gen_require(`
		type clamd_port_t;
	')

	dontaudit $1 clamd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_clamd_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the clamd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_clamd_port'($*)) dnl
	gen_require(`
		type clamd_port_t;
	')

	allow $1 clamd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_clamd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the clamd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_clamd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_clamd_port'($*)) dnl
	gen_require(`
		type clamd_port_t;
	')

	dontaudit $1 clamd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_clamd_port'($*)) dnl
')

########################################
## <summary>
##	Send clamd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_clamd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_clamd_client_packets'($*)) dnl
	gen_require(`
		type clamd_client_packet_t;
	')

	allow $1 clamd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_clamd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send clamd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_clamd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_clamd_client_packets'($*)) dnl
	gen_require(`
		type clamd_client_packet_t;
	')

	dontaudit $1 clamd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_clamd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive clamd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_clamd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_clamd_client_packets'($*)) dnl
	gen_require(`
		type clamd_client_packet_t;
	')

	allow $1 clamd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_clamd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive clamd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_clamd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_clamd_client_packets'($*)) dnl
	gen_require(`
		type clamd_client_packet_t;
	')

	dontaudit $1 clamd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_clamd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive clamd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_clamd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_clamd_client_packets'($*)) dnl
	corenet_send_clamd_client_packets($1)
	corenet_receive_clamd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_clamd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive clamd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_clamd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_clamd_client_packets'($*)) dnl
	corenet_dontaudit_send_clamd_client_packets($1)
	corenet_dontaudit_receive_clamd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_clamd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the clamd_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_clamd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_clamd_client_packets'($*)) dnl
	gen_require(`
		type clamd_client_packet_t;
	')

	allow $1 clamd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_clamd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send clamd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_clamd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_clamd_server_packets'($*)) dnl
	gen_require(`
		type clamd_server_packet_t;
	')

	allow $1 clamd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_clamd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send clamd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_clamd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_clamd_server_packets'($*)) dnl
	gen_require(`
		type clamd_server_packet_t;
	')

	dontaudit $1 clamd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_clamd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive clamd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_clamd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_clamd_server_packets'($*)) dnl
	gen_require(`
		type clamd_server_packet_t;
	')

	allow $1 clamd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_clamd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive clamd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_clamd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_clamd_server_packets'($*)) dnl
	gen_require(`
		type clamd_server_packet_t;
	')

	dontaudit $1 clamd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_clamd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive clamd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_clamd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_clamd_server_packets'($*)) dnl
	corenet_send_clamd_server_packets($1)
	corenet_receive_clamd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_clamd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive clamd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_clamd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_clamd_server_packets'($*)) dnl
	corenet_dontaudit_send_clamd_server_packets($1)
	corenet_dontaudit_receive_clamd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_clamd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the clamd_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_clamd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_clamd_server_packets'($*)) dnl
	gen_require(`
		type clamd_server_packet_t;
	')

	allow $1 clamd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_clamd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the clockspeed port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_clockspeed_port'($*)) dnl
	gen_require(`
		type clockspeed_port_t;
	')

	allow $1 clockspeed_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_clockspeed_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the clockspeed port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_clockspeed_port'($*)) dnl
	gen_require(`
		type clockspeed_port_t;
	')

	allow $1 clockspeed_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_clockspeed_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the clockspeed port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_clockspeed_port'($*)) dnl
	gen_require(`
		type clockspeed_port_t;
	')

	dontaudit $1 clockspeed_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_clockspeed_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the clockspeed port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_clockspeed_port'($*)) dnl
	gen_require(`
		type clockspeed_port_t;
	')

	allow $1 clockspeed_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_clockspeed_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the clockspeed port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_clockspeed_port'($*)) dnl
	gen_require(`
		type clockspeed_port_t;
	')

	dontaudit $1 clockspeed_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_clockspeed_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the clockspeed port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_clockspeed_port'($*)) dnl
	corenet_udp_send_clockspeed_port($1)
	corenet_udp_receive_clockspeed_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_clockspeed_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the clockspeed port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_clockspeed_port'($*)) dnl
	corenet_dontaudit_udp_send_clockspeed_port($1)
	corenet_dontaudit_udp_receive_clockspeed_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_clockspeed_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the clockspeed port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_clockspeed_port'($*)) dnl
	gen_require(`
		type clockspeed_port_t;
	')

	allow $1 clockspeed_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_clockspeed_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the clockspeed port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_clockspeed_port'($*)) dnl
	gen_require(`
		type clockspeed_port_t;
	')

	allow $1 clockspeed_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_clockspeed_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the clockspeed port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_clockspeed_port'($*)) dnl
	gen_require(`
		type clockspeed_port_t;
	')

	dontaudit $1 clockspeed_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_clockspeed_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the clockspeed port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_clockspeed_port'($*)) dnl
	gen_require(`
		type clockspeed_port_t;
	')

	allow $1 clockspeed_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_clockspeed_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the clockspeed port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_clockspeed_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_clockspeed_port'($*)) dnl
	gen_require(`
		type clockspeed_port_t;
	')

	dontaudit $1 clockspeed_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_clockspeed_port'($*)) dnl
')

########################################
## <summary>
##	Send clockspeed_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_clockspeed_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_clockspeed_client_packets'($*)) dnl
	gen_require(`
		type clockspeed_client_packet_t;
	')

	allow $1 clockspeed_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_clockspeed_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send clockspeed_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_clockspeed_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_clockspeed_client_packets'($*)) dnl
	gen_require(`
		type clockspeed_client_packet_t;
	')

	dontaudit $1 clockspeed_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_clockspeed_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive clockspeed_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_clockspeed_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_clockspeed_client_packets'($*)) dnl
	gen_require(`
		type clockspeed_client_packet_t;
	')

	allow $1 clockspeed_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_clockspeed_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive clockspeed_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_clockspeed_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_clockspeed_client_packets'($*)) dnl
	gen_require(`
		type clockspeed_client_packet_t;
	')

	dontaudit $1 clockspeed_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_clockspeed_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive clockspeed_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_clockspeed_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_clockspeed_client_packets'($*)) dnl
	corenet_send_clockspeed_client_packets($1)
	corenet_receive_clockspeed_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_clockspeed_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive clockspeed_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_clockspeed_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_clockspeed_client_packets'($*)) dnl
	corenet_dontaudit_send_clockspeed_client_packets($1)
	corenet_dontaudit_receive_clockspeed_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_clockspeed_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the clockspeed_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_clockspeed_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_clockspeed_client_packets'($*)) dnl
	gen_require(`
		type clockspeed_client_packet_t;
	')

	allow $1 clockspeed_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_clockspeed_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send clockspeed_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_clockspeed_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_clockspeed_server_packets'($*)) dnl
	gen_require(`
		type clockspeed_server_packet_t;
	')

	allow $1 clockspeed_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_clockspeed_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send clockspeed_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_clockspeed_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_clockspeed_server_packets'($*)) dnl
	gen_require(`
		type clockspeed_server_packet_t;
	')

	dontaudit $1 clockspeed_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_clockspeed_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive clockspeed_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_clockspeed_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_clockspeed_server_packets'($*)) dnl
	gen_require(`
		type clockspeed_server_packet_t;
	')

	allow $1 clockspeed_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_clockspeed_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive clockspeed_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_clockspeed_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_clockspeed_server_packets'($*)) dnl
	gen_require(`
		type clockspeed_server_packet_t;
	')

	dontaudit $1 clockspeed_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_clockspeed_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive clockspeed_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_clockspeed_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_clockspeed_server_packets'($*)) dnl
	corenet_send_clockspeed_server_packets($1)
	corenet_receive_clockspeed_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_clockspeed_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive clockspeed_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_clockspeed_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_clockspeed_server_packets'($*)) dnl
	corenet_dontaudit_send_clockspeed_server_packets($1)
	corenet_dontaudit_receive_clockspeed_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_clockspeed_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the clockspeed_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_clockspeed_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_clockspeed_server_packets'($*)) dnl
	gen_require(`
		type clockspeed_server_packet_t;
	')

	allow $1 clockspeed_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_clockspeed_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the cluster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cluster_port'($*)) dnl
	gen_require(`
		type cluster_port_t;
	')

	allow $1 cluster_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cluster_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the cluster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cluster_port'($*)) dnl
	gen_require(`
		type cluster_port_t;
	')

	allow $1 cluster_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_cluster_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the cluster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cluster_port'($*)) dnl
	gen_require(`
		type cluster_port_t;
	')

	dontaudit $1 cluster_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cluster_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the cluster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cluster_port'($*)) dnl
	gen_require(`
		type cluster_port_t;
	')

	allow $1 cluster_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cluster_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the cluster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cluster_port'($*)) dnl
	gen_require(`
		type cluster_port_t;
	')

	dontaudit $1 cluster_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cluster_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the cluster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cluster_port'($*)) dnl
	corenet_udp_send_cluster_port($1)
	corenet_udp_receive_cluster_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cluster_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the cluster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cluster_port'($*)) dnl
	corenet_dontaudit_udp_send_cluster_port($1)
	corenet_dontaudit_udp_receive_cluster_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cluster_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the cluster port.
## </summary>
## <desc>
##	<p>
##	Unlike the clockspeed bind interfaces above, this interface also
##	grants the caller the net_bind_service capability on itself.
##	Presumably the cluster port set includes a privileged port number;
##	confirm against the cluster port declaration before relying on this,
##	since net_bind_service is not scoped to cluster_port_t and lets the
##	domain bind any privileged port it is otherwise allowed to bind.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cluster_port'($*)) dnl
	gen_require(`
		type cluster_port_t;
	')

	allow $1 cluster_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cluster_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the cluster port.
## </summary>
## <desc>
##	<p>
##	Like corenet_tcp_bind_cluster_port, this interface also grants the
##	caller the net_bind_service capability on itself. Confirm that the
##	cluster port set really includes a privileged port number before
##	relying on this, since the capability is not scoped to cluster_port_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cluster_port'($*)) dnl
	gen_require(`
		type cluster_port_t;
	')

	allow $1 cluster_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cluster_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the cluster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
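##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_cluster_port'($*)) dnl
	gen_require(`
		type cluster_port_t;
	')

	dontaudit $1 cluster_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_cluster_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the cluster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cluster_port'($*)) dnl
	gen_require(`
		type cluster_port_t;
	')

	allow $1 cluster_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cluster_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the cluster port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_cluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_cluster_port'($*)) dnl
	gen_require(`
		type cluster_port_t;
	')

	dontaudit $1 cluster_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_cluster_port'($*)) dnl
')

########################################
## <summary>
##	Send cluster_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.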
##	</summary>
## </param>
#
define(`corenet_send_cluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cluster_client_packets'($*)) dnl
	gen_require(`
		type cluster_client_packet_t;
	')

	allow $1 cluster_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cluster_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send cluster_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_cluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cluster_client_packets'($*)) dnl
	gen_require(`
		type cluster_client_packet_t;
	')

	dontaudit $1 cluster_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cluster_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive cluster_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_cluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cluster_client_packets'($*)) dnl
	gen_require(`
		type cluster_client_packet_t;
	')

	allow $1 cluster_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cluster_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive cluster_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_cluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cluster_client_packets'($*)) dnl
	gen_require(`
		type cluster_client_packet_t;
	')

	dontaudit $1 cluster_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cluster_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive cluster_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_cluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cluster_client_packets'($*)) dnl
	corenet_send_cluster_client_packets($1)
	corenet_receive_cluster_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cluster_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive cluster_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_cluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cluster_client_packets'($*)) dnl
	corenet_dontaudit_send_cluster_client_packets($1)
	corenet_dontaudit_receive_cluster_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cluster_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the cluster_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_cluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cluster_client_packets'($*)) dnl
	gen_require(`
		type cluster_client_packet_t;
	')

	allow $1 cluster_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cluster_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send cluster_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_cluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cluster_server_packets'($*)) dnl
	gen_require(`
		type cluster_server_packet_t;
	')

	allow $1 cluster_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cluster_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send cluster_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_cluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cluster_server_packets'($*)) dnl
	gen_require(`
		type cluster_server_packet_t;
	')

	dontaudit $1 cluster_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cluster_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive cluster_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_cluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cluster_server_packets'($*)) dnl
	gen_require(`
		type cluster_server_packet_t;
	')

	allow $1 cluster_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cluster_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive cluster_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_cluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cluster_server_packets'($*)) dnl
	gen_require(`
		type cluster_server_packet_t;
	')

	dontaudit $1 cluster_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cluster_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive cluster_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_cluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cluster_server_packets'($*)) dnl
	corenet_send_cluster_server_packets($1)
	corenet_receive_cluster_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cluster_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive cluster_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses only the AVC audit records; the access is still denied.
define(`corenet_dontaudit_sendrecv_cluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cluster_server_packets'($*)) dnl
corenet_dontaudit_send_cluster_server_packets($1)
corenet_dontaudit_receive_cluster_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cluster_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the cluster_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# relabelto lets $1 assign this type as a packet's new label. Grant narrowly:
# the packet send/recv rules for this type are keyed on exactly this label.
define(`corenet_relabelto_cluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cluster_server_packets'($*)) dnl
gen_require(`
	type cluster_server_packet_t;
')
allow $1 cluster_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cluster_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the cma port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cma_port'($*)) dnl
gen_require(`
	type cma_port_t;
')
allow $1 cma_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cma_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the cma port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cma_port'($*)) dnl
gen_require(`
	type cma_port_t;
')
allow $1 cma_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_cma_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the cma port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses only the AVC audit record; the access is still denied.
define(`corenet_dontaudit_udp_send_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cma_port'($*)) dnl
gen_require(`
	type cma_port_t;
')
dontaudit $1 cma_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cma_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the cma port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cma_port'($*)) dnl
gen_require(`
	type cma_port_t;
')
allow $1 cma_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cma_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the cma port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses only the AVC audit record; the access is still denied.
define(`corenet_dontaudit_udp_receive_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cma_port'($*)) dnl
gen_require(`
	type cma_port_t;
')
dontaudit $1 cma_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cma_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the cma port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
# Convenience wrapper: equivalent to calling the send and receive interfaces.
define(`corenet_udp_sendrecv_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cma_port'($*)) dnl
corenet_udp_send_cma_port($1)
corenet_udp_receive_cma_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cma_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the cma port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses only the AVC audit records; the access is still denied.
define(`corenet_dontaudit_udp_sendrecv_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cma_port'($*)) dnl
corenet_dontaudit_udp_send_cma_port($1)
corenet_dontaudit_udp_receive_cma_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cma_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the cma port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cma_port'($*)) dnl
gen_require(`
	type cma_port_t;
')
allow $1 cma_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cma_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the cma port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_bind_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cma_port'($*)) dnl
gen_require(`
	type cma_port_t;
')
allow $1 cma_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cma_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the cma port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Summary typo ("sbind") fixed. Only the UDP variant exists here; there is no
# TCP dontaudit bind counterpart in this file.
# Suppresses only the AVC audit record; the access is still denied.
define(`corenet_dontaudit_udp_bind_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_cma_port'($*)) dnl
gen_require(`
	type cma_port_t;
')
dontaudit $1 cma_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_cma_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the cma port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cma_port'($*)) dnl
gen_require(`
	type cma_port_t;
')
allow $1 cma_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cma_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the cma port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Parameter doc corrected: this is a dontaudit rule, it grants no access.
# Suppresses only the AVC audit record; the connection is still denied.
define(`corenet_dontaudit_tcp_connect_cma_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_cma_port'($*)) dnl
gen_require(`
	type cma_port_t;
')
dontaudit $1 cma_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_cma_port'($*)) dnl
')

########################################
## <summary>
##	Send cma_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_cma_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cma_client_packets'($*)) dnl
gen_require(`
	type cma_client_packet_t;
')
allow $1 cma_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cma_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send cma_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses only the AVC audit record; the access is still denied.
define(`corenet_dontaudit_send_cma_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cma_client_packets'($*)) dnl
gen_require(`
	type cma_client_packet_t;
')
dontaudit $1 cma_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cma_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive cma_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_cma_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cma_client_packets'($*)) dnl
gen_require(`
	type cma_client_packet_t;
')
allow $1 cma_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cma_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive cma_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Parameter doc corrected: this is a dontaudit rule, it grants no access.
# Suppresses only the AVC audit record; the access is still denied.
define(`corenet_dontaudit_receive_cma_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cma_client_packets'($*)) dnl
gen_require(`
	type cma_client_packet_t;
')
dontaudit $1 cma_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cma_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive cma_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
# Convenience wrapper: equivalent to calling the send and receive interfaces.
define(`corenet_sendrecv_cma_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cma_client_packets'($*)) dnl
corenet_send_cma_client_packets($1)
corenet_receive_cma_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cma_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive cma_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses only the AVC audit records; the access is still denied.
define(`corenet_dontaudit_sendrecv_cma_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cma_client_packets'($*)) dnl
corenet_dontaudit_send_cma_client_packets($1)
corenet_dontaudit_receive_cma_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cma_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the cma_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# relabelto lets $1 assign this type as a packet's new label. Grant narrowly:
# the packet send/recv rules for this type are keyed on exactly this label.
define(`corenet_relabelto_cma_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cma_client_packets'($*)) dnl
gen_require(`
	type cma_client_packet_t;
')
allow $1 cma_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cma_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send cma_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_cma_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cma_server_packets'($*)) dnl
gen_require(`
	type cma_server_packet_t;
')
allow $1 cma_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cma_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send cma_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses only the AVC audit record; the access is still denied.
define(`corenet_dontaudit_send_cma_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cma_server_packets'($*)) dnl
gen_require(`
	type cma_server_packet_t;
')
dontaudit $1 cma_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cma_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive cma_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_cma_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cma_server_packets'($*)) dnl
gen_require(`
	type cma_server_packet_t;
')
allow $1 cma_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cma_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive cma_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses only the AVC audit record; the access is still denied.
define(`corenet_dontaudit_receive_cma_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cma_server_packets'($*)) dnl
gen_require(`
	type cma_server_packet_t;
')
dontaudit $1 cma_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cma_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive cma_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
# Convenience wrapper: equivalent to calling the send and receive interfaces.
define(`corenet_sendrecv_cma_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cma_server_packets'($*)) dnl
corenet_send_cma_server_packets($1)
corenet_receive_cma_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cma_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive cma_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses only the AVC audit records; the access is still denied.
define(`corenet_dontaudit_sendrecv_cma_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cma_server_packets'($*)) dnl
corenet_dontaudit_send_cma_server_packets($1)
corenet_dontaudit_receive_cma_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cma_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the cma_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# relabelto lets $1 assign this type as a packet's new label. Grant narrowly:
# the packet send/recv rules for this type are keyed on exactly this label.
define(`corenet_relabelto_cma_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cma_server_packets'($*)) dnl
gen_require(`
	type cma_server_packet_t;
')
allow $1 cma_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cma_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the cmadmin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cmadmin_port'($*)) dnl
gen_require(`
	type cmadmin_port_t;
')
allow $1 cmadmin_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cmadmin_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the cmadmin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cmadmin_port'($*)) dnl
gen_require(`
	type cmadmin_port_t;
')
allow $1 cmadmin_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_cmadmin_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the cmadmin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses only the AVC audit record; the access is still denied.
define(`corenet_dontaudit_udp_send_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cmadmin_port'($*)) dnl
gen_require(`
	type cmadmin_port_t;
')
dontaudit $1 cmadmin_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cmadmin_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the cmadmin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cmadmin_port'($*)) dnl
gen_require(`
	type cmadmin_port_t;
')
allow $1 cmadmin_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cmadmin_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the cmadmin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses only the AVC audit record; the access is still denied.
define(`corenet_dontaudit_udp_receive_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cmadmin_port'($*)) dnl
gen_require(`
	type cmadmin_port_t;
')
dontaudit $1 cmadmin_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cmadmin_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the cmadmin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
# Convenience wrapper: equivalent to calling the send and receive interfaces.
define(`corenet_udp_sendrecv_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cmadmin_port'($*)) dnl
corenet_udp_send_cmadmin_port($1)
corenet_udp_receive_cmadmin_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cmadmin_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the cmadmin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses only the AVC audit records; the access is still denied.
define(`corenet_dontaudit_udp_sendrecv_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cmadmin_port'($*)) dnl
corenet_dontaudit_udp_send_cmadmin_port($1)
corenet_dontaudit_udp_receive_cmadmin_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cmadmin_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the cmadmin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cmadmin_port'($*)) dnl
gen_require(`
	type cmadmin_port_t;
')
allow $1 cmadmin_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cmadmin_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the cmadmin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_bind_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cmadmin_port'($*)) dnl
gen_require(`
	type cmadmin_port_t;
')
allow $1 cmadmin_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cmadmin_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the cmadmin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Summary typo ("sbind") fixed. Only the UDP variant exists here.
# Suppresses only the AVC audit record; the access is still denied.
define(`corenet_dontaudit_udp_bind_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_cmadmin_port'($*)) dnl
gen_require(`
	type cmadmin_port_t;
')
dontaudit $1 cmadmin_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_cmadmin_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the cmadmin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cmadmin_port'($*)) dnl
gen_require(`
	type cmadmin_port_t;
')
allow $1 cmadmin_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cmadmin_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the cmadmin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Suppresses only the AVC audit record; the connection is still denied.
define(`corenet_dontaudit_tcp_connect_cmadmin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_cmadmin_port'($*)) dnl
gen_require(`
	type cmadmin_port_t;
')
dontaudit $1 cmadmin_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_cmadmin_port'($*)) dnl
')

########################################
## <summary>
##	Send cmadmin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_cmadmin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cmadmin_client_packets'($*)) dnl
gen_require(`
	type cmadmin_client_packet_t;
')
allow $1 cmadmin_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cmadmin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send cmadmin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses only the AVC audit record; the access is still denied.
define(`corenet_dontaudit_send_cmadmin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cmadmin_client_packets'($*)) dnl
gen_require(`
	type cmadmin_client_packet_t;
')
dontaudit $1 cmadmin_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cmadmin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive cmadmin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_cmadmin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cmadmin_client_packets'($*)) dnl
gen_require(`
	type cmadmin_client_packet_t;
')
allow $1 cmadmin_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cmadmin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive cmadmin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Parameter doc corrected: this is a dontaudit rule, it grants no access.
# Suppresses only the AVC audit record; the access is still denied.
define(`corenet_dontaudit_receive_cmadmin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cmadmin_client_packets'($*)) dnl
gen_require(`
	type cmadmin_client_packet_t;
')
dontaudit $1 cmadmin_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cmadmin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive cmadmin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
# Convenience wrapper: equivalent to calling the send and receive interfaces.
define(`corenet_sendrecv_cmadmin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cmadmin_client_packets'($*)) dnl
corenet_send_cmadmin_client_packets($1)
corenet_receive_cmadmin_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cmadmin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive cmadmin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses only the AVC audit records; the access is still denied.
define(`corenet_dontaudit_sendrecv_cmadmin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cmadmin_client_packets'($*)) dnl
corenet_dontaudit_send_cmadmin_client_packets($1)
corenet_dontaudit_receive_cmadmin_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cmadmin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the cmadmin_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# relabelto lets $1 assign this type as a packet's new label. Grant narrowly:
# the packet send/recv rules for this type are keyed on exactly this label.
define(`corenet_relabelto_cmadmin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cmadmin_client_packets'($*)) dnl
gen_require(`
	type cmadmin_client_packet_t;
')
allow $1 cmadmin_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cmadmin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send cmadmin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_cmadmin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cmadmin_server_packets'($*)) dnl
gen_require(`
	type cmadmin_server_packet_t;
')
allow $1 cmadmin_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cmadmin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send cmadmin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses only the AVC audit record; the access is still denied.
define(`corenet_dontaudit_send_cmadmin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cmadmin_server_packets'($*)) dnl
gen_require(`
	type cmadmin_server_packet_t;
')
dontaudit $1 cmadmin_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cmadmin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive cmadmin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_cmadmin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cmadmin_server_packets'($*)) dnl
gen_require(`
	type cmadmin_server_packet_t;
')
allow $1 cmadmin_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cmadmin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive cmadmin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Parameter doc corrected: this is a dontaudit rule, it grants no access.
# Suppresses only the AVC audit record; the access is still denied.
define(`corenet_dontaudit_receive_cmadmin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cmadmin_server_packets'($*)) dnl
gen_require(`
	type cmadmin_server_packet_t;
')
dontaudit $1 cmadmin_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cmadmin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive cmadmin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
# Convenience wrapper: equivalent to calling the send and receive interfaces.
define(`corenet_sendrecv_cmadmin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cmadmin_server_packets'($*)) dnl
corenet_send_cmadmin_server_packets($1)
corenet_receive_cmadmin_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cmadmin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive cmadmin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses only the AVC audit records; the access is still denied.
define(`corenet_dontaudit_sendrecv_cmadmin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cmadmin_server_packets'($*)) dnl
corenet_dontaudit_send_cmadmin_server_packets($1)
corenet_dontaudit_receive_cmadmin_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cmadmin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the cmadmin_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# relabelto lets $1 assign this type as a packet's new label. Grant narrowly:
# the packet send/recv rules for this type are keyed on exactly this label.
define(`corenet_relabelto_cmadmin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cmadmin_server_packets'($*)) dnl
gen_require(`
	type cmadmin_server_packet_t;
')
allow $1 cmadmin_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cmadmin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the cobbler port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cobbler_port'($*)) dnl
gen_require(`
	type cobbler_port_t;
')
allow $1 cobbler_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cobbler_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the cobbler port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cobbler_port'($*)) dnl
gen_require(`
	type cobbler_port_t;
')
allow $1 cobbler_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_cobbler_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the cobbler port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses only the AVC audit record; the access is still denied.
define(`corenet_dontaudit_udp_send_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cobbler_port'($*)) dnl
gen_require(`
	type cobbler_port_t;
')
dontaudit $1 cobbler_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cobbler_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the cobbler port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cobbler_port'($*)) dnl
gen_require(`
	type cobbler_port_t;
')
allow $1 cobbler_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cobbler_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the cobbler port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses only the AVC audit record; the access is still denied.
define(`corenet_dontaudit_udp_receive_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cobbler_port'($*)) dnl
gen_require(`
	type cobbler_port_t;
')
dontaudit $1 cobbler_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cobbler_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the cobbler port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
# Convenience wrapper: equivalent to calling the send and receive interfaces.
define(`corenet_udp_sendrecv_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cobbler_port'($*)) dnl
corenet_udp_send_cobbler_port($1)
corenet_udp_receive_cobbler_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cobbler_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the cobbler port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cobbler_port'($*)) dnl
	corenet_dontaudit_udp_send_cobbler_port($1)
	corenet_dontaudit_udp_receive_cobbler_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cobbler_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the cobbler port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cobbler_port'($*)) dnl
	gen_require(`
		type cobbler_port_t;
	')

	# name_bind lets the domain listen on this port; it does not grant connect
	allow $1 cobbler_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cobbler_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the cobbler port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cobbler_port'($*)) dnl
	gen_require(`
		type cobbler_port_t;
	')

	allow $1 cobbler_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cobbler_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the cobbler port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_cobbler_port'($*)) dnl
	gen_require(`
		type cobbler_port_t;
	')

	dontaudit $1 cobbler_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_cobbler_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the cobbler port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cobbler_port'($*)) dnl
	gen_require(`
		type cobbler_port_t;
	')

	# name_connect is the client-side permission; pair with tcp_sendrecv for data flow
	allow $1 cobbler_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cobbler_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the cobbler port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_cobbler_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_cobbler_port'($*)) dnl
	gen_require(`
		type cobbler_port_t;
	')

	dontaudit $1 cobbler_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_cobbler_port'($*)) dnl
')

########################################
## <summary>
##	Send cobbler_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_cobbler_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cobbler_client_packets'($*)) dnl
	gen_require(`
		type cobbler_client_packet_t;
	')

	# packet class: only enforced when SECMARK labels packets with this type
	allow $1 cobbler_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cobbler_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send cobbler_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_cobbler_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cobbler_client_packets'($*)) dnl
	gen_require(`
		type cobbler_client_packet_t;
	')

	dontaudit $1 cobbler_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cobbler_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive cobbler_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_cobbler_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cobbler_client_packets'($*)) dnl
	gen_require(`
		type cobbler_client_packet_t;
	')

	allow $1 cobbler_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cobbler_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive cobbler_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_cobbler_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cobbler_client_packets'($*)) dnl
	gen_require(`
		type cobbler_client_packet_t;
	')

	dontaudit $1 cobbler_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cobbler_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive cobbler_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_cobbler_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cobbler_client_packets'($*)) dnl
	corenet_send_cobbler_client_packets($1)
	corenet_receive_cobbler_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cobbler_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive cobbler_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_cobbler_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cobbler_client_packets'($*)) dnl
	corenet_dontaudit_send_cobbler_client_packets($1)
	corenet_dontaudit_receive_cobbler_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cobbler_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the cobbler_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_cobbler_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cobbler_client_packets'($*)) dnl
	gen_require(`
		type cobbler_client_packet_t;
	')

	# relabelto is needed by the domain that applies SECMARK labels (e.g. the firewall tool)
	allow $1 cobbler_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cobbler_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send cobbler_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_cobbler_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cobbler_server_packets'($*)) dnl
	gen_require(`
		type cobbler_server_packet_t;
	')

	allow $1 cobbler_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cobbler_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send cobbler_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_cobbler_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cobbler_server_packets'($*)) dnl
	gen_require(`
		type cobbler_server_packet_t;
	')

	dontaudit $1 cobbler_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cobbler_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive cobbler_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_cobbler_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cobbler_server_packets'($*)) dnl
	gen_require(`
		type cobbler_server_packet_t;
	')

	allow $1 cobbler_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cobbler_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive cobbler_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_cobbler_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cobbler_server_packets'($*)) dnl
	gen_require(`
		type cobbler_server_packet_t;
	')

	dontaudit $1 cobbler_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cobbler_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive cobbler_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_cobbler_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cobbler_server_packets'($*)) dnl
	corenet_send_cobbler_server_packets($1)
	corenet_receive_cobbler_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cobbler_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive cobbler_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_cobbler_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cobbler_server_packets'($*)) dnl
	corenet_dontaudit_send_cobbler_server_packets($1)
	corenet_dontaudit_receive_cobbler_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cobbler_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the cobbler_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_cobbler_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cobbler_server_packets'($*)) dnl
	gen_require(`
		type cobbler_server_packet_t;
	')

	allow $1 cobbler_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_cobbler_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the commplex_link port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_commplex_link_port'($*)) dnl
	gen_require(`
		type commplex_link_port_t;
	')

	# both directions on an established TCP socket; bind/connect are separate interfaces
	allow $1 commplex_link_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_commplex_link_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the commplex_link port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_commplex_link_port'($*)) dnl
	gen_require(`
		type commplex_link_port_t;
	')

	allow $1 commplex_link_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_commplex_link_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the commplex_link port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_commplex_link_port'($*)) dnl
	gen_require(`
		type commplex_link_port_t;
	')

	dontaudit $1 commplex_link_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_commplex_link_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the commplex_link port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_commplex_link_port'($*)) dnl
	gen_require(`
		type commplex_link_port_t;
	')

	allow $1 commplex_link_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_commplex_link_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the commplex_link port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_commplex_link_port'($*)) dnl
	gen_require(`
		type commplex_link_port_t;
	')

	dontaudit $1 commplex_link_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_commplex_link_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the commplex_link port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_commplex_link_port'($*)) dnl
	# convenience wrapper: composed from the two single-direction interfaces
	corenet_udp_send_commplex_link_port($1)
	corenet_udp_receive_commplex_link_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_commplex_link_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the commplex_link port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_commplex_link_port'($*)) dnl
	corenet_dontaudit_udp_send_commplex_link_port($1)
	corenet_dontaudit_udp_receive_commplex_link_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_commplex_link_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the commplex_link port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_commplex_link_port'($*)) dnl
	gen_require(`
		type commplex_link_port_t;
	')

	# name_bind lets the domain listen on this port; it does not grant connect
	allow $1 commplex_link_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_commplex_link_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the commplex_link port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_commplex_link_port'($*)) dnl
	gen_require(`
		type commplex_link_port_t;
	')

	allow $1 commplex_link_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_commplex_link_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the commplex_link port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_commplex_link_port'($*)) dnl
	gen_require(`
		type commplex_link_port_t;
	')

	dontaudit $1 commplex_link_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_commplex_link_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the commplex_link port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_commplex_link_port'($*)) dnl
	gen_require(`
		type commplex_link_port_t;
	')

	# name_connect is the client-side permission; pair with tcp_sendrecv for data flow
	allow $1 commplex_link_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_commplex_link_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the commplex_link port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_commplex_link_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_commplex_link_port'($*)) dnl
	gen_require(`
		type commplex_link_port_t;
	')

	dontaudit $1 commplex_link_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_commplex_link_port'($*)) dnl
')

########################################
## <summary>
##	Send commplex_link_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_commplex_link_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_commplex_link_client_packets'($*)) dnl
	gen_require(`
		type commplex_link_client_packet_t;
	')

	# packet class: only enforced when SECMARK labels packets with this type
	allow $1 commplex_link_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_commplex_link_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send commplex_link_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_commplex_link_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_commplex_link_client_packets'($*)) dnl
	gen_require(`
		type commplex_link_client_packet_t;
	')

	dontaudit $1 commplex_link_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_commplex_link_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive commplex_link_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_commplex_link_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_commplex_link_client_packets'($*)) dnl
	gen_require(`
		type commplex_link_client_packet_t;
	')

	allow $1 commplex_link_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_commplex_link_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive commplex_link_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_commplex_link_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_commplex_link_client_packets'($*)) dnl
	gen_require(`
		type commplex_link_client_packet_t;
	')

	dontaudit $1 commplex_link_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_commplex_link_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive commplex_link_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_commplex_link_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_commplex_link_client_packets'($*)) dnl
	corenet_send_commplex_link_client_packets($1)
	corenet_receive_commplex_link_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_commplex_link_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive commplex_link_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_commplex_link_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_commplex_link_client_packets'($*)) dnl
	corenet_dontaudit_send_commplex_link_client_packets($1)
	corenet_dontaudit_receive_commplex_link_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_commplex_link_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the commplex_link_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_commplex_link_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_commplex_link_client_packets'($*)) dnl
	gen_require(`
		type commplex_link_client_packet_t;
	')

	# relabelto is needed by the domain that applies SECMARK labels (e.g. the firewall tool)
	allow $1 commplex_link_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_commplex_link_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send commplex_link_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_commplex_link_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_commplex_link_server_packets'($*)) dnl
	gen_require(`
		type commplex_link_server_packet_t;
	')

	allow $1 commplex_link_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_commplex_link_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send commplex_link_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_commplex_link_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_commplex_link_server_packets'($*)) dnl
	gen_require(`
		type commplex_link_server_packet_t;
	')

	dontaudit $1 commplex_link_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_commplex_link_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive commplex_link_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_commplex_link_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_commplex_link_server_packets'($*)) dnl
	gen_require(`
		type commplex_link_server_packet_t;
	')

	allow $1 commplex_link_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_commplex_link_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive commplex_link_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_commplex_link_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_commplex_link_server_packets'($*)) dnl
	gen_require(`
		type commplex_link_server_packet_t;
	')

	dontaudit $1 commplex_link_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_commplex_link_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive commplex_link_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_commplex_link_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_commplex_link_server_packets'($*)) dnl
	corenet_send_commplex_link_server_packets($1)
	corenet_receive_commplex_link_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_commplex_link_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive commplex_link_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_commplex_link_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_commplex_link_server_packets'($*)) dnl
	corenet_dontaudit_send_commplex_link_server_packets($1)
	corenet_dontaudit_receive_commplex_link_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_commplex_link_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the commplex_link_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_commplex_link_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_commplex_link_server_packets'($*)) dnl
	gen_require(`
		type commplex_link_server_packet_t;
	')

	allow $1 commplex_link_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_commplex_link_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the commplex_main port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_commplex_main_port'($*)) dnl
	gen_require(`
		type commplex_main_port_t;
	')

	# both directions on an established TCP socket; bind/connect are separate interfaces
	allow $1 commplex_main_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_commplex_main_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the commplex_main port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_commplex_main_port'($*)) dnl
	gen_require(`
		type commplex_main_port_t;
	')

	allow $1 commplex_main_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_commplex_main_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the commplex_main port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_commplex_main_port'($*)) dnl
	gen_require(`
		type commplex_main_port_t;
	')

	dontaudit $1 commplex_main_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_commplex_main_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the commplex_main port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_commplex_main_port'($*)) dnl
	gen_require(`
		type commplex_main_port_t;
	')

	allow $1 commplex_main_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_commplex_main_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the commplex_main port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_commplex_main_port'($*)) dnl
	gen_require(`
		type commplex_main_port_t;
	')

	dontaudit $1 commplex_main_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_commplex_main_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the commplex_main port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_commplex_main_port'($*)) dnl
	# convenience wrapper: composed from the two single-direction interfaces
	corenet_udp_send_commplex_main_port($1)
	corenet_udp_receive_commplex_main_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_commplex_main_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the commplex_main port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_commplex_main_port'($*)) dnl
	corenet_dontaudit_udp_send_commplex_main_port($1)
	corenet_dontaudit_udp_receive_commplex_main_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_commplex_main_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the commplex_main port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_commplex_main_port'($*)) dnl
	gen_require(`
		type commplex_main_port_t;
	')

	# name_bind lets the domain listen on this port; it does not grant connect
	allow $1 commplex_main_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_commplex_main_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the commplex_main port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_commplex_main_port'($*)) dnl
	gen_require(`
		type commplex_main_port_t;
	')

	allow $1 commplex_main_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_commplex_main_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the commplex_main port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_commplex_main_port'($*)) dnl
	gen_require(`
		type commplex_main_port_t;
	')

	dontaudit $1 commplex_main_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_commplex_main_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the commplex_main port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_commplex_main_port'($*)) dnl
	gen_require(`
		type commplex_main_port_t;
	')

	# name_connect is the client-side permission; pair with tcp_sendrecv for data flow
	allow $1 commplex_main_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_commplex_main_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the commplex_main port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_commplex_main_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_commplex_main_port'($*)) dnl
	gen_require(`
		type commplex_main_port_t;
	')

	dontaudit $1 commplex_main_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_commplex_main_port'($*)) dnl
')

########################################
## <summary>
##	Send commplex_main_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_commplex_main_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_commplex_main_client_packets'($*)) dnl
	gen_require(`
		type commplex_main_client_packet_t;
	')

	allow $1 commplex_main_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_commplex_main_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send commplex_main_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_commplex_main_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_commplex_main_client_packets'($*)) dnl
	gen_require(`
		type commplex_main_client_packet_t;
	')

	dontaudit $1 commplex_main_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_commplex_main_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive commplex_main_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_commplex_main_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_commplex_main_client_packets'($*)) dnl
	gen_require(`
		type commplex_main_client_packet_t;
	')

	allow $1 commplex_main_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_commplex_main_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive commplex_main_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_commplex_main_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_commplex_main_client_packets'($*)) dnl
	gen_require(`
		type commplex_main_client_packet_t;
	')

	dontaudit $1 commplex_main_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_commplex_main_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive commplex_main_client packets
##	(expands to the send and receive interfaces).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_commplex_main_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_commplex_main_client_packets'($*)) dnl
	corenet_send_commplex_main_client_packets($1)
	corenet_receive_commplex_main_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_commplex_main_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive commplex_main_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_commplex_main_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_commplex_main_client_packets'($*)) dnl
	corenet_dontaudit_send_commplex_main_client_packets($1)
	corenet_dontaudit_receive_commplex_main_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_commplex_main_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the commplex_main_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_commplex_main_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_commplex_main_client_packets'($*)) dnl
	gen_require(`
		type commplex_main_client_packet_t;
	')

	allow $1 commplex_main_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_commplex_main_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send commplex_main_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_commplex_main_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_commplex_main_server_packets'($*)) dnl
	gen_require(`
		type commplex_main_server_packet_t;
	')

	allow $1 commplex_main_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_commplex_main_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send commplex_main_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_commplex_main_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_commplex_main_server_packets'($*)) dnl
	gen_require(`
		type commplex_main_server_packet_t;
	')

	dontaudit $1 commplex_main_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_commplex_main_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive commplex_main_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_commplex_main_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_commplex_main_server_packets'($*)) dnl
	gen_require(`
		type commplex_main_server_packet_t;
	')

	allow $1 commplex_main_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_commplex_main_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive commplex_main_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_commplex_main_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_commplex_main_server_packets'($*)) dnl
	gen_require(`
		type commplex_main_server_packet_t;
	')

	dontaudit $1 commplex_main_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_commplex_main_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive commplex_main_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_commplex_main_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_commplex_main_server_packets'($*)) dnl
	corenet_send_commplex_main_server_packets($1)
	corenet_receive_commplex_main_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_commplex_main_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive commplex_main_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_commplex_main_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_commplex_main_server_packets'($*)) dnl
	corenet_dontaudit_send_commplex_main_server_packets($1)
	corenet_dontaudit_receive_commplex_main_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_commplex_main_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the commplex_main_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_commplex_main_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_commplex_main_server_packets'($*)) dnl
	gen_require(`
		type commplex_main_server_packet_t;
	')

	allow $1 commplex_main_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_commplex_main_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the comsat port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_comsat_port'($*)) dnl
	gen_require(`
		type comsat_port_t;
	')

	allow $1 comsat_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_comsat_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the comsat port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_comsat_port'($*)) dnl
	gen_require(`
		type comsat_port_t;
	')

	allow $1 comsat_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_comsat_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the comsat port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_comsat_port'($*)) dnl
	gen_require(`
		type comsat_port_t;
	')

	dontaudit $1 comsat_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_comsat_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the comsat port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_comsat_port'($*)) dnl
	gen_require(`
		type comsat_port_t;
	')

	allow $1 comsat_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_comsat_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the comsat port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_comsat_port'($*)) dnl
	gen_require(`
		type comsat_port_t;
	')

	dontaudit $1 comsat_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_comsat_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the comsat port
##	(expands to the send and receive interfaces).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_comsat_port'($*)) dnl
	corenet_udp_send_comsat_port($1)
	corenet_udp_receive_comsat_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_comsat_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the comsat port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_comsat_port'($*)) dnl
	corenet_dontaudit_udp_send_comsat_port($1)
	corenet_dontaudit_udp_receive_comsat_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_comsat_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the comsat port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): besides name_bind this interface grants the caller
# self:capability net_bind_service, which is broader than the single port
# (it permits binding any privileged port). Presumably added because comsat
# is a reserved port -- confirm against the port declaration.
define(`corenet_tcp_bind_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_comsat_port'($*)) dnl
	gen_require(`
		type comsat_port_t;
	')

	allow $1 comsat_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_comsat_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the comsat port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): also grants self:capability net_bind_service, see the
# TCP bind interface above.
define(`corenet_udp_bind_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_comsat_port'($*)) dnl
	gen_require(`
		type comsat_port_t;
	')

	allow $1 comsat_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_comsat_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the comsat port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# NOTE(review): this is a dontaudit interface, yet its body also contains an
# allow rule granting self:capability net_bind_service. A caller that only
# wants to silence bind denials therefore receives a real capability grant.
# A dontaudit interface is expected to add no permissions; the capability
# grant belongs in the bind interfaces only.
define(`corenet_dontaudit_udp_bind_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_comsat_port'($*)) dnl
	gen_require(`
		type comsat_port_t;
	')

	dontaudit $1 comsat_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_comsat_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the comsat port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_comsat_port'($*)) dnl
	gen_require(`
		type comsat_port_t;
	')

	allow $1 comsat_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_comsat_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the comsat port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_comsat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_comsat_port'($*)) dnl
	gen_require(`
		type comsat_port_t;
	')

	dontaudit $1 comsat_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_comsat_port'($*)) dnl
')

########################################
## <summary>
##	Send comsat_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_comsat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_comsat_client_packets'($*)) dnl
	gen_require(`
		type comsat_client_packet_t;
	')

	allow $1 comsat_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_comsat_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send comsat_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_comsat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_comsat_client_packets'($*)) dnl
	gen_require(`
		type comsat_client_packet_t;
	')

	dontaudit $1 comsat_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_comsat_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive comsat_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_comsat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_comsat_client_packets'($*)) dnl
	gen_require(`
		type comsat_client_packet_t;
	')

	allow $1 comsat_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_comsat_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive comsat_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_comsat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_comsat_client_packets'($*)) dnl
	gen_require(`
		type comsat_client_packet_t;
	')

	dontaudit $1 comsat_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_comsat_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive comsat_client packets
##	(expands to the send and receive interfaces).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_comsat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_comsat_client_packets'($*)) dnl
	corenet_send_comsat_client_packets($1)
	corenet_receive_comsat_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_comsat_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive comsat_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_comsat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_comsat_client_packets'($*)) dnl
	corenet_dontaudit_send_comsat_client_packets($1)
	corenet_dontaudit_receive_comsat_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_comsat_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the comsat_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_comsat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_comsat_client_packets'($*)) dnl
	gen_require(`
		type comsat_client_packet_t;
	')

	allow $1 comsat_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_comsat_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send comsat_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_comsat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_comsat_server_packets'($*)) dnl
	gen_require(`
		type comsat_server_packet_t;
	')

	allow $1 comsat_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_comsat_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send comsat_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_comsat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_comsat_server_packets'($*)) dnl
	gen_require(`
		type comsat_server_packet_t;
	')

	dontaudit $1 comsat_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_comsat_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive comsat_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_comsat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_comsat_server_packets'($*)) dnl
	gen_require(`
		type comsat_server_packet_t;
	')

	allow $1 comsat_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_comsat_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive comsat_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_comsat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_comsat_server_packets'($*)) dnl
	gen_require(`
		type comsat_server_packet_t;
	')

	dontaudit $1 comsat_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_comsat_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive comsat_server packets
##	(expands to the send and receive interfaces).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_comsat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_comsat_server_packets'($*)) dnl
	corenet_send_comsat_server_packets($1)
	corenet_receive_comsat_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_comsat_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive comsat_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_comsat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_comsat_server_packets'($*)) dnl
	corenet_dontaudit_send_comsat_server_packets($1)
	corenet_dontaudit_receive_comsat_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_comsat_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the comsat_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_comsat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_comsat_server_packets'($*)) dnl
	gen_require(`
		type comsat_server_packet_t;
	')

	allow $1 comsat_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_comsat_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the condor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_condor_port'($*)) dnl
	gen_require(`
		type condor_port_t;
	')

	allow $1 condor_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_condor_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the condor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_condor_port'($*)) dnl
	gen_require(`
		type condor_port_t;
	')

	allow $1 condor_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_condor_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the condor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_condor_port'($*)) dnl
	gen_require(`
		type condor_port_t;
	')

	dontaudit $1 condor_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_condor_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the condor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_condor_port'($*)) dnl
	gen_require(`
		type condor_port_t;
	')

	allow $1 condor_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_condor_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the condor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_condor_port'($*)) dnl
	gen_require(`
		type condor_port_t;
	')

	dontaudit $1 condor_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_condor_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the condor port
##	(expands to the send and receive interfaces).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_condor_port'($*)) dnl
	corenet_udp_send_condor_port($1)
	corenet_udp_receive_condor_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_condor_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the condor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_condor_port'($*)) dnl
	corenet_dontaudit_udp_send_condor_port($1)
	corenet_dontaudit_udp_receive_condor_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_condor_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the condor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): name_bind only, no self:capability net_bind_service grant
# (contrast the comsat bind interfaces); presumably condor is not a
# reserved port -- confirm against the port declaration.
define(`corenet_tcp_bind_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_condor_port'($*)) dnl
	gen_require(`
		type condor_port_t;
	')

	allow $1 condor_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_condor_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the condor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_condor_port'($*)) dnl
	gen_require(`
		type condor_port_t;
	')

	allow $1 condor_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_condor_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the condor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_condor_port'($*)) dnl
	gen_require(`
		type condor_port_t;
	')

	dontaudit $1 condor_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_condor_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the condor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_condor_port'($*)) dnl
	gen_require(`
		type condor_port_t;
	')

	allow $1 condor_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_condor_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the condor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_condor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_condor_port'($*)) dnl
	gen_require(`
		type condor_port_t;
	')

	dontaudit $1 condor_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_condor_port'($*)) dnl
')

########################################
## <summary>
##	Send condor_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_condor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_condor_client_packets'($*)) dnl
	gen_require(`
		type condor_client_packet_t;
	')

	allow $1 condor_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_condor_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send condor_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_condor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_condor_client_packets'($*)) dnl
	gen_require(`
		type condor_client_packet_t;
	')

	dontaudit $1 condor_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_condor_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive condor_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_condor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_condor_client_packets'($*)) dnl
	gen_require(`
		type condor_client_packet_t;
	')

	allow $1 condor_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_condor_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive condor_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_condor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_condor_client_packets'($*)) dnl
	gen_require(`
		type condor_client_packet_t;
	')

	dontaudit $1 condor_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_condor_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive condor_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_condor_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_condor_client_packets'($*)) dnl
	corenet_send_condor_client_packets($1)
	corenet_receive_condor_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_condor_client_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to send and receive condor_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_condor_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_condor_client_packets'($*)) dnl
	corenet_dontaudit_send_condor_client_packets($1)
	corenet_dontaudit_receive_condor_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_condor_client_packets'($*)) dnl
')
########################################
##
##	Relabel packets to the condor_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_condor_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_condor_client_packets'($*)) dnl
	gen_require(`
		type condor_client_packet_t;
	')

	allow $1 condor_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_condor_client_packets'($*)) dnl
')
########################################
##
##	Send condor_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_condor_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_condor_server_packets'($*)) dnl
	gen_require(`
		type condor_server_packet_t;
	')

	allow $1 condor_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_condor_server_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to send condor_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_condor_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_condor_server_packets'($*)) dnl
	gen_require(`
		type condor_server_packet_t;
	')

	dontaudit $1 condor_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_condor_server_packets'($*)) dnl
')
########################################
##
##	Receive condor_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_condor_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_condor_server_packets'($*)) dnl
	gen_require(`
		type condor_server_packet_t;
	')

	allow $1 condor_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_condor_server_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to receive condor_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_condor_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_condor_server_packets'($*)) dnl
	gen_require(`
		type condor_server_packet_t;
	')

	dontaudit $1 condor_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_condor_server_packets'($*)) dnl
')
########################################
##
##	Send and receive condor_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_condor_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_condor_server_packets'($*)) dnl
	corenet_send_condor_server_packets($1)
	corenet_receive_condor_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_condor_server_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to send and receive condor_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_condor_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_condor_server_packets'($*)) dnl
	corenet_dontaudit_send_condor_server_packets($1)
	corenet_dontaudit_receive_condor_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_condor_server_packets'($*)) dnl
')
########################################
##
##	Relabel packets to the condor_server packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_condor_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_condor_server_packets'($*)) dnl
	gen_require(`
		type condor_server_packet_t;
	')

	allow $1 condor_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_condor_server_packets'($*)) dnl
')
########################################
##
##	Send and receive TCP traffic on the conman port.
##
##
##
##	Domain allowed access.
##
##
##
#
# Covers traffic to/from the port type only; binding (name_bind) and
# connecting (name_connect) are granted by the separate bind/connect
# interfaces for this port.
define(`corenet_tcp_sendrecv_conman_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_conman_port'($*)) dnl
	gen_require(`
		type conman_port_t;
	')

	allow $1 conman_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_conman_port'($*)) dnl
')
########################################
##
##	Send UDP traffic on the conman port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_send_conman_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_conman_port'($*)) dnl
	gen_require(`
		type conman_port_t;
	')

	allow $1 conman_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_conman_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to send UDP traffic on the conman port.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit only suppresses the AVC denial record for send_msg; it grants
# nothing. Use corenet_udp_send_conman_port when the access is wanted.
define(`corenet_dontaudit_udp_send_conman_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_conman_port'($*)) dnl
	gen_require(`
		type conman_port_t;
	')

	dontaudit $1 conman_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_conman_port'($*)) dnl
')
########################################
##
##	Receive UDP traffic on the conman port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_conman_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_conman_port'($*)) dnl
	gen_require(`
		type conman_port_t;
	')

	allow $1 conman_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_conman_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to receive UDP traffic on the conman port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_conman_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_conman_port'($*)) dnl
	gen_require(`
		type conman_port_t;
	')

	dontaudit $1 conman_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_conman_port'($*)) dnl
')
########################################
##
##	Send and receive UDP traffic on the conman port.
##
##
##
##	Domain allowed access.
##
##
##
#
# Convenience wrapper: expands to the send and receive interfaces above,
# so the caller receives exactly those two rules and nothing more.
define(`corenet_udp_sendrecv_conman_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_conman_port'($*)) dnl
	corenet_udp_send_conman_port($1)
	corenet_udp_receive_conman_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_conman_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the conman port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_conman_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_conman_port'($*)) dnl
	corenet_dontaudit_udp_send_conman_port($1)
	corenet_dontaudit_udp_receive_conman_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_conman_port'($*)) dnl
')
########################################
##
##	Bind TCP sockets to the conman port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_conman_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_conman_port'($*)) dnl
	gen_require(`
		type conman_port_t;
	')

	allow $1 conman_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_conman_port'($*)) dnl
')
########################################
##
##	Bind UDP sockets to the conman port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_conman_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_conman_port'($*)) dnl
	gen_require(`
		type conman_port_t;
	')

	allow $1 conman_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_conman_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to bind UDP sockets to the conman port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_conman_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_conman_port'($*)) dnl
	gen_require(`
		type conman_port_t;
	')

	dontaudit $1 conman_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_conman_port'($*)) dnl
')
########################################
##
##	Make a TCP connection to the conman port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_conman_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_conman_port'($*)) dnl
	gen_require(`
		type conman_port_t;
	')

	allow $1 conman_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_conman_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to make a TCP connection to the conman port.
##
##
##
##	Domain to not audit.
##
##
#
# Silences name_connect denials against conman_port_t without granting
# the connection; callers that really need to connect use
# corenet_tcp_connect_conman_port instead.
define(`corenet_dontaudit_tcp_connect_conman_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_conman_port'($*)) dnl
	gen_require(`
		type conman_port_t;
	')

	dontaudit $1 conman_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_conman_port'($*)) dnl
')
########################################
##
##	Send conman_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_conman_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_conman_client_packets'($*)) dnl
	gen_require(`
		type conman_client_packet_t;
	')

	allow $1 conman_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_conman_client_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to send conman_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_conman_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_conman_client_packets'($*)) dnl
	gen_require(`
		type conman_client_packet_t;
	')

	dontaudit $1 conman_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_conman_client_packets'($*)) dnl
')
########################################
##
##	Receive conman_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_conman_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_conman_client_packets'($*)) dnl
	gen_require(`
		type conman_client_packet_t;
	')

	allow $1 conman_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_conman_client_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to receive conman_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_conman_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_conman_client_packets'($*)) dnl
	gen_require(`
		type conman_client_packet_t;
	')

	dontaudit $1 conman_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_conman_client_packets'($*)) dnl
')
########################################
##
##	Send and receive conman_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_conman_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_conman_client_packets'($*)) dnl
	corenet_send_conman_client_packets($1)
	corenet_receive_conman_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_conman_client_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to send and receive conman_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_conman_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_conman_client_packets'($*)) dnl
	corenet_dontaudit_send_conman_client_packets($1)
	corenet_dontaudit_receive_conman_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_conman_client_packets'($*)) dnl
')
########################################
##
##	Relabel packets to the conman_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_conman_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_conman_client_packets'($*)) dnl
	gen_require(`
		type conman_client_packet_t;
	')

	allow $1 conman_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_conman_client_packets'($*)) dnl
')
########################################
##
##	Send conman_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_conman_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_conman_server_packets'($*)) dnl
	gen_require(`
		type conman_server_packet_t;
	')

	allow $1 conman_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_conman_server_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to send conman_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_conman_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_conman_server_packets'($*)) dnl
	gen_require(`
		type conman_server_packet_t;
	')

	dontaudit $1 conman_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_conman_server_packets'($*)) dnl
')
########################################
##
##	Receive conman_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_conman_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_conman_server_packets'($*)) dnl
	gen_require(`
		type conman_server_packet_t;
	')

	allow $1 conman_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_conman_server_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to receive conman_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_conman_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_conman_server_packets'($*)) dnl
	gen_require(`
		type conman_server_packet_t;
	')

	dontaudit $1 conman_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_conman_server_packets'($*)) dnl
')
########################################
##
##	Send and receive conman_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_conman_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_conman_server_packets'($*)) dnl
	corenet_send_conman_server_packets($1)
	corenet_receive_conman_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_conman_server_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to send and receive conman_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_conman_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_conman_server_packets'($*)) dnl
	corenet_dontaudit_send_conman_server_packets($1)
	corenet_dontaudit_receive_conman_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_conman_server_packets'($*)) dnl
')
########################################
##
##	Relabel packets to the conman_server packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_conman_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_conman_server_packets'($*)) dnl
	gen_require(`
		type conman_server_packet_t;
	')

	allow $1 conman_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_conman_server_packets'($*)) dnl
')
########################################
##
##	Send and receive TCP traffic on the connlcli port.
##
##
##
##	Domain allowed access.
##
##
##
#
# Covers traffic to/from the port type only; binding (name_bind) and
# connecting (name_connect) are granted by the separate bind/connect
# interfaces for this port.
define(`corenet_tcp_sendrecv_connlcli_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_connlcli_port'($*)) dnl
	gen_require(`
		type connlcli_port_t;
	')

	allow $1 connlcli_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_connlcli_port'($*)) dnl
')
########################################
##
##	Send UDP traffic on the connlcli port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_send_connlcli_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_connlcli_port'($*)) dnl
	gen_require(`
		type connlcli_port_t;
	')

	allow $1 connlcli_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_connlcli_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to send UDP traffic on the connlcli port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_connlcli_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_connlcli_port'($*)) dnl
	gen_require(`
		type connlcli_port_t;
	')

	dontaudit $1 connlcli_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_connlcli_port'($*)) dnl
')
########################################
##
##	Receive UDP traffic on the connlcli port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_connlcli_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_connlcli_port'($*)) dnl
	gen_require(`
		type connlcli_port_t;
	')

	allow $1 connlcli_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_connlcli_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to receive UDP traffic on the connlcli port.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit only suppresses the AVC denial record for recv_msg; it grants
# nothing. Use corenet_udp_receive_connlcli_port when the access is wanted.
define(`corenet_dontaudit_udp_receive_connlcli_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_connlcli_port'($*)) dnl
	gen_require(`
		type connlcli_port_t;
	')

	dontaudit $1 connlcli_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_connlcli_port'($*)) dnl
')
########################################
##
##	Send and receive UDP traffic on the connlcli port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_connlcli_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_connlcli_port'($*)) dnl
	corenet_udp_send_connlcli_port($1)
	corenet_udp_receive_connlcli_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_connlcli_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the connlcli port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_connlcli_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_connlcli_port'($*)) dnl
	corenet_dontaudit_udp_send_connlcli_port($1)
	corenet_dontaudit_udp_receive_connlcli_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_connlcli_port'($*)) dnl
')
########################################
##
##	Bind TCP sockets to the connlcli port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_connlcli_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_connlcli_port'($*)) dnl
	gen_require(`
		type connlcli_port_t;
	')

	allow $1 connlcli_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_connlcli_port'($*)) dnl
')
########################################
##
##	Bind UDP sockets to the connlcli port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_connlcli_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_connlcli_port'($*)) dnl
	gen_require(`
		type connlcli_port_t;
	')

	allow $1 connlcli_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_connlcli_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to bind UDP sockets to the connlcli port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_connlcli_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_connlcli_port'($*)) dnl
	gen_require(`
		type connlcli_port_t;
	')

	dontaudit $1 connlcli_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_connlcli_port'($*)) dnl
')
########################################
##
##	Make a TCP connection to the connlcli port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_connlcli_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_connlcli_port'($*)) dnl
	gen_require(`
		type connlcli_port_t;
	')

	allow $1 connlcli_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_connlcli_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to make a TCP connection to the connlcli port.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_connlcli_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_connlcli_port'($*)) dnl
	gen_require(`
		type connlcli_port_t;
	')

	dontaudit $1 connlcli_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_connlcli_port'($*)) dnl
')
########################################
##
##	Send connlcli_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_connlcli_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_connlcli_client_packets'($*)) dnl
	gen_require(`
		type connlcli_client_packet_t;
	')

	allow $1 connlcli_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_connlcli_client_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to send connlcli_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_connlcli_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_connlcli_client_packets'($*)) dnl
	gen_require(`
		type connlcli_client_packet_t;
	')

	dontaudit $1 connlcli_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_connlcli_client_packets'($*)) dnl
')
########################################
##
##	Receive connlcli_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_connlcli_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_connlcli_client_packets'($*)) dnl
	gen_require(`
		type connlcli_client_packet_t;
	')

	allow $1 connlcli_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_connlcli_client_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to receive connlcli_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_connlcli_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_connlcli_client_packets'($*)) dnl
	gen_require(`
		type connlcli_client_packet_t;
	')

	dontaudit $1 connlcli_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_connlcli_client_packets'($*)) dnl
')
########################################
##
##	Send and receive connlcli_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_connlcli_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_connlcli_client_packets'($*)) dnl
	corenet_send_connlcli_client_packets($1)
	corenet_receive_connlcli_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_connlcli_client_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to send and receive connlcli_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_connlcli_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_connlcli_client_packets'($*)) dnl
	corenet_dontaudit_send_connlcli_client_packets($1)
	corenet_dontaudit_receive_connlcli_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_connlcli_client_packets'($*)) dnl
')
########################################
##
##	Relabel packets to the connlcli_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
# relabelto lets the caller assign this packet label (typically through
# SECMARK rules); it is distinct from the send/recv permissions on the
# same packet type.
define(`corenet_relabelto_connlcli_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_connlcli_client_packets'($*)) dnl
	gen_require(`
		type connlcli_client_packet_t;
	')

	allow $1 connlcli_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_connlcli_client_packets'($*)) dnl
')
########################################
##
##	Send connlcli_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_connlcli_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_connlcli_server_packets'($*)) dnl
	gen_require(`
		type connlcli_server_packet_t;
	')

	allow $1 connlcli_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_connlcli_server_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to send connlcli_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_connlcli_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_connlcli_server_packets'($*)) dnl
	gen_require(`
		type connlcli_server_packet_t;
	')

	dontaudit $1 connlcli_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_connlcli_server_packets'($*)) dnl
')
########################################
##
##	Receive connlcli_server packets.
##
##
##
##	Domain allowed access.
#
define(`corenet_receive_connlcli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_connlcli_server_packets'($*)) dnl
	gen_require(`
		type connlcli_server_packet_t;
	')

	allow $1 connlcli_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_connlcli_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive connlcli_server packets.
## Grants nothing; only suppresses the denial record.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_receive_connlcli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_connlcli_server_packets'($*)) dnl
	gen_require(`
		type connlcli_server_packet_t;
	')

	dontaudit $1 connlcli_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_connlcli_server_packets'($*)) dnl
')

########################################
## Send and receive connlcli_server packets.
## Calls the corenet_send_ and corenet_receive_ interfaces for this packet type.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_sendrecv_connlcli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_connlcli_server_packets'($*)) dnl
	corenet_send_connlcli_server_packets($1)
	corenet_receive_connlcli_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_connlcli_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive connlcli_server packets.
## Grants nothing; only suppresses the denial records.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_connlcli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_connlcli_server_packets'($*)) dnl
	corenet_dontaudit_send_connlcli_server_packets($1)
	corenet_dontaudit_receive_connlcli_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_connlcli_server_packets'($*)) dnl
')

########################################
## Relabel packets to the connlcli_server packet type.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_relabelto_connlcli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_connlcli_server_packets'($*)) dnl
	gen_require(`
		type connlcli_server_packet_t;
	')

	allow $1 connlcli_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_connlcli_server_packets'($*)) dnl
')

########################################
## Send and receive TCP traffic on the conntrackd port.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_tcp_sendrecv_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_conntrackd_port'($*)) dnl
	gen_require(`
		type conntrackd_port_t;
	')

	allow $1 conntrackd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_conntrackd_port'($*)) dnl
')

########################################
## Send UDP traffic on the conntrackd port.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_udp_send_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_conntrackd_port'($*)) dnl
	gen_require(`
		type conntrackd_port_t;
	')

	allow $1 conntrackd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_conntrackd_port'($*)) dnl
')

########################################
## Do not audit attempts to send UDP traffic on the conntrackd port.
## Grants nothing; only suppresses the denial record.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_send_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_conntrackd_port'($*)) dnl
	gen_require(`
		type conntrackd_port_t;
	')

	dontaudit $1 conntrackd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_conntrackd_port'($*)) dnl
')

########################################
## Receive UDP traffic on the conntrackd port.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_udp_receive_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_conntrackd_port'($*)) dnl
	gen_require(`
		type conntrackd_port_t;
	')

	allow $1 conntrackd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_conntrackd_port'($*)) dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the conntrackd port.
## Grants nothing; only suppresses the denial record.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_conntrackd_port'($*)) dnl
	gen_require(`
		type conntrackd_port_t;
	')

	dontaudit $1 conntrackd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_conntrackd_port'($*)) dnl
')

########################################
## Send and receive UDP traffic on the conntrackd port.
## Calls the corenet_udp_send_ and corenet_udp_receive_ interfaces for this port.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_udp_sendrecv_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_conntrackd_port'($*)) dnl
	corenet_udp_send_conntrackd_port($1)
	corenet_udp_receive_conntrackd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_conntrackd_port'($*)) dnl
')

########################################
## Do not audit attempts to send and receive
## UDP traffic on the conntrackd port.
## Grants nothing; only suppresses the denial records.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_conntrackd_port'($*)) dnl
	corenet_dontaudit_udp_send_conntrackd_port($1)
	corenet_dontaudit_udp_receive_conntrackd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_conntrackd_port'($*)) dnl
')

########################################
## Bind TCP sockets to the conntrackd port.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_tcp_bind_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_conntrackd_port'($*)) dnl
	gen_require(`
		type conntrackd_port_t;
	')

	allow $1 conntrackd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_conntrackd_port'($*)) dnl
')

########################################
## Bind UDP sockets to the conntrackd port.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_udp_bind_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_conntrackd_port'($*)) dnl
	gen_require(`
		type conntrackd_port_t;
	')

	allow $1 conntrackd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_conntrackd_port'($*)) dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the conntrackd port.
## Grants nothing; only suppresses the denial record.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_bind_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_conntrackd_port'($*)) dnl
	gen_require(`
		type conntrackd_port_t;
	')

	dontaudit $1 conntrackd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_conntrackd_port'($*)) dnl
')

########################################
## Make a TCP connection to the conntrackd port.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_tcp_connect_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_conntrackd_port'($*)) dnl
	gen_require(`
		type conntrackd_port_t;
	')

	allow $1 conntrackd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_conntrackd_port'($*)) dnl
')

########################################
## Do not audit attempts to make a TCP connection to the conntrackd port.
## Grants nothing; only suppresses the denial record.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_tcp_connect_conntrackd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_conntrackd_port'($*)) dnl
	gen_require(`
		type conntrackd_port_t;
	')

	dontaudit $1 conntrackd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_conntrackd_port'($*)) dnl
')

########################################
## Send conntrackd_client packets.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_send_conntrackd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_conntrackd_client_packets'($*)) dnl
	gen_require(`
		type conntrackd_client_packet_t;
	')

	allow $1 conntrackd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_conntrackd_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send conntrackd_client packets.
## Grants nothing; only suppresses the denial record.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_send_conntrackd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_conntrackd_client_packets'($*)) dnl
	gen_require(`
		type conntrackd_client_packet_t;
	')

	dontaudit $1 conntrackd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_conntrackd_client_packets'($*)) dnl
')

########################################
## Receive conntrackd_client packets.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_receive_conntrackd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_conntrackd_client_packets'($*)) dnl
	gen_require(`
		type conntrackd_client_packet_t;
	')

	allow $1 conntrackd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_conntrackd_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive conntrackd_client packets.
## Grants nothing; only suppresses the denial record.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_receive_conntrackd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_conntrackd_client_packets'($*)) dnl
	gen_require(`
		type conntrackd_client_packet_t;
	')

	dontaudit $1 conntrackd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_conntrackd_client_packets'($*)) dnl
')

########################################
## Send and receive conntrackd_client packets.
## Calls the corenet_send_ and corenet_receive_ interfaces for this packet type.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_sendrecv_conntrackd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_conntrackd_client_packets'($*)) dnl
	corenet_send_conntrackd_client_packets($1)
	corenet_receive_conntrackd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_conntrackd_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive conntrackd_client packets.
## Grants nothing; only suppresses the denial records.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_conntrackd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_conntrackd_client_packets'($*)) dnl
	corenet_dontaudit_send_conntrackd_client_packets($1)
	corenet_dontaudit_receive_conntrackd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_conntrackd_client_packets'($*)) dnl
')

########################################
## Relabel packets to the conntrackd_client packet type.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_relabelto_conntrackd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_conntrackd_client_packets'($*)) dnl
	gen_require(`
		type conntrackd_client_packet_t;
	')

	allow $1 conntrackd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_conntrackd_client_packets'($*)) dnl
')

########################################
## Send conntrackd_server packets.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_send_conntrackd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_conntrackd_server_packets'($*)) dnl
	gen_require(`
		type conntrackd_server_packet_t;
	')

	allow $1 conntrackd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_conntrackd_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send conntrackd_server packets.
## Grants nothing; only suppresses the denial record.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_send_conntrackd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_conntrackd_server_packets'($*)) dnl
	gen_require(`
		type conntrackd_server_packet_t;
	')

	dontaudit $1 conntrackd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_conntrackd_server_packets'($*)) dnl
')

########################################
## Receive conntrackd_server packets.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_receive_conntrackd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_conntrackd_server_packets'($*)) dnl
	gen_require(`
		type conntrackd_server_packet_t;
	')

	allow $1 conntrackd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_conntrackd_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive conntrackd_server packets.
## Grants nothing; only suppresses the denial record.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_receive_conntrackd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_conntrackd_server_packets'($*)) dnl
	gen_require(`
		type conntrackd_server_packet_t;
	')

	dontaudit $1 conntrackd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_conntrackd_server_packets'($*)) dnl
')

########################################
## Send and receive conntrackd_server packets.
## Calls the corenet_send_ and corenet_receive_ interfaces for this packet type.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_sendrecv_conntrackd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_conntrackd_server_packets'($*)) dnl
	corenet_send_conntrackd_server_packets($1)
	corenet_receive_conntrackd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_conntrackd_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive conntrackd_server packets.
## Grants nothing; only suppresses the denial records.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_conntrackd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_conntrackd_server_packets'($*)) dnl
	corenet_dontaudit_send_conntrackd_server_packets($1)
	corenet_dontaudit_receive_conntrackd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_conntrackd_server_packets'($*)) dnl
')

########################################
## Relabel packets to the conntrackd_server packet type.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_relabelto_conntrackd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_conntrackd_server_packets'($*)) dnl
	gen_require(`
		type conntrackd_server_packet_t;
	')

	allow $1 conntrackd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_conntrackd_server_packets'($*)) dnl
')

########################################
## Send and receive TCP traffic on the couchdb port.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_tcp_sendrecv_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_couchdb_port'($*)) dnl
	gen_require(`
		type couchdb_port_t;
	')

	allow $1 couchdb_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_couchdb_port'($*)) dnl
')

########################################
## Send UDP traffic on the couchdb port.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_udp_send_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_couchdb_port'($*)) dnl
	gen_require(`
		type couchdb_port_t;
	')

	allow $1 couchdb_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_couchdb_port'($*)) dnl
')

########################################
## Do not audit attempts to send UDP traffic on the couchdb port.
## Grants nothing; only suppresses the denial record.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_send_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_couchdb_port'($*)) dnl
	gen_require(`
		type couchdb_port_t;
	')

	dontaudit $1 couchdb_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_couchdb_port'($*)) dnl
')

########################################
## Receive UDP traffic on the couchdb port.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_udp_receive_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_couchdb_port'($*)) dnl
	gen_require(`
		type couchdb_port_t;
	')

	allow $1 couchdb_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_couchdb_port'($*)) dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the couchdb port.
## Grants nothing; only suppresses the denial record.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_couchdb_port'($*)) dnl
	gen_require(`
		type couchdb_port_t;
	')

	dontaudit $1 couchdb_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_couchdb_port'($*)) dnl
')

########################################
## Send and receive UDP traffic on the couchdb port.
## Calls the corenet_udp_send_ and corenet_udp_receive_ interfaces for this port.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_udp_sendrecv_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_couchdb_port'($*)) dnl
	corenet_udp_send_couchdb_port($1)
	corenet_udp_receive_couchdb_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_couchdb_port'($*)) dnl
')

########################################
## Do not audit attempts to send and receive
## UDP traffic on the couchdb port.
## Grants nothing; only suppresses the denial records.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_couchdb_port'($*)) dnl
	corenet_dontaudit_udp_send_couchdb_port($1)
	corenet_dontaudit_udp_receive_couchdb_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_couchdb_port'($*)) dnl
')

########################################
## Bind TCP sockets to the couchdb port.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_tcp_bind_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_couchdb_port'($*)) dnl
	gen_require(`
		type couchdb_port_t;
	')

	allow $1 couchdb_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_couchdb_port'($*)) dnl
')

########################################
## Bind UDP sockets to the couchdb port.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_udp_bind_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_couchdb_port'($*)) dnl
	gen_require(`
		type couchdb_port_t;
	')

	allow $1 couchdb_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_couchdb_port'($*)) dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the couchdb port.
## Grants nothing; only suppresses the denial record.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_bind_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_couchdb_port'($*)) dnl
	gen_require(`
		type couchdb_port_t;
	')

	dontaudit $1 couchdb_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_couchdb_port'($*)) dnl
')

########################################
## Make a TCP connection to the couchdb port.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_tcp_connect_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_couchdb_port'($*)) dnl
	gen_require(`
		type couchdb_port_t;
	')

	allow $1 couchdb_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_couchdb_port'($*)) dnl
')

########################################
## Do not audit attempts to make a TCP connection to the couchdb port.
## Grants nothing; only suppresses the denial record.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_tcp_connect_couchdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_couchdb_port'($*)) dnl
	gen_require(`
		type couchdb_port_t;
	')

	dontaudit $1 couchdb_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_couchdb_port'($*)) dnl
')

########################################
## Send couchdb_client packets.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_send_couchdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_couchdb_client_packets'($*)) dnl
	gen_require(`
		type couchdb_client_packet_t;
	')

	allow $1 couchdb_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_couchdb_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send couchdb_client packets.
## Grants nothing; only suppresses the denial record.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_send_couchdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_couchdb_client_packets'($*)) dnl
	gen_require(`
		type couchdb_client_packet_t;
	')

	dontaudit $1 couchdb_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_couchdb_client_packets'($*)) dnl
')

########################################
## Receive couchdb_client packets.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_receive_couchdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_couchdb_client_packets'($*)) dnl
	gen_require(`
		type couchdb_client_packet_t;
	')

	allow $1 couchdb_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_couchdb_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive couchdb_client packets.
## Grants nothing; only suppresses the denial record.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_receive_couchdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_couchdb_client_packets'($*)) dnl
	gen_require(`
		type couchdb_client_packet_t;
	')

	dontaudit $1 couchdb_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_couchdb_client_packets'($*)) dnl
')

########################################
## Send and receive couchdb_client packets.
## Calls the corenet_send_ and corenet_receive_ interfaces for this packet type.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_sendrecv_couchdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_couchdb_client_packets'($*)) dnl
	corenet_send_couchdb_client_packets($1)
	corenet_receive_couchdb_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_couchdb_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive couchdb_client packets.
## Grants nothing; only suppresses the denial records.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_couchdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_couchdb_client_packets'($*)) dnl
	corenet_dontaudit_send_couchdb_client_packets($1)
	corenet_dontaudit_receive_couchdb_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_couchdb_client_packets'($*)) dnl
')

########################################
## Relabel packets to the couchdb_client packet type.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_relabelto_couchdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_couchdb_client_packets'($*)) dnl
	gen_require(`
		type couchdb_client_packet_t;
	')

	allow $1 couchdb_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_couchdb_client_packets'($*)) dnl
')

########################################
## Send couchdb_server packets.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_send_couchdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_couchdb_server_packets'($*)) dnl
	gen_require(`
		type couchdb_server_packet_t;
	')

	allow $1 couchdb_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_couchdb_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send couchdb_server packets.
## Grants nothing; only suppresses the denial record.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_send_couchdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_couchdb_server_packets'($*)) dnl
	gen_require(`
		type couchdb_server_packet_t;
	')

	dontaudit $1 couchdb_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_couchdb_server_packets'($*)) dnl
')

########################################
## Receive couchdb_server packets.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_receive_couchdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_couchdb_server_packets'($*)) dnl
	gen_require(`
		type couchdb_server_packet_t;
	')

	allow $1 couchdb_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_couchdb_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive couchdb_server packets.
## Grants nothing; only suppresses the denial record.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_receive_couchdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_couchdb_server_packets'($*)) dnl
	gen_require(`
		type couchdb_server_packet_t;
	')

	dontaudit $1 couchdb_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_couchdb_server_packets'($*)) dnl
')

########################################
## Send and receive couchdb_server packets.
## Calls the corenet_send_ and corenet_receive_ interfaces for this packet type.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_sendrecv_couchdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_couchdb_server_packets'($*)) dnl
	corenet_send_couchdb_server_packets($1)
	corenet_receive_couchdb_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_couchdb_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive couchdb_server packets.
## Grants nothing; only suppresses the denial records.
##
## Parameter (domain): Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_couchdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_couchdb_server_packets'($*)) dnl
	corenet_dontaudit_send_couchdb_server_packets($1)
	corenet_dontaudit_receive_couchdb_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_couchdb_server_packets'($*)) dnl
')

########################################
## Relabel packets to the couchdb_server packet type.
##
## Parameter (domain): Domain allowed access.
#
define(`corenet_relabelto_couchdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_couchdb_server_packets'($*)) dnl
	gen_require(`
		type couchdb_server_packet_t;
	')

	allow $1 couchdb_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_couchdb_server_packets'($*)) dnl
')

########################################
## Send and receive TCP traffic on the ctdb port.
##
## Parameter (domain): Domain allowed access.
## ## ## # define(`corenet_tcp_sendrecv_ctdb_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ctdb_port'($*)) dnl gen_require(` type ctdb_port_t; ') allow $1 ctdb_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ctdb_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the ctdb port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_ctdb_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ctdb_port'($*)) dnl gen_require(` type ctdb_port_t; ') allow $1 ctdb_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_ctdb_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the ctdb port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_ctdb_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ctdb_port'($*)) dnl gen_require(` type ctdb_port_t; ') dontaudit $1 ctdb_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ctdb_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the ctdb port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_receive_ctdb_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ctdb_port'($*)) dnl gen_require(` type ctdb_port_t; ') allow $1 ctdb_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ctdb_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the ctdb port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_ctdb_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ctdb_port'($*)) dnl gen_require(` type ctdb_port_t; ') dontaudit $1 ctdb_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ctdb_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the ctdb port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_ctdb_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ctdb_port'($*)) dnl corenet_udp_send_ctdb_port($1) corenet_udp_receive_ctdb_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ctdb_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the ctdb port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_sendrecv_ctdb_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ctdb_port'($*)) dnl corenet_dontaudit_udp_send_ctdb_port($1) corenet_dontaudit_udp_receive_ctdb_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ctdb_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the ctdb port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_ctdb_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ctdb_port'($*)) dnl gen_require(` type ctdb_port_t; ') allow $1 ctdb_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ctdb_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the ctdb port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_ctdb_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ctdb_port'($*)) dnl gen_require(` type ctdb_port_t; ') allow $1 ctdb_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ctdb_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to sbind to ctdb port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_bind_ctdb_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ctdb_port'($*)) dnl gen_require(` type ctdb_port_t; ') dontaudit $1 ctdb_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ctdb_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the ctdb port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_ctdb_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ctdb_port'($*)) dnl gen_require(` type ctdb_port_t; ') allow $1 ctdb_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ctdb_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to ctdb port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_dontaudit_tcp_connect_ctdb_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ctdb_port'($*)) dnl gen_require(` type ctdb_port_t; ') dontaudit $1 ctdb_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ctdb_port'($*)) dnl ') ######################################## ## ## Send ctdb_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_ctdb_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ctdb_client_packets'($*)) dnl gen_require(` type ctdb_client_packet_t; ') allow $1 ctdb_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ctdb_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ctdb_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_ctdb_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ctdb_client_packets'($*)) dnl gen_require(` type ctdb_client_packet_t; ') dontaudit $1 ctdb_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ctdb_client_packets'($*)) dnl ') ######################################## ## ## Receive ctdb_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_ctdb_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ctdb_client_packets'($*)) dnl gen_require(` type ctdb_client_packet_t; ') allow $1 ctdb_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ctdb_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ctdb_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_ctdb_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ctdb_client_packets'($*)) dnl gen_require(` type ctdb_client_packet_t; ') dontaudit $1 ctdb_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ctdb_client_packets'($*)) dnl ') ######################################## ## ## Send and receive ctdb_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_ctdb_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ctdb_client_packets'($*)) dnl corenet_send_ctdb_client_packets($1) corenet_receive_ctdb_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ctdb_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ctdb_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_ctdb_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ctdb_client_packets'($*)) dnl corenet_dontaudit_send_ctdb_client_packets($1) corenet_dontaudit_receive_ctdb_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ctdb_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to ctdb_client the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_ctdb_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ctdb_client_packets'($*)) dnl gen_require(` type ctdb_client_packet_t; ') allow $1 ctdb_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ctdb_client_packets'($*)) dnl ') ######################################## ## ## Send ctdb_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_ctdb_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ctdb_server_packets'($*)) dnl gen_require(` type ctdb_server_packet_t; ') allow $1 ctdb_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ctdb_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ctdb_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_ctdb_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ctdb_server_packets'($*)) dnl gen_require(` type ctdb_server_packet_t; ') dontaudit $1 ctdb_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ctdb_server_packets'($*)) dnl ') ######################################## ## ## Receive ctdb_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_ctdb_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ctdb_server_packets'($*)) dnl gen_require(` type ctdb_server_packet_t; ') allow $1 ctdb_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ctdb_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ctdb_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_ctdb_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ctdb_server_packets'($*)) dnl gen_require(` type ctdb_server_packet_t; ') dontaudit $1 ctdb_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ctdb_server_packets'($*)) dnl ') ######################################## ## ## Send and receive ctdb_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_ctdb_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ctdb_server_packets'($*)) dnl corenet_send_ctdb_server_packets($1) corenet_receive_ctdb_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ctdb_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ctdb_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_ctdb_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ctdb_server_packets'($*)) dnl corenet_dontaudit_send_ctdb_server_packets($1) corenet_dontaudit_receive_ctdb_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ctdb_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to ctdb_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_ctdb_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ctdb_server_packets'($*)) dnl gen_require(` type ctdb_server_packet_t; ') allow $1 ctdb_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ctdb_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the cvs port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_cvs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cvs_port'($*)) dnl gen_require(` type cvs_port_t; ') allow $1 cvs_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cvs_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the cvs port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_send_cvs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cvs_port'($*)) dnl gen_require(` type cvs_port_t; ') allow $1 cvs_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_cvs_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the cvs port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_cvs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cvs_port'($*)) dnl gen_require(` type cvs_port_t; ') dontaudit $1 cvs_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cvs_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the cvs port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_cvs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cvs_port'($*)) dnl gen_require(` type cvs_port_t; ') allow $1 cvs_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cvs_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the cvs port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_receive_cvs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cvs_port'($*)) dnl gen_require(` type cvs_port_t; ') dontaudit $1 cvs_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cvs_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the cvs port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_cvs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cvs_port'($*)) dnl corenet_udp_send_cvs_port($1) corenet_udp_receive_cvs_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cvs_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the cvs port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_cvs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cvs_port'($*)) dnl corenet_dontaudit_udp_send_cvs_port($1) corenet_dontaudit_udp_receive_cvs_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cvs_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the cvs port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_bind_cvs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cvs_port'($*)) dnl gen_require(` type cvs_port_t; ') allow $1 cvs_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cvs_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the cvs port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_cvs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cvs_port'($*)) dnl gen_require(` type cvs_port_t; ') allow $1 cvs_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cvs_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to sbind to cvs port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_bind_cvs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_cvs_port'($*)) dnl gen_require(` type cvs_port_t; ') dontaudit $1 cvs_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_cvs_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the cvs port. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_tcp_connect_cvs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cvs_port'($*)) dnl gen_require(` type cvs_port_t; ') allow $1 cvs_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cvs_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to cvs port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_dontaudit_tcp_connect_cvs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_cvs_port'($*)) dnl gen_require(` type cvs_port_t; ') dontaudit $1 cvs_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_cvs_port'($*)) dnl ') ######################################## ## ## Send cvs_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_cvs_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_cvs_client_packets'($*)) dnl gen_require(` type cvs_client_packet_t; ') allow $1 cvs_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_cvs_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send cvs_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_cvs_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cvs_client_packets'($*)) dnl gen_require(` type cvs_client_packet_t; ') dontaudit $1 cvs_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cvs_client_packets'($*)) dnl ') ######################################## ## ## Receive cvs_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_cvs_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_cvs_client_packets'($*)) dnl gen_require(` type cvs_client_packet_t; ') allow $1 cvs_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_cvs_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive cvs_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_cvs_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cvs_client_packets'($*)) dnl gen_require(` type cvs_client_packet_t; ') dontaudit $1 cvs_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cvs_client_packets'($*)) dnl ') ######################################## ## ## Send and receive cvs_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_cvs_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cvs_client_packets'($*)) dnl corenet_send_cvs_client_packets($1) corenet_receive_cvs_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cvs_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive cvs_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_cvs_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cvs_client_packets'($*)) dnl corenet_dontaudit_send_cvs_client_packets($1) corenet_dontaudit_receive_cvs_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cvs_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to cvs_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_cvs_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cvs_client_packets'($*)) dnl gen_require(` type cvs_client_packet_t; ') allow $1 cvs_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_cvs_client_packets'($*)) dnl ') ######################################## ## ## Send cvs_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_cvs_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_cvs_server_packets'($*)) dnl gen_require(` type cvs_server_packet_t; ') allow $1 cvs_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_cvs_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send cvs_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_cvs_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cvs_server_packets'($*)) dnl gen_require(` type cvs_server_packet_t; ') dontaudit $1 cvs_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cvs_server_packets'($*)) dnl ') ######################################## ## ## Receive cvs_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_cvs_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_cvs_server_packets'($*)) dnl gen_require(` type cvs_server_packet_t; ') allow $1 cvs_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_cvs_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive cvs_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_cvs_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cvs_server_packets'($*)) dnl gen_require(` type cvs_server_packet_t; ') dontaudit $1 cvs_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cvs_server_packets'($*)) dnl ') ######################################## ## ## Send and receive cvs_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_cvs_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cvs_server_packets'($*)) dnl corenet_send_cvs_server_packets($1) corenet_receive_cvs_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cvs_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive cvs_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_cvs_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cvs_server_packets'($*)) dnl corenet_dontaudit_send_cvs_server_packets($1) corenet_dontaudit_receive_cvs_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cvs_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to cvs_server the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_cvs_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cvs_server_packets'($*)) dnl gen_require(` type cvs_server_packet_t; ') allow $1 cvs_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_cvs_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the cyphesis port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_cyphesis_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cyphesis_port'($*)) dnl gen_require(` type cyphesis_port_t; ') allow $1 cyphesis_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cyphesis_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the cyphesis port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_cyphesis_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cyphesis_port'($*)) dnl gen_require(` type cyphesis_port_t; ') allow $1 cyphesis_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_cyphesis_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the cyphesis port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_send_cyphesis_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cyphesis_port'($*)) dnl gen_require(` type cyphesis_port_t; ') dontaudit $1 cyphesis_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cyphesis_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the cyphesis port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_cyphesis_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cyphesis_port'($*)) dnl gen_require(` type cyphesis_port_t; ') allow $1 cyphesis_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cyphesis_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the cyphesis port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_cyphesis_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cyphesis_port'($*)) dnl gen_require(` type cyphesis_port_t; ') dontaudit $1 cyphesis_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cyphesis_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the cyphesis port. ## ## ## ## Domain allowed access. 
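##
##
##
#
define(`corenet_udp_sendrecv_cyphesis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cyphesis_port'($*)) dnl
	corenet_udp_send_cyphesis_port($1)
	corenet_udp_receive_cyphesis_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cyphesis_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the cyphesis port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_cyphesis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cyphesis_port'($*)) dnl
	corenet_dontaudit_udp_send_cyphesis_port($1)
	corenet_dontaudit_udp_receive_cyphesis_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cyphesis_port'($*)) dnl
')

########################################
##
##	Bind TCP sockets to the cyphesis port.
##	Also grants the net_bind_service capability on self.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_cyphesis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cyphesis_port'($*)) dnl
	gen_require(`
		type cyphesis_port_t;
	')

	allow $1 cyphesis_port_t:tcp_socket name_bind;
	# Unlike the cyrus_imapd and daap bind interfaces in this file, the
	# cyphesis bind interfaces were generated with a capability grant.
	# It is kept here because callers of an allow interface may rely on
	# it; it is documented in the summary so the extra privilege is visible.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cyphesis_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the cyphesis port.
##	Also grants the net_bind_service capability on self.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_cyphesis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cyphesis_port'($*)) dnl
	gen_require(`
		type cyphesis_port_t;
	')

	allow $1 cyphesis_port_t:udp_socket name_bind;
	# Same generated capability grant as the TCP bind interface above.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cyphesis_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind UDP sockets to the cyphesis port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_cyphesis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_cyphesis_port'($*)) dnl
	gen_require(`
		type cyphesis_port_t;
	')

	dontaudit $1 cyphesis_port_t:udp_socket name_bind;
	# A dontaudit interface must only suppress denials. The generated
	# body also carried an allow of net_bind_service, which silently
	# granted a capability to every caller that only wanted quiet logs.
	# That grant now lives only in the bind interfaces above, where it
	# is documented as a permission. If this file is regenerated, the
	# port template should be fixed so the rule is not emitted here.
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_cyphesis_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the cyphesis port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_cyphesis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cyphesis_port'($*)) dnl
	gen_require(`
		type cyphesis_port_t;
	')

	allow $1 cyphesis_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cyphesis_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the cyphesis port.
##
##
##
##	Domain to not audit.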
##
##
#
define(`corenet_dontaudit_tcp_connect_cyphesis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_cyphesis_port'($*)) dnl
	gen_require(`
		type cyphesis_port_t;
	')

	# Suppresses the denial only; no permission is granted.
	dontaudit $1 cyphesis_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_cyphesis_port'($*)) dnl
')

########################################
##
##	Send cyphesis_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_cyphesis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_cyphesis_client_packets'($*)) dnl
	gen_require(`
		type cyphesis_client_packet_t;
	')

	allow $1 cyphesis_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_cyphesis_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send cyphesis_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_cyphesis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cyphesis_client_packets'($*)) dnl
	gen_require(`
		type cyphesis_client_packet_t;
	')

	dontaudit $1 cyphesis_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cyphesis_client_packets'($*)) dnl
')

########################################
##
##	Receive cyphesis_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_cyphesis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_cyphesis_client_packets'($*)) dnl
	gen_require(`
		type cyphesis_client_packet_t;
	')

	allow $1 cyphesis_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_cyphesis_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive cyphesis_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_cyphesis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cyphesis_client_packets'($*)) dnl
	gen_require(`
		type cyphesis_client_packet_t;
	')

	dontaudit $1 cyphesis_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cyphesis_client_packets'($*)) dnl
')

########################################
##
##	Send and receive cyphesis_client packets.
##	Convenience wrapper around the send and receive interfaces above.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_cyphesis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cyphesis_client_packets'($*)) dnl
	corenet_send_cyphesis_client_packets($1)
	corenet_receive_cyphesis_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cyphesis_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive cyphesis_client packets.
##
##
##
##	Domain to not audit.
## ## ## # define(`corenet_dontaudit_sendrecv_cyphesis_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cyphesis_client_packets'($*)) dnl corenet_dontaudit_send_cyphesis_client_packets($1) corenet_dontaudit_receive_cyphesis_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cyphesis_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to cyphesis_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_cyphesis_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cyphesis_client_packets'($*)) dnl gen_require(` type cyphesis_client_packet_t; ') allow $1 cyphesis_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_cyphesis_client_packets'($*)) dnl ') ######################################## ## ## Send cyphesis_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_cyphesis_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_cyphesis_server_packets'($*)) dnl gen_require(` type cyphesis_server_packet_t; ') allow $1 cyphesis_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_cyphesis_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send cyphesis_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_cyphesis_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cyphesis_server_packets'($*)) dnl gen_require(` type cyphesis_server_packet_t; ') dontaudit $1 cyphesis_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cyphesis_server_packets'($*)) dnl ') ######################################## ## ## Receive cyphesis_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_cyphesis_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_cyphesis_server_packets'($*)) dnl gen_require(` type cyphesis_server_packet_t; ') allow $1 cyphesis_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_cyphesis_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive cyphesis_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_cyphesis_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cyphesis_server_packets'($*)) dnl gen_require(` type cyphesis_server_packet_t; ') dontaudit $1 cyphesis_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cyphesis_server_packets'($*)) dnl ') ######################################## ## ## Send and receive cyphesis_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_cyphesis_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cyphesis_server_packets'($*)) dnl corenet_send_cyphesis_server_packets($1) corenet_receive_cyphesis_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cyphesis_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive cyphesis_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_cyphesis_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cyphesis_server_packets'($*)) dnl corenet_dontaudit_send_cyphesis_server_packets($1) corenet_dontaudit_receive_cyphesis_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cyphesis_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to cyphesis_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_cyphesis_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cyphesis_server_packets'($*)) dnl gen_require(` type cyphesis_server_packet_t; ') allow $1 cyphesis_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_cyphesis_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the cyrus_imapd port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_sendrecv_cyrus_imapd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_cyrus_imapd_port'($*)) dnl gen_require(` type cyrus_imapd_port_t; ') allow $1 cyrus_imapd_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_cyrus_imapd_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the cyrus_imapd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_cyrus_imapd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_cyrus_imapd_port'($*)) dnl gen_require(` type cyrus_imapd_port_t; ') allow $1 cyrus_imapd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_cyrus_imapd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the cyrus_imapd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_cyrus_imapd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_cyrus_imapd_port'($*)) dnl gen_require(` type cyrus_imapd_port_t; ') dontaudit $1 cyrus_imapd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_cyrus_imapd_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the cyrus_imapd port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_receive_cyrus_imapd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_cyrus_imapd_port'($*)) dnl gen_require(` type cyrus_imapd_port_t; ') allow $1 cyrus_imapd_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_cyrus_imapd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the cyrus_imapd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_cyrus_imapd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_cyrus_imapd_port'($*)) dnl gen_require(` type cyrus_imapd_port_t; ') dontaudit $1 cyrus_imapd_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_cyrus_imapd_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the cyrus_imapd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_cyrus_imapd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_cyrus_imapd_port'($*)) dnl corenet_udp_send_cyrus_imapd_port($1) corenet_udp_receive_cyrus_imapd_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_cyrus_imapd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the cyrus_imapd port. ## ## ## ## Domain to not audit. 
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_cyrus_imapd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_cyrus_imapd_port'($*)) dnl
	corenet_dontaudit_udp_send_cyrus_imapd_port($1)
	corenet_dontaudit_udp_receive_cyrus_imapd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_cyrus_imapd_port'($*)) dnl
')

########################################
##
##	Bind TCP sockets to the cyrus_imapd port.
##	Grants name_bind only; no capability is added here.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_cyrus_imapd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_cyrus_imapd_port'($*)) dnl
	gen_require(`
		type cyrus_imapd_port_t;
	')

	allow $1 cyrus_imapd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_cyrus_imapd_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the cyrus_imapd port.
##	Grants name_bind only; no capability is added here.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_cyrus_imapd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_cyrus_imapd_port'($*)) dnl
	gen_require(`
		type cyrus_imapd_port_t;
	')

	allow $1 cyrus_imapd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_cyrus_imapd_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind UDP sockets to the cyrus_imapd port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_cyrus_imapd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_cyrus_imapd_port'($*)) dnl
	gen_require(`
		type cyrus_imapd_port_t;
	')

	# Suppresses the denial only; no permission is granted.
	dontaudit $1 cyrus_imapd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_cyrus_imapd_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the cyrus_imapd port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_cyrus_imapd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_cyrus_imapd_port'($*)) dnl
	gen_require(`
		type cyrus_imapd_port_t;
	')

	allow $1 cyrus_imapd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_cyrus_imapd_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the cyrus_imapd port.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_cyrus_imapd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_cyrus_imapd_port'($*)) dnl
	gen_require(`
		type cyrus_imapd_port_t;
	')

	# Suppresses the denial only; no permission is granted.
	dontaudit $1 cyrus_imapd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_cyrus_imapd_port'($*)) dnl
')

########################################
##
##	Send cyrus_imapd_client packets.
##
##
##
##	Domain allowed access.
## ## ## # define(`corenet_send_cyrus_imapd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_cyrus_imapd_client_packets'($*)) dnl gen_require(` type cyrus_imapd_client_packet_t; ') allow $1 cyrus_imapd_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_cyrus_imapd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send cyrus_imapd_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_cyrus_imapd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cyrus_imapd_client_packets'($*)) dnl gen_require(` type cyrus_imapd_client_packet_t; ') dontaudit $1 cyrus_imapd_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cyrus_imapd_client_packets'($*)) dnl ') ######################################## ## ## Receive cyrus_imapd_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_cyrus_imapd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_cyrus_imapd_client_packets'($*)) dnl gen_require(` type cyrus_imapd_client_packet_t; ') allow $1 cyrus_imapd_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_cyrus_imapd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive cyrus_imapd_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_cyrus_imapd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cyrus_imapd_client_packets'($*)) dnl gen_require(` type cyrus_imapd_client_packet_t; ') dontaudit $1 cyrus_imapd_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cyrus_imapd_client_packets'($*)) dnl ') ######################################## ## ## Send and receive cyrus_imapd_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_cyrus_imapd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cyrus_imapd_client_packets'($*)) dnl corenet_send_cyrus_imapd_client_packets($1) corenet_receive_cyrus_imapd_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cyrus_imapd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive cyrus_imapd_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_cyrus_imapd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cyrus_imapd_client_packets'($*)) dnl corenet_dontaudit_send_cyrus_imapd_client_packets($1) corenet_dontaudit_receive_cyrus_imapd_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cyrus_imapd_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to cyrus_imapd_client the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_cyrus_imapd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cyrus_imapd_client_packets'($*)) dnl gen_require(` type cyrus_imapd_client_packet_t; ') allow $1 cyrus_imapd_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_cyrus_imapd_client_packets'($*)) dnl ') ######################################## ## ## Send cyrus_imapd_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_cyrus_imapd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_cyrus_imapd_server_packets'($*)) dnl gen_require(` type cyrus_imapd_server_packet_t; ') allow $1 cyrus_imapd_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_cyrus_imapd_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send cyrus_imapd_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_cyrus_imapd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_cyrus_imapd_server_packets'($*)) dnl gen_require(` type cyrus_imapd_server_packet_t; ') dontaudit $1 cyrus_imapd_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_cyrus_imapd_server_packets'($*)) dnl ') ######################################## ## ## Receive cyrus_imapd_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_cyrus_imapd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_cyrus_imapd_server_packets'($*)) dnl gen_require(` type cyrus_imapd_server_packet_t; ') allow $1 cyrus_imapd_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_cyrus_imapd_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive cyrus_imapd_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_cyrus_imapd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_cyrus_imapd_server_packets'($*)) dnl gen_require(` type cyrus_imapd_server_packet_t; ') dontaudit $1 cyrus_imapd_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_cyrus_imapd_server_packets'($*)) dnl ') ######################################## ## ## Send and receive cyrus_imapd_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_cyrus_imapd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_cyrus_imapd_server_packets'($*)) dnl corenet_send_cyrus_imapd_server_packets($1) corenet_receive_cyrus_imapd_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_cyrus_imapd_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive cyrus_imapd_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_cyrus_imapd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_cyrus_imapd_server_packets'($*)) dnl corenet_dontaudit_send_cyrus_imapd_server_packets($1) corenet_dontaudit_receive_cyrus_imapd_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_cyrus_imapd_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to cyrus_imapd_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_cyrus_imapd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_cyrus_imapd_server_packets'($*)) dnl gen_require(` type cyrus_imapd_server_packet_t; ') allow $1 cyrus_imapd_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_cyrus_imapd_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the daap port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_daap_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_daap_port'($*)) dnl gen_require(` type daap_port_t; ') allow $1 daap_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_daap_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the daap port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_send_daap_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_daap_port'($*)) dnl gen_require(` type daap_port_t; ') allow $1 daap_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_daap_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the daap port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_daap_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_daap_port'($*)) dnl gen_require(` type daap_port_t; ') dontaudit $1 daap_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_daap_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the daap port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_daap_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_daap_port'($*)) dnl gen_require(` type daap_port_t; ') allow $1 daap_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_daap_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the daap port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_receive_daap_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_daap_port'($*)) dnl gen_require(` type daap_port_t; ') dontaudit $1 daap_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_daap_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the daap port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_daap_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_daap_port'($*)) dnl corenet_udp_send_daap_port($1) corenet_udp_receive_daap_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_daap_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the daap port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_daap_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_daap_port'($*)) dnl corenet_dontaudit_udp_send_daap_port($1) corenet_dontaudit_udp_receive_daap_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_daap_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the daap port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_bind_daap_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_daap_port'($*)) dnl gen_require(` type daap_port_t; ') allow $1 daap_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_daap_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the daap port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_daap_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_daap_port'($*)) dnl gen_require(` type daap_port_t; ') allow $1 daap_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_daap_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to sbind to daap port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_bind_daap_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_daap_port'($*)) dnl gen_require(` type daap_port_t; ') dontaudit $1 daap_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_daap_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the daap port. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_tcp_connect_daap_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_daap_port'($*)) dnl gen_require(` type daap_port_t; ') allow $1 daap_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_daap_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to daap port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_dontaudit_tcp_connect_daap_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_daap_port'($*)) dnl gen_require(` type daap_port_t; ') dontaudit $1 daap_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_daap_port'($*)) dnl ') ######################################## ## ## Send daap_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_daap_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_daap_client_packets'($*)) dnl gen_require(` type daap_client_packet_t; ') allow $1 daap_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_daap_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send daap_client packets. ## ## ## ## Domain to not audit. 
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_daap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_daap_client_packets'($*)) dnl
	gen_require(`
		type daap_client_packet_t;
	')

	dontaudit $1 daap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_daap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive daap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_daap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_daap_client_packets'($*)) dnl
	gen_require(`
		type daap_client_packet_t;
	')

	allow $1 daap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_daap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive daap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_daap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_daap_client_packets'($*)) dnl
	gen_require(`
		type daap_client_packet_t;
	')

	dontaudit $1 daap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_daap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive daap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_daap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_daap_client_packets'($*)) dnl
	corenet_send_daap_client_packets($1)
	corenet_receive_daap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_daap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive daap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_daap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_daap_client_packets'($*)) dnl
	corenet_dontaudit_send_daap_client_packets($1)
	corenet_dontaudit_receive_daap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_daap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the daap_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_daap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_daap_client_packets'($*)) dnl
	gen_require(`
		type daap_client_packet_t;
	')

	allow $1 daap_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_daap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send daap_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_daap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_daap_server_packets'($*)) dnl
	gen_require(`
		type daap_server_packet_t;
	')

	allow $1 daap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_daap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send daap_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_daap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_daap_server_packets'($*)) dnl
	gen_require(`
		type daap_server_packet_t;
	')

	dontaudit $1 daap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_daap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive daap_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_daap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_daap_server_packets'($*)) dnl
	gen_require(`
		type daap_server_packet_t;
	')

	allow $1 daap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_daap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive daap_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_daap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_daap_server_packets'($*)) dnl
	gen_require(`
		type daap_server_packet_t;
	')

	dontaudit $1 daap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_daap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive daap_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_daap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_daap_server_packets'($*)) dnl
	corenet_send_daap_server_packets($1)
	corenet_receive_daap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_daap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive daap_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_daap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_daap_server_packets'($*)) dnl
	corenet_dontaudit_send_daap_server_packets($1)
	corenet_dontaudit_receive_daap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_daap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the daap_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_daap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_daap_server_packets'($*)) dnl
	gen_require(`
		type daap_server_packet_t;
	')

	allow $1 daap_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_daap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the dbskkd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dbskkd_port'($*)) dnl
	gen_require(`
		type dbskkd_port_t;
	')

	allow $1 dbskkd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dbskkd_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the dbskkd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dbskkd_port'($*)) dnl
	gen_require(`
		type dbskkd_port_t;
	')

	allow $1 dbskkd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dbskkd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the dbskkd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_send_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dbskkd_port'($*)) dnl
	gen_require(`
		type dbskkd_port_t;
	')

	dontaudit $1 dbskkd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dbskkd_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the dbskkd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dbskkd_port'($*)) dnl
	gen_require(`
		type dbskkd_port_t;
	')

	allow $1 dbskkd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dbskkd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the dbskkd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_receive_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dbskkd_port'($*)) dnl
	gen_require(`
		type dbskkd_port_t;
	')

	dontaudit $1 dbskkd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dbskkd_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the dbskkd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_sendrecv_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dbskkd_port'($*)) dnl
	corenet_udp_send_dbskkd_port($1)
	corenet_udp_receive_dbskkd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dbskkd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the dbskkd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_sendrecv_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dbskkd_port'($*)) dnl
	corenet_dontaudit_udp_send_dbskkd_port($1)
	corenet_dontaudit_udp_receive_dbskkd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dbskkd_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the dbskkd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dbskkd_port'($*)) dnl
	gen_require(`
		type dbskkd_port_t;
	')

	allow $1 dbskkd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dbskkd_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the dbskkd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_bind_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dbskkd_port'($*)) dnl
	gen_require(`
		type dbskkd_port_t;
	')

	allow $1 dbskkd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dbskkd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the dbskkd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_bind_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dbskkd_port'($*)) dnl
	gen_require(`
		type dbskkd_port_t;
	')

	dontaudit $1 dbskkd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dbskkd_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the dbskkd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dbskkd_port'($*)) dnl
	gen_require(`
		type dbskkd_port_t;
	')

	allow $1 dbskkd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dbskkd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the dbskkd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_dbskkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dbskkd_port'($*)) dnl
	gen_require(`
		type dbskkd_port_t;
	')

	dontaudit $1 dbskkd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dbskkd_port'($*)) dnl
')

########################################
## <summary>
##	Send dbskkd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_dbskkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dbskkd_client_packets'($*)) dnl
	gen_require(`
		type dbskkd_client_packet_t;
	')

	allow $1 dbskkd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dbskkd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send dbskkd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_dbskkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dbskkd_client_packets'($*)) dnl
	gen_require(`
		type dbskkd_client_packet_t;
	')

	dontaudit $1 dbskkd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dbskkd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive dbskkd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_dbskkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dbskkd_client_packets'($*)) dnl
	gen_require(`
		type dbskkd_client_packet_t;
	')

	allow $1 dbskkd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dbskkd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive dbskkd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_dbskkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dbskkd_client_packets'($*)) dnl
	gen_require(`
		type dbskkd_client_packet_t;
	')

	dontaudit $1 dbskkd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dbskkd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive dbskkd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_dbskkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dbskkd_client_packets'($*)) dnl
	corenet_send_dbskkd_client_packets($1)
	corenet_receive_dbskkd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dbskkd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive dbskkd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_dbskkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dbskkd_client_packets'($*)) dnl
	corenet_dontaudit_send_dbskkd_client_packets($1)
	corenet_dontaudit_receive_dbskkd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dbskkd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the dbskkd_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_dbskkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dbskkd_client_packets'($*)) dnl
	gen_require(`
		type dbskkd_client_packet_t;
	')

	allow $1 dbskkd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dbskkd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send dbskkd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_dbskkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dbskkd_server_packets'($*)) dnl
	gen_require(`
		type dbskkd_server_packet_t;
	')

	allow $1 dbskkd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dbskkd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send dbskkd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_dbskkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dbskkd_server_packets'($*)) dnl
	gen_require(`
		type dbskkd_server_packet_t;
	')

	dontaudit $1 dbskkd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dbskkd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive dbskkd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_dbskkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dbskkd_server_packets'($*)) dnl
	gen_require(`
		type dbskkd_server_packet_t;
	')

	allow $1 dbskkd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dbskkd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive dbskkd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_dbskkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dbskkd_server_packets'($*)) dnl
	gen_require(`
		type dbskkd_server_packet_t;
	')

	dontaudit $1 dbskkd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dbskkd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive dbskkd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_dbskkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dbskkd_server_packets'($*)) dnl
	corenet_send_dbskkd_server_packets($1)
	corenet_receive_dbskkd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dbskkd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive dbskkd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_dbskkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dbskkd_server_packets'($*)) dnl
	corenet_dontaudit_send_dbskkd_server_packets($1)
	corenet_dontaudit_receive_dbskkd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dbskkd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the dbskkd_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_dbskkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dbskkd_server_packets'($*)) dnl
	gen_require(`
		type dbskkd_server_packet_t;
	')

	allow $1 dbskkd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dbskkd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the dcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dcc_port'($*)) dnl
	gen_require(`
		type dcc_port_t;
	')

	allow $1 dcc_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dcc_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the dcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dcc_port'($*)) dnl
	gen_require(`
		type dcc_port_t;
	')

	allow $1 dcc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dcc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the dcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_send_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dcc_port'($*)) dnl
	gen_require(`
		type dcc_port_t;
	')

	dontaudit $1 dcc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dcc_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the dcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dcc_port'($*)) dnl
	gen_require(`
		type dcc_port_t;
	')

	allow $1 dcc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dcc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the dcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_receive_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dcc_port'($*)) dnl
	gen_require(`
		type dcc_port_t;
	')

	dontaudit $1 dcc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dcc_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the dcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_sendrecv_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dcc_port'($*)) dnl
	corenet_udp_send_dcc_port($1)
	corenet_udp_receive_dcc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dcc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the dcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_sendrecv_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dcc_port'($*)) dnl
	corenet_dontaudit_udp_send_dcc_port($1)
	corenet_dontaudit_udp_receive_dcc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dcc_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the dcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dcc_port'($*)) dnl
	gen_require(`
		type dcc_port_t;
	')

	allow $1 dcc_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dcc_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the dcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_bind_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dcc_port'($*)) dnl
	gen_require(`
		type dcc_port_t;
	')

	allow $1 dcc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dcc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the dcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_bind_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dcc_port'($*)) dnl
	gen_require(`
		type dcc_port_t;
	')

	dontaudit $1 dcc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dcc_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the dcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dcc_port'($*)) dnl
	gen_require(`
		type dcc_port_t;
	')

	allow $1 dcc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dcc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the dcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_dcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dcc_port'($*)) dnl
	gen_require(`
		type dcc_port_t;
	')

	dontaudit $1 dcc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dcc_port'($*)) dnl
')

########################################
## <summary>
##	Send dcc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_dcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dcc_client_packets'($*)) dnl
	gen_require(`
		type dcc_client_packet_t;
	')

	allow $1 dcc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dcc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send dcc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_dcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dcc_client_packets'($*)) dnl
	gen_require(`
		type dcc_client_packet_t;
	')

	dontaudit $1 dcc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dcc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive dcc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_dcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dcc_client_packets'($*)) dnl
	gen_require(`
		type dcc_client_packet_t;
	')

	allow $1 dcc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dcc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive dcc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_dcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dcc_client_packets'($*)) dnl
	gen_require(`
		type dcc_client_packet_t;
	')

	dontaudit $1 dcc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dcc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive dcc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_dcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dcc_client_packets'($*)) dnl
	corenet_send_dcc_client_packets($1)
	corenet_receive_dcc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dcc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive dcc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_dcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dcc_client_packets'($*)) dnl
	corenet_dontaudit_send_dcc_client_packets($1)
	corenet_dontaudit_receive_dcc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dcc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the dcc_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_dcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dcc_client_packets'($*)) dnl
	gen_require(`
		type dcc_client_packet_t;
	')

	allow $1 dcc_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dcc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send dcc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_dcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dcc_server_packets'($*)) dnl
	gen_require(`
		type dcc_server_packet_t;
	')

	allow $1 dcc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dcc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send dcc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_dcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dcc_server_packets'($*)) dnl
	gen_require(`
		type dcc_server_packet_t;
	')

	dontaudit $1 dcc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dcc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive dcc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
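##	</summary>
## </param>
##
#
define(`corenet_receive_dcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dcc_server_packets'($*)) dnl
gen_require(`
	type dcc_server_packet_t;
')

allow $1 dcc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dcc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive dcc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_dcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dcc_server_packets'($*)) dnl
gen_require(`
	type dcc_server_packet_t;
')

dontaudit $1 dcc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dcc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive dcc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_dcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dcc_server_packets'($*)) dnl
corenet_send_dcc_server_packets($1)
corenet_receive_dcc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dcc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive dcc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.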
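##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_dcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dcc_server_packets'($*)) dnl
corenet_dontaudit_send_dcc_server_packets($1)
corenet_dontaudit_receive_dcc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dcc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the dcc_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_dcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dcc_server_packets'($*)) dnl
gen_require(`
	type dcc_server_packet_t;
')

allow $1 dcc_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dcc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the dccm port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dccm_port'($*)) dnl
gen_require(`
	type dccm_port_t;
')

allow $1 dccm_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dccm_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the dccm port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.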
##	</summary>
## </param>
##
#
define(`corenet_udp_send_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dccm_port'($*)) dnl
gen_require(`
	type dccm_port_t;
')

allow $1 dccm_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dccm_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the dccm port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_send_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dccm_port'($*)) dnl
gen_require(`
	type dccm_port_t;
')

dontaudit $1 dccm_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dccm_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the dccm port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dccm_port'($*)) dnl
gen_require(`
	type dccm_port_t;
')

allow $1 dccm_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dccm_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the dccm port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_receive_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dccm_port'($*)) dnl
gen_require(`
	type dccm_port_t;
')

dontaudit $1 dccm_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dccm_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the dccm port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_sendrecv_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dccm_port'($*)) dnl
corenet_udp_send_dccm_port($1)
corenet_udp_receive_dccm_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dccm_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the dccm port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_sendrecv_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dccm_port'($*)) dnl
corenet_dontaudit_udp_send_dccm_port($1)
corenet_dontaudit_udp_receive_dccm_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dccm_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the dccm port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
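##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dccm_port'($*)) dnl
gen_require(`
	type dccm_port_t;
')

allow $1 dccm_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dccm_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the dccm port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_bind_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dccm_port'($*)) dnl
gen_require(`
	type dccm_port_t;
')

allow $1 dccm_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dccm_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the dccm port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_bind_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dccm_port'($*)) dnl
gen_require(`
	type dccm_port_t;
')

dontaudit $1 dccm_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dccm_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the dccm port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.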
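##	</summary>
## </param>
#
define(`corenet_tcp_connect_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dccm_port'($*)) dnl
gen_require(`
	type dccm_port_t;
')

allow $1 dccm_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dccm_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the dccm port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_dccm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dccm_port'($*)) dnl
gen_require(`
	type dccm_port_t;
')

dontaudit $1 dccm_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dccm_port'($*)) dnl
')

########################################
## <summary>
##	Send dccm_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_dccm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dccm_client_packets'($*)) dnl
gen_require(`
	type dccm_client_packet_t;
')

allow $1 dccm_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dccm_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send dccm_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.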
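##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_dccm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dccm_client_packets'($*)) dnl
gen_require(`
	type dccm_client_packet_t;
')

dontaudit $1 dccm_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dccm_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive dccm_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_dccm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dccm_client_packets'($*)) dnl
gen_require(`
	type dccm_client_packet_t;
')

allow $1 dccm_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dccm_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive dccm_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_dccm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dccm_client_packets'($*)) dnl
gen_require(`
	type dccm_client_packet_t;
')

dontaudit $1 dccm_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dccm_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive dccm_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.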
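##	</summary>
## </param>
##
#
define(`corenet_sendrecv_dccm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dccm_client_packets'($*)) dnl
corenet_send_dccm_client_packets($1)
corenet_receive_dccm_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dccm_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive dccm_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_dccm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dccm_client_packets'($*)) dnl
corenet_dontaudit_send_dccm_client_packets($1)
corenet_dontaudit_receive_dccm_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dccm_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the dccm_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_dccm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dccm_client_packets'($*)) dnl
gen_require(`
	type dccm_client_packet_t;
')

allow $1 dccm_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dccm_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send dccm_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.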
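##	</summary>
## </param>
##
#
define(`corenet_send_dccm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dccm_server_packets'($*)) dnl
gen_require(`
	type dccm_server_packet_t;
')

allow $1 dccm_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dccm_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send dccm_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_dccm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dccm_server_packets'($*)) dnl
gen_require(`
	type dccm_server_packet_t;
')

dontaudit $1 dccm_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dccm_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive dccm_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_dccm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dccm_server_packets'($*)) dnl
gen_require(`
	type dccm_server_packet_t;
')

allow $1 dccm_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dccm_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive dccm_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.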
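##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_dccm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dccm_server_packets'($*)) dnl
gen_require(`
	type dccm_server_packet_t;
')

dontaudit $1 dccm_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dccm_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive dccm_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_dccm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dccm_server_packets'($*)) dnl
corenet_send_dccm_server_packets($1)
corenet_receive_dccm_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dccm_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive dccm_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_dccm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dccm_server_packets'($*)) dnl
corenet_dontaudit_send_dccm_server_packets($1)
corenet_dontaudit_receive_dccm_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dccm_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the dccm_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.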
##	</summary>
## </param>
#
define(`corenet_relabelto_dccm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dccm_server_packets'($*)) dnl
gen_require(`
	type dccm_server_packet_t;
')

allow $1 dccm_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dccm_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the dey_keyneg port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dey_keyneg_port'($*)) dnl
gen_require(`
	type dey_keyneg_port_t;
')

allow $1 dey_keyneg_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dey_keyneg_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the dey_keyneg port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dey_keyneg_port'($*)) dnl
gen_require(`
	type dey_keyneg_port_t;
')

allow $1 dey_keyneg_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dey_keyneg_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the dey_keyneg port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_send_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dey_keyneg_port'($*)) dnl
gen_require(`
	type dey_keyneg_port_t;
')

dontaudit $1 dey_keyneg_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dey_keyneg_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the dey_keyneg port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dey_keyneg_port'($*)) dnl
gen_require(`
	type dey_keyneg_port_t;
')

allow $1 dey_keyneg_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dey_keyneg_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the dey_keyneg port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_receive_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dey_keyneg_port'($*)) dnl
gen_require(`
	type dey_keyneg_port_t;
')

dontaudit $1 dey_keyneg_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dey_keyneg_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the dey_keyneg port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_sendrecv_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dey_keyneg_port'($*)) dnl
corenet_udp_send_dey_keyneg_port($1)
corenet_udp_receive_dey_keyneg_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dey_keyneg_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the dey_keyneg port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_sendrecv_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dey_keyneg_port'($*)) dnl
corenet_dontaudit_udp_send_dey_keyneg_port($1)
corenet_dontaudit_udp_receive_dey_keyneg_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dey_keyneg_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the dey_keyneg port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dey_keyneg_port'($*)) dnl
gen_require(`
	type dey_keyneg_port_t;
')

allow $1 dey_keyneg_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dey_keyneg_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the dey_keyneg port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
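##	</summary>
## </param>
##
#
define(`corenet_udp_bind_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dey_keyneg_port'($*)) dnl
gen_require(`
	type dey_keyneg_port_t;
')

allow $1 dey_keyneg_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dey_keyneg_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the dey_keyneg port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_bind_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dey_keyneg_port'($*)) dnl
gen_require(`
	type dey_keyneg_port_t;
')

dontaudit $1 dey_keyneg_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dey_keyneg_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the dey_keyneg port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dey_keyneg_port'($*)) dnl
gen_require(`
	type dey_keyneg_port_t;
')

allow $1 dey_keyneg_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dey_keyneg_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the dey_keyneg port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.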
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_dey_keyneg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dey_keyneg_port'($*)) dnl
gen_require(`
	type dey_keyneg_port_t;
')

dontaudit $1 dey_keyneg_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dey_keyneg_port'($*)) dnl
')

########################################
## <summary>
##	Send dey_keyneg_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_dey_keyneg_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dey_keyneg_client_packets'($*)) dnl
gen_require(`
	type dey_keyneg_client_packet_t;
')

allow $1 dey_keyneg_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dey_keyneg_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send dey_keyneg_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_dey_keyneg_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dey_keyneg_client_packets'($*)) dnl
gen_require(`
	type dey_keyneg_client_packet_t;
')

dontaudit $1 dey_keyneg_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dey_keyneg_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive dey_keyneg_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
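##	</summary>
## </param>
##
#
define(`corenet_receive_dey_keyneg_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dey_keyneg_client_packets'($*)) dnl
gen_require(`
	type dey_keyneg_client_packet_t;
')

allow $1 dey_keyneg_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dey_keyneg_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive dey_keyneg_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_dey_keyneg_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dey_keyneg_client_packets'($*)) dnl
gen_require(`
	type dey_keyneg_client_packet_t;
')

dontaudit $1 dey_keyneg_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dey_keyneg_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive dey_keyneg_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_dey_keyneg_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dey_keyneg_client_packets'($*)) dnl
corenet_send_dey_keyneg_client_packets($1)
corenet_receive_dey_keyneg_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dey_keyneg_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive dey_keyneg_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.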
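##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_dey_keyneg_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dey_keyneg_client_packets'($*)) dnl
corenet_dontaudit_send_dey_keyneg_client_packets($1)
corenet_dontaudit_receive_dey_keyneg_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dey_keyneg_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the dey_keyneg_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_dey_keyneg_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dey_keyneg_client_packets'($*)) dnl
gen_require(`
	type dey_keyneg_client_packet_t;
')

allow $1 dey_keyneg_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dey_keyneg_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send dey_keyneg_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_dey_keyneg_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dey_keyneg_server_packets'($*)) dnl
gen_require(`
	type dey_keyneg_server_packet_t;
')

allow $1 dey_keyneg_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dey_keyneg_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send dey_keyneg_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.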
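##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_dey_keyneg_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dey_keyneg_server_packets'($*)) dnl
gen_require(`
	type dey_keyneg_server_packet_t;
')

dontaudit $1 dey_keyneg_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dey_keyneg_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive dey_keyneg_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_dey_keyneg_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dey_keyneg_server_packets'($*)) dnl
gen_require(`
	type dey_keyneg_server_packet_t;
')

allow $1 dey_keyneg_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dey_keyneg_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive dey_keyneg_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_dey_keyneg_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dey_keyneg_server_packets'($*)) dnl
gen_require(`
	type dey_keyneg_server_packet_t;
')

dontaudit $1 dey_keyneg_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dey_keyneg_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive dey_keyneg_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.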
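##	</summary>
## </param>
##
#
define(`corenet_sendrecv_dey_keyneg_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dey_keyneg_server_packets'($*)) dnl
corenet_send_dey_keyneg_server_packets($1)
corenet_receive_dey_keyneg_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dey_keyneg_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive dey_keyneg_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_dey_keyneg_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dey_keyneg_server_packets'($*)) dnl
corenet_dontaudit_send_dey_keyneg_server_packets($1)
corenet_dontaudit_receive_dey_keyneg_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dey_keyneg_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the dey_keyneg_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_dey_keyneg_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dey_keyneg_server_packets'($*)) dnl
gen_require(`
	type dey_keyneg_server_packet_t;
')

allow $1 dey_keyneg_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dey_keyneg_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the dey_sapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.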
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dey_sapi_port'($*)) dnl
	gen_require(`
		type dey_sapi_port_t;
	')

	allow $1 dey_sapi_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dey_sapi_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the dey_sapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dey_sapi_port'($*)) dnl
	gen_require(`
		type dey_sapi_port_t;
	')

	allow $1 dey_sapi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dey_sapi_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the dey_sapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dey_sapi_port'($*)) dnl
	gen_require(`
		type dey_sapi_port_t;
	')

	dontaudit $1 dey_sapi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dey_sapi_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the dey_sapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dey_sapi_port'($*)) dnl
	gen_require(`
		type dey_sapi_port_t;
	')

	allow $1 dey_sapi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dey_sapi_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the dey_sapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dey_sapi_port'($*)) dnl
	gen_require(`
		type dey_sapi_port_t;
	')

	dontaudit $1 dey_sapi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dey_sapi_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the dey_sapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dey_sapi_port'($*)) dnl
	corenet_udp_send_dey_sapi_port($1)
	corenet_udp_receive_dey_sapi_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dey_sapi_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the dey_sapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dey_sapi_port'($*)) dnl
	corenet_dontaudit_udp_send_dey_sapi_port($1)
	corenet_dontaudit_udp_receive_dey_sapi_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dey_sapi_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the dey_sapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dey_sapi_port'($*)) dnl
	gen_require(`
		type dey_sapi_port_t;
	')

	# no net_bind_service grant here, unlike the dhcpc/dhcpd bind interfaces
	allow $1 dey_sapi_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dey_sapi_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the dey_sapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dey_sapi_port'($*)) dnl
	gen_require(`
		type dey_sapi_port_t;
	')

	allow $1 dey_sapi_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dey_sapi_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the dey_sapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dey_sapi_port'($*)) dnl
	gen_require(`
		type dey_sapi_port_t;
	')

	dontaudit $1 dey_sapi_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dey_sapi_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the dey_sapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dey_sapi_port'($*)) dnl
	gen_require(`
		type dey_sapi_port_t;
	')

	allow $1 dey_sapi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dey_sapi_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the dey_sapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_dey_sapi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dey_sapi_port'($*)) dnl
	gen_require(`
		type dey_sapi_port_t;
	')

	dontaudit $1 dey_sapi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dey_sapi_port'($*)) dnl
')

########################################
## <summary>
##	Send dey_sapi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_dey_sapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dey_sapi_client_packets'($*)) dnl
	gen_require(`
		type dey_sapi_client_packet_t;
	')

	allow $1 dey_sapi_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dey_sapi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send dey_sapi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_dey_sapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dey_sapi_client_packets'($*)) dnl
	gen_require(`
		type dey_sapi_client_packet_t;
	')

	dontaudit $1 dey_sapi_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dey_sapi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive dey_sapi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_dey_sapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dey_sapi_client_packets'($*)) dnl
	gen_require(`
		type dey_sapi_client_packet_t;
	')

	allow $1 dey_sapi_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dey_sapi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive dey_sapi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_dey_sapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dey_sapi_client_packets'($*)) dnl
	gen_require(`
		type dey_sapi_client_packet_t;
	')

	dontaudit $1 dey_sapi_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dey_sapi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive dey_sapi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_dey_sapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dey_sapi_client_packets'($*)) dnl
	corenet_send_dey_sapi_client_packets($1)
	corenet_receive_dey_sapi_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dey_sapi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive dey_sapi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_dey_sapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dey_sapi_client_packets'($*)) dnl
	corenet_dontaudit_send_dey_sapi_client_packets($1)
	corenet_dontaudit_receive_dey_sapi_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dey_sapi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the dey_sapi_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_dey_sapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dey_sapi_client_packets'($*)) dnl
	gen_require(`
		type dey_sapi_client_packet_t;
	')

	allow $1 dey_sapi_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dey_sapi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send dey_sapi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_dey_sapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dey_sapi_server_packets'($*)) dnl
	gen_require(`
		type dey_sapi_server_packet_t;
	')

	allow $1 dey_sapi_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dey_sapi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send dey_sapi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_dey_sapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dey_sapi_server_packets'($*)) dnl
	gen_require(`
		type dey_sapi_server_packet_t;
	')

	dontaudit $1 dey_sapi_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dey_sapi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive dey_sapi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_dey_sapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dey_sapi_server_packets'($*)) dnl
	gen_require(`
		type dey_sapi_server_packet_t;
	')

	allow $1 dey_sapi_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dey_sapi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive dey_sapi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_dey_sapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dey_sapi_server_packets'($*)) dnl
	gen_require(`
		type dey_sapi_server_packet_t;
	')

	dontaudit $1 dey_sapi_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dey_sapi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive dey_sapi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_dey_sapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dey_sapi_server_packets'($*)) dnl
	corenet_send_dey_sapi_server_packets($1)
	corenet_receive_dey_sapi_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dey_sapi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive dey_sapi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_dey_sapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dey_sapi_server_packets'($*)) dnl
	corenet_dontaudit_send_dey_sapi_server_packets($1)
	corenet_dontaudit_receive_dey_sapi_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dey_sapi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the dey_sapi_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_dey_sapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dey_sapi_server_packets'($*)) dnl
	gen_require(`
		type dey_sapi_server_packet_t;
	')

	allow $1 dey_sapi_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dey_sapi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the dhcpc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dhcpc_port'($*)) dnl
	gen_require(`
		type dhcpc_port_t;
	')

	allow $1 dhcpc_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dhcpc_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the dhcpc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dhcpc_port'($*)) dnl
	gen_require(`
		type dhcpc_port_t;
	')

	allow $1 dhcpc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dhcpc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the dhcpc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dhcpc_port'($*)) dnl
	gen_require(`
		type dhcpc_port_t;
	')

	dontaudit $1 dhcpc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dhcpc_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the dhcpc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dhcpc_port'($*)) dnl
	gen_require(`
		type dhcpc_port_t;
	')

	allow $1 dhcpc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dhcpc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the dhcpc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dhcpc_port'($*)) dnl
	gen_require(`
		type dhcpc_port_t;
	')

	dontaudit $1 dhcpc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dhcpc_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the dhcpc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dhcpc_port'($*)) dnl
	corenet_udp_send_dhcpc_port($1)
	corenet_udp_receive_dhcpc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dhcpc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the dhcpc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dhcpc_port'($*)) dnl
	corenet_dontaudit_udp_send_dhcpc_port($1)
	corenet_dontaudit_udp_receive_dhcpc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dhcpc_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the dhcpc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
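##	</summary>
## </param>
#
define(`corenet_tcp_bind_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dhcpc_port'($*)) dnl
	gen_require(`
		type dhcpc_port_t;
	')

	# Binding this port grants the net_bind_service capability as well as
	# name_bind (presumably a privileged port; the dey_sapi bind interfaces
	# do not carry the capability).
	allow $1 dhcpc_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dhcpc_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the dhcpc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dhcpc_port'($*)) dnl
	gen_require(`
		type dhcpc_port_t;
	')

	# same capability grant as the TCP bind interface above
	allow $1 dhcpc_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dhcpc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the dhcpc port.
##	This interface grants nothing; it only silences the denial.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dhcpc_port'($*)) dnl
	gen_require(`
		type dhcpc_port_t;
	')

	# A dontaudit interface must not widen the policy. The
	# "allow self:capability net_bind_service" rule that used to sit here
	# handed a capability to every caller that merely wanted the bind
	# denial silenced; the capability is granted only by
	# corenet_udp_bind_dhcpc_port, which actually permits the bind.
	dontaudit $1 dhcpc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dhcpc_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the dhcpc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.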
##	</summary>
## </param>
#
define(`corenet_tcp_connect_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dhcpc_port'($*)) dnl
	gen_require(`
		type dhcpc_port_t;
	')

	allow $1 dhcpc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dhcpc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the dhcpc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_dhcpc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dhcpc_port'($*)) dnl
	gen_require(`
		type dhcpc_port_t;
	')

	dontaudit $1 dhcpc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dhcpc_port'($*)) dnl
')

########################################
## <summary>
##	Send dhcpc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_dhcpc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dhcpc_client_packets'($*)) dnl
	gen_require(`
		type dhcpc_client_packet_t;
	')

	allow $1 dhcpc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dhcpc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send dhcpc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_dhcpc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dhcpc_client_packets'($*)) dnl
	gen_require(`
		type dhcpc_client_packet_t;
	')

	dontaudit $1 dhcpc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dhcpc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive dhcpc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_dhcpc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dhcpc_client_packets'($*)) dnl
	gen_require(`
		type dhcpc_client_packet_t;
	')

	allow $1 dhcpc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dhcpc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive dhcpc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_dhcpc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dhcpc_client_packets'($*)) dnl
	gen_require(`
		type dhcpc_client_packet_t;
	')

	dontaudit $1 dhcpc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dhcpc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive dhcpc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_dhcpc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dhcpc_client_packets'($*)) dnl
	corenet_send_dhcpc_client_packets($1)
	corenet_receive_dhcpc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dhcpc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive dhcpc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_dhcpc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dhcpc_client_packets'($*)) dnl
	corenet_dontaudit_send_dhcpc_client_packets($1)
	corenet_dontaudit_receive_dhcpc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dhcpc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the dhcpc_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_dhcpc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dhcpc_client_packets'($*)) dnl
	gen_require(`
		type dhcpc_client_packet_t;
	')

	allow $1 dhcpc_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dhcpc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send dhcpc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_dhcpc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dhcpc_server_packets'($*)) dnl
	gen_require(`
		type dhcpc_server_packet_t;
	')

	allow $1 dhcpc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dhcpc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send dhcpc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_dhcpc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dhcpc_server_packets'($*)) dnl
	gen_require(`
		type dhcpc_server_packet_t;
	')

	dontaudit $1 dhcpc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dhcpc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive dhcpc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_dhcpc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dhcpc_server_packets'($*)) dnl
	gen_require(`
		type dhcpc_server_packet_t;
	')

	allow $1 dhcpc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dhcpc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive dhcpc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_dhcpc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dhcpc_server_packets'($*)) dnl
	gen_require(`
		type dhcpc_server_packet_t;
	')

	dontaudit $1 dhcpc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dhcpc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive dhcpc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_dhcpc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dhcpc_server_packets'($*)) dnl
	corenet_send_dhcpc_server_packets($1)
	corenet_receive_dhcpc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dhcpc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive dhcpc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_dhcpc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dhcpc_server_packets'($*)) dnl
	corenet_dontaudit_send_dhcpc_server_packets($1)
	corenet_dontaudit_receive_dhcpc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dhcpc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the dhcpc_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_dhcpc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dhcpc_server_packets'($*)) dnl
	gen_require(`
		type dhcpc_server_packet_t;
	')

	allow $1 dhcpc_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dhcpc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the dhcpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dhcpd_port'($*)) dnl
	gen_require(`
		type dhcpd_port_t;
	')

	allow $1 dhcpd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dhcpd_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the dhcpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dhcpd_port'($*)) dnl
	gen_require(`
		type dhcpd_port_t;
	')

	allow $1 dhcpd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dhcpd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the dhcpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dhcpd_port'($*)) dnl
	gen_require(`
		type dhcpd_port_t;
	')

	dontaudit $1 dhcpd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dhcpd_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the dhcpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dhcpd_port'($*)) dnl
	gen_require(`
		type dhcpd_port_t;
	')

	allow $1 dhcpd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dhcpd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the dhcpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dhcpd_port'($*)) dnl
	gen_require(`
		type dhcpd_port_t;
	')

	dontaudit $1 dhcpd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dhcpd_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the dhcpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dhcpd_port'($*)) dnl
	corenet_udp_send_dhcpd_port($1)
	corenet_udp_receive_dhcpd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dhcpd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the dhcpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dhcpd_port'($*)) dnl
	corenet_dontaudit_udp_send_dhcpd_port($1)
	corenet_dontaudit_udp_receive_dhcpd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dhcpd_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the dhcpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dhcpd_port'($*)) dnl
	gen_require(`
		type dhcpd_port_t;
	')

	# Binding this port grants the net_bind_service capability as well as
	# name_bind (presumably a privileged port; the dey_sapi bind interfaces
	# do not carry the capability).
	allow $1 dhcpd_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dhcpd_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the dhcpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
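##	</summary>
## </param>
##
#
# Besides name_bind on the port type, this grants the domain the
# net_bind_service capability, which the kernel requires for binding to
# privileged (below 1024) ports; dhcpd_port_t presumably is one. The
# capability is not scoped to this port, so callers gain the ability to
# bind any privileged port they also have name_bind on.
define(`corenet_udp_bind_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dhcpd_port'($*)) dnl
	gen_require(`
		type dhcpd_port_t;
	')

	allow $1 dhcpd_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dhcpd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the dhcpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# A dontaudit interface must only silence the denial; it must not grant
# anything. The net_bind_service capability grant that used to sit here
# belongs to corenet_udp_bind_dhcpd_port, where the bind is actually
# allowed, so the caller of this interface gets no new permissions.
define(`corenet_dontaudit_udp_bind_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dhcpd_port'($*)) dnl
	gen_require(`
		type dhcpd_port_t;
	')

	dontaudit $1 dhcpd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dhcpd_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the dhcpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dhcpd_port'($*)) dnl
	gen_require(`
		type dhcpd_port_t;
	')

	allow $1 dhcpd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dhcpd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the dhcpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.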
##	</summary>
## </param>
#
# Suppresses the denial message only; no access is granted.
define(`corenet_dontaudit_tcp_connect_dhcpd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dhcpd_port'($*)) dnl
	gen_require(`
		type dhcpd_port_t;
	')

	dontaudit $1 dhcpd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dhcpd_port'($*)) dnl
')

########################################
## <summary>
##	Send dhcpd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
# Packet-class rules are only enforced when packets carry a label
# (secmark); otherwise this rule has no effect.
define(`corenet_send_dhcpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dhcpd_client_packets'($*)) dnl
	gen_require(`
		type dhcpd_client_packet_t;
	')

	allow $1 dhcpd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dhcpd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send dhcpd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_dhcpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dhcpd_client_packets'($*)) dnl
	gen_require(`
		type dhcpd_client_packet_t;
	')

	dontaudit $1 dhcpd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dhcpd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive dhcpd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_dhcpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dhcpd_client_packets'($*)) dnl
	gen_require(`
		type dhcpd_client_packet_t;
	')

	allow $1 dhcpd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dhcpd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive dhcpd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses the denial message only; no access is granted.
define(`corenet_dontaudit_receive_dhcpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dhcpd_client_packets'($*)) dnl
	gen_require(`
		type dhcpd_client_packet_t;
	')

	dontaudit $1 dhcpd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dhcpd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive dhcpd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
# Convenience wrapper: delegates to the send and receive packet interfaces
# for this packet type, so it has no gen_require block of its own.
define(`corenet_sendrecv_dhcpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dhcpd_client_packets'($*)) dnl
	corenet_send_dhcpd_client_packets($1)
	corenet_receive_dhcpd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dhcpd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive dhcpd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Wrapper over the two dontaudit packet interfaces; grants nothing.
define(`corenet_dontaudit_sendrecv_dhcpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dhcpd_client_packets'($*)) dnl
	corenet_dontaudit_send_dhcpd_client_packets($1)
	corenet_dontaudit_receive_dhcpd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dhcpd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the dhcpd_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Needed by domains that set packet labels (e.g. a firewall configuration
# tool); ordinary senders and receivers do not need relabelto.
define(`corenet_relabelto_dhcpd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dhcpd_client_packets'($*)) dnl
	gen_require(`
		type dhcpd_client_packet_t;
	')

	allow $1 dhcpd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dhcpd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send dhcpd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_dhcpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dhcpd_server_packets'($*)) dnl
	gen_require(`
		type dhcpd_server_packet_t;
	')

	allow $1 dhcpd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dhcpd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send dhcpd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_dhcpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dhcpd_server_packets'($*)) dnl
	gen_require(`
		type dhcpd_server_packet_t;
	')

	dontaudit $1 dhcpd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dhcpd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive dhcpd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_dhcpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dhcpd_server_packets'($*)) dnl
	gen_require(`
		type dhcpd_server_packet_t;
	')

	allow $1 dhcpd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dhcpd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive dhcpd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses the denial message only; no access is granted.
define(`corenet_dontaudit_receive_dhcpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dhcpd_server_packets'($*)) dnl
	gen_require(`
		type dhcpd_server_packet_t;
	')

	dontaudit $1 dhcpd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dhcpd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive dhcpd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
# Convenience wrapper: delegates to the send and receive packet interfaces
# for this packet type, so it has no gen_require block of its own.
define(`corenet_sendrecv_dhcpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dhcpd_server_packets'($*)) dnl
	corenet_send_dhcpd_server_packets($1)
	corenet_receive_dhcpd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dhcpd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive dhcpd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Wrapper over the two dontaudit packet interfaces; grants nothing.
define(`corenet_dontaudit_sendrecv_dhcpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dhcpd_server_packets'($*)) dnl
	corenet_dontaudit_send_dhcpd_server_packets($1)
	corenet_dontaudit_receive_dhcpd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dhcpd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the dhcpd_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Needed by domains that set packet labels; ordinary senders and
# receivers do not need relabelto.
define(`corenet_relabelto_dhcpd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dhcpd_server_packets'($*)) dnl
	gen_require(`
		type dhcpd_server_packet_t;
	')

	allow $1 dhcpd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dhcpd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the dict port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
# Unlike the udp variant there is no separate tcp send/receive pair; both
# permissions are granted in a single rule.
define(`corenet_tcp_sendrecv_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dict_port'($*)) dnl
	gen_require(`
		type dict_port_t;
	')

	allow $1 dict_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dict_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the dict port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dict_port'($*)) dnl
	gen_require(`
		type dict_port_t;
	')

	allow $1 dict_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dict_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the dict port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses the denial message only; no access is granted.
define(`corenet_dontaudit_udp_send_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dict_port'($*)) dnl
	gen_require(`
		type dict_port_t;
	')

	dontaudit $1 dict_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dict_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the dict port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dict_port'($*)) dnl
	gen_require(`
		type dict_port_t;
	')

	allow $1 dict_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dict_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the dict port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses the denial message only; no access is granted.
define(`corenet_dontaudit_udp_receive_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dict_port'($*)) dnl
	gen_require(`
		type dict_port_t;
	')

	dontaudit $1 dict_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dict_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the dict port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
# Convenience wrapper: delegates to the udp send and receive interfaces for
# this port, so it has no gen_require block of its own.
define(`corenet_udp_sendrecv_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dict_port'($*)) dnl
	corenet_udp_send_dict_port($1)
	corenet_udp_receive_dict_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dict_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the dict port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Wrapper over the two dontaudit interfaces; grants nothing.
define(`corenet_dontaudit_udp_sendrecv_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dict_port'($*)) dnl
	corenet_dontaudit_udp_send_dict_port($1)
	corenet_dontaudit_udp_receive_dict_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dict_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the dict port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
# No net_bind_service capability is granted here, in contrast to the dhcpd
# bind interfaces; dict_port_t is presumably not a privileged port.
define(`corenet_tcp_bind_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dict_port'($*)) dnl
	gen_require(`
		type dict_port_t;
	')

	allow $1 dict_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dict_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the dict port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_bind_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dict_port'($*)) dnl
	gen_require(`
		type dict_port_t;
	')

	allow $1 dict_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dict_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the dict port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses the denial message only; no access is granted.
define(`corenet_dontaudit_udp_bind_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dict_port'($*)) dnl
	gen_require(`
		type dict_port_t;
	')

	dontaudit $1 dict_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dict_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the dict port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dict_port'($*)) dnl
	gen_require(`
		type dict_port_t;
	')

	allow $1 dict_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dict_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the dict port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Suppresses the denial message only; no access is granted.
define(`corenet_dontaudit_tcp_connect_dict_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dict_port'($*)) dnl
	gen_require(`
		type dict_port_t;
	')

	dontaudit $1 dict_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dict_port'($*)) dnl
')

########################################
## <summary>
##	Send dict_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
# Packet-class rules are only enforced when packets carry a label
# (secmark); otherwise this rule has no effect.
define(`corenet_send_dict_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dict_client_packets'($*)) dnl
	gen_require(`
		type dict_client_packet_t;
	')

	allow $1 dict_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dict_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send dict_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_dict_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dict_client_packets'($*)) dnl
	gen_require(`
		type dict_client_packet_t;
	')

	dontaudit $1 dict_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dict_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive dict_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_dict_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dict_client_packets'($*)) dnl
	gen_require(`
		type dict_client_packet_t;
	')

	allow $1 dict_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dict_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive dict_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses the denial message only; no access is granted.
define(`corenet_dontaudit_receive_dict_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dict_client_packets'($*)) dnl
	gen_require(`
		type dict_client_packet_t;
	')

	dontaudit $1 dict_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dict_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive dict_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
# Convenience wrapper: delegates to the send and receive packet interfaces
# for this packet type, so it has no gen_require block of its own.
define(`corenet_sendrecv_dict_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dict_client_packets'($*)) dnl
	corenet_send_dict_client_packets($1)
	corenet_receive_dict_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dict_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive dict_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Wrapper over the two dontaudit packet interfaces; grants nothing.
define(`corenet_dontaudit_sendrecv_dict_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dict_client_packets'($*)) dnl
	corenet_dontaudit_send_dict_client_packets($1)
	corenet_dontaudit_receive_dict_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dict_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the dict_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Needed by domains that set packet labels; ordinary senders and
# receivers do not need relabelto.
define(`corenet_relabelto_dict_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dict_client_packets'($*)) dnl
	gen_require(`
		type dict_client_packet_t;
	')

	allow $1 dict_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dict_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send dict_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_dict_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dict_server_packets'($*)) dnl
	gen_require(`
		type dict_server_packet_t;
	')

	allow $1 dict_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dict_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send dict_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses the denial message only; no access is granted.
define(`corenet_dontaudit_send_dict_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dict_server_packets'($*)) dnl
	gen_require(`
		type dict_server_packet_t;
	')

	dontaudit $1 dict_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dict_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive dict_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_dict_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dict_server_packets'($*)) dnl
	gen_require(`
		type dict_server_packet_t;
	')

	allow $1 dict_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dict_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive dict_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses the denial message only; no access is granted.
define(`corenet_dontaudit_receive_dict_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dict_server_packets'($*)) dnl
	gen_require(`
		type dict_server_packet_t;
	')

	dontaudit $1 dict_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dict_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive dict_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
# Convenience wrapper: delegates to the send and receive packet interfaces
# for this packet type, so it has no gen_require block of its own.
define(`corenet_sendrecv_dict_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dict_server_packets'($*)) dnl
	corenet_send_dict_server_packets($1)
	corenet_receive_dict_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dict_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive dict_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Wrapper over the two dontaudit packet interfaces; grants nothing.
define(`corenet_dontaudit_sendrecv_dict_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dict_server_packets'($*)) dnl
	corenet_dontaudit_send_dict_server_packets($1)
	corenet_dontaudit_receive_dict_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dict_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the dict_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Needed by domains that set packet labels; ordinary senders and
# receivers do not need relabelto.
define(`corenet_relabelto_dict_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dict_server_packets'($*)) dnl
	gen_require(`
		type dict_server_packet_t;
	')

	allow $1 dict_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dict_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the distccd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
# Unlike the udp variant there is no separate tcp send/receive pair; both
# permissions are granted in a single rule.
define(`corenet_tcp_sendrecv_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_distccd_port'($*)) dnl
	gen_require(`
		type distccd_port_t;
	')

	allow $1 distccd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_distccd_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the distccd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_distccd_port'($*)) dnl
	gen_require(`
		type distccd_port_t;
	')

	allow $1 distccd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_distccd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the distccd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses the denial message only; no access is granted.
define(`corenet_dontaudit_udp_send_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_distccd_port'($*)) dnl
	gen_require(`
		type distccd_port_t;
	')

	dontaudit $1 distccd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_distccd_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the distccd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_distccd_port'($*)) dnl
	gen_require(`
		type distccd_port_t;
	')

	allow $1 distccd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_distccd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the distccd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses the denial message only; no access is granted.
define(`corenet_dontaudit_udp_receive_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_distccd_port'($*)) dnl
	gen_require(`
		type distccd_port_t;
	')

	dontaudit $1 distccd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_distccd_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the distccd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
# Convenience wrapper: delegates to the udp send and receive interfaces for
# this port, so it has no gen_require block of its own.
define(`corenet_udp_sendrecv_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_distccd_port'($*)) dnl
	corenet_udp_send_distccd_port($1)
	corenet_udp_receive_distccd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_distccd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the distccd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Wrapper over the two dontaudit interfaces; grants nothing.
define(`corenet_dontaudit_udp_sendrecv_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_distccd_port'($*)) dnl
	corenet_dontaudit_udp_send_distccd_port($1)
	corenet_dontaudit_udp_receive_distccd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_distccd_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the distccd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
# No net_bind_service capability is granted here, in contrast to the dhcpd
# bind interfaces; distccd_port_t is presumably not a privileged port.
define(`corenet_tcp_bind_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_distccd_port'($*)) dnl
	gen_require(`
		type distccd_port_t;
	')

	allow $1 distccd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_distccd_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the distccd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_bind_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_distccd_port'($*)) dnl
	gen_require(`
		type distccd_port_t;
	')

	allow $1 distccd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_distccd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the distccd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses the denial message only; no access is granted.
define(`corenet_dontaudit_udp_bind_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_distccd_port'($*)) dnl
	gen_require(`
		type distccd_port_t;
	')

	dontaudit $1 distccd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_distccd_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the distccd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_distccd_port'($*)) dnl
	gen_require(`
		type distccd_port_t;
	')

	allow $1 distccd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_distccd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the distccd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Suppresses the denial message only; no access is granted.
define(`corenet_dontaudit_tcp_connect_distccd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_distccd_port'($*)) dnl
	gen_require(`
		type distccd_port_t;
	')

	dontaudit $1 distccd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_distccd_port'($*)) dnl
')

########################################
## <summary>
##	Send distccd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
# Packet-class rules are only enforced when packets carry a label
# (secmark); otherwise this rule has no effect.
define(`corenet_send_distccd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_distccd_client_packets'($*)) dnl
	gen_require(`
		type distccd_client_packet_t;
	')

	allow $1 distccd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_distccd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send distccd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_distccd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_distccd_client_packets'($*)) dnl
	gen_require(`
		type distccd_client_packet_t;
	')

	dontaudit $1 distccd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_distccd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive distccd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_distccd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_distccd_client_packets'($*)) dnl
	gen_require(`
		type distccd_client_packet_t;
	')

	allow $1 distccd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_distccd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive distccd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
# Suppresses the denial message only; no access is granted.
define(`corenet_dontaudit_receive_distccd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_distccd_client_packets'($*)) dnl
	gen_require(`
		type distccd_client_packet_t;
	')

	dontaudit $1 distccd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_distccd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive distccd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_distccd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_distccd_client_packets'($*)) dnl
	# Convenience wrapper: composes the separate send and receive interfaces.
	corenet_send_distccd_client_packets($1)
	corenet_receive_distccd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_distccd_client_packets'($*)) dnl
')

########################################
##
## Do not audit attempts to send and receive distccd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_distccd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_distccd_client_packets'($*)) dnl
	# Audit-suppression wrapper; composes the two dontaudit interfaces and grants no access.
	corenet_dontaudit_send_distccd_client_packets($1)
	corenet_dontaudit_receive_distccd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_distccd_client_packets'($*)) dnl
')

########################################
##
## Relabel packets to the distccd_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_distccd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_distccd_client_packets'($*)) dnl
	gen_require(`
		type distccd_client_packet_t;
	')

	# Only packet relabelto is granted; send and recv stay separate.
	allow $1 distccd_client_packet_t:packet relabelto;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_distccd_client_packets'($*)) dnl
')

########################################
##
## Send distccd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_distccd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_distccd_server_packets'($*)) dnl
	gen_require(`
		type distccd_server_packet_t;
	')

	allow $1 distccd_server_packet_t:packet send;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_distccd_server_packets'($*)) dnl
')

########################################
##
## Do not audit attempts to send distccd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_distccd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_distccd_server_packets'($*)) dnl
	gen_require(`
		type distccd_server_packet_t;
	')

	# Audit suppression only; this interface grants no access.
	dontaudit $1 distccd_server_packet_t:packet send;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_distccd_server_packets'($*)) dnl
')

########################################
##
## Receive distccd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_distccd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_distccd_server_packets'($*)) dnl
	gen_require(`
		type distccd_server_packet_t;
	')

	allow $1 distccd_server_packet_t:packet recv;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_distccd_server_packets'($*)) dnl
')

########################################
##
## Do not audit attempts to receive distccd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_distccd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_distccd_server_packets'($*)) dnl
	gen_require(`
		type distccd_server_packet_t;
	')

	# Audit suppression only; this interface grants no access.
	dontaudit $1 distccd_server_packet_t:packet recv;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_distccd_server_packets'($*)) dnl
')

########################################
##
## Send and receive distccd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_distccd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_distccd_server_packets'($*)) dnl
	# Convenience wrapper: composes the separate send and receive interfaces.
	corenet_send_distccd_server_packets($1)
	corenet_receive_distccd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_distccd_server_packets'($*)) dnl
')

########################################
##
## Do not audit attempts to send and receive distccd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_distccd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_distccd_server_packets'($*)) dnl
	# Audit-suppression wrapper; composes the two dontaudit interfaces and grants no access.
	corenet_dontaudit_send_distccd_server_packets($1)
	corenet_dontaudit_receive_distccd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_distccd_server_packets'($*)) dnl
')

########################################
##
## Relabel packets to the distccd_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_distccd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_distccd_server_packets'($*)) dnl
	gen_require(`
		type distccd_server_packet_t;
	')

	# Only packet relabelto is granted; send and recv stay separate.
	allow $1 distccd_server_packet_t:packet relabelto;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_distccd_server_packets'($*)) dnl
')

########################################
##
## Send and receive TCP traffic on the dogtag port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dogtag_port'($*)) dnl
	gen_require(`
		type dogtag_port_t;
	')

	# Port-level send_msg/recv_msg on the TCP socket class only;
	# bind and connect are separate interfaces.
	allow $1 dogtag_port_t:tcp_socket { send_msg recv_msg };

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dogtag_port'($*)) dnl
')

########################################
##
## Send UDP traffic on the dogtag port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dogtag_port'($*)) dnl
	gen_require(`
		type dogtag_port_t;
	')

	allow $1 dogtag_port_t:udp_socket send_msg;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dogtag_port'($*)) dnl
')

########################################
##
## Do not audit attempts to send UDP traffic on the dogtag port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dogtag_port'($*)) dnl
	gen_require(`
		type dogtag_port_t;
	')

	# Audit suppression only; this interface grants no access.
	dontaudit $1 dogtag_port_t:udp_socket send_msg;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dogtag_port'($*)) dnl
')

########################################
##
## Receive UDP traffic on the dogtag port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dogtag_port'($*)) dnl
	gen_require(`
		type dogtag_port_t;
	')

	allow $1 dogtag_port_t:udp_socket recv_msg;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dogtag_port'($*)) dnl
')

########################################
##
## Do not audit attempts to receive UDP traffic on the dogtag port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dogtag_port'($*)) dnl
	gen_require(`
		type dogtag_port_t;
	')

	# Audit suppression only; this interface grants no access.
	dontaudit $1 dogtag_port_t:udp_socket recv_msg;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dogtag_port'($*)) dnl
')

########################################
##
## Send and receive UDP traffic on the dogtag port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dogtag_port'($*)) dnl
	# Convenience wrapper: composes the separate send and receive interfaces.
	corenet_udp_send_dogtag_port($1)
	corenet_udp_receive_dogtag_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dogtag_port'($*)) dnl
')

########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the dogtag port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dogtag_port'($*)) dnl
	# Audit-suppression wrapper; composes the two dontaudit interfaces and grants no access.
	corenet_dontaudit_udp_send_dogtag_port($1)
	corenet_dontaudit_udp_receive_dogtag_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dogtag_port'($*)) dnl
')

########################################
##
## Bind TCP sockets to the dogtag port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dogtag_port'($*)) dnl
	gen_require(`
		type dogtag_port_t;
	')

	# No net_bind_service capability is granted here; presumably the dogtag
	# port is not a reserved (below 1024) port -- confirm against the port
	# declaration.
	allow $1 dogtag_port_t:tcp_socket name_bind;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dogtag_port'($*)) dnl
')

########################################
##
## Bind UDP sockets to the dogtag port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dogtag_port'($*)) dnl
	gen_require(`
		type dogtag_port_t;
	')

	# No net_bind_service capability is granted here; presumably the dogtag
	# port is not a reserved (below 1024) port -- confirm against the port
	# declaration.
	allow $1 dogtag_port_t:udp_socket name_bind;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dogtag_port'($*)) dnl
')

########################################
##
## Do not audit attempts to bind UDP sockets to the dogtag port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dogtag_port'($*)) dnl
	gen_require(`
		type dogtag_port_t;
	')

	# Audit suppression only; this interface grants no access.
	dontaudit $1 dogtag_port_t:udp_socket name_bind;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dogtag_port'($*)) dnl
')

########################################
##
## Make a TCP connection to the dogtag port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dogtag_port'($*)) dnl
	gen_require(`
		type dogtag_port_t;
	')

	# Outbound side only: name_connect on the port label.
	allow $1 dogtag_port_t:tcp_socket name_connect;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dogtag_port'($*)) dnl
')

########################################
##
## Do not audit attempts to make a TCP connection to dogtag port.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_dogtag_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dogtag_port'($*)) dnl
	gen_require(`
		type dogtag_port_t;
	')

	# Audit suppression only; this interface grants no access.
	dontaudit $1 dogtag_port_t:tcp_socket name_connect;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dogtag_port'($*)) dnl
')

########################################
##
## Send dogtag_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dogtag_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dogtag_client_packets'($*)) dnl
	gen_require(`
		type dogtag_client_packet_t;
	')

	allow $1 dogtag_client_packet_t:packet send;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dogtag_client_packets'($*)) dnl
')

########################################
##
## Do not audit attempts to send dogtag_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dogtag_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dogtag_client_packets'($*)) dnl
	gen_require(`
		type dogtag_client_packet_t;
	')

	# Audit suppression only; this interface grants no access.
	dontaudit $1 dogtag_client_packet_t:packet send;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dogtag_client_packets'($*)) dnl
')

########################################
##
## Receive dogtag_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dogtag_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dogtag_client_packets'($*)) dnl
	gen_require(`
		type dogtag_client_packet_t;
	')

	allow $1 dogtag_client_packet_t:packet recv;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dogtag_client_packets'($*)) dnl
')

########################################
##
## Do not audit attempts to receive dogtag_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_dogtag_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dogtag_client_packets'($*)) dnl
	gen_require(`
		type dogtag_client_packet_t;
	')

	# Audit suppression only; this interface grants no access.
	dontaudit $1 dogtag_client_packet_t:packet recv;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dogtag_client_packets'($*)) dnl
')

########################################
##
## Send and receive dogtag_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dogtag_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dogtag_client_packets'($*)) dnl
	# Convenience wrapper: composes the separate send and receive interfaces.
	corenet_send_dogtag_client_packets($1)
	corenet_receive_dogtag_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dogtag_client_packets'($*)) dnl
')

########################################
##
## Do not audit attempts to send and receive dogtag_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dogtag_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dogtag_client_packets'($*)) dnl
	# Audit-suppression wrapper; composes the two dontaudit interfaces and grants no access.
	corenet_dontaudit_send_dogtag_client_packets($1)
	corenet_dontaudit_receive_dogtag_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dogtag_client_packets'($*)) dnl
')

########################################
##
## Relabel packets to the dogtag_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dogtag_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dogtag_client_packets'($*)) dnl
	gen_require(`
		type dogtag_client_packet_t;
	')

	# Only packet relabelto is granted; send and recv stay separate.
	allow $1 dogtag_client_packet_t:packet relabelto;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dogtag_client_packets'($*)) dnl
')

########################################
##
## Send dogtag_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dogtag_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dogtag_server_packets'($*)) dnl
	gen_require(`
		type dogtag_server_packet_t;
	')

	allow $1 dogtag_server_packet_t:packet send;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dogtag_server_packets'($*)) dnl
')

########################################
##
## Do not audit attempts to send dogtag_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dogtag_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dogtag_server_packets'($*)) dnl
	gen_require(`
		type dogtag_server_packet_t;
	')

	# Audit suppression only; this interface grants no access.
	dontaudit $1 dogtag_server_packet_t:packet send;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dogtag_server_packets'($*)) dnl
')

########################################
##
## Receive dogtag_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dogtag_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dogtag_server_packets'($*)) dnl
	gen_require(`
		type dogtag_server_packet_t;
	')

	allow $1 dogtag_server_packet_t:packet recv;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dogtag_server_packets'($*)) dnl
')

########################################
##
## Do not audit attempts to receive dogtag_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_dogtag_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dogtag_server_packets'($*)) dnl
	gen_require(`
		type dogtag_server_packet_t;
	')

	# Audit suppression only; this interface grants no access.
	dontaudit $1 dogtag_server_packet_t:packet recv;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dogtag_server_packets'($*)) dnl
')

########################################
##
## Send and receive dogtag_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dogtag_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dogtag_server_packets'($*)) dnl
	# Convenience wrapper: composes the separate send and receive interfaces.
	corenet_send_dogtag_server_packets($1)
	corenet_receive_dogtag_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dogtag_server_packets'($*)) dnl
')

########################################
##
## Do not audit attempts to send and receive dogtag_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dogtag_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dogtag_server_packets'($*)) dnl
	# Audit-suppression wrapper; composes the two dontaudit interfaces and grants no access.
	corenet_dontaudit_send_dogtag_server_packets($1)
	corenet_dontaudit_receive_dogtag_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dogtag_server_packets'($*)) dnl
')

########################################
##
## Relabel packets to the dogtag_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dogtag_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dogtag_server_packets'($*)) dnl
	gen_require(`
		type dogtag_server_packet_t;
	')

	# Only packet relabelto is granted; send and recv stay separate.
	allow $1 dogtag_server_packet_t:packet relabelto;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dogtag_server_packets'($*)) dnl
')

########################################
##
## Send and receive TCP traffic on the dns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dns_port'($*)) dnl
	gen_require(`
		type dns_port_t;
	')

	# Port-level send_msg/recv_msg on the TCP socket class only;
	# bind and connect are separate interfaces.
	allow $1 dns_port_t:tcp_socket { send_msg recv_msg };

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dns_port'($*)) dnl
')

########################################
##
## Send UDP traffic on the dns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dns_port'($*)) dnl
	gen_require(`
		type dns_port_t;
	')

	allow $1 dns_port_t:udp_socket send_msg;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dns_port'($*)) dnl
')

########################################
##
## Do not audit attempts to send UDP traffic on the dns port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dns_port'($*)) dnl
	gen_require(`
		type dns_port_t;
	')

	# Audit suppression only; this interface grants no access.
	dontaudit $1 dns_port_t:udp_socket send_msg;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dns_port'($*)) dnl
')

########################################
##
## Receive UDP traffic on the dns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dns_port'($*)) dnl
	gen_require(`
		type dns_port_t;
	')

	allow $1 dns_port_t:udp_socket recv_msg;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dns_port'($*)) dnl
')

########################################
##
## Do not audit attempts to receive UDP traffic on the dns port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dns_port'($*)) dnl
	gen_require(`
		type dns_port_t;
	')

	# Audit suppression only; this interface grants no access.
	dontaudit $1 dns_port_t:udp_socket recv_msg;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dns_port'($*)) dnl
')

########################################
##
## Send and receive UDP traffic on the dns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dns_port'($*)) dnl
	# Convenience wrapper: composes the separate send and receive interfaces.
	corenet_udp_send_dns_port($1)
	corenet_udp_receive_dns_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dns_port'($*)) dnl
')

########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the dns port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dns_port'($*)) dnl
	# Audit-suppression wrapper; composes the two dontaudit interfaces and grants no access.
	corenet_dontaudit_udp_send_dns_port($1)
	corenet_dontaudit_udp_receive_dns_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dns_port'($*)) dnl
')

########################################
##
## Bind TCP sockets to the dns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dns_port'($*)) dnl
	gen_require(`
		type dns_port_t;
	')

	allow $1 dns_port_t:tcp_socket name_bind;
	# Binding the DNS port also needs CAP_NET_BIND_SERVICE because it is a
	# reserved port (below 1024). The capability is not port-specific -- at
	# the capability layer it permits any reserved port -- so the port label
	# above is what keeps SELinux name_bind limited to dns_port_t. Callers
	# that only need an unprivileged port should not use this interface.
	allow $1 self:capability net_bind_service;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dns_port'($*)) dnl
')

########################################
##
## Bind UDP sockets to the dns port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dns_port'($*)) dnl
	gen_require(`
		type dns_port_t;
	')

	allow $1 dns_port_t:udp_socket name_bind;
	# Same reserved-port rationale as the TCP variant: net_bind_service is
	# required for a port below 1024 and is not port-specific; the port
	# label keeps SELinux name_bind limited to dns_port_t.
	allow $1 self:capability net_bind_service;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dns_port'($*)) dnl
')

########################################
##
## Do not audit attempts to bind UDP sockets to the dns port.
##
##
##
## Domain to not audit.
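##
##
##
#
define(`corenet_dontaudit_udp_bind_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dns_port'($*)) dnl
	gen_require(`
		type dns_port_t;
	')

	# Audit suppression only. This interface must NOT grant
	# net_bind_service: a dontaudit interface is expected to add no
	# access at all -- a caller that merely wants to silence a bind
	# denial would otherwise silently gain CAP_NET_BIND_SERVICE and with
	# it the ability to bind any reserved port. Domains that really need
	# to bind the DNS port must call corenet_udp_bind_dns_port instead.
	dontaudit $1 dns_port_t:udp_socket name_bind;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dns_port'($*)) dnl
')

########################################
##
## Make a TCP connection to the dns port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dns_port'($*)) dnl
	gen_require(`
		type dns_port_t;
	')

	# Outbound side only: name_connect on the port label.
	allow $1 dns_port_t:tcp_socket name_connect;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dns_port'($*)) dnl
')

########################################
##
## Do not audit attempts to make a TCP connection to dns port.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_dns_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dns_port'($*)) dnl
	gen_require(`
		type dns_port_t;
	')

	# Audit suppression only; this interface grants no access.
	dontaudit $1 dns_port_t:tcp_socket name_connect;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dns_port'($*)) dnl
')

########################################
##
## Send dns_client packets.
##
##
##
## Domain allowed access.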
##
##
##
#
define(`corenet_send_dns_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dns_client_packets'($*)) dnl
	gen_require(`
		type dns_client_packet_t;
	')

	allow $1 dns_client_packet_t:packet send;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dns_client_packets'($*)) dnl
')

########################################
##
## Do not audit attempts to send dns_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dns_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dns_client_packets'($*)) dnl
	gen_require(`
		type dns_client_packet_t;
	')

	# Audit suppression only; this interface grants no access.
	dontaudit $1 dns_client_packet_t:packet send;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dns_client_packets'($*)) dnl
')

########################################
##
## Receive dns_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dns_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dns_client_packets'($*)) dnl
	gen_require(`
		type dns_client_packet_t;
	')

	allow $1 dns_client_packet_t:packet recv;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dns_client_packets'($*)) dnl
')

########################################
##
## Do not audit attempts to receive dns_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_dns_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dns_client_packets'($*)) dnl
	gen_require(`
		type dns_client_packet_t;
	')

	# Audit suppression only; this interface grants no access.
	dontaudit $1 dns_client_packet_t:packet recv;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dns_client_packets'($*)) dnl
')

########################################
##
## Send and receive dns_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dns_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dns_client_packets'($*)) dnl
	# Convenience wrapper: composes the separate send and receive interfaces.
	corenet_send_dns_client_packets($1)
	corenet_receive_dns_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dns_client_packets'($*)) dnl
')

########################################
##
## Do not audit attempts to send and receive dns_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_dns_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dns_client_packets'($*)) dnl
	# Audit-suppression wrapper; composes the two dontaudit interfaces and grants no access.
	corenet_dontaudit_send_dns_client_packets($1)
	corenet_dontaudit_receive_dns_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dns_client_packets'($*)) dnl
')

########################################
##
## Relabel packets to the dns_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_dns_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dns_client_packets'($*)) dnl
	gen_require(`
		type dns_client_packet_t;
	')

	# Only packet relabelto is granted; send and recv stay separate.
	allow $1 dns_client_packet_t:packet relabelto;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dns_client_packets'($*)) dnl
')

########################################
##
## Send dns_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_dns_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dns_server_packets'($*)) dnl
	gen_require(`
		type dns_server_packet_t;
	')

	allow $1 dns_server_packet_t:packet send;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dns_server_packets'($*)) dnl
')

########################################
##
## Do not audit attempts to send dns_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_dns_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dns_server_packets'($*)) dnl
	gen_require(`
		type dns_server_packet_t;
	')

	# Audit suppression only; this interface grants no access.
	dontaudit $1 dns_server_packet_t:packet send;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dns_server_packets'($*)) dnl
')

########################################
##
## Receive dns_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_dns_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dns_server_packets'($*)) dnl
	gen_require(`
		type dns_server_packet_t;
	')

	allow $1 dns_server_packet_t:packet recv;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dns_server_packets'($*)) dnl
')

########################################
##
## Do not audit attempts to receive dns_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_dns_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dns_server_packets'($*)) dnl
	gen_require(`
		type dns_server_packet_t;
	')

	# Audit suppression only; this interface grants no access.
	dontaudit $1 dns_server_packet_t:packet recv;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dns_server_packets'($*)) dnl
')

########################################
##
## Send and receive dns_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_dns_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dns_server_packets'($*)) dnl
	# Convenience wrapper: composes the separate send and receive interfaces.
	corenet_send_dns_server_packets($1)
	corenet_receive_dns_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dns_server_packets'($*)) dnl
')

########################################
##
## Do not audit attempts to send and receive dns_server packets.
##
##
##
## Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_dns_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dns_server_packets'($*)) dnl
	corenet_dontaudit_send_dns_server_packets($1)
	corenet_dontaudit_receive_dns_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dns_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the dns_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_dns_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dns_server_packets'($*)) dnl
	gen_require(`
		type dns_server_packet_t;
	')

	allow $1 dns_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dns_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the dnssec port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_dnssec_port'($*)) dnl
	gen_require(`
		type dnssec_port_t;
	')

	allow $1 dnssec_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_dnssec_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the dnssec port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_dnssec_port'($*)) dnl
	gen_require(`
		type dnssec_port_t;
	')

	allow $1 dnssec_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_dnssec_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the dnssec port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_dnssec_port'($*)) dnl
	gen_require(`
		type dnssec_port_t;
	')

	dontaudit $1 dnssec_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_dnssec_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the dnssec port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_dnssec_port'($*)) dnl
	gen_require(`
		type dnssec_port_t;
	')

	allow $1 dnssec_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_dnssec_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the dnssec port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_dnssec_port'($*)) dnl
	gen_require(`
		type dnssec_port_t;
	')

	dontaudit $1 dnssec_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_dnssec_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the dnssec port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_dnssec_port'($*)) dnl
	corenet_udp_send_dnssec_port($1)
	corenet_udp_receive_dnssec_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_dnssec_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the dnssec port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_dnssec_port'($*)) dnl
	corenet_dontaudit_udp_send_dnssec_port($1)
	corenet_dontaudit_udp_receive_dnssec_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_dnssec_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the dnssec port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_dnssec_port'($*)) dnl
	gen_require(`
		type dnssec_port_t;
	')

	allow $1 dnssec_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_dnssec_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the dnssec port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_dnssec_port'($*)) dnl
	gen_require(`
		type dnssec_port_t;
	')

	allow $1 dnssec_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_dnssec_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the dnssec port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_dnssec_port'($*)) dnl
	gen_require(`
		type dnssec_port_t;
	')

	dontaudit $1 dnssec_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_dnssec_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the dnssec port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_dnssec_port'($*)) dnl
	gen_require(`
		type dnssec_port_t;
	')

	allow $1 dnssec_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_dnssec_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the dnssec port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_dnssec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_dnssec_port'($*)) dnl
	gen_require(`
		type dnssec_port_t;
	')

	dontaudit $1 dnssec_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_dnssec_port'($*)) dnl
')

########################################
## <summary>
##	Send dnssec_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_dnssec_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dnssec_client_packets'($*)) dnl
	gen_require(`
		type dnssec_client_packet_t;
	')

	allow $1 dnssec_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dnssec_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send dnssec_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_dnssec_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dnssec_client_packets'($*)) dnl
	gen_require(`
		type dnssec_client_packet_t;
	')

	dontaudit $1 dnssec_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dnssec_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive dnssec_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_dnssec_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dnssec_client_packets'($*)) dnl
	gen_require(`
		type dnssec_client_packet_t;
	')

	allow $1 dnssec_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dnssec_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive dnssec_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_dnssec_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dnssec_client_packets'($*)) dnl
	gen_require(`
		type dnssec_client_packet_t;
	')

	dontaudit $1 dnssec_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dnssec_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive dnssec_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_dnssec_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dnssec_client_packets'($*)) dnl
	corenet_send_dnssec_client_packets($1)
	corenet_receive_dnssec_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dnssec_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive dnssec_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_dnssec_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dnssec_client_packets'($*)) dnl
	corenet_dontaudit_send_dnssec_client_packets($1)
	corenet_dontaudit_receive_dnssec_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dnssec_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the dnssec_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_dnssec_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dnssec_client_packets'($*)) dnl
	gen_require(`
		type dnssec_client_packet_t;
	')

	allow $1 dnssec_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dnssec_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send dnssec_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_dnssec_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_dnssec_server_packets'($*)) dnl
	gen_require(`
		type dnssec_server_packet_t;
	')

	allow $1 dnssec_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_dnssec_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send dnssec_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_dnssec_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_dnssec_server_packets'($*)) dnl
	gen_require(`
		type dnssec_server_packet_t;
	')

	dontaudit $1 dnssec_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_dnssec_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive dnssec_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_dnssec_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_dnssec_server_packets'($*)) dnl
	gen_require(`
		type dnssec_server_packet_t;
	')

	allow $1 dnssec_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_dnssec_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive dnssec_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_dnssec_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_dnssec_server_packets'($*)) dnl
	gen_require(`
		type dnssec_server_packet_t;
	')

	dontaudit $1 dnssec_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_dnssec_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive dnssec_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_dnssec_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_dnssec_server_packets'($*)) dnl
	corenet_send_dnssec_server_packets($1)
	corenet_receive_dnssec_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_dnssec_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive dnssec_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_dnssec_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_dnssec_server_packets'($*)) dnl
	corenet_dontaudit_send_dnssec_server_packets($1)
	corenet_dontaudit_receive_dnssec_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_dnssec_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the dnssec_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_dnssec_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_dnssec_server_packets'($*)) dnl
	gen_require(`
		type dnssec_server_packet_t;
	')

	allow $1 dnssec_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_dnssec_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_echo_port'($*)) dnl
	gen_require(`
		type echo_port_t;
	')

	allow $1 echo_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_echo_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_echo_port'($*)) dnl
	gen_require(`
		type echo_port_t;
	')

	allow $1 echo_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_echo_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_echo_port'($*)) dnl
	gen_require(`
		type echo_port_t;
	')

	dontaudit $1 echo_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_echo_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_echo_port'($*)) dnl
	gen_require(`
		type echo_port_t;
	')

	allow $1 echo_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_echo_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_echo_port'($*)) dnl
	gen_require(`
		type echo_port_t;
	')

	dontaudit $1 echo_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_echo_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_echo_port'($*)) dnl
	corenet_udp_send_echo_port($1)
	corenet_udp_receive_echo_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_echo_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_echo_port'($*)) dnl
	corenet_dontaudit_udp_send_echo_port($1)
	corenet_dontaudit_udp_receive_echo_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_echo_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_echo_port'($*)) dnl
	gen_require(`
		type echo_port_t;
	')

	allow $1 echo_port_t:tcp_socket name_bind;
	# echo is a privileged (below 1024) port, so binding also needs net_bind_service
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_echo_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
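##	</summary>
## </param>
#
define(`corenet_udp_bind_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_echo_port'($*)) dnl
	gen_require(`
		type echo_port_t;
	')

	allow $1 echo_port_t:udp_socket name_bind;
	# echo is a privileged (below 1024) port, so binding also needs net_bind_service
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_echo_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_echo_port'($*)) dnl
	gen_require(`
		type echo_port_t;
	')

	# A dontaudit interface only silences denials; it must not grant access.
	# The net_bind_service capability belongs in corenet_udp_bind_echo_port only.
	dontaudit $1 echo_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_echo_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_echo_port'($*)) dnl
	gen_require(`
		type echo_port_t;
	')

	allow $1 echo_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_echo_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the echo port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.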
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_echo_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_echo_port'($*)) dnl
	gen_require(`
		type echo_port_t;
	')

	dontaudit $1 echo_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_echo_port'($*)) dnl
')

########################################
## <summary>
##	Send echo_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_echo_client_packets'($*)) dnl
	gen_require(`
		type echo_client_packet_t;
	')

	allow $1 echo_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_echo_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send echo_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_echo_client_packets'($*)) dnl
	gen_require(`
		type echo_client_packet_t;
	')

	dontaudit $1 echo_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_echo_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive echo_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_echo_client_packets'($*)) dnl
	gen_require(`
		type echo_client_packet_t;
	')

	allow $1 echo_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_echo_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive echo_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_echo_client_packets'($*)) dnl
	gen_require(`
		type echo_client_packet_t;
	')

	dontaudit $1 echo_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_echo_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive echo_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_echo_client_packets'($*)) dnl
	corenet_send_echo_client_packets($1)
	corenet_receive_echo_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_echo_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive echo_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_echo_client_packets'($*)) dnl
	corenet_dontaudit_send_echo_client_packets($1)
	corenet_dontaudit_receive_echo_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_echo_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the echo_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_echo_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_echo_client_packets'($*)) dnl
	gen_require(`
		type echo_client_packet_t;
	')

	allow $1 echo_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_echo_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send echo_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_echo_server_packets'($*)) dnl
	gen_require(`
		type echo_server_packet_t;
	')

	allow $1 echo_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_echo_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send echo_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_echo_server_packets'($*)) dnl
	gen_require(`
		type echo_server_packet_t;
	')

	dontaudit $1 echo_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_echo_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive echo_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_echo_server_packets'($*)) dnl
	gen_require(`
		type echo_server_packet_t;
	')

	allow $1 echo_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_echo_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive echo_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_echo_server_packets'($*)) dnl
	gen_require(`
		type echo_server_packet_t;
	')

	dontaudit $1 echo_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_echo_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive echo_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_echo_server_packets'($*)) dnl
	corenet_send_echo_server_packets($1)
	corenet_receive_echo_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_echo_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive echo_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_echo_server_packets'($*)) dnl
	corenet_dontaudit_send_echo_server_packets($1)
	corenet_dontaudit_receive_echo_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_echo_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the echo_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_echo_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_echo_server_packets'($*)) dnl
	gen_require(`
		type echo_server_packet_t;
	')

	allow $1 echo_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_echo_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the efs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_efs_port'($*)) dnl
	gen_require(`
		type efs_port_t;
	')

	allow $1 efs_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_efs_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the efs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_efs_port'($*)) dnl
	gen_require(`
		type efs_port_t;
	')

	allow $1 efs_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_efs_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the efs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_efs_port'($*)) dnl
	gen_require(`
		type efs_port_t;
	')

	dontaudit $1 efs_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_efs_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the efs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_efs_port'($*)) dnl
	gen_require(`
		type efs_port_t;
	')

	allow $1 efs_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_efs_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the efs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_efs_port'($*)) dnl
	gen_require(`
		type efs_port_t;
	')

	dontaudit $1 efs_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_efs_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the efs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_efs_port'($*)) dnl
	corenet_udp_send_efs_port($1)
	corenet_udp_receive_efs_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_efs_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the efs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_sendrecv_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_efs_port'($*)) dnl
	# Composed from the single-direction dontaudit interfaces.
	corenet_dontaudit_udp_send_efs_port($1)
	corenet_dontaudit_udp_receive_efs_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_efs_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the efs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_efs_port'($*)) dnl
	gen_require(`
		type efs_port_t;
	')

	allow $1 efs_port_t:tcp_socket name_bind;
	# The bind is paired with CAP_NET_BIND_SERVICE, presumably because
	# efs is a reserved (<1024) port; this capability is process-wide,
	# so only grant this interface to domains that really listen here.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_efs_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the efs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_efs_port'($*)) dnl
	gen_require(`
		type efs_port_t;
	')

	allow $1 efs_port_t:udp_socket name_bind;
	# Same reserved-port pairing as the TCP bind interface (see above).
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_efs_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the efs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
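##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_bind_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_efs_port'($*)) dnl
	gen_require(`
		type efs_port_t;
	')

	# A dontaudit interface must only silence a denial, never grant
	# access.  The original body also contained
	#   allow $1 self:capability net_bind_service;
	# which handed CAP_NET_BIND_SERVICE (the ability to bind ANY reserved
	# port) to every caller that merely wanted this denial quiet.  That
	# allow has been removed; domains that genuinely bind here must call
	# corenet_udp_bind_efs_port instead.
	dontaudit $1 efs_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_efs_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the efs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_efs_port'($*)) dnl
	gen_require(`
		type efs_port_t;
	')

	# name_connect only; send/recv on the connection is a separate interface
	allow $1 efs_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_efs_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the efs port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_efs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_efs_port'($*)) dnl
	gen_require(`
		type efs_port_t;
	')

	# Suppresses the AVC denial only; the connect is still refused.
	dontaudit $1 efs_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_efs_port'($*)) dnl
')

########################################
## <summary>
##	Send efs_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.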
##	</summary>
## </param>
##
#
define(`corenet_send_efs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_efs_client_packets'($*)) dnl
	gen_require(`
		type efs_client_packet_t;
	')

	# packet class: only meaningful when SECMARK labeling is in use
	allow $1 efs_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_efs_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send efs_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_efs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_efs_client_packets'($*)) dnl
	gen_require(`
		type efs_client_packet_t;
	')

	dontaudit $1 efs_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_efs_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive efs_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_efs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_efs_client_packets'($*)) dnl
	gen_require(`
		type efs_client_packet_t;
	')

	allow $1 efs_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_efs_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive efs_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_efs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_efs_client_packets'($*)) dnl
	gen_require(`
		type efs_client_packet_t;
	')

	dontaudit $1 efs_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_efs_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive efs_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_efs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_efs_client_packets'($*)) dnl
	# composed from the single-direction interfaces
	corenet_send_efs_client_packets($1)
	corenet_receive_efs_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_efs_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive efs_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_efs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_efs_client_packets'($*)) dnl
	corenet_dontaudit_send_efs_client_packets($1)
	corenet_dontaudit_receive_efs_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_efs_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the efs_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_efs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_efs_client_packets'($*)) dnl
	gen_require(`
		type efs_client_packet_t;
	')

	# relabelto on packets lets the caller assign this SECMARK label;
	# normally only the firewall-management domain should hold it
	allow $1 efs_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_efs_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send efs_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_efs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_efs_server_packets'($*)) dnl
	gen_require(`
		type efs_server_packet_t;
	')

	allow $1 efs_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_efs_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send efs_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_efs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_efs_server_packets'($*)) dnl
	gen_require(`
		type efs_server_packet_t;
	')

	dontaudit $1 efs_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_efs_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive efs_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_efs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_efs_server_packets'($*)) dnl
	gen_require(`
		type efs_server_packet_t;
	')

	allow $1 efs_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_efs_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive efs_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_efs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_efs_server_packets'($*)) dnl
	gen_require(`
		type efs_server_packet_t;
	')

	dontaudit $1 efs_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_efs_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive efs_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_efs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_efs_server_packets'($*)) dnl
	# composed from the single-direction interfaces
	corenet_send_efs_server_packets($1)
	corenet_receive_efs_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_efs_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive efs_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_efs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_efs_server_packets'($*)) dnl
	corenet_dontaudit_send_efs_server_packets($1)
	corenet_dontaudit_receive_efs_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_efs_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the efs_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_efs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_efs_server_packets'($*)) dnl
	gen_require(`
		type efs_server_packet_t;
	')

	# assigning SECMARK labels is a firewall-management privilege
	allow $1 efs_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_efs_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the embrace_dp_c port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_embrace_dp_c_port'($*)) dnl
	gen_require(`
		type embrace_dp_c_port_t;
	')

	# traffic only; bind/connect are separate interfaces
	allow $1 embrace_dp_c_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_embrace_dp_c_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the embrace_dp_c port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_embrace_dp_c_port'($*)) dnl
	gen_require(`
		type embrace_dp_c_port_t;
	')

	allow $1 embrace_dp_c_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_embrace_dp_c_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the embrace_dp_c port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_embrace_dp_c_port'($*)) dnl
	gen_require(`
		type embrace_dp_c_port_t;
	')

	# silence only; nothing is granted
	dontaudit $1 embrace_dp_c_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_embrace_dp_c_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the embrace_dp_c port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_embrace_dp_c_port'($*)) dnl
	gen_require(`
		type embrace_dp_c_port_t;
	')

	allow $1 embrace_dp_c_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_embrace_dp_c_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the embrace_dp_c port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_receive_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_embrace_dp_c_port'($*)) dnl
	gen_require(`
		type embrace_dp_c_port_t;
	')

	dontaudit $1 embrace_dp_c_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_embrace_dp_c_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the embrace_dp_c port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_embrace_dp_c_port'($*)) dnl
	# composed from the single-direction interfaces
	corenet_udp_send_embrace_dp_c_port($1)
	corenet_udp_receive_embrace_dp_c_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_embrace_dp_c_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the embrace_dp_c port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_embrace_dp_c_port'($*)) dnl
	corenet_dontaudit_udp_send_embrace_dp_c_port($1)
	corenet_dontaudit_udp_receive_embrace_dp_c_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_embrace_dp_c_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the embrace_dp_c port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_embrace_dp_c_port'($*)) dnl
	gen_require(`
		type embrace_dp_c_port_t;
	')

	# Unlike the efs/epmap bind interfaces this grants no
	# net_bind_service capability, presumably because embrace_dp_c is
	# not a reserved port.
	allow $1 embrace_dp_c_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_embrace_dp_c_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the embrace_dp_c port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_embrace_dp_c_port'($*)) dnl
	gen_require(`
		type embrace_dp_c_port_t;
	')

	allow $1 embrace_dp_c_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_embrace_dp_c_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the embrace_dp_c port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_embrace_dp_c_port'($*)) dnl
	gen_require(`
		type embrace_dp_c_port_t;
	')

	# silence only; nothing is granted
	dontaudit $1 embrace_dp_c_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_embrace_dp_c_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the embrace_dp_c port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_embrace_dp_c_port'($*)) dnl
	gen_require(`
		type embrace_dp_c_port_t;
	')

	allow $1 embrace_dp_c_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_embrace_dp_c_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the embrace_dp_c port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_embrace_dp_c_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_embrace_dp_c_port'($*)) dnl
	gen_require(`
		type embrace_dp_c_port_t;
	')

	# silence only; the connect is still refused
	dontaudit $1 embrace_dp_c_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_embrace_dp_c_port'($*)) dnl
')

########################################
## <summary>
##	Send embrace_dp_c_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_embrace_dp_c_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_embrace_dp_c_client_packets'($*)) dnl
	gen_require(`
		type embrace_dp_c_client_packet_t;
	')

	# packet class: effective only with SECMARK labeling
	allow $1 embrace_dp_c_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_embrace_dp_c_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send embrace_dp_c_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_embrace_dp_c_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_embrace_dp_c_client_packets'($*)) dnl
	gen_require(`
		type embrace_dp_c_client_packet_t;
	')

	dontaudit $1 embrace_dp_c_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_embrace_dp_c_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive embrace_dp_c_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_embrace_dp_c_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_embrace_dp_c_client_packets'($*)) dnl
	gen_require(`
		type embrace_dp_c_client_packet_t;
	')

	allow $1 embrace_dp_c_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_embrace_dp_c_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive embrace_dp_c_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_embrace_dp_c_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_embrace_dp_c_client_packets'($*)) dnl
	gen_require(`
		type embrace_dp_c_client_packet_t;
	')

	dontaudit $1 embrace_dp_c_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_embrace_dp_c_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive embrace_dp_c_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_embrace_dp_c_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_embrace_dp_c_client_packets'($*)) dnl
	# composed from the single-direction interfaces
	corenet_send_embrace_dp_c_client_packets($1)
	corenet_receive_embrace_dp_c_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_embrace_dp_c_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive embrace_dp_c_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_embrace_dp_c_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_embrace_dp_c_client_packets'($*)) dnl
	corenet_dontaudit_send_embrace_dp_c_client_packets($1)
	corenet_dontaudit_receive_embrace_dp_c_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_embrace_dp_c_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the embrace_dp_c_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_embrace_dp_c_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_embrace_dp_c_client_packets'($*)) dnl
	gen_require(`
		type embrace_dp_c_client_packet_t;
	')

	# assigning SECMARK labels is a firewall-management privilege
	allow $1 embrace_dp_c_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_embrace_dp_c_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send embrace_dp_c_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_embrace_dp_c_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_embrace_dp_c_server_packets'($*)) dnl
	gen_require(`
		type embrace_dp_c_server_packet_t;
	')

	allow $1 embrace_dp_c_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_embrace_dp_c_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send embrace_dp_c_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_embrace_dp_c_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_embrace_dp_c_server_packets'($*)) dnl
	gen_require(`
		type embrace_dp_c_server_packet_t;
	')

	dontaudit $1 embrace_dp_c_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_embrace_dp_c_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive embrace_dp_c_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_embrace_dp_c_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_embrace_dp_c_server_packets'($*)) dnl
	gen_require(`
		type embrace_dp_c_server_packet_t;
	')

	allow $1 embrace_dp_c_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_embrace_dp_c_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive embrace_dp_c_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_embrace_dp_c_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_embrace_dp_c_server_packets'($*)) dnl
	gen_require(`
		type embrace_dp_c_server_packet_t;
	')

	dontaudit $1 embrace_dp_c_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_embrace_dp_c_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive embrace_dp_c_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_embrace_dp_c_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_embrace_dp_c_server_packets'($*)) dnl
	# composed from the single-direction interfaces
	corenet_send_embrace_dp_c_server_packets($1)
	corenet_receive_embrace_dp_c_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_embrace_dp_c_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive embrace_dp_c_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_embrace_dp_c_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_embrace_dp_c_server_packets'($*)) dnl
	corenet_dontaudit_send_embrace_dp_c_server_packets($1)
	corenet_dontaudit_receive_embrace_dp_c_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_embrace_dp_c_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the embrace_dp_c_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_embrace_dp_c_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_embrace_dp_c_server_packets'($*)) dnl
	gen_require(`
		type embrace_dp_c_server_packet_t;
	')

	# assigning SECMARK labels is a firewall-management privilege
	allow $1 embrace_dp_c_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_embrace_dp_c_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the epmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_epmap_port'($*)) dnl
	gen_require(`
		type epmap_port_t;
	')

	# traffic only; bind/connect are separate interfaces
	allow $1 epmap_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_epmap_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the epmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_epmap_port'($*)) dnl
	gen_require(`
		type epmap_port_t;
	')

	allow $1 epmap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_epmap_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the epmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_send_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_epmap_port'($*)) dnl
	gen_require(`
		type epmap_port_t;
	')

	# silence only; nothing is granted
	dontaudit $1 epmap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_epmap_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the epmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_epmap_port'($*)) dnl
	gen_require(`
		type epmap_port_t;
	')

	allow $1 epmap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_epmap_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the epmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_epmap_port'($*)) dnl
	gen_require(`
		type epmap_port_t;
	')

	dontaudit $1 epmap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_epmap_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the epmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_sendrecv_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_epmap_port'($*)) dnl
	# composed from the single-direction interfaces
	corenet_udp_send_epmap_port($1)
	corenet_udp_receive_epmap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_epmap_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the epmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_epmap_port'($*)) dnl
	corenet_dontaudit_udp_send_epmap_port($1)
	corenet_dontaudit_udp_receive_epmap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_epmap_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the epmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_epmap_port'($*)) dnl
	gen_require(`
		type epmap_port_t;
	')

	allow $1 epmap_port_t:tcp_socket name_bind;
	# Paired with CAP_NET_BIND_SERVICE, presumably because epmap is a
	# reserved (<1024) port.  The capability is process-wide and covers
	# every reserved port, so grant this only to real listeners.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_epmap_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the epmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
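##	</summary>
## </param>
##
#
define(`corenet_udp_bind_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_epmap_port'($*)) dnl
	gen_require(`
		type epmap_port_t;
	')

	allow $1 epmap_port_t:udp_socket name_bind;
	# Same reserved-port pairing as corenet_tcp_bind_epmap_port: the
	# capability is process-wide, so only real listeners should get it.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_epmap_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the epmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_epmap_port'($*)) dnl
	gen_require(`
		type epmap_port_t;
	')

	# A dontaudit interface must only silence a denial, never grant
	# access.  The original body also contained
	#   allow $1 self:capability net_bind_service;
	# which handed CAP_NET_BIND_SERVICE (the ability to bind ANY reserved
	# port) to every caller that merely wanted this denial quiet.  That
	# allow has been removed; domains that genuinely bind here must call
	# corenet_udp_bind_epmap_port instead.
	dontaudit $1 epmap_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_epmap_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the epmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_epmap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_epmap_port'($*)) dnl
	gen_require(`
		type epmap_port_t;
	')

	# name_connect only; traffic on the connection is a separate interface
	allow $1 epmap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_epmap_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the epmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.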
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_epmap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_epmap_port'($*)) dnl
	gen_require(`
		type epmap_port_t;
	')

	dontaudit $1 epmap_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_epmap_port'($*)) dnl
')

########################################
## <summary>
##	Send epmap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_epmap_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_epmap_client_packets'($*)) dnl
	gen_require(`
		type epmap_client_packet_t;
	')

	allow $1 epmap_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_epmap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send epmap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_epmap_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_epmap_client_packets'($*)) dnl
	gen_require(`
		type epmap_client_packet_t;
	')

	dontaudit $1 epmap_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_epmap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive epmap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_epmap_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_epmap_client_packets'($*)) dnl
	gen_require(`
		type epmap_client_packet_t;
	')

	allow $1 epmap_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_epmap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive epmap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_epmap_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_epmap_client_packets'($*)) dnl
	gen_require(`
		type epmap_client_packet_t;
	')

	dontaudit $1 epmap_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_epmap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive epmap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_epmap_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_epmap_client_packets'($*)) dnl
	# Composed from the send and receive interfaces for this packet type.
	corenet_send_epmap_client_packets($1)
	corenet_receive_epmap_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_epmap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive epmap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_epmap_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_epmap_client_packets'($*)) dnl
	corenet_dontaudit_send_epmap_client_packets($1)
	corenet_dontaudit_receive_epmap_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_epmap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the epmap_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_epmap_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_epmap_client_packets'($*)) dnl
	gen_require(`
		type epmap_client_packet_t;
	')

	# relabelto lets the domain assign this label to packets (e.g. via SECMARK rules).
	allow $1 epmap_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_epmap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send epmap_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_epmap_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_epmap_server_packets'($*)) dnl
	gen_require(`
		type epmap_server_packet_t;
	')

	allow $1 epmap_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_epmap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send epmap_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_epmap_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_epmap_server_packets'($*)) dnl
	gen_require(`
		type epmap_server_packet_t;
	')

	dontaudit $1 epmap_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_epmap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive epmap_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_epmap_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_epmap_server_packets'($*)) dnl
	gen_require(`
		type epmap_server_packet_t;
	')

	allow $1 epmap_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_epmap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive epmap_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_epmap_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_epmap_server_packets'($*)) dnl
	gen_require(`
		type epmap_server_packet_t;
	')

	dontaudit $1 epmap_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_epmap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive epmap_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_epmap_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_epmap_server_packets'($*)) dnl
	corenet_send_epmap_server_packets($1)
	corenet_receive_epmap_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_epmap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive epmap_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_epmap_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_epmap_server_packets'($*)) dnl
	corenet_dontaudit_send_epmap_server_packets($1)
	corenet_dontaudit_receive_epmap_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_epmap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the epmap_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_epmap_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_epmap_server_packets'($*)) dnl
	gen_require(`
		type epmap_server_packet_t;
	')

	allow $1 epmap_server_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_epmap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the epmd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_epmd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_epmd_port'($*)) dnl
	gen_require(`
		type epmd_port_t;
	')

	# Both directions in one rule; no bind or connect permission is implied.
	allow $1 epmd_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_epmd_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the epmd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_epmd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_epmd_port'($*)) dnl
	gen_require(`
		type epmd_port_t;
	')

	allow $1 epmd_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_epmd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the epmd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_epmd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_epmd_port'($*)) dnl
	gen_require(`
		type epmd_port_t;
	')

	dontaudit $1 epmd_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_epmd_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the epmd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_epmd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_epmd_port'($*)) dnl
	gen_require(`
		type epmd_port_t;
	')

	allow $1 epmd_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_epmd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the epmd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_epmd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_epmd_port'($*)) dnl
	gen_require(`
		type epmd_port_t;
	')

	dontaudit $1 epmd_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_epmd_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the epmd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_epmd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_epmd_port'($*)) dnl
	corenet_udp_send_epmd_port($1)
	corenet_udp_receive_epmd_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_epmd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the epmd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_epmd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_epmd_port'($*)) dnl
	corenet_dontaudit_udp_send_epmd_port($1)
	corenet_dontaudit_udp_receive_epmd_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_epmd_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the epmd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_epmd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_epmd_port'($*)) dnl
	gen_require(`
		type epmd_port_t;
	')

	# No net_bind_service grant here, unlike the epmap bind interfaces.
	allow $1 epmd_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_epmd_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the epmd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_epmd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_epmd_port'($*)) dnl
	gen_require(`
		type epmd_port_t;
	')

	allow $1 epmd_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_epmd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the epmd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_epmd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_epmd_port'($*)) dnl
	gen_require(`
		type epmd_port_t;
	')

	# Pure dontaudit: silences the denial record and grants nothing.
	dontaudit $1 epmd_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_epmd_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the epmd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_epmd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_epmd_port'($*)) dnl
	gen_require(`
		type epmd_port_t;
	')

	allow $1 epmd_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_epmd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the epmd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_epmd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_epmd_port'($*)) dnl
	gen_require(`
		type epmd_port_t;
	')

	dontaudit $1 epmd_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_epmd_port'($*)) dnl
')

########################################
## <summary>
##	Send epmd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_epmd_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_epmd_client_packets'($*)) dnl
	gen_require(`
		type epmd_client_packet_t;
	')

	allow $1 epmd_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_epmd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send epmd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_epmd_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_epmd_client_packets'($*)) dnl
	gen_require(`
		type epmd_client_packet_t;
	')

	dontaudit $1 epmd_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_epmd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive epmd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_epmd_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_epmd_client_packets'($*)) dnl
	gen_require(`
		type epmd_client_packet_t;
	')

	allow $1 epmd_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_epmd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive epmd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_epmd_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_epmd_client_packets'($*)) dnl
	gen_require(`
		type epmd_client_packet_t;
	')

	dontaudit $1 epmd_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_epmd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive epmd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_epmd_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_epmd_client_packets'($*)) dnl
	corenet_send_epmd_client_packets($1)
	corenet_receive_epmd_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_epmd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive epmd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_epmd_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_epmd_client_packets'($*)) dnl
	corenet_dontaudit_send_epmd_client_packets($1)
	corenet_dontaudit_receive_epmd_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_epmd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the epmd_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_epmd_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_epmd_client_packets'($*)) dnl
	gen_require(`
		type epmd_client_packet_t;
	')

	allow $1 epmd_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_epmd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send epmd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_epmd_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_epmd_server_packets'($*)) dnl
	gen_require(`
		type epmd_server_packet_t;
	')

	allow $1 epmd_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_epmd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send epmd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_epmd_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_epmd_server_packets'($*)) dnl
	gen_require(`
		type epmd_server_packet_t;
	')

	dontaudit $1 epmd_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_epmd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive epmd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_epmd_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_epmd_server_packets'($*)) dnl
	gen_require(`
		type epmd_server_packet_t;
	')

	allow $1 epmd_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_epmd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive epmd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_epmd_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_epmd_server_packets'($*)) dnl
	gen_require(`
		type epmd_server_packet_t;
	')

	dontaudit $1 epmd_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_epmd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive epmd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_epmd_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_epmd_server_packets'($*)) dnl
	corenet_send_epmd_server_packets($1)
	corenet_receive_epmd_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_epmd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive epmd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_epmd_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_epmd_server_packets'($*)) dnl
	corenet_dontaudit_send_epmd_server_packets($1)
	corenet_dontaudit_receive_epmd_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_epmd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the epmd_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_epmd_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_epmd_server_packets'($*)) dnl
	gen_require(`
		type epmd_server_packet_t;
	')

	allow $1 epmd_server_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_epmd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the fac_restore port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_fac_restore_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_fac_restore_port'($*)) dnl
	gen_require(`
		type fac_restore_port_t;
	')

	# Both directions in one rule; no bind or connect permission is implied.
	allow $1 fac_restore_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_fac_restore_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the fac_restore port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_fac_restore_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_fac_restore_port'($*)) dnl
	gen_require(`
		type fac_restore_port_t;
	')

	allow $1 fac_restore_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_fac_restore_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the fac_restore port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_fac_restore_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_fac_restore_port'($*)) dnl
	gen_require(`
		type fac_restore_port_t;
	')

	dontaudit $1 fac_restore_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_fac_restore_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the fac_restore port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_fac_restore_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_fac_restore_port'($*)) dnl
	gen_require(`
		type fac_restore_port_t;
	')

	allow $1 fac_restore_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_fac_restore_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the fac_restore port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_fac_restore_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_fac_restore_port'($*)) dnl
	gen_require(`
		type fac_restore_port_t;
	')

	dontaudit $1 fac_restore_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_fac_restore_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the fac_restore port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_fac_restore_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_fac_restore_port'($*)) dnl
	corenet_udp_send_fac_restore_port($1)
	corenet_udp_receive_fac_restore_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_fac_restore_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the fac_restore port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_fac_restore_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_fac_restore_port'($*)) dnl
	corenet_dontaudit_udp_send_fac_restore_port($1)
	corenet_dontaudit_udp_receive_fac_restore_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_fac_restore_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the fac_restore port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_fac_restore_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_fac_restore_port'($*)) dnl
	gen_require(`
		type fac_restore_port_t;
	')

	# No net_bind_service grant here, unlike the epmap bind interfaces.
	allow $1 fac_restore_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_fac_restore_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the fac_restore port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_fac_restore_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_fac_restore_port'($*)) dnl
	gen_require(`
		type fac_restore_port_t;
	')

	allow $1 fac_restore_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_fac_restore_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the fac_restore port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_fac_restore_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_fac_restore_port'($*)) dnl
	gen_require(`
		type fac_restore_port_t;
	')

	# Pure dontaudit: silences the denial record and grants nothing.
	dontaudit $1 fac_restore_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_fac_restore_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the fac_restore port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_fac_restore_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_fac_restore_port'($*)) dnl
	gen_require(`
		type fac_restore_port_t;
	')

	allow $1 fac_restore_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_fac_restore_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the fac_restore port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_fac_restore_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_fac_restore_port'($*)) dnl
	gen_require(`
		type fac_restore_port_t;
	')

	dontaudit $1 fac_restore_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_fac_restore_port'($*)) dnl
')

########################################
## <summary>
##	Send fac_restore_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_fac_restore_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_fac_restore_client_packets'($*)) dnl
	gen_require(`
		type fac_restore_client_packet_t;
	')

	allow $1 fac_restore_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_fac_restore_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send fac_restore_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_fac_restore_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_fac_restore_client_packets'($*)) dnl
	gen_require(`
		type fac_restore_client_packet_t;
	')

	dontaudit $1 fac_restore_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_fac_restore_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive fac_restore_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_fac_restore_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_fac_restore_client_packets'($*)) dnl
	gen_require(`
		type fac_restore_client_packet_t;
	')

	allow $1 fac_restore_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_fac_restore_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive fac_restore_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_fac_restore_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_fac_restore_client_packets'($*)) dnl
	gen_require(`
		type fac_restore_client_packet_t;
	')

	dontaudit $1 fac_restore_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_fac_restore_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive fac_restore_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_fac_restore_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_fac_restore_client_packets'($*)) dnl
	corenet_send_fac_restore_client_packets($1)
	corenet_receive_fac_restore_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_fac_restore_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive fac_restore_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_fac_restore_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_fac_restore_client_packets'($*)) dnl
	corenet_dontaudit_send_fac_restore_client_packets($1)
	corenet_dontaudit_receive_fac_restore_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_fac_restore_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the fac_restore_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_fac_restore_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_fac_restore_client_packets'($*)) dnl
	gen_require(`
		type fac_restore_client_packet_t;
	')

	allow $1 fac_restore_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_fac_restore_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send fac_restore_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_fac_restore_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_fac_restore_server_packets'($*)) dnl
	gen_require(`
		type fac_restore_server_packet_t;
	')

	allow $1 fac_restore_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_fac_restore_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send fac_restore_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_fac_restore_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_fac_restore_server_packets'($*)) dnl
	gen_require(`
		type fac_restore_server_packet_t;
	')

	dontaudit $1 fac_restore_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_fac_restore_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive fac_restore_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_fac_restore_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_fac_restore_server_packets'($*)) dnl
	gen_require(`
		type fac_restore_server_packet_t;
	')

	allow $1 fac_restore_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_fac_restore_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive fac_restore_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_fac_restore_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_fac_restore_server_packets'($*)) dnl
	gen_require(`
		type fac_restore_server_packet_t;
	')

	dontaudit $1 fac_restore_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_fac_restore_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive fac_restore_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_fac_restore_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_fac_restore_server_packets'($*)) dnl
	corenet_send_fac_restore_server_packets($1)
	corenet_receive_fac_restore_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_fac_restore_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive fac_restore_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_fac_restore_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_fac_restore_server_packets'($*)) dnl
	corenet_dontaudit_send_fac_restore_server_packets($1)
	corenet_dontaudit_receive_fac_restore_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_fac_restore_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the fac_restore_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_fac_restore_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_fac_restore_server_packets'($*)) dnl
	gen_require(`
		type fac_restore_server_packet_t;
	')

	allow $1 fac_restore_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_fac_restore_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the fingerd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_fingerd_port'($*)) dnl
	gen_require(`
		type fingerd_port_t;
	')

	allow $1 fingerd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_fingerd_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the fingerd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_fingerd_port'($*)) dnl
	gen_require(`
		type fingerd_port_t;
	')

	allow $1 fingerd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_fingerd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the fingerd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_fingerd_port'($*)) dnl
	gen_require(`
		type fingerd_port_t;
	')

	dontaudit $1 fingerd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_fingerd_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the fingerd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_fingerd_port'($*)) dnl
	gen_require(`
		type fingerd_port_t;
	')

	allow $1 fingerd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_fingerd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the fingerd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_fingerd_port'($*)) dnl
	gen_require(`
		type fingerd_port_t;
	')

	dontaudit $1 fingerd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_fingerd_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the fingerd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_fingerd_port'($*)) dnl
	corenet_udp_send_fingerd_port($1)
	corenet_udp_receive_fingerd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_fingerd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the fingerd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_fingerd_port'($*)) dnl
	corenet_dontaudit_udp_send_fingerd_port($1)
	corenet_dontaudit_udp_receive_fingerd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_fingerd_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the fingerd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_fingerd_port'($*)) dnl
	gen_require(`
		type fingerd_port_t;
	')

	allow $1 fingerd_port_t:tcp_socket name_bind;
	dnl The capability is granted here but not by the firepower bind interfaces;
	dnl presumably fingerd's port is in the privileged range -- confirm against
	dnl the port declaration before relying on this.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_fingerd_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the fingerd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_fingerd_port'($*)) dnl
	gen_require(`
		type fingerd_port_t;
	')

	allow $1 fingerd_port_t:udp_socket name_bind;
	dnl Capability granted with the bind, unlike the firepower bind interfaces;
	dnl presumably because fingerd's port is privileged -- confirm.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_fingerd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the fingerd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_fingerd_port'($*)) dnl
	gen_require(`
		type fingerd_port_t;
	')

	dontaudit $1 fingerd_port_t:udp_socket name_bind;
	dnl NOTE(review): although this is a dontaudit interface, the next rule is a
	dnl real allow: a caller that only wants to silence bind denials also gains
	dnl the net_bind_service capability. The firepower counterpart carries no
	dnl such rule, so confirm this is intended rather than a template artefact.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_fingerd_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the fingerd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_fingerd_port'($*)) dnl
	gen_require(`
		type fingerd_port_t;
	')

	allow $1 fingerd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_fingerd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the fingerd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_fingerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_fingerd_port'($*)) dnl
	gen_require(`
		type fingerd_port_t;
	')

	dontaudit $1 fingerd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_fingerd_port'($*)) dnl
')

########################################
## <summary>
##	Send fingerd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_fingerd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_fingerd_client_packets'($*)) dnl
	gen_require(`
		type fingerd_client_packet_t;
	')

	allow $1 fingerd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_fingerd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send fingerd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_fingerd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_fingerd_client_packets'($*)) dnl
	gen_require(`
		type fingerd_client_packet_t;
	')

	dontaudit $1 fingerd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_fingerd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive fingerd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_fingerd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_fingerd_client_packets'($*)) dnl
	gen_require(`
		type fingerd_client_packet_t;
	')

	allow $1 fingerd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_fingerd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive fingerd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_fingerd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_fingerd_client_packets'($*)) dnl
	gen_require(`
		type fingerd_client_packet_t;
	')

	dontaudit $1 fingerd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_fingerd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive fingerd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_fingerd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_fingerd_client_packets'($*)) dnl
	corenet_send_fingerd_client_packets($1)
	corenet_receive_fingerd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_fingerd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive fingerd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_fingerd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_fingerd_client_packets'($*)) dnl
	corenet_dontaudit_send_fingerd_client_packets($1)
	corenet_dontaudit_receive_fingerd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_fingerd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the fingerd_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_fingerd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_fingerd_client_packets'($*)) dnl
	gen_require(`
		type fingerd_client_packet_t;
	')

	allow $1 fingerd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_fingerd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send fingerd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_fingerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_fingerd_server_packets'($*)) dnl
	gen_require(`
		type fingerd_server_packet_t;
	')

	allow $1 fingerd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_fingerd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send fingerd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_fingerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_fingerd_server_packets'($*)) dnl
	gen_require(`
		type fingerd_server_packet_t;
	')

	dontaudit $1 fingerd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_fingerd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive fingerd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_fingerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_fingerd_server_packets'($*)) dnl
	gen_require(`
		type fingerd_server_packet_t;
	')

	allow $1 fingerd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_fingerd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive fingerd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_fingerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_fingerd_server_packets'($*)) dnl
	gen_require(`
		type fingerd_server_packet_t;
	')

	dontaudit $1 fingerd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_fingerd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive fingerd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_fingerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_fingerd_server_packets'($*)) dnl
	corenet_send_fingerd_server_packets($1)
	corenet_receive_fingerd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_fingerd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive fingerd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_fingerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_fingerd_server_packets'($*)) dnl
	corenet_dontaudit_send_fingerd_server_packets($1)
	corenet_dontaudit_receive_fingerd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_fingerd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the fingerd_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_fingerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_fingerd_server_packets'($*)) dnl
	gen_require(`
		type fingerd_server_packet_t;
	')

	allow $1 fingerd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_fingerd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the firepower port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_firepower_port'($*)) dnl
	gen_require(`
		type firepower_port_t;
	')

	allow $1 firepower_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_firepower_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the firepower port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_firepower_port'($*)) dnl
	gen_require(`
		type firepower_port_t;
	')

	allow $1 firepower_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_firepower_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the firepower port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_firepower_port'($*)) dnl
	gen_require(`
		type firepower_port_t;
	')

	dontaudit $1 firepower_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_firepower_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the firepower port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_firepower_port'($*)) dnl
	gen_require(`
		type firepower_port_t;
	')

	allow $1 firepower_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_firepower_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the firepower port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_firepower_port'($*)) dnl
	gen_require(`
		type firepower_port_t;
	')

	dontaudit $1 firepower_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_firepower_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the firepower port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_firepower_port'($*)) dnl
	corenet_udp_send_firepower_port($1)
	corenet_udp_receive_firepower_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_firepower_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the firepower port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_firepower_port'($*)) dnl
	corenet_dontaudit_udp_send_firepower_port($1)
	corenet_dontaudit_udp_receive_firepower_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_firepower_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the firepower port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_firepower_port'($*)) dnl
	gen_require(`
		type firepower_port_t;
	')

	dnl No net_bind_service capability here, unlike the fingerd bind interfaces.
	allow $1 firepower_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_firepower_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the firepower port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_firepower_port'($*)) dnl
	gen_require(`
		type firepower_port_t;
	')

	allow $1 firepower_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_firepower_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the firepower port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_firepower_port'($*)) dnl
	gen_require(`
		type firepower_port_t;
	')

	dnl Pure dontaudit: no allow rule accompanies it (contrast the fingerd variant).
	dontaudit $1 firepower_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_firepower_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the firepower port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_firepower_port'($*)) dnl
	gen_require(`
		type firepower_port_t;
	')

	allow $1 firepower_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_firepower_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the firepower port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_firepower_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_firepower_port'($*)) dnl
	gen_require(`
		type firepower_port_t;
	')

	dontaudit $1 firepower_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_firepower_port'($*)) dnl
')

########################################
## <summary>
##	Send firepower_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_firepower_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_firepower_client_packets'($*)) dnl
	gen_require(`
		type firepower_client_packet_t;
	')

	allow $1 firepower_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_firepower_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send firepower_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_firepower_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_firepower_client_packets'($*)) dnl
	gen_require(`
		type firepower_client_packet_t;
	')

	dontaudit $1 firepower_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_firepower_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive firepower_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_firepower_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_firepower_client_packets'($*)) dnl
	gen_require(`
		type firepower_client_packet_t;
	')

	allow $1 firepower_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_firepower_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive firepower_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_firepower_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_firepower_client_packets'($*)) dnl
	gen_require(`
		type firepower_client_packet_t;
	')

	dontaudit $1 firepower_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_firepower_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive firepower_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_firepower_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_firepower_client_packets'($*)) dnl
	corenet_send_firepower_client_packets($1)
	corenet_receive_firepower_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_firepower_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive firepower_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_firepower_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_firepower_client_packets'($*)) dnl
	corenet_dontaudit_send_firepower_client_packets($1)
	corenet_dontaudit_receive_firepower_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_firepower_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the firepower_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_firepower_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_firepower_client_packets'($*)) dnl
	gen_require(`
		type firepower_client_packet_t;
	')

	allow $1 firepower_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_firepower_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send firepower_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_firepower_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_firepower_server_packets'($*)) dnl
	gen_require(`
		type firepower_server_packet_t;
	')

	allow $1 firepower_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_firepower_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send firepower_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_firepower_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_firepower_server_packets'($*)) dnl
	gen_require(`
		type firepower_server_packet_t;
	')

	dontaudit $1 firepower_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_firepower_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive firepower_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_firepower_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_firepower_server_packets'($*)) dnl
	gen_require(`
		type firepower_server_packet_t;
	')

	allow $1 firepower_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_firepower_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive firepower_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_firepower_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_firepower_server_packets'($*)) dnl
	gen_require(`
		type firepower_server_packet_t;
	')

	dontaudit $1 firepower_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_firepower_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive firepower_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_firepower_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_firepower_server_packets'($*)) dnl
	corenet_send_firepower_server_packets($1)
	corenet_receive_firepower_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_firepower_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive firepower_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
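##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_firepower_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_firepower_server_packets'($*)) dnl
	corenet_dontaudit_send_firepower_server_packets($1)
	corenet_dontaudit_receive_firepower_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_firepower_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the firepower_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_firepower_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_firepower_server_packets'($*)) dnl
	gen_require(`
		type firepower_server_packet_t;
	')

	# Needed only by the domain that installs packet labeling rules.
	allow $1 firepower_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_firepower_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the fmpro_internal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_fmpro_internal_port'($*)) dnl
	gen_require(`
		type fmpro_internal_port_t;
	')

	allow $1 fmpro_internal_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_fmpro_internal_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the fmpro_internal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.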
##	</summary>
## </param>
#
define(`corenet_udp_send_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_fmpro_internal_port'($*)) dnl
	gen_require(`
		type fmpro_internal_port_t;
	')

	allow $1 fmpro_internal_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_fmpro_internal_port'($*)) dnl
')

########################################
## <summary>
##	Silence denials for sending UDP traffic on the fmpro_internal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_fmpro_internal_port'($*)) dnl
	gen_require(`
		type fmpro_internal_port_t;
	')

	dontaudit $1 fmpro_internal_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_fmpro_internal_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the fmpro_internal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_fmpro_internal_port'($*)) dnl
	gen_require(`
		type fmpro_internal_port_t;
	')

	allow $1 fmpro_internal_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_fmpro_internal_port'($*)) dnl
')

########################################
## <summary>
##	Silence denials for receiving UDP traffic on the fmpro_internal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_fmpro_internal_port'($*)) dnl
	gen_require(`
		type fmpro_internal_port_t;
	')

	dontaudit $1 fmpro_internal_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_fmpro_internal_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the fmpro_internal port
##	(both one-direction interfaces in one call).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_fmpro_internal_port'($*)) dnl
	corenet_udp_send_fmpro_internal_port($1)
	corenet_udp_receive_fmpro_internal_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_fmpro_internal_port'($*)) dnl
')

########################################
## <summary>
##	Silence denials for sending and receiving
##	UDP traffic on the fmpro_internal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_fmpro_internal_port'($*)) dnl
	corenet_dontaudit_udp_send_fmpro_internal_port($1)
	corenet_dontaudit_udp_receive_fmpro_internal_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_fmpro_internal_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the fmpro_internal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
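##	</summary>
## </param>
#
define(`corenet_tcp_bind_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_fmpro_internal_port'($*)) dnl
	gen_require(`
		type fmpro_internal_port_t;
	')

	# No net_bind_service grant here: this port is not treated as a
	# privileged port by the generator (compare the flash port interfaces).
	allow $1 fmpro_internal_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_fmpro_internal_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the fmpro_internal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_fmpro_internal_port'($*)) dnl
	gen_require(`
		type fmpro_internal_port_t;
	')

	allow $1 fmpro_internal_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_fmpro_internal_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the fmpro_internal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_fmpro_internal_port'($*)) dnl
	gen_require(`
		type fmpro_internal_port_t;
	')

	# Audit suppression only; this interface must never carry an allow rule.
	dontaudit $1 fmpro_internal_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_fmpro_internal_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the fmpro_internal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.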
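##	</summary>
## </param>
#
define(`corenet_tcp_connect_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_fmpro_internal_port'($*)) dnl
	gen_require(`
		type fmpro_internal_port_t;
	')

	allow $1 fmpro_internal_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_fmpro_internal_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the fmpro_internal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_fmpro_internal_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_fmpro_internal_port'($*)) dnl
	gen_require(`
		type fmpro_internal_port_t;
	')

	# Parameter doc corrected: a dontaudit interface grants no access.
	dontaudit $1 fmpro_internal_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_fmpro_internal_port'($*)) dnl
')

########################################
## <summary>
##	Send fmpro_internal_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_fmpro_internal_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_fmpro_internal_client_packets'($*)) dnl
	gen_require(`
		type fmpro_internal_client_packet_t;
	')

	allow $1 fmpro_internal_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_fmpro_internal_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send fmpro_internal_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.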
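##	</summary>
## </param>
#
define(`corenet_dontaudit_send_fmpro_internal_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_fmpro_internal_client_packets'($*)) dnl
	gen_require(`
		type fmpro_internal_client_packet_t;
	')

	dontaudit $1 fmpro_internal_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_fmpro_internal_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive fmpro_internal_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_fmpro_internal_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_fmpro_internal_client_packets'($*)) dnl
	gen_require(`
		type fmpro_internal_client_packet_t;
	')

	allow $1 fmpro_internal_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_fmpro_internal_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive fmpro_internal_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_fmpro_internal_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_fmpro_internal_client_packets'($*)) dnl
	gen_require(`
		type fmpro_internal_client_packet_t;
	')

	# Parameter doc corrected from "Domain allowed access": nothing is granted.
	dontaudit $1 fmpro_internal_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_fmpro_internal_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive fmpro_internal_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.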
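##	</summary>
## </param>
#
define(`corenet_sendrecv_fmpro_internal_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_fmpro_internal_client_packets'($*)) dnl
	corenet_send_fmpro_internal_client_packets($1)
	corenet_receive_fmpro_internal_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_fmpro_internal_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive fmpro_internal_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_fmpro_internal_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_fmpro_internal_client_packets'($*)) dnl
	corenet_dontaudit_send_fmpro_internal_client_packets($1)
	corenet_dontaudit_receive_fmpro_internal_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_fmpro_internal_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the fmpro_internal_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_fmpro_internal_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_fmpro_internal_client_packets'($*)) dnl
	gen_require(`
		type fmpro_internal_client_packet_t;
	')

	# Needed only by the domain that installs packet labeling rules.
	allow $1 fmpro_internal_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_fmpro_internal_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send fmpro_internal_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.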
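##	</summary>
## </param>
#
define(`corenet_send_fmpro_internal_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_fmpro_internal_server_packets'($*)) dnl
	gen_require(`
		type fmpro_internal_server_packet_t;
	')

	allow $1 fmpro_internal_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_fmpro_internal_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send fmpro_internal_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_fmpro_internal_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_fmpro_internal_server_packets'($*)) dnl
	gen_require(`
		type fmpro_internal_server_packet_t;
	')

	dontaudit $1 fmpro_internal_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_fmpro_internal_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive fmpro_internal_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_fmpro_internal_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_fmpro_internal_server_packets'($*)) dnl
	gen_require(`
		type fmpro_internal_server_packet_t;
	')

	allow $1 fmpro_internal_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_fmpro_internal_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive fmpro_internal_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.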
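##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_fmpro_internal_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_fmpro_internal_server_packets'($*)) dnl
	gen_require(`
		type fmpro_internal_server_packet_t;
	')

	dontaudit $1 fmpro_internal_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_fmpro_internal_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive fmpro_internal_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_fmpro_internal_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_fmpro_internal_server_packets'($*)) dnl
	corenet_send_fmpro_internal_server_packets($1)
	corenet_receive_fmpro_internal_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_fmpro_internal_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive fmpro_internal_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_fmpro_internal_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_fmpro_internal_server_packets'($*)) dnl
	corenet_dontaudit_send_fmpro_internal_server_packets($1)
	corenet_dontaudit_receive_fmpro_internal_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_fmpro_internal_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the fmpro_internal_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.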
##	</summary>
## </param>
#
define(`corenet_relabelto_fmpro_internal_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_fmpro_internal_server_packets'($*)) dnl
	gen_require(`
		type fmpro_internal_server_packet_t;
	')

	# Only the packet-labeling domain should need relabelto on packet types.
	allow $1 fmpro_internal_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_fmpro_internal_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the flash port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_flash_port'($*)) dnl
	gen_require(`
		type flash_port_t;
	')

	allow $1 flash_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_flash_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the flash port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_flash_port'($*)) dnl
	gen_require(`
		type flash_port_t;
	')

	allow $1 flash_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_flash_port'($*)) dnl
')

########################################
## <summary>
##	Silence denials for sending UDP traffic on the flash port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_flash_port'($*)) dnl
	gen_require(`
		type flash_port_t;
	')

	dontaudit $1 flash_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_flash_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the flash port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_flash_port'($*)) dnl
	gen_require(`
		type flash_port_t;
	')

	allow $1 flash_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_flash_port'($*)) dnl
')

########################################
## <summary>
##	Silence denials for receiving UDP traffic on the flash port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_flash_port'($*)) dnl
	gen_require(`
		type flash_port_t;
	')

	dontaudit $1 flash_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_flash_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the flash port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_flash_port'($*)) dnl
	corenet_udp_send_flash_port($1)
	corenet_udp_receive_flash_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_flash_port'($*)) dnl
')

########################################
## <summary>
##	Silence denials for sending and receiving
##	UDP traffic on the flash port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_flash_port'($*)) dnl
	corenet_dontaudit_udp_send_flash_port($1)
	corenet_dontaudit_udp_receive_flash_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_flash_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the flash port. Also grants the
##	net_bind_service capability, which the generator pairs with
##	name_bind for ports it treats as privileged.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_flash_port'($*)) dnl
	gen_require(`
		type flash_port_t;
	')

	allow $1 flash_port_t:tcp_socket name_bind;
	# CAP_NET_BIND_SERVICE is a process-wide capability, not scoped to this
	# port; callers should be aware it extends to any privileged port.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_flash_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the flash port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
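##	</summary>
## </param>
#
define(`corenet_udp_bind_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_flash_port'($*)) dnl
	gen_require(`
		type flash_port_t;
	')

	allow $1 flash_port_t:udp_socket name_bind;
	# The generator pairs name_bind with net_bind_service for this port
	# (it is treated as privileged). Note the capability is process-wide,
	# not limited to flash_port_t.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_flash_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the flash port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_flash_port'($*)) dnl
	gen_require(`
		type flash_port_t;
	')

	dontaudit $1 flash_port_t:udp_socket name_bind;
	# FIX: the generated interface also contained
	#   allow $1 self:capability net_bind_service;
	# A dontaudit interface must never grant access. Any module calling
	# this merely to silence a bind denial was silently given
	# CAP_NET_BIND_SERVICE (a process-wide capability). The capability grant
	# belongs only to corenet_udp_bind_flash_port; the other dontaudit bind
	# interfaces in this file (e.g. fmpro_internal) carry no allow rule.
	# The capability denial is deliberately left auditable.
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_flash_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the flash port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_flash_port'($*)) dnl
	gen_require(`
		type flash_port_t;
	')

	allow $1 flash_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_flash_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the flash port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.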
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_flash_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_flash_port'($*)) dnl
	gen_require(`
		type flash_port_t;
	')

	dontaudit $1 flash_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_flash_port'($*)) dnl
')

########################################
## <summary>
##	Send packets labeled flash_client_packet_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_flash_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_flash_client_packets'($*)) dnl
	gen_require(`
		type flash_client_packet_t;
	')

	allow $1 flash_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_flash_client_packets'($*)) dnl
')

########################################
## <summary>
##	Silence denials for sending flash_client_packet_t packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_flash_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_flash_client_packets'($*)) dnl
	gen_require(`
		type flash_client_packet_t;
	')

	dontaudit $1 flash_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_flash_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive packets labeled flash_client_packet_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
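##	</summary>
## </param>
#
define(`corenet_receive_flash_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_flash_client_packets'($*)) dnl
	gen_require(`
		type flash_client_packet_t;
	')

	allow $1 flash_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_flash_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive flash_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_flash_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_flash_client_packets'($*)) dnl
	gen_require(`
		type flash_client_packet_t;
	')

	# Parameter doc corrected from "Domain allowed access": nothing is granted.
	dontaudit $1 flash_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_flash_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive flash_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_flash_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_flash_client_packets'($*)) dnl
	corenet_send_flash_client_packets($1)
	corenet_receive_flash_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_flash_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive flash_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.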
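##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_flash_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_flash_client_packets'($*)) dnl
	corenet_dontaudit_send_flash_client_packets($1)
	corenet_dontaudit_receive_flash_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_flash_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the flash_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_flash_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_flash_client_packets'($*)) dnl
	gen_require(`
		type flash_client_packet_t;
	')

	# Needed only by the domain that installs packet labeling rules.
	allow $1 flash_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_flash_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send flash_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_flash_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_flash_server_packets'($*)) dnl
	gen_require(`
		type flash_server_packet_t;
	')

	allow $1 flash_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_flash_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send flash_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.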
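##	</summary>
## </param>
#
define(`corenet_dontaudit_send_flash_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_flash_server_packets'($*)) dnl
	gen_require(`
		type flash_server_packet_t;
	')

	dontaudit $1 flash_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_flash_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive flash_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_flash_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_flash_server_packets'($*)) dnl
	gen_require(`
		type flash_server_packet_t;
	')

	allow $1 flash_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_flash_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive flash_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_flash_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_flash_server_packets'($*)) dnl
	gen_require(`
		type flash_server_packet_t;
	')

	# Parameter doc corrected from "Domain allowed access": nothing is granted.
	dontaudit $1 flash_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_flash_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive flash_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.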
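##	</summary>
## </param>
#
define(`corenet_sendrecv_flash_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_flash_server_packets'($*)) dnl
	corenet_send_flash_server_packets($1)
	corenet_receive_flash_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_flash_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive flash_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_flash_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_flash_server_packets'($*)) dnl
	corenet_dontaudit_send_flash_server_packets($1)
	corenet_dontaudit_receive_flash_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_flash_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the flash_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_flash_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_flash_server_packets'($*)) dnl
	gen_require(`
		type flash_server_packet_t;
	')

	# Needed only by the domain that installs packet labeling rules.
	allow $1 flash_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_flash_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the freeipmi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.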
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_freeipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_freeipmi_port'($*)) dnl
	gen_require(`
		type freeipmi_port_t;
	')

	allow $1 freeipmi_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_freeipmi_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP datagrams to the freeipmi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_freeipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_freeipmi_port'($*)) dnl
	gen_require(`
		type freeipmi_port_t;
	')

	allow $1 freeipmi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_freeipmi_port'($*)) dnl
')

########################################
## <summary>
##	Silence denials for sending UDP datagrams to the freeipmi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_freeipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_freeipmi_port'($*)) dnl
	gen_require(`
		type freeipmi_port_t;
	')

	dontaudit $1 freeipmi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_freeipmi_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP datagrams on the freeipmi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## ## # define(`corenet_udp_receive_freeipmi_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_freeipmi_port'($*)) dnl gen_require(` type freeipmi_port_t; ') allow $1 freeipmi_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_freeipmi_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the freeipmi port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_freeipmi_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_freeipmi_port'($*)) dnl gen_require(` type freeipmi_port_t; ') dontaudit $1 freeipmi_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_freeipmi_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the freeipmi port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_freeipmi_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_freeipmi_port'($*)) dnl corenet_udp_send_freeipmi_port($1) corenet_udp_receive_freeipmi_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_freeipmi_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the freeipmi port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_sendrecv_freeipmi_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_freeipmi_port'($*)) dnl corenet_dontaudit_udp_send_freeipmi_port($1) corenet_dontaudit_udp_receive_freeipmi_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_freeipmi_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the freeipmi port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_freeipmi_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_freeipmi_port'($*)) dnl gen_require(` type freeipmi_port_t; ') allow $1 freeipmi_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_freeipmi_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the freeipmi port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_freeipmi_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_freeipmi_port'($*)) dnl gen_require(` type freeipmi_port_t; ') allow $1 freeipmi_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_freeipmi_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind UDP sockets to the freeipmi port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_bind_freeipmi_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_freeipmi_port'($*)) dnl gen_require(` type freeipmi_port_t; ') dontaudit $1 freeipmi_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_freeipmi_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the freeipmi port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_freeipmi_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_freeipmi_port'($*)) dnl gen_require(` type freeipmi_port_t; ') allow $1 freeipmi_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_freeipmi_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the freeipmi port. ## ## ## ## Domain to not audit. ## ## # define(`corenet_dontaudit_tcp_connect_freeipmi_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_freeipmi_port'($*)) dnl gen_require(` type freeipmi_port_t; ') dontaudit $1 freeipmi_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_freeipmi_port'($*)) dnl ') ######################################## ## ## Send freeipmi_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_freeipmi_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_freeipmi_client_packets'($*)) dnl gen_require(` type freeipmi_client_packet_t; ') allow $1 freeipmi_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_freeipmi_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send freeipmi_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_freeipmi_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_freeipmi_client_packets'($*)) dnl gen_require(` type freeipmi_client_packet_t; ') dontaudit $1 freeipmi_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_freeipmi_client_packets'($*)) dnl ') ######################################## ## ## Receive freeipmi_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_freeipmi_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_freeipmi_client_packets'($*)) dnl gen_require(` type freeipmi_client_packet_t; ') allow $1 freeipmi_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_freeipmi_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive freeipmi_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_receive_freeipmi_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_freeipmi_client_packets'($*)) dnl gen_require(` type freeipmi_client_packet_t; ') dontaudit $1 freeipmi_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_freeipmi_client_packets'($*)) dnl ') ######################################## ## ## Send and receive freeipmi_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_freeipmi_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_freeipmi_client_packets'($*)) dnl corenet_send_freeipmi_client_packets($1) corenet_receive_freeipmi_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_freeipmi_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive freeipmi_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_freeipmi_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_freeipmi_client_packets'($*)) dnl corenet_dontaudit_send_freeipmi_client_packets($1) corenet_dontaudit_receive_freeipmi_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_freeipmi_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to freeipmi_client the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_freeipmi_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_freeipmi_client_packets'($*)) dnl gen_require(` type freeipmi_client_packet_t; ') allow $1 freeipmi_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_freeipmi_client_packets'($*)) dnl ') ######################################## ## ## Send freeipmi_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_freeipmi_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_freeipmi_server_packets'($*)) dnl gen_require(` type freeipmi_server_packet_t; ') allow $1 freeipmi_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_freeipmi_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send freeipmi_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_freeipmi_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_freeipmi_server_packets'($*)) dnl gen_require(` type freeipmi_server_packet_t; ') dontaudit $1 freeipmi_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_freeipmi_server_packets'($*)) dnl ') ######################################## ## ## Receive freeipmi_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_freeipmi_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_freeipmi_server_packets'($*)) dnl gen_require(` type freeipmi_server_packet_t; ') allow $1 freeipmi_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_freeipmi_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive freeipmi_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_freeipmi_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_freeipmi_server_packets'($*)) dnl gen_require(` type freeipmi_server_packet_t; ') dontaudit $1 freeipmi_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_freeipmi_server_packets'($*)) dnl ') ######################################## ## ## Send and receive freeipmi_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_freeipmi_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_freeipmi_server_packets'($*)) dnl corenet_send_freeipmi_server_packets($1) corenet_receive_freeipmi_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_freeipmi_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive freeipmi_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_freeipmi_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_freeipmi_server_packets'($*)) dnl corenet_dontaudit_send_freeipmi_server_packets($1) corenet_dontaudit_receive_freeipmi_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_freeipmi_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to freeipmi_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_freeipmi_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_freeipmi_server_packets'($*)) dnl gen_require(` type freeipmi_server_packet_t; ') allow $1 freeipmi_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_freeipmi_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the ftp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_ftp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ftp_port'($*)) dnl gen_require(` type ftp_port_t; ') allow $1 ftp_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ftp_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the ftp port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_send_ftp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ftp_port'($*)) dnl gen_require(` type ftp_port_t; ') allow $1 ftp_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_ftp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the ftp port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_ftp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ftp_port'($*)) dnl gen_require(` type ftp_port_t; ') dontaudit $1 ftp_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ftp_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the ftp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_ftp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ftp_port'($*)) dnl gen_require(` type ftp_port_t; ') allow $1 ftp_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ftp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the ftp port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_receive_ftp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ftp_port'($*)) dnl gen_require(` type ftp_port_t; ') dontaudit $1 ftp_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ftp_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the ftp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_ftp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ftp_port'($*)) dnl corenet_udp_send_ftp_port($1) corenet_udp_receive_ftp_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ftp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the ftp port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_ftp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ftp_port'($*)) dnl corenet_dontaudit_udp_send_ftp_port($1) corenet_dontaudit_udp_receive_ftp_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ftp_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the ftp port. ## ## ## ## Domain allowed access. 
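##
##
##
#
define(`corenet_tcp_bind_ftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ftp_port'($*)) dnl
	gen_require(`
		type ftp_port_t;
	')

	allow $1 ftp_port_t:tcp_socket name_bind;
	# ftp is a privileged port, so binding it also needs CAP_NET_BIND_SERVICE
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ftp_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the ftp port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_ftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ftp_port'($*)) dnl
	gen_require(`
		type ftp_port_t;
	')

	allow $1 ftp_port_t:udp_socket name_bind;
	# ftp is a privileged port, so binding it also needs CAP_NET_BIND_SERVICE
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ftp_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind UDP sockets to the ftp port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ftp_port'($*)) dnl
	gen_require(`
		type ftp_port_t;
	')

	dontaudit $1 ftp_port_t:udp_socket name_bind;
	# A dontaudit interface must not widen the caller: the capability denial
	# is silenced here, not granted (this rule was previously an allow).
	dontaudit $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ftp_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the ftp port.
##
##
##
##	Domain allowed access.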
## ## # define(`corenet_tcp_connect_ftp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ftp_port'($*)) dnl gen_require(` type ftp_port_t; ') allow $1 ftp_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ftp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the ftp port. ## ## ## ## Domain to not audit. ## ## # define(`corenet_dontaudit_tcp_connect_ftp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ftp_port'($*)) dnl gen_require(` type ftp_port_t; ') dontaudit $1 ftp_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ftp_port'($*)) dnl ') ######################################## ## ## Send ftp_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_ftp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ftp_client_packets'($*)) dnl gen_require(` type ftp_client_packet_t; ') allow $1 ftp_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ftp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ftp_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_ftp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ftp_client_packets'($*)) dnl gen_require(` type ftp_client_packet_t; ') dontaudit $1 ftp_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ftp_client_packets'($*)) dnl ') ######################################## ## ## Receive ftp_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_ftp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ftp_client_packets'($*)) dnl gen_require(` type ftp_client_packet_t; ') allow $1 ftp_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ftp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ftp_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_ftp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ftp_client_packets'($*)) dnl gen_require(` type ftp_client_packet_t; ') dontaudit $1 ftp_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ftp_client_packets'($*)) dnl ') ######################################## ## ## Send and receive ftp_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_ftp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ftp_client_packets'($*)) dnl corenet_send_ftp_client_packets($1) corenet_receive_ftp_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ftp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ftp_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_ftp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ftp_client_packets'($*)) dnl corenet_dontaudit_send_ftp_client_packets($1) corenet_dontaudit_receive_ftp_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ftp_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to ftp_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_ftp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ftp_client_packets'($*)) dnl gen_require(` type ftp_client_packet_t; ') allow $1 ftp_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ftp_client_packets'($*)) dnl ') ######################################## ## ## Send ftp_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_ftp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ftp_server_packets'($*)) dnl gen_require(` type ftp_server_packet_t; ') allow $1 ftp_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ftp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ftp_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_ftp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ftp_server_packets'($*)) dnl gen_require(` type ftp_server_packet_t; ') dontaudit $1 ftp_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ftp_server_packets'($*)) dnl ') ######################################## ## ## Receive ftp_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_ftp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ftp_server_packets'($*)) dnl gen_require(` type ftp_server_packet_t; ') allow $1 ftp_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ftp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ftp_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_receive_ftp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ftp_server_packets'($*)) dnl gen_require(` type ftp_server_packet_t; ') dontaudit $1 ftp_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ftp_server_packets'($*)) dnl ') ######################################## ## ## Send and receive ftp_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_ftp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ftp_server_packets'($*)) dnl corenet_send_ftp_server_packets($1) corenet_receive_ftp_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ftp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ftp_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_ftp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ftp_server_packets'($*)) dnl corenet_dontaudit_send_ftp_server_packets($1) corenet_dontaudit_receive_ftp_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ftp_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to ftp_server the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_ftp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ftp_server_packets'($*)) dnl gen_require(` type ftp_server_packet_t; ') allow $1 ftp_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ftp_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the ftp_data port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_ftp_data_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ftp_data_port'($*)) dnl gen_require(` type ftp_data_port_t; ') allow $1 ftp_data_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ftp_data_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the ftp_data port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_ftp_data_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ftp_data_port'($*)) dnl gen_require(` type ftp_data_port_t; ') allow $1 ftp_data_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_ftp_data_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the ftp_data port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_send_ftp_data_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ftp_data_port'($*)) dnl gen_require(` type ftp_data_port_t; ') dontaudit $1 ftp_data_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ftp_data_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the ftp_data port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_ftp_data_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ftp_data_port'($*)) dnl gen_require(` type ftp_data_port_t; ') allow $1 ftp_data_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ftp_data_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the ftp_data port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_ftp_data_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ftp_data_port'($*)) dnl gen_require(` type ftp_data_port_t; ') dontaudit $1 ftp_data_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ftp_data_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the ftp_data port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_sendrecv_ftp_data_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ftp_data_port'($*)) dnl corenet_udp_send_ftp_data_port($1) corenet_udp_receive_ftp_data_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ftp_data_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the ftp_data port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_ftp_data_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ftp_data_port'($*)) dnl corenet_dontaudit_udp_send_ftp_data_port($1) corenet_dontaudit_udp_receive_ftp_data_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ftp_data_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the ftp_data port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_ftp_data_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ftp_data_port'($*)) dnl gen_require(` type ftp_data_port_t; ') allow $1 ftp_data_port_t:tcp_socket name_bind; allow $1 self:capability net_bind_service; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ftp_data_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the ftp_data port. ## ## ## ## Domain allowed access. 
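##
##
##
#
define(`corenet_udp_bind_ftp_data_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ftp_data_port'($*)) dnl
	gen_require(`
		type ftp_data_port_t;
	')

	allow $1 ftp_data_port_t:udp_socket name_bind;
	# ftp_data is a privileged port, so binding it also needs CAP_NET_BIND_SERVICE
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ftp_data_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind UDP sockets to the ftp_data port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ftp_data_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ftp_data_port'($*)) dnl
	gen_require(`
		type ftp_data_port_t;
	')

	dontaudit $1 ftp_data_port_t:udp_socket name_bind;
	# A dontaudit interface must not widen the caller: the capability denial
	# is silenced here, not granted (this rule was previously an allow).
	dontaudit $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ftp_data_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the ftp_data port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ftp_data_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ftp_data_port'($*)) dnl
	gen_require(`
		type ftp_data_port_t;
	')

	allow $1 ftp_data_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ftp_data_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the ftp_data port.
##
##
##
##	Domain to not audit.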
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_ftp_data_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ftp_data_port'($*)) dnl
gen_require(`
	type ftp_data_port_t;
')

dontaudit $1 ftp_data_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ftp_data_port'($*)) dnl
')

########################################
## <summary>
##	Send ftp_data_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_ftp_data_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ftp_data_client_packets'($*)) dnl
gen_require(`
	type ftp_data_client_packet_t;
')

allow $1 ftp_data_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ftp_data_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send ftp_data_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_ftp_data_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ftp_data_client_packets'($*)) dnl
gen_require(`
	type ftp_data_client_packet_t;
')

dontaudit $1 ftp_data_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ftp_data_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive ftp_data_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_ftp_data_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ftp_data_client_packets'($*)) dnl
gen_require(`
	type ftp_data_client_packet_t;
')

allow $1 ftp_data_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ftp_data_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive ftp_data_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_ftp_data_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ftp_data_client_packets'($*)) dnl
gen_require(`
	type ftp_data_client_packet_t;
')

dontaudit $1 ftp_data_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ftp_data_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive ftp_data_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_ftp_data_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ftp_data_client_packets'($*)) dnl
corenet_send_ftp_data_client_packets($1)
corenet_receive_ftp_data_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ftp_data_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive ftp_data_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_ftp_data_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ftp_data_client_packets'($*)) dnl
corenet_dontaudit_send_ftp_data_client_packets($1)
corenet_dontaudit_receive_ftp_data_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ftp_data_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the ftp_data_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_ftp_data_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ftp_data_client_packets'($*)) dnl
gen_require(`
	type ftp_data_client_packet_t;
')

allow $1 ftp_data_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ftp_data_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send ftp_data_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_ftp_data_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ftp_data_server_packets'($*)) dnl
gen_require(`
	type ftp_data_server_packet_t;
')

allow $1 ftp_data_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ftp_data_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send ftp_data_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_ftp_data_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ftp_data_server_packets'($*)) dnl
gen_require(`
	type ftp_data_server_packet_t;
')

dontaudit $1 ftp_data_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ftp_data_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive ftp_data_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_ftp_data_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ftp_data_server_packets'($*)) dnl
gen_require(`
	type ftp_data_server_packet_t;
')

allow $1 ftp_data_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ftp_data_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive ftp_data_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_ftp_data_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ftp_data_server_packets'($*)) dnl
gen_require(`
	type ftp_data_server_packet_t;
')

dontaudit $1 ftp_data_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ftp_data_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive ftp_data_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_ftp_data_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ftp_data_server_packets'($*)) dnl
corenet_send_ftp_data_server_packets($1)
corenet_receive_ftp_data_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ftp_data_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive ftp_data_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_ftp_data_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ftp_data_server_packets'($*)) dnl
corenet_dontaudit_send_ftp_data_server_packets($1)
corenet_dontaudit_receive_ftp_data_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ftp_data_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the ftp_data_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_ftp_data_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ftp_data_server_packets'($*)) dnl
gen_require(`
	type ftp_data_server_packet_t;
')

allow $1 ftp_data_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ftp_data_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the gatekeeper port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_gatekeeper_port'($*)) dnl
gen_require(`
	type gatekeeper_port_t;
')

allow $1 gatekeeper_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_gatekeeper_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the gatekeeper port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_gatekeeper_port'($*)) dnl
gen_require(`
	type gatekeeper_port_t;
')

allow $1 gatekeeper_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_gatekeeper_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the gatekeeper port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_gatekeeper_port'($*)) dnl
gen_require(`
	type gatekeeper_port_t;
')

dontaudit $1 gatekeeper_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_gatekeeper_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the gatekeeper port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_gatekeeper_port'($*)) dnl
gen_require(`
	type gatekeeper_port_t;
')

allow $1 gatekeeper_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_gatekeeper_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the gatekeeper port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_gatekeeper_port'($*)) dnl
gen_require(`
	type gatekeeper_port_t;
')

dontaudit $1 gatekeeper_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_gatekeeper_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the gatekeeper port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_gatekeeper_port'($*)) dnl
corenet_udp_send_gatekeeper_port($1)
corenet_udp_receive_gatekeeper_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_gatekeeper_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the gatekeeper port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_gatekeeper_port'($*)) dnl
corenet_dontaudit_udp_send_gatekeeper_port($1)
corenet_dontaudit_udp_receive_gatekeeper_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_gatekeeper_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the gatekeeper port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_gatekeeper_port'($*)) dnl
gen_require(`
	type gatekeeper_port_t;
')

allow $1 gatekeeper_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_gatekeeper_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the gatekeeper port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_gatekeeper_port'($*)) dnl
gen_require(`
	type gatekeeper_port_t;
')

allow $1 gatekeeper_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_gatekeeper_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the gatekeeper port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_gatekeeper_port'($*)) dnl
gen_require(`
	type gatekeeper_port_t;
')

dontaudit $1 gatekeeper_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_gatekeeper_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the gatekeeper port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_gatekeeper_port'($*)) dnl
gen_require(`
	type gatekeeper_port_t;
')

allow $1 gatekeeper_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_gatekeeper_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the gatekeeper port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_gatekeeper_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_gatekeeper_port'($*)) dnl
gen_require(`
	type gatekeeper_port_t;
')

dontaudit $1 gatekeeper_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_gatekeeper_port'($*)) dnl
')

########################################
## <summary>
##	Send gatekeeper_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_gatekeeper_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gatekeeper_client_packets'($*)) dnl
gen_require(`
	type gatekeeper_client_packet_t;
')

allow $1 gatekeeper_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gatekeeper_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send gatekeeper_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_gatekeeper_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gatekeeper_client_packets'($*)) dnl
gen_require(`
	type gatekeeper_client_packet_t;
')

dontaudit $1 gatekeeper_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gatekeeper_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive gatekeeper_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_gatekeeper_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gatekeeper_client_packets'($*)) dnl
gen_require(`
	type gatekeeper_client_packet_t;
')

allow $1 gatekeeper_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gatekeeper_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive gatekeeper_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_gatekeeper_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gatekeeper_client_packets'($*)) dnl
gen_require(`
	type gatekeeper_client_packet_t;
')

dontaudit $1 gatekeeper_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gatekeeper_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive gatekeeper_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_gatekeeper_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gatekeeper_client_packets'($*)) dnl
corenet_send_gatekeeper_client_packets($1)
corenet_receive_gatekeeper_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gatekeeper_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive gatekeeper_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_gatekeeper_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gatekeeper_client_packets'($*)) dnl
corenet_dontaudit_send_gatekeeper_client_packets($1)
corenet_dontaudit_receive_gatekeeper_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gatekeeper_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the gatekeeper_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_gatekeeper_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gatekeeper_client_packets'($*)) dnl
gen_require(`
	type gatekeeper_client_packet_t;
')

allow $1 gatekeeper_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gatekeeper_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send gatekeeper_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_gatekeeper_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gatekeeper_server_packets'($*)) dnl
gen_require(`
	type gatekeeper_server_packet_t;
')

allow $1 gatekeeper_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gatekeeper_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send gatekeeper_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_gatekeeper_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gatekeeper_server_packets'($*)) dnl
gen_require(`
	type gatekeeper_server_packet_t;
')

dontaudit $1 gatekeeper_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gatekeeper_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive gatekeeper_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_gatekeeper_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gatekeeper_server_packets'($*)) dnl
gen_require(`
	type gatekeeper_server_packet_t;
')

allow $1 gatekeeper_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gatekeeper_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive gatekeeper_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_gatekeeper_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gatekeeper_server_packets'($*)) dnl
gen_require(`
	type gatekeeper_server_packet_t;
')

dontaudit $1 gatekeeper_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gatekeeper_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive gatekeeper_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_gatekeeper_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gatekeeper_server_packets'($*)) dnl
corenet_send_gatekeeper_server_packets($1)
corenet_receive_gatekeeper_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gatekeeper_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive gatekeeper_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_gatekeeper_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gatekeeper_server_packets'($*)) dnl
corenet_dontaudit_send_gatekeeper_server_packets($1)
corenet_dontaudit_receive_gatekeeper_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gatekeeper_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the gatekeeper_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_gatekeeper_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gatekeeper_server_packets'($*)) dnl
gen_require(`
	type gatekeeper_server_packet_t;
')

allow $1 gatekeeper_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gatekeeper_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the gear port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_gear_port'($*)) dnl
gen_require(`
	type gear_port_t;
')

allow $1 gear_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_gear_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the gear port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_gear_port'($*)) dnl
gen_require(`
	type gear_port_t;
')

allow $1 gear_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_gear_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the gear port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_gear_port'($*)) dnl
gen_require(`
	type gear_port_t;
')

dontaudit $1 gear_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_gear_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the gear port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_gear_port'($*)) dnl
gen_require(`
	type gear_port_t;
')

allow $1 gear_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_gear_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the gear port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_gear_port'($*)) dnl
gen_require(`
	type gear_port_t;
')

dontaudit $1 gear_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_gear_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the gear port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_gear_port'($*)) dnl
corenet_udp_send_gear_port($1)
corenet_udp_receive_gear_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_gear_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the gear port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_gear_port'($*)) dnl
corenet_dontaudit_udp_send_gear_port($1)
corenet_dontaudit_udp_receive_gear_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_gear_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the gear port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_gear_port'($*)) dnl
gen_require(`
	type gear_port_t;
')

allow $1 gear_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_gear_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the gear port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_gear_port'($*)) dnl
gen_require(`
	type gear_port_t;
')

allow $1 gear_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_gear_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the gear port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_gear_port'($*)) dnl
gen_require(`
	type gear_port_t;
')

dontaudit $1 gear_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_gear_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the gear port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_gear_port'($*)) dnl
gen_require(`
	type gear_port_t;
')

allow $1 gear_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_gear_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the gear port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_gear_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_gear_port'($*)) dnl
gen_require(`
	type gear_port_t;
')

dontaudit $1 gear_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_gear_port'($*)) dnl
')

########################################
## <summary>
##	Send gear_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_gear_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gear_client_packets'($*)) dnl
gen_require(`
	type gear_client_packet_t;
')

allow $1 gear_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gear_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send gear_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_gear_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gear_client_packets'($*)) dnl
gen_require(`
	type gear_client_packet_t;
')

dontaudit $1 gear_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gear_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive gear_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_gear_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gear_client_packets'($*)) dnl
gen_require(`
	type gear_client_packet_t;
')

allow $1 gear_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gear_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive gear_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_gear_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gear_client_packets'($*)) dnl
gen_require(`
	type gear_client_packet_t;
')

dontaudit $1 gear_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gear_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive gear_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
#
# Composite: expands the send and receive interfaces for the same domain.
define(`corenet_sendrecv_gear_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gear_client_packets'($*)) dnl
	corenet_send_gear_client_packets($1)
	corenet_receive_gear_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gear_client_packets'($*)) dnl
')
########################################
## Do not audit attempts to send and receive gear_client packets.
## $1 - Domain to not audit.
## dontaudit only suppresses AVC denial logging; it grants nothing.
#
define(`corenet_dontaudit_sendrecv_gear_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gear_client_packets'($*)) dnl
	corenet_dontaudit_send_gear_client_packets($1)
	corenet_dontaudit_receive_gear_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gear_client_packets'($*)) dnl
')
########################################
## Relabel packets to the gear_client packet type.
## $1 - Domain allowed access.
#
define(`corenet_relabelto_gear_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gear_client_packets'($*)) dnl
	gen_require(`
		type gear_client_packet_t;
	')
	allow $1 gear_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_gear_client_packets'($*)) dnl
')
########################################
## Send gear_server packets.
## $1 - Domain allowed access.
#
# policy_call_depth is pushed/popped around each interface body; policy_m4_comment
# (defined elsewhere in this file) appears to emit begin/end markers for the expansion.
define(`corenet_send_gear_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_gear_server_packets'($*)) dnl
	gen_require(`
		type gear_server_packet_t;
	')
	allow $1 gear_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_gear_server_packets'($*)) dnl
')
########################################
## Do not audit attempts to send gear_server packets.
## $1 - Domain to not audit.
## dontaudit only suppresses AVC denial logging; it grants nothing.
#
define(`corenet_dontaudit_send_gear_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gear_server_packets'($*)) dnl
	gen_require(`
		type gear_server_packet_t;
	')
	dontaudit $1 gear_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gear_server_packets'($*)) dnl
')
########################################
## Receive gear_server packets.
## $1 - Domain allowed access.
#
define(`corenet_receive_gear_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_gear_server_packets'($*)) dnl
	gen_require(`
		type gear_server_packet_t;
	')
	allow $1 gear_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_gear_server_packets'($*)) dnl
')
########################################
## Do not audit attempts to receive gear_server packets.
## $1 - Domain to not audit.
#
# dontaudit only suppresses AVC denial logging; it grants nothing.
define(`corenet_dontaudit_receive_gear_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gear_server_packets'($*)) dnl
	gen_require(`
		type gear_server_packet_t;
	')
	dontaudit $1 gear_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gear_server_packets'($*)) dnl
')
########################################
## Send and receive gear_server packets.
## $1 - Domain allowed access.
## Composite: expands the send and receive interfaces for the same domain.
#
define(`corenet_sendrecv_gear_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gear_server_packets'($*)) dnl
	corenet_send_gear_server_packets($1)
	corenet_receive_gear_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gear_server_packets'($*)) dnl
')
########################################
## Do not audit attempts to send and receive gear_server packets.
## $1 - Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_gear_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gear_server_packets'($*)) dnl
	corenet_dontaudit_send_gear_server_packets($1)
	corenet_dontaudit_receive_gear_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gear_server_packets'($*)) dnl
')
########################################
## Relabel packets to the gear_server packet type.
## $1 - Domain allowed access.
#
# policy_call_depth is pushed/popped around each interface body; policy_m4_comment
# (defined elsewhere in this file) appears to emit begin/end markers for the expansion.
define(`corenet_relabelto_gear_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gear_server_packets'($*)) dnl
	gen_require(`
		type gear_server_packet_t;
	')
	allow $1 gear_server_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_gear_server_packets'($*)) dnl
')
########################################
## Send and receive TCP traffic on the geneve port.
## $1 - Domain allowed access.
#
define(`corenet_tcp_sendrecv_geneve_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_geneve_port'($*)) dnl
	gen_require(`
		type geneve_port_t;
	')
	allow $1 geneve_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_geneve_port'($*)) dnl
')
########################################
## Send UDP traffic on the geneve port.
## $1 - Domain allowed access.
#
define(`corenet_udp_send_geneve_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_geneve_port'($*)) dnl
	gen_require(`
		type geneve_port_t;
	')
	allow $1 geneve_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_geneve_port'($*)) dnl
')
########################################
## Do not audit attempts to send UDP traffic on the geneve port.
## $1 - Domain to not audit.
#
# dontaudit only suppresses AVC denial logging; it grants nothing.
define(`corenet_dontaudit_udp_send_geneve_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_geneve_port'($*)) dnl
	gen_require(`
		type geneve_port_t;
	')
	dontaudit $1 geneve_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_geneve_port'($*)) dnl
')
########################################
## Receive UDP traffic on the geneve port.
## $1 - Domain allowed access.
#
define(`corenet_udp_receive_geneve_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_geneve_port'($*)) dnl
	gen_require(`
		type geneve_port_t;
	')
	allow $1 geneve_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_geneve_port'($*)) dnl
')
########################################
## Do not audit attempts to receive UDP traffic on the geneve port.
## $1 - Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_geneve_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_geneve_port'($*)) dnl
	gen_require(`
		type geneve_port_t;
	')
	dontaudit $1 geneve_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_geneve_port'($*)) dnl
')
########################################
## Send and receive UDP traffic on the geneve port.
## $1 - Domain allowed access.
#
# Composite: expands the UDP send and receive interfaces for the same domain.
define(`corenet_udp_sendrecv_geneve_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_geneve_port'($*)) dnl
	corenet_udp_send_geneve_port($1)
	corenet_udp_receive_geneve_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_geneve_port'($*)) dnl
')
########################################
## Do not audit attempts to send and receive
## UDP traffic on the geneve port.
## $1 - Domain to not audit.
## dontaudit only suppresses AVC denial logging; it grants nothing.
#
define(`corenet_dontaudit_udp_sendrecv_geneve_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_geneve_port'($*)) dnl
	corenet_dontaudit_udp_send_geneve_port($1)
	corenet_dontaudit_udp_receive_geneve_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_geneve_port'($*)) dnl
')
########################################
## Bind TCP sockets to the geneve port.
## $1 - Domain allowed access.
## Note: no self:capability net_bind_service is granted here; the caller
## must obtain it separately if the port is privileged.
#
define(`corenet_tcp_bind_geneve_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_geneve_port'($*)) dnl
	gen_require(`
		type geneve_port_t;
	')
	allow $1 geneve_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_geneve_port'($*)) dnl
')
########################################
## Bind UDP sockets to the geneve port.
## $1 - Domain allowed access.
#
# policy_call_depth is pushed/popped around each interface body; policy_m4_comment
# (defined elsewhere in this file) appears to emit begin/end markers for the expansion.
define(`corenet_udp_bind_geneve_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_geneve_port'($*)) dnl
	gen_require(`
		type geneve_port_t;
	')
	allow $1 geneve_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_geneve_port'($*)) dnl
')
########################################
## Do not audit attempts to bind UDP sockets to the geneve port.
## $1 - Domain to not audit.
## dontaudit only suppresses AVC denial logging; it grants nothing.
#
define(`corenet_dontaudit_udp_bind_geneve_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_geneve_port'($*)) dnl
	gen_require(`
		type geneve_port_t;
	')
	dontaudit $1 geneve_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_geneve_port'($*)) dnl
')
########################################
## Make a TCP connection to the geneve port.
## $1 - Domain allowed access.
#
define(`corenet_tcp_connect_geneve_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_geneve_port'($*)) dnl
	gen_require(`
		type geneve_port_t;
	')
	allow $1 geneve_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_geneve_port'($*)) dnl
')
########################################
## Do not audit attempts to make a TCP connection to the geneve port.
## $1 - Domain to not audit.
#
# dontaudit only suppresses AVC denial logging; it grants nothing.
define(`corenet_dontaudit_tcp_connect_geneve_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_geneve_port'($*)) dnl
	gen_require(`
		type geneve_port_t;
	')
	dontaudit $1 geneve_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_geneve_port'($*)) dnl
')
########################################
## Send geneve_client packets.
## $1 - Domain allowed access.
#
define(`corenet_send_geneve_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_geneve_client_packets'($*)) dnl
	gen_require(`
		type geneve_client_packet_t;
	')
	allow $1 geneve_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_geneve_client_packets'($*)) dnl
')
########################################
## Do not audit attempts to send geneve_client packets.
## $1 - Domain to not audit.
#
define(`corenet_dontaudit_send_geneve_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_geneve_client_packets'($*)) dnl
	gen_require(`
		type geneve_client_packet_t;
	')
	dontaudit $1 geneve_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_geneve_client_packets'($*)) dnl
')
########################################
## Receive geneve_client packets.
## $1 - Domain allowed access.
#
# policy_call_depth is pushed/popped around each interface body; policy_m4_comment
# (defined elsewhere in this file) appears to emit begin/end markers for the expansion.
define(`corenet_receive_geneve_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_geneve_client_packets'($*)) dnl
	gen_require(`
		type geneve_client_packet_t;
	')
	allow $1 geneve_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_geneve_client_packets'($*)) dnl
')
########################################
## Do not audit attempts to receive geneve_client packets.
## $1 - Domain to not audit.
## dontaudit only suppresses AVC denial logging; it grants nothing.
#
define(`corenet_dontaudit_receive_geneve_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_geneve_client_packets'($*)) dnl
	gen_require(`
		type geneve_client_packet_t;
	')
	dontaudit $1 geneve_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_geneve_client_packets'($*)) dnl
')
########################################
## Send and receive geneve_client packets.
## $1 - Domain allowed access.
## Composite: expands the send and receive interfaces for the same domain.
#
define(`corenet_sendrecv_geneve_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_geneve_client_packets'($*)) dnl
	corenet_send_geneve_client_packets($1)
	corenet_receive_geneve_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_geneve_client_packets'($*)) dnl
')
########################################
## Do not audit attempts to send and receive geneve_client packets.
## $1 - Domain to not audit.
#
# Composite dontaudit: only suppresses AVC denial logging; it grants nothing.
define(`corenet_dontaudit_sendrecv_geneve_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_geneve_client_packets'($*)) dnl
	corenet_dontaudit_send_geneve_client_packets($1)
	corenet_dontaudit_receive_geneve_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_geneve_client_packets'($*)) dnl
')
########################################
## Relabel packets to the geneve_client packet type.
## $1 - Domain allowed access.
#
define(`corenet_relabelto_geneve_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_geneve_client_packets'($*)) dnl
	gen_require(`
		type geneve_client_packet_t;
	')
	allow $1 geneve_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_geneve_client_packets'($*)) dnl
')
########################################
## Send geneve_server packets.
## $1 - Domain allowed access.
#
define(`corenet_send_geneve_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_geneve_server_packets'($*)) dnl
	gen_require(`
		type geneve_server_packet_t;
	')
	allow $1 geneve_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_geneve_server_packets'($*)) dnl
')
########################################
## Do not audit attempts to send geneve_server packets.
## $1 - Domain to not audit.
#
# dontaudit only suppresses AVC denial logging; it grants nothing.
define(`corenet_dontaudit_send_geneve_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_geneve_server_packets'($*)) dnl
	gen_require(`
		type geneve_server_packet_t;
	')
	dontaudit $1 geneve_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_geneve_server_packets'($*)) dnl
')
########################################
## Receive geneve_server packets.
## $1 - Domain allowed access.
#
define(`corenet_receive_geneve_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_geneve_server_packets'($*)) dnl
	gen_require(`
		type geneve_server_packet_t;
	')
	allow $1 geneve_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_geneve_server_packets'($*)) dnl
')
########################################
## Do not audit attempts to receive geneve_server packets.
## $1 - Domain to not audit.
#
define(`corenet_dontaudit_receive_geneve_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_geneve_server_packets'($*)) dnl
	gen_require(`
		type geneve_server_packet_t;
	')
	dontaudit $1 geneve_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_geneve_server_packets'($*)) dnl
')
########################################
## Send and receive geneve_server packets.
## $1 - Domain allowed access.
#
# Composite: expands the send and receive interfaces for the same domain.
define(`corenet_sendrecv_geneve_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_geneve_server_packets'($*)) dnl
	corenet_send_geneve_server_packets($1)
	corenet_receive_geneve_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_geneve_server_packets'($*)) dnl
')
########################################
## Do not audit attempts to send and receive geneve_server packets.
## $1 - Domain to not audit.
## dontaudit only suppresses AVC denial logging; it grants nothing.
#
define(`corenet_dontaudit_sendrecv_geneve_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_geneve_server_packets'($*)) dnl
	corenet_dontaudit_send_geneve_server_packets($1)
	corenet_dontaudit_receive_geneve_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_geneve_server_packets'($*)) dnl
')
########################################
## Relabel packets to the geneve_server packet type.
## $1 - Domain allowed access.
#
define(`corenet_relabelto_geneve_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_geneve_server_packets'($*)) dnl
	gen_require(`
		type geneve_server_packet_t;
	')
	allow $1 geneve_server_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_geneve_server_packets'($*)) dnl
')
########################################
## Send and receive TCP traffic on the gdomap port.
## $1 - Domain allowed access.
#
# policy_call_depth is pushed/popped around each interface body; policy_m4_comment
# (defined elsewhere in this file) appears to emit begin/end markers for the expansion.
define(`corenet_tcp_sendrecv_gdomap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_gdomap_port'($*)) dnl
	gen_require(`
		type gdomap_port_t;
	')
	allow $1 gdomap_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_gdomap_port'($*)) dnl
')
########################################
## Send UDP traffic on the gdomap port.
## $1 - Domain allowed access.
#
define(`corenet_udp_send_gdomap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_gdomap_port'($*)) dnl
	gen_require(`
		type gdomap_port_t;
	')
	allow $1 gdomap_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_gdomap_port'($*)) dnl
')
########################################
## Do not audit attempts to send UDP traffic on the gdomap port.
## $1 - Domain to not audit.
## dontaudit only suppresses AVC denial logging; it grants nothing.
#
define(`corenet_dontaudit_udp_send_gdomap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_gdomap_port'($*)) dnl
	gen_require(`
		type gdomap_port_t;
	')
	dontaudit $1 gdomap_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_gdomap_port'($*)) dnl
')
########################################
## Receive UDP traffic on the gdomap port.
## $1 - Domain allowed access.
#
# policy_call_depth is pushed/popped around each interface body; policy_m4_comment
# (defined elsewhere in this file) appears to emit begin/end markers for the expansion.
define(`corenet_udp_receive_gdomap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_gdomap_port'($*)) dnl
	gen_require(`
		type gdomap_port_t;
	')
	allow $1 gdomap_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_gdomap_port'($*)) dnl
')
########################################
## Do not audit attempts to receive UDP traffic on the gdomap port.
## $1 - Domain to not audit.
## dontaudit only suppresses AVC denial logging; it grants nothing.
#
define(`corenet_dontaudit_udp_receive_gdomap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_gdomap_port'($*)) dnl
	gen_require(`
		type gdomap_port_t;
	')
	dontaudit $1 gdomap_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_gdomap_port'($*)) dnl
')
########################################
## Send and receive UDP traffic on the gdomap port.
## $1 - Domain allowed access.
## Composite: expands the UDP send and receive interfaces for the same domain.
#
define(`corenet_udp_sendrecv_gdomap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_gdomap_port'($*)) dnl
	corenet_udp_send_gdomap_port($1)
	corenet_udp_receive_gdomap_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_gdomap_port'($*)) dnl
')
########################################
## Do not audit attempts to send and receive
## UDP traffic on the gdomap port.
## $1 - Domain to not audit.
#
# Composite dontaudit: only suppresses AVC denial logging; it grants nothing.
define(`corenet_dontaudit_udp_sendrecv_gdomap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_gdomap_port'($*)) dnl
	corenet_dontaudit_udp_send_gdomap_port($1)
	corenet_dontaudit_udp_receive_gdomap_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_gdomap_port'($*)) dnl
')
########################################
## Bind TCP sockets to the gdomap port.
## $1 - Domain allowed access.
## NOTE(review): unlike the geneve/gear bind interfaces, this one also grants
## self:capability net_bind_service to $1 -- presumably because the gdomap
## port is a privileged (<1024) port; confirm against the port declaration.
## Callers get a capability, not just a port type, so review its use.
#
define(`corenet_tcp_bind_gdomap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_gdomap_port'($*)) dnl
	gen_require(`
		type gdomap_port_t;
	')
	allow $1 gdomap_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_gdomap_port'($*)) dnl
')
########################################
## Bind UDP sockets to the gdomap port.
## $1 - Domain allowed access.
## Also grants self:capability net_bind_service (see the TCP bind note above).
#
define(`corenet_udp_bind_gdomap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_gdomap_port'($*)) dnl
	gen_require(`
		type gdomap_port_t;
	')
	allow $1 gdomap_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_gdomap_port'($*)) dnl
')
########################################
## Do not audit attempts to bind UDP sockets to the gdomap port.
## $1 - Domain to not audit.
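#
# Fix: this dontaudit interface previously also carried
# `allow $1 self:capability net_bind_service;`. A dontaudit_* interface must
# only silence AVC denials and never grant access; a caller asking to quiet
# bind denials was silently handed CAP_NET_BIND_SERVICE. The allow is removed;
# domains that genuinely need to bind use corenet_udp_bind_gdomap_port.
define(`corenet_dontaudit_udp_bind_gdomap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_gdomap_port'($*)) dnl
	gen_require(`
		type gdomap_port_t;
	')
	dontaudit $1 gdomap_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_gdomap_port'($*)) dnl
')
########################################
## Make a TCP connection to the gdomap port.
## $1 - Domain allowed access.
#
define(`corenet_tcp_connect_gdomap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_gdomap_port'($*)) dnl
	gen_require(`
		type gdomap_port_t;
	')
	allow $1 gdomap_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_gdomap_port'($*)) dnl
')
########################################
## Do not audit attempts to make a TCP connection to the gdomap port.
## $1 - Domain to not audit.
## dontaudit only suppresses AVC denial logging; it grants nothing.
#
define(`corenet_dontaudit_tcp_connect_gdomap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_gdomap_port'($*)) dnl
	gen_require(`
		type gdomap_port_t;
	')
	dontaudit $1 gdomap_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_gdomap_port'($*)) dnl
')
########################################
## Send gdomap_client packets.
## $1 - Domain allowed access.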
#
# policy_call_depth is pushed/popped around each interface body; policy_m4_comment
# (defined elsewhere in this file) appears to emit begin/end markers for the expansion.
define(`corenet_send_gdomap_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_gdomap_client_packets'($*)) dnl
	gen_require(`
		type gdomap_client_packet_t;
	')
	allow $1 gdomap_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_gdomap_client_packets'($*)) dnl
')
########################################
## Do not audit attempts to send gdomap_client packets.
## $1 - Domain to not audit.
## dontaudit only suppresses AVC denial logging; it grants nothing.
#
define(`corenet_dontaudit_send_gdomap_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gdomap_client_packets'($*)) dnl
	gen_require(`
		type gdomap_client_packet_t;
	')
	dontaudit $1 gdomap_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gdomap_client_packets'($*)) dnl
')
########################################
## Receive gdomap_client packets.
## $1 - Domain allowed access.
#
define(`corenet_receive_gdomap_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_gdomap_client_packets'($*)) dnl
	gen_require(`
		type gdomap_client_packet_t;
	')
	allow $1 gdomap_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_gdomap_client_packets'($*)) dnl
')
########################################
## Do not audit attempts to receive gdomap_client packets.
## $1 - Domain to not audit.
#
# dontaudit only suppresses AVC denial logging; it grants nothing.
define(`corenet_dontaudit_receive_gdomap_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gdomap_client_packets'($*)) dnl
	gen_require(`
		type gdomap_client_packet_t;
	')
	dontaudit $1 gdomap_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gdomap_client_packets'($*)) dnl
')
########################################
## Send and receive gdomap_client packets.
## $1 - Domain allowed access.
## Composite: expands the send and receive interfaces for the same domain.
#
define(`corenet_sendrecv_gdomap_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gdomap_client_packets'($*)) dnl
	corenet_send_gdomap_client_packets($1)
	corenet_receive_gdomap_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gdomap_client_packets'($*)) dnl
')
########################################
## Do not audit attempts to send and receive gdomap_client packets.
## $1 - Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_gdomap_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gdomap_client_packets'($*)) dnl
	corenet_dontaudit_send_gdomap_client_packets($1)
	corenet_dontaudit_receive_gdomap_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gdomap_client_packets'($*)) dnl
')
########################################
## Relabel packets to the gdomap_client packet type.
## $1 - Domain allowed access.
#
# policy_call_depth is pushed/popped around each interface body; policy_m4_comment
# (defined elsewhere in this file) appears to emit begin/end markers for the expansion.
define(`corenet_relabelto_gdomap_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gdomap_client_packets'($*)) dnl
	gen_require(`
		type gdomap_client_packet_t;
	')
	allow $1 gdomap_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_gdomap_client_packets'($*)) dnl
')
########################################
## Send gdomap_server packets.
## $1 - Domain allowed access.
#
define(`corenet_send_gdomap_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_gdomap_server_packets'($*)) dnl
	gen_require(`
		type gdomap_server_packet_t;
	')
	allow $1 gdomap_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_gdomap_server_packets'($*)) dnl
')
########################################
## Do not audit attempts to send gdomap_server packets.
## $1 - Domain to not audit.
## dontaudit only suppresses AVC denial logging; it grants nothing.
#
define(`corenet_dontaudit_send_gdomap_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gdomap_server_packets'($*)) dnl
	gen_require(`
		type gdomap_server_packet_t;
	')
	dontaudit $1 gdomap_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gdomap_server_packets'($*)) dnl
')
########################################
## Receive gdomap_server packets.
## $1 - Domain allowed access.
#
# policy_call_depth is pushed/popped around each interface body; policy_m4_comment
# (defined elsewhere in this file) appears to emit begin/end markers for the expansion.
define(`corenet_receive_gdomap_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_gdomap_server_packets'($*)) dnl
	gen_require(`
		type gdomap_server_packet_t;
	')
	allow $1 gdomap_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_gdomap_server_packets'($*)) dnl
')
########################################
## Do not audit attempts to receive gdomap_server packets.
## $1 - Domain to not audit.
## dontaudit only suppresses AVC denial logging; it grants nothing.
#
define(`corenet_dontaudit_receive_gdomap_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gdomap_server_packets'($*)) dnl
	gen_require(`
		type gdomap_server_packet_t;
	')
	dontaudit $1 gdomap_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gdomap_server_packets'($*)) dnl
')
########################################
## Send and receive gdomap_server packets.
## $1 - Domain allowed access.
## Composite: expands the send and receive interfaces for the same domain.
#
define(`corenet_sendrecv_gdomap_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gdomap_server_packets'($*)) dnl
	corenet_send_gdomap_server_packets($1)
	corenet_receive_gdomap_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gdomap_server_packets'($*)) dnl
')
########################################
## Do not audit attempts to send and receive gdomap_server packets.
## $1 - Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_gdomap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gdomap_server_packets'($*)) dnl
corenet_dontaudit_send_gdomap_server_packets($1)
corenet_dontaudit_receive_gdomap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gdomap_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the gdomap_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_gdomap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gdomap_server_packets'($*)) dnl
gen_require(`
	type gdomap_server_packet_t;
')
allow $1 gdomap_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gdomap_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the gds_db port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_gds_db_port'($*)) dnl
gen_require(`
	type gds_db_port_t;
')
allow $1 gds_db_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_gds_db_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the gds_db port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_gds_db_port'($*)) dnl
gen_require(`
	type gds_db_port_t;
')
allow $1 gds_db_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_gds_db_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the gds_db port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_gds_db_port'($*)) dnl
gen_require(`
	type gds_db_port_t;
')
dontaudit $1 gds_db_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_gds_db_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the gds_db port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_gds_db_port'($*)) dnl
gen_require(`
	type gds_db_port_t;
')
allow $1 gds_db_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_gds_db_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the gds_db port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_gds_db_port'($*)) dnl
gen_require(`
	type gds_db_port_t;
')
dontaudit $1 gds_db_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_gds_db_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the gds_db port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_gds_db_port'($*)) dnl
corenet_udp_send_gds_db_port($1)
corenet_udp_receive_gds_db_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_gds_db_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the gds_db port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_gds_db_port'($*)) dnl
corenet_dontaudit_udp_send_gds_db_port($1)
corenet_dontaudit_udp_receive_gds_db_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_gds_db_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the gds_db port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_gds_db_port'($*)) dnl
gen_require(`
	type gds_db_port_t;
')
allow $1 gds_db_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_gds_db_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the gds_db port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_gds_db_port'($*)) dnl
gen_require(`
	type gds_db_port_t;
')
allow $1 gds_db_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_gds_db_port'($*)) dnl
')
########################################
##
## Do not audit attempts to bind UDP sockets to the gds_db port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_gds_db_port'($*)) dnl
gen_require(`
	type gds_db_port_t;
')
dontaudit $1 gds_db_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_gds_db_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the gds_db port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_gds_db_port'($*)) dnl
gen_require(`
	type gds_db_port_t;
')
allow $1 gds_db_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_gds_db_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to the gds_db port.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_gds_db_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_gds_db_port'($*)) dnl
gen_require(`
	type gds_db_port_t;
')
dontaudit $1 gds_db_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_gds_db_port'($*)) dnl
')
########################################
##
## Send gds_db_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_gds_db_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gds_db_client_packets'($*)) dnl
gen_require(`
	type gds_db_client_packet_t;
')
allow $1 gds_db_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gds_db_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send gds_db_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_gds_db_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gds_db_client_packets'($*)) dnl
gen_require(`
	type gds_db_client_packet_t;
')
dontaudit $1 gds_db_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gds_db_client_packets'($*)) dnl
')
########################################
##
## Receive gds_db_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_gds_db_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gds_db_client_packets'($*)) dnl
gen_require(`
	type gds_db_client_packet_t;
')
allow $1 gds_db_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gds_db_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive gds_db_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_gds_db_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gds_db_client_packets'($*)) dnl
gen_require(`
	type gds_db_client_packet_t;
')
dontaudit $1 gds_db_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gds_db_client_packets'($*)) dnl
')
########################################
##
## Send and receive gds_db_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_gds_db_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gds_db_client_packets'($*)) dnl
corenet_send_gds_db_client_packets($1)
corenet_receive_gds_db_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gds_db_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive gds_db_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_gds_db_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gds_db_client_packets'($*)) dnl
corenet_dontaudit_send_gds_db_client_packets($1)
corenet_dontaudit_receive_gds_db_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gds_db_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the gds_db_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_gds_db_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gds_db_client_packets'($*)) dnl
gen_require(`
	type gds_db_client_packet_t;
')
allow $1 gds_db_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gds_db_client_packets'($*)) dnl
')
########################################
##
## Send gds_db_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_gds_db_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gds_db_server_packets'($*)) dnl
gen_require(`
	type gds_db_server_packet_t;
')
allow $1 gds_db_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gds_db_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send gds_db_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_gds_db_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gds_db_server_packets'($*)) dnl
gen_require(`
	type gds_db_server_packet_t;
')
dontaudit $1 gds_db_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gds_db_server_packets'($*)) dnl
')
########################################
##
## Receive gds_db_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_gds_db_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gds_db_server_packets'($*)) dnl
gen_require(`
	type gds_db_server_packet_t;
')
allow $1 gds_db_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gds_db_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive gds_db_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_gds_db_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gds_db_server_packets'($*)) dnl
gen_require(`
	type gds_db_server_packet_t;
')
dontaudit $1 gds_db_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gds_db_server_packets'($*)) dnl
')
########################################
##
## Send and receive gds_db_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_gds_db_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gds_db_server_packets'($*)) dnl
corenet_send_gds_db_server_packets($1)
corenet_receive_gds_db_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gds_db_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive gds_db_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_gds_db_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gds_db_server_packets'($*)) dnl
corenet_dontaudit_send_gds_db_server_packets($1)
corenet_dontaudit_receive_gds_db_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gds_db_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the gds_db_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_gds_db_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gds_db_server_packets'($*)) dnl
gen_require(`
	type gds_db_server_packet_t;
')
allow $1 gds_db_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gds_db_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the giftd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_giftd_port'($*)) dnl
gen_require(`
	type giftd_port_t;
')
allow $1 giftd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_giftd_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the giftd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_giftd_port'($*)) dnl
gen_require(`
	type giftd_port_t;
')
allow $1 giftd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_giftd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the giftd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_giftd_port'($*)) dnl
gen_require(`
	type giftd_port_t;
')
dontaudit $1 giftd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_giftd_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the giftd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_giftd_port'($*)) dnl
gen_require(`
	type giftd_port_t;
')
allow $1 giftd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_giftd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the giftd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_giftd_port'($*)) dnl
gen_require(`
	type giftd_port_t;
')
dontaudit $1 giftd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_giftd_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the giftd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_giftd_port'($*)) dnl
corenet_udp_send_giftd_port($1)
corenet_udp_receive_giftd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_giftd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the giftd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_giftd_port'($*)) dnl
corenet_dontaudit_udp_send_giftd_port($1)
corenet_dontaudit_udp_receive_giftd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_giftd_port'($*)) dnl
')
########################################
##
## Bind TCP sockets to the giftd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_giftd_port'($*)) dnl
gen_require(`
	type giftd_port_t;
')
allow $1 giftd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_giftd_port'($*)) dnl
')
########################################
##
## Bind UDP sockets to the giftd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_giftd_port'($*)) dnl
gen_require(`
	type giftd_port_t;
')
allow $1 giftd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_giftd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to bind UDP sockets to the giftd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_giftd_port'($*)) dnl
gen_require(`
	type giftd_port_t;
')
dontaudit $1 giftd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_giftd_port'($*)) dnl
')
########################################
##
## Make a TCP connection to the giftd port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_giftd_port'($*)) dnl
gen_require(`
	type giftd_port_t;
')
allow $1 giftd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_giftd_port'($*)) dnl
')
########################################
##
## Do not audit attempts to make a TCP connection to the giftd port.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_giftd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_giftd_port'($*)) dnl
gen_require(`
	type giftd_port_t;
')
dontaudit $1 giftd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_giftd_port'($*)) dnl
')
########################################
##
## Send giftd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_giftd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_giftd_client_packets'($*)) dnl
gen_require(`
	type giftd_client_packet_t;
')
allow $1 giftd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_giftd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send giftd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_giftd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_giftd_client_packets'($*)) dnl
gen_require(`
	type giftd_client_packet_t;
')
dontaudit $1 giftd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_giftd_client_packets'($*)) dnl
')
########################################
##
## Receive giftd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_giftd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_giftd_client_packets'($*)) dnl
gen_require(`
	type giftd_client_packet_t;
')
allow $1 giftd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_giftd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive giftd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_giftd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_giftd_client_packets'($*)) dnl
gen_require(`
	type giftd_client_packet_t;
')
dontaudit $1 giftd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_giftd_client_packets'($*)) dnl
')
########################################
##
## Send and receive giftd_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_giftd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_giftd_client_packets'($*)) dnl
corenet_send_giftd_client_packets($1)
corenet_receive_giftd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_giftd_client_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive giftd_client packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_giftd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_giftd_client_packets'($*)) dnl
corenet_dontaudit_send_giftd_client_packets($1)
corenet_dontaudit_receive_giftd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_giftd_client_packets'($*)) dnl
')
########################################
##
## Relabel packets to the giftd_client packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_giftd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_giftd_client_packets'($*)) dnl
gen_require(`
	type giftd_client_packet_t;
')
allow $1 giftd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_giftd_client_packets'($*)) dnl
')
########################################
##
## Send giftd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_giftd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_giftd_server_packets'($*)) dnl
gen_require(`
	type giftd_server_packet_t;
')
allow $1 giftd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_giftd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send giftd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_giftd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_giftd_server_packets'($*)) dnl
gen_require(`
	type giftd_server_packet_t;
')
dontaudit $1 giftd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_giftd_server_packets'($*)) dnl
')
########################################
##
## Receive giftd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_receive_giftd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_giftd_server_packets'($*)) dnl
gen_require(`
	type giftd_server_packet_t;
')
allow $1 giftd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_giftd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to receive giftd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_giftd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_giftd_server_packets'($*)) dnl
gen_require(`
	type giftd_server_packet_t;
')
dontaudit $1 giftd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_giftd_server_packets'($*)) dnl
')
########################################
##
## Send and receive giftd_server packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_giftd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_giftd_server_packets'($*)) dnl
corenet_send_giftd_server_packets($1)
corenet_receive_giftd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_giftd_server_packets'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive giftd_server packets.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_giftd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_giftd_server_packets'($*)) dnl
corenet_dontaudit_send_giftd_server_packets($1)
corenet_dontaudit_receive_giftd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_giftd_server_packets'($*)) dnl
')
########################################
##
## Relabel packets to the giftd_server packet type.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_relabelto_giftd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_giftd_server_packets'($*)) dnl
gen_require(`
	type giftd_server_packet_t;
')
allow $1 giftd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_giftd_server_packets'($*)) dnl
')
########################################
##
## Send and receive TCP traffic on the git port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_git_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_git_port'($*)) dnl
gen_require(`
	type git_port_t;
')
allow $1 git_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_git_port'($*)) dnl
')
########################################
##
## Send UDP traffic on the git port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_send_git_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_git_port'($*)) dnl
gen_require(`
	type git_port_t;
')
allow $1 git_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_git_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send UDP traffic on the git port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_git_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_git_port'($*)) dnl
gen_require(`
	type git_port_t;
')
dontaudit $1 git_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_git_port'($*)) dnl
')
########################################
##
## Receive UDP traffic on the git port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_git_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_git_port'($*)) dnl
gen_require(`
	type git_port_t;
')
allow $1 git_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_git_port'($*)) dnl
')
########################################
##
## Do not audit attempts to receive UDP traffic on the git port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_git_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_git_port'($*)) dnl
gen_require(`
	type git_port_t;
')
dontaudit $1 git_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_git_port'($*)) dnl
')
########################################
##
## Send and receive UDP traffic on the git port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_git_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_git_port'($*)) dnl
corenet_udp_send_git_port($1)
corenet_udp_receive_git_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_git_port'($*)) dnl
')
########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the git port.
##
##
##
## Domain to not audit.
##
#
define(`corenet_dontaudit_udp_sendrecv_git_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_git_port'($*))dnl
	corenet_dontaudit_udp_send_git_port($1)
	corenet_dontaudit_udp_receive_git_port($1)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_git_port'($*))dnl
')

########################################
##
## Bind TCP sockets to the git port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_tcp_bind_git_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_git_port'($*))dnl
	gen_require(`
		type git_port_t;
	')

	allow $1 git_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_git_port'($*))dnl
')

########################################
##
## Bind UDP sockets to the git port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_udp_bind_git_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_git_port'($*))dnl
	gen_require(`
		type git_port_t;
	')

	allow $1 git_port_t:udp_socket name_bind;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_git_port'($*))dnl
')

########################################
##
## Do not audit attempts to bind UDP sockets to the git port.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_udp_bind_git_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_git_port'($*))dnl
	gen_require(`
		type git_port_t;
	')

	dontaudit $1 git_port_t:udp_socket name_bind;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_git_port'($*))dnl
')

########################################
##
## Make a TCP connection to the git port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_tcp_connect_git_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_git_port'($*))dnl
	gen_require(`
		type git_port_t;
	')

	allow $1 git_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_git_port'($*))dnl
')

########################################
##
## Do not audit attempts to make a TCP connection to the git port.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_tcp_connect_git_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_git_port'($*))dnl
	gen_require(`
		type git_port_t;
	')

	dontaudit $1 git_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_git_port'($*))dnl
')

########################################
##
## Send git_client packets.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_send_git_client_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_git_client_packets'($*))dnl
	gen_require(`
		type git_client_packet_t;
	')

	allow $1 git_client_packet_t:packet send;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_git_client_packets'($*))dnl
')

########################################
##
## Do not audit attempts to send git_client packets.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_send_git_client_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_git_client_packets'($*))dnl
	gen_require(`
		type git_client_packet_t;
	')

	dontaudit $1 git_client_packet_t:packet send;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_git_client_packets'($*))dnl
')

########################################
##
## Receive git_client packets.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_receive_git_client_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_git_client_packets'($*))dnl
	gen_require(`
		type git_client_packet_t;
	')

	allow $1 git_client_packet_t:packet recv;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_git_client_packets'($*))dnl
')

########################################
##
## Do not audit attempts to receive git_client packets.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_receive_git_client_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_git_client_packets'($*))dnl
	gen_require(`
		type git_client_packet_t;
	')

	dontaudit $1 git_client_packet_t:packet recv;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_git_client_packets'($*))dnl
')

########################################
##
## Send and receive git_client packets.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_sendrecv_git_client_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_git_client_packets'($*))dnl
	corenet_send_git_client_packets($1)
	corenet_receive_git_client_packets($1)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_git_client_packets'($*))dnl
')

########################################
##
## Do not audit attempts to send and receive git_client packets.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_git_client_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_git_client_packets'($*))dnl
	corenet_dontaudit_send_git_client_packets($1)
	corenet_dontaudit_receive_git_client_packets($1)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_git_client_packets'($*))dnl
')

########################################
##
## Relabel packets to the git_client packet type.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_relabelto_git_client_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_git_client_packets'($*))dnl
	gen_require(`
		type git_client_packet_t;
	')

	allow $1 git_client_packet_t:packet relabelto;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_git_client_packets'($*))dnl
')

########################################
##
## Send git_server packets.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_send_git_server_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_git_server_packets'($*))dnl
	gen_require(`
		type git_server_packet_t;
	')

	allow $1 git_server_packet_t:packet send;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_git_server_packets'($*))dnl
')

########################################
##
## Do not audit attempts to send git_server packets.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_send_git_server_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_git_server_packets'($*))dnl
	gen_require(`
		type git_server_packet_t;
	')

	dontaudit $1 git_server_packet_t:packet send;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_git_server_packets'($*))dnl
')

########################################
##
## Receive git_server packets.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_receive_git_server_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_git_server_packets'($*))dnl
	gen_require(`
		type git_server_packet_t;
	')

	allow $1 git_server_packet_t:packet recv;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_git_server_packets'($*))dnl
')

########################################
##
## Do not audit attempts to receive git_server packets.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_receive_git_server_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_git_server_packets'($*))dnl
	gen_require(`
		type git_server_packet_t;
	')

	dontaudit $1 git_server_packet_t:packet recv;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_git_server_packets'($*))dnl
')

########################################
##
## Send and receive git_server packets.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_sendrecv_git_server_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_git_server_packets'($*))dnl
	corenet_send_git_server_packets($1)
	corenet_receive_git_server_packets($1)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_git_server_packets'($*))dnl
')

########################################
##
## Do not audit attempts to send and receive git_server packets.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_git_server_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_git_server_packets'($*))dnl
	corenet_dontaudit_send_git_server_packets($1)
	corenet_dontaudit_receive_git_server_packets($1)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_git_server_packets'($*))dnl
')

########################################
##
## Relabel packets to the git_server packet type.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_relabelto_git_server_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_git_server_packets'($*))dnl
	gen_require(`
		type git_server_packet_t;
	')

	allow $1 git_server_packet_t:packet relabelto;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_git_server_packets'($*))dnl
')

########################################
##
## Send and receive TCP traffic on the glance port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_tcp_sendrecv_glance_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_glance_port'($*))dnl
	gen_require(`
		type glance_port_t;
	')

	allow $1 glance_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_glance_port'($*))dnl
')

########################################
##
## Send UDP traffic on the glance port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_udp_send_glance_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_glance_port'($*))dnl
	gen_require(`
		type glance_port_t;
	')

	allow $1 glance_port_t:udp_socket send_msg;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_glance_port'($*))dnl
')

########################################
##
## Do not audit attempts to send UDP traffic on the glance port.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_udp_send_glance_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_glance_port'($*))dnl
	gen_require(`
		type glance_port_t;
	')

	dontaudit $1 glance_port_t:udp_socket send_msg;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_glance_port'($*))dnl
')

########################################
##
## Receive UDP traffic on the glance port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_udp_receive_glance_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_glance_port'($*))dnl
	gen_require(`
		type glance_port_t;
	')

	allow $1 glance_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_glance_port'($*))dnl
')

########################################
##
## Do not audit attempts to receive UDP traffic on the glance port.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_udp_receive_glance_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_glance_port'($*))dnl
	gen_require(`
		type glance_port_t;
	')

	dontaudit $1 glance_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_glance_port'($*))dnl
')

########################################
##
## Send and receive UDP traffic on the glance port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_udp_sendrecv_glance_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_glance_port'($*))dnl
	corenet_udp_send_glance_port($1)
	corenet_udp_receive_glance_port($1)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_glance_port'($*))dnl
')

########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the glance port.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_udp_sendrecv_glance_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_glance_port'($*))dnl
	corenet_dontaudit_udp_send_glance_port($1)
	corenet_dontaudit_udp_receive_glance_port($1)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_glance_port'($*))dnl
')

########################################
##
## Bind TCP sockets to the glance port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_tcp_bind_glance_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_glance_port'($*))dnl
	gen_require(`
		type glance_port_t;
	')

	allow $1 glance_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_glance_port'($*))dnl
')

########################################
##
## Bind UDP sockets to the glance port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_udp_bind_glance_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_glance_port'($*))dnl
	gen_require(`
		type glance_port_t;
	')

	allow $1 glance_port_t:udp_socket name_bind;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_glance_port'($*))dnl
')

########################################
##
## Do not audit attempts to bind UDP sockets to the glance port.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_udp_bind_glance_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_glance_port'($*))dnl
	gen_require(`
		type glance_port_t;
	')

	dontaudit $1 glance_port_t:udp_socket name_bind;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_glance_port'($*))dnl
')

########################################
##
## Make a TCP connection to the glance port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_tcp_connect_glance_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_glance_port'($*))dnl
	gen_require(`
		type glance_port_t;
	')

	allow $1 glance_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_glance_port'($*))dnl
')

########################################
##
## Do not audit attempts to make a TCP connection to the glance port.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_tcp_connect_glance_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_glance_port'($*))dnl
	gen_require(`
		type glance_port_t;
	')

	dontaudit $1 glance_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_glance_port'($*))dnl
')

########################################
##
## Send glance_client packets.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_send_glance_client_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_glance_client_packets'($*))dnl
	gen_require(`
		type glance_client_packet_t;
	')

	allow $1 glance_client_packet_t:packet send;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_glance_client_packets'($*))dnl
')

########################################
##
## Do not audit attempts to send glance_client packets.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_send_glance_client_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_glance_client_packets'($*))dnl
	gen_require(`
		type glance_client_packet_t;
	')

	dontaudit $1 glance_client_packet_t:packet send;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_glance_client_packets'($*))dnl
')

########################################
##
## Receive glance_client packets.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_receive_glance_client_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_glance_client_packets'($*))dnl
	gen_require(`
		type glance_client_packet_t;
	')

	allow $1 glance_client_packet_t:packet recv;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_glance_client_packets'($*))dnl
')

########################################
##
## Do not audit attempts to receive glance_client packets.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_receive_glance_client_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_glance_client_packets'($*))dnl
	gen_require(`
		type glance_client_packet_t;
	')

	dontaudit $1 glance_client_packet_t:packet recv;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_glance_client_packets'($*))dnl
')

########################################
##
## Send and receive glance_client packets.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_sendrecv_glance_client_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_glance_client_packets'($*))dnl
	corenet_send_glance_client_packets($1)
	corenet_receive_glance_client_packets($1)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_glance_client_packets'($*))dnl
')

########################################
##
## Do not audit attempts to send and receive glance_client packets.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_glance_client_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_glance_client_packets'($*))dnl
	corenet_dontaudit_send_glance_client_packets($1)
	corenet_dontaudit_receive_glance_client_packets($1)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_glance_client_packets'($*))dnl
')

########################################
##
## Relabel packets to the glance_client packet type.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_relabelto_glance_client_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_glance_client_packets'($*))dnl
	gen_require(`
		type glance_client_packet_t;
	')

	allow $1 glance_client_packet_t:packet relabelto;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_glance_client_packets'($*))dnl
')

########################################
##
## Send glance_server packets.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_send_glance_server_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_glance_server_packets'($*))dnl
	gen_require(`
		type glance_server_packet_t;
	')

	allow $1 glance_server_packet_t:packet send;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_glance_server_packets'($*))dnl
')

########################################
##
## Do not audit attempts to send glance_server packets.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_send_glance_server_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_glance_server_packets'($*))dnl
	gen_require(`
		type glance_server_packet_t;
	')

	dontaudit $1 glance_server_packet_t:packet send;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_glance_server_packets'($*))dnl
')

########################################
##
## Receive glance_server packets.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_receive_glance_server_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_glance_server_packets'($*))dnl
	gen_require(`
		type glance_server_packet_t;
	')

	allow $1 glance_server_packet_t:packet recv;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_glance_server_packets'($*))dnl
')

########################################
##
## Do not audit attempts to receive glance_server packets.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_receive_glance_server_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_glance_server_packets'($*))dnl
	gen_require(`
		type glance_server_packet_t;
	')

	dontaudit $1 glance_server_packet_t:packet recv;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_glance_server_packets'($*))dnl
')

########################################
##
## Send and receive glance_server packets.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_sendrecv_glance_server_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_glance_server_packets'($*))dnl
	corenet_send_glance_server_packets($1)
	corenet_receive_glance_server_packets($1)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_glance_server_packets'($*))dnl
')

########################################
##
## Do not audit attempts to send and receive glance_server packets.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_glance_server_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_glance_server_packets'($*))dnl
	corenet_dontaudit_send_glance_server_packets($1)
	corenet_dontaudit_receive_glance_server_packets($1)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_glance_server_packets'($*))dnl
')

########################################
##
## Relabel packets to the glance_server packet type.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_relabelto_glance_server_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_glance_server_packets'($*))dnl
	gen_require(`
		type glance_server_packet_t;
	')

	allow $1 glance_server_packet_t:packet relabelto;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_glance_server_packets'($*))dnl
')

########################################
##
## Send and receive TCP traffic on the glance_registry port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_tcp_sendrecv_glance_registry_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_glance_registry_port'($*))dnl
	gen_require(`
		type glance_registry_port_t;
	')

	allow $1 glance_registry_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_glance_registry_port'($*))dnl
')

########################################
##
## Send UDP traffic on the glance_registry port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_udp_send_glance_registry_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_glance_registry_port'($*))dnl
	gen_require(`
		type glance_registry_port_t;
	')

	allow $1 glance_registry_port_t:udp_socket send_msg;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_glance_registry_port'($*))dnl
')

########################################
##
## Do not audit attempts to send UDP traffic on the glance_registry port.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_udp_send_glance_registry_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_glance_registry_port'($*))dnl
	gen_require(`
		type glance_registry_port_t;
	')

	dontaudit $1 glance_registry_port_t:udp_socket send_msg;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_glance_registry_port'($*))dnl
')

########################################
##
## Receive UDP traffic on the glance_registry port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_udp_receive_glance_registry_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_glance_registry_port'($*))dnl
	gen_require(`
		type glance_registry_port_t;
	')

	allow $1 glance_registry_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_glance_registry_port'($*))dnl
')

########################################
##
## Do not audit attempts to receive UDP traffic on the glance_registry port.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_udp_receive_glance_registry_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_glance_registry_port'($*))dnl
	gen_require(`
		type glance_registry_port_t;
	')

	dontaudit $1 glance_registry_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_glance_registry_port'($*))dnl
')

########################################
##
## Send and receive UDP traffic on the glance_registry port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_udp_sendrecv_glance_registry_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_glance_registry_port'($*))dnl
	corenet_udp_send_glance_registry_port($1)
	corenet_udp_receive_glance_registry_port($1)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_glance_registry_port'($*))dnl
')

########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the glance_registry port.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_udp_sendrecv_glance_registry_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_glance_registry_port'($*))dnl
	corenet_dontaudit_udp_send_glance_registry_port($1)
	corenet_dontaudit_udp_receive_glance_registry_port($1)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_glance_registry_port'($*))dnl
')

########################################
##
## Bind TCP sockets to the glance_registry port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_tcp_bind_glance_registry_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_glance_registry_port'($*))dnl
	gen_require(`
		type glance_registry_port_t;
	')

	allow $1 glance_registry_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_glance_registry_port'($*))dnl
')

########################################
##
## Bind UDP sockets to the glance_registry port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_udp_bind_glance_registry_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_glance_registry_port'($*))dnl
	gen_require(`
		type glance_registry_port_t;
	')

	allow $1 glance_registry_port_t:udp_socket name_bind;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_glance_registry_port'($*))dnl
')

########################################
##
## Do not audit attempts to bind UDP sockets to the glance_registry port.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_udp_bind_glance_registry_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_glance_registry_port'($*))dnl
	gen_require(`
		type glance_registry_port_t;
	')

	dontaudit $1 glance_registry_port_t:udp_socket name_bind;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_glance_registry_port'($*))dnl
')

########################################
##
## Make a TCP connection to the glance_registry port.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_tcp_connect_glance_registry_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_glance_registry_port'($*))dnl
	gen_require(`
		type glance_registry_port_t;
	')

	allow $1 glance_registry_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_glance_registry_port'($*))dnl
')

########################################
##
## Do not audit attempts to make a TCP connection to the glance_registry port.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_tcp_connect_glance_registry_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_glance_registry_port'($*))dnl
	gen_require(`
		type glance_registry_port_t;
	')

	dontaudit $1 glance_registry_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_glance_registry_port'($*))dnl
')

########################################
##
## Send glance_registry_client packets.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`corenet_send_glance_registry_client_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_glance_registry_client_packets'($*))dnl
	gen_require(`
		type glance_registry_client_packet_t;
	')

	allow $1 glance_registry_client_packet_t:packet send;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_glance_registry_client_packets'($*))dnl
')

########################################
##
## Do not audit attempts to send glance_registry_client packets.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`corenet_dontaudit_send_glance_registry_client_packets',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_glance_registry_client_packets'($*))dnl
	gen_require(`
		type glance_registry_client_packet_t;
	')

	dontaudit $1 glance_registry_client_packet_t:packet send;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_glance_registry_client_packets'($*))dnl
')

########################################
##
## Receive glance_registry_client packets.
##
## Parameters:
## 1. Domain allowed access.
#
define(`corenet_receive_glance_registry_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_glance_registry_client_packets'($*)) dnl
gen_require(`
	type glance_registry_client_packet_t;
')
	allow $1 glance_registry_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_glance_registry_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive glance_registry_client packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_receive_glance_registry_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_glance_registry_client_packets'($*)) dnl
gen_require(`
	type glance_registry_client_packet_t;
')
	dontaudit $1 glance_registry_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_glance_registry_client_packets'($*)) dnl
')

########################################
## Send and receive glance_registry_client packets.
## Wrapper: expands the send and receive interfaces for $1.
## $1: Domain allowed access.
#
define(`corenet_sendrecv_glance_registry_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_glance_registry_client_packets'($*)) dnl
	corenet_send_glance_registry_client_packets($1)
	corenet_receive_glance_registry_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_glance_registry_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive glance_registry_client packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_glance_registry_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_glance_registry_client_packets'($*)) dnl
	corenet_dontaudit_send_glance_registry_client_packets($1)
	corenet_dontaudit_receive_glance_registry_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_glance_registry_client_packets'($*)) dnl
')

########################################
## Relabel packets to the glance_registry_client packet type.
## $1: Domain allowed access.
#
define(`corenet_relabelto_glance_registry_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_glance_registry_client_packets'($*)) dnl
gen_require(`
	type glance_registry_client_packet_t;
')
	allow $1 glance_registry_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_glance_registry_client_packets'($*)) dnl
')

########################################
## Send glance_registry_server packets.
## $1: Domain allowed access.
#
define(`corenet_send_glance_registry_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_glance_registry_server_packets'($*)) dnl
gen_require(`
	type glance_registry_server_packet_t;
')
	allow $1 glance_registry_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_glance_registry_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send glance_registry_server packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_send_glance_registry_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_glance_registry_server_packets'($*)) dnl
gen_require(`
	type glance_registry_server_packet_t;
')
	dontaudit $1 glance_registry_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_glance_registry_server_packets'($*)) dnl
')

########################################
## Receive glance_registry_server packets.
## $1: Domain allowed access.
#
define(`corenet_receive_glance_registry_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_glance_registry_server_packets'($*)) dnl
gen_require(`
	type glance_registry_server_packet_t;
')
	allow $1 glance_registry_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_glance_registry_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive glance_registry_server packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_receive_glance_registry_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_glance_registry_server_packets'($*)) dnl
gen_require(`
	type glance_registry_server_packet_t;
')
	dontaudit $1 glance_registry_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_glance_registry_server_packets'($*)) dnl
')

########################################
## Send and receive glance_registry_server packets.
## $1: Domain allowed access.
#
define(`corenet_sendrecv_glance_registry_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_glance_registry_server_packets'($*)) dnl
	corenet_send_glance_registry_server_packets($1)
	corenet_receive_glance_registry_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_glance_registry_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive glance_registry_server packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_glance_registry_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_glance_registry_server_packets'($*)) dnl
	corenet_dontaudit_send_glance_registry_server_packets($1)
	corenet_dontaudit_receive_glance_registry_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_glance_registry_server_packets'($*)) dnl
')

########################################
## Relabel packets to the glance_registry_server packet type.
## $1: Domain allowed access.
#
define(`corenet_relabelto_glance_registry_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_glance_registry_server_packets'($*)) dnl
gen_require(`
	type glance_registry_server_packet_t;
')
	allow $1 glance_registry_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_glance_registry_server_packets'($*)) dnl
')

########################################
## Send and receive TCP traffic on the gluster port.
## $1: Domain allowed access.
#
define(`corenet_tcp_sendrecv_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_gluster_port'($*)) dnl
gen_require(`
	type gluster_port_t;
')
	allow $1 gluster_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_gluster_port'($*)) dnl
')

########################################
## Send UDP traffic on the gluster port.
## $1: Domain allowed access.
#
define(`corenet_udp_send_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_gluster_port'($*)) dnl
gen_require(`
	type gluster_port_t;
')
	allow $1 gluster_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_gluster_port'($*)) dnl
')

########################################
## Do not audit attempts to send UDP traffic on the gluster port.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_udp_send_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_gluster_port'($*)) dnl
gen_require(`
	type gluster_port_t;
')
	dontaudit $1 gluster_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_gluster_port'($*)) dnl
')

########################################
## Receive UDP traffic on the gluster port.
## $1: Domain allowed access.
#
define(`corenet_udp_receive_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_gluster_port'($*)) dnl
gen_require(`
	type gluster_port_t;
')
	allow $1 gluster_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_gluster_port'($*)) dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the gluster port.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_gluster_port'($*)) dnl
gen_require(`
	type gluster_port_t;
')
	dontaudit $1 gluster_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_gluster_port'($*)) dnl
')

########################################
## Send and receive UDP traffic on the gluster port.
## Wrapper: expands the UDP send and receive interfaces for $1.
## $1: Domain allowed access.
#
define(`corenet_udp_sendrecv_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_gluster_port'($*)) dnl
	corenet_udp_send_gluster_port($1)
	corenet_udp_receive_gluster_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_gluster_port'($*)) dnl
')

########################################
## Do not audit attempts to send and receive
## UDP traffic on the gluster port.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_gluster_port'($*)) dnl
	corenet_dontaudit_udp_send_gluster_port($1)
	corenet_dontaudit_udp_receive_gluster_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_gluster_port'($*)) dnl
')

########################################
## Bind TCP sockets to the gluster port.
## Also grants CAP_NET_BIND_SERVICE to $1, presumably because this
## port is generated as a reserved port (not visible here; confirm
## against the port declaration).
## $1: Domain allowed access.
#
define(`corenet_tcp_bind_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_gluster_port'($*)) dnl
gen_require(`
	type gluster_port_t;
')
	allow $1 gluster_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_gluster_port'($*)) dnl
')

########################################
## Bind UDP sockets to the gluster port.
## Also grants CAP_NET_BIND_SERVICE to $1 (see the TCP variant above).
## $1: Domain allowed access.
#
define(`corenet_udp_bind_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_gluster_port'($*)) dnl
gen_require(`
	type gluster_port_t;
')
	allow $1 gluster_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_gluster_port'($*)) dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the gluster port.
## $1: Domain to not audit.
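#
define(`corenet_dontaudit_udp_bind_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_gluster_port'($*)) dnl
gen_require(`
	type gluster_port_t;
')
	dontaudit $1 gluster_port_t:udp_socket name_bind;
	# A dontaudit interface must only silence denials; the generated
	# rule here was an "allow", which handed CAP_NET_BIND_SERVICE to
	# every caller that merely wanted the bind denial quieted.
	dontaudit $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_gluster_port'($*)) dnl
')

########################################
## Make a TCP connection to the gluster port.
## $1: Domain allowed access.
#
define(`corenet_tcp_connect_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_gluster_port'($*)) dnl
gen_require(`
	type gluster_port_t;
')
	allow $1 gluster_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_gluster_port'($*)) dnl
')

########################################
## Do not audit attempts to make a TCP connection to the gluster port.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_tcp_connect_gluster_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_gluster_port'($*)) dnl
gen_require(`
	type gluster_port_t;
')
	dontaudit $1 gluster_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_gluster_port'($*)) dnl
')

########################################
## Send gluster_client packets.
## $1: Domain allowed access.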
#
define(`corenet_send_gluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gluster_client_packets'($*)) dnl
gen_require(`
	type gluster_client_packet_t;
')
	allow $1 gluster_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gluster_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send gluster_client packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_send_gluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gluster_client_packets'($*)) dnl
gen_require(`
	type gluster_client_packet_t;
')
	dontaudit $1 gluster_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gluster_client_packets'($*)) dnl
')

########################################
## Receive gluster_client packets.
## $1: Domain allowed access.
#
define(`corenet_receive_gluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gluster_client_packets'($*)) dnl
gen_require(`
	type gluster_client_packet_t;
')
	allow $1 gluster_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gluster_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive gluster_client packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_receive_gluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gluster_client_packets'($*)) dnl
gen_require(`
	type gluster_client_packet_t;
')
	dontaudit $1 gluster_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gluster_client_packets'($*)) dnl
')

########################################
## Send and receive gluster_client packets.
## $1: Domain allowed access.
#
define(`corenet_sendrecv_gluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gluster_client_packets'($*)) dnl
	corenet_send_gluster_client_packets($1)
	corenet_receive_gluster_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gluster_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive gluster_client packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_gluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gluster_client_packets'($*)) dnl
	corenet_dontaudit_send_gluster_client_packets($1)
	corenet_dontaudit_receive_gluster_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gluster_client_packets'($*)) dnl
')

########################################
## Relabel packets to the gluster_client packet type.
## $1: Domain allowed access.
#
define(`corenet_relabelto_gluster_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gluster_client_packets'($*)) dnl
gen_require(`
	type gluster_client_packet_t;
')
	allow $1 gluster_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gluster_client_packets'($*)) dnl
')

########################################
## Send gluster_server packets.
## $1: Domain allowed access.
#
define(`corenet_send_gluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gluster_server_packets'($*)) dnl
gen_require(`
	type gluster_server_packet_t;
')
	allow $1 gluster_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gluster_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send gluster_server packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_send_gluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gluster_server_packets'($*)) dnl
gen_require(`
	type gluster_server_packet_t;
')
	dontaudit $1 gluster_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gluster_server_packets'($*)) dnl
')

########################################
## Receive gluster_server packets.
## $1: Domain allowed access.
#
define(`corenet_receive_gluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gluster_server_packets'($*)) dnl
gen_require(`
	type gluster_server_packet_t;
')
	allow $1 gluster_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gluster_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive gluster_server packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_receive_gluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gluster_server_packets'($*)) dnl
gen_require(`
	type gluster_server_packet_t;
')
	dontaudit $1 gluster_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gluster_server_packets'($*)) dnl
')

########################################
## Send and receive gluster_server packets.
## $1: Domain allowed access.
#
define(`corenet_sendrecv_gluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gluster_server_packets'($*)) dnl
	corenet_send_gluster_server_packets($1)
	corenet_receive_gluster_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gluster_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive gluster_server packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_gluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gluster_server_packets'($*)) dnl
	corenet_dontaudit_send_gluster_server_packets($1)
	corenet_dontaudit_receive_gluster_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gluster_server_packets'($*)) dnl
')

########################################
## Relabel packets to the gluster_server packet type.
## $1: Domain allowed access.
#
define(`corenet_relabelto_gluster_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gluster_server_packets'($*)) dnl
gen_require(`
	type gluster_server_packet_t;
')
	allow $1 gluster_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gluster_server_packets'($*)) dnl
')

########################################
## Send and receive TCP traffic on the gopher port.
## $1: Domain allowed access.
#
define(`corenet_tcp_sendrecv_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_gopher_port'($*)) dnl
gen_require(`
	type gopher_port_t;
')
	allow $1 gopher_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_gopher_port'($*)) dnl
')

########################################
## Send UDP traffic on the gopher port.
## $1: Domain allowed access.
#
define(`corenet_udp_send_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_gopher_port'($*)) dnl
gen_require(`
	type gopher_port_t;
')
	allow $1 gopher_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_gopher_port'($*)) dnl
')

########################################
## Do not audit attempts to send UDP traffic on the gopher port.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_udp_send_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_gopher_port'($*)) dnl
gen_require(`
	type gopher_port_t;
')
	dontaudit $1 gopher_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_gopher_port'($*)) dnl
')

########################################
## Receive UDP traffic on the gopher port.
## $1: Domain allowed access.
#
define(`corenet_udp_receive_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_gopher_port'($*)) dnl
gen_require(`
	type gopher_port_t;
')
	allow $1 gopher_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_gopher_port'($*)) dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the gopher port.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_gopher_port'($*)) dnl
gen_require(`
	type gopher_port_t;
')
	dontaudit $1 gopher_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_gopher_port'($*)) dnl
')

########################################
## Send and receive UDP traffic on the gopher port.
## Wrapper: expands the UDP send and receive interfaces for $1.
## $1: Domain allowed access.
#
define(`corenet_udp_sendrecv_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_gopher_port'($*)) dnl
	corenet_udp_send_gopher_port($1)
	corenet_udp_receive_gopher_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_gopher_port'($*)) dnl
')

########################################
## Do not audit attempts to send and receive
## UDP traffic on the gopher port.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_gopher_port'($*)) dnl
	corenet_dontaudit_udp_send_gopher_port($1)
	corenet_dontaudit_udp_receive_gopher_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_gopher_port'($*)) dnl
')

########################################
## Bind TCP sockets to the gopher port.
## $1: Domain allowed access.
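## Also grants CAP_NET_BIND_SERVICE to $1, presumably because this
## port is generated as a reserved port (not visible here; confirm
## against the port declaration).
#
define(`corenet_tcp_bind_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_gopher_port'($*)) dnl
gen_require(`
	type gopher_port_t;
')
	allow $1 gopher_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_gopher_port'($*)) dnl
')

########################################
## Bind UDP sockets to the gopher port.
## Also grants CAP_NET_BIND_SERVICE to $1 (see the TCP variant above).
## $1: Domain allowed access.
#
define(`corenet_udp_bind_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_gopher_port'($*)) dnl
gen_require(`
	type gopher_port_t;
')
	allow $1 gopher_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_gopher_port'($*)) dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the gopher port.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_udp_bind_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_gopher_port'($*)) dnl
gen_require(`
	type gopher_port_t;
')
	dontaudit $1 gopher_port_t:udp_socket name_bind;
	# A dontaudit interface must only silence denials; the generated
	# rule here was an "allow", which handed CAP_NET_BIND_SERVICE to
	# every caller that merely wanted the bind denial quieted.
	dontaudit $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_gopher_port'($*)) dnl
')

########################################
## Make a TCP connection to the gopher port.
## $1: Domain allowed access.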
#
define(`corenet_tcp_connect_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_gopher_port'($*)) dnl
gen_require(`
	type gopher_port_t;
')
	allow $1 gopher_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_gopher_port'($*)) dnl
')

########################################
## Do not audit attempts to make a TCP connection to the gopher port.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_tcp_connect_gopher_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_gopher_port'($*)) dnl
gen_require(`
	type gopher_port_t;
')
	dontaudit $1 gopher_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_gopher_port'($*)) dnl
')

########################################
## Send gopher_client packets.
## $1: Domain allowed access.
#
define(`corenet_send_gopher_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_gopher_client_packets'($*)) dnl
gen_require(`
	type gopher_client_packet_t;
')
	allow $1 gopher_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_gopher_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send gopher_client packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_send_gopher_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gopher_client_packets'($*)) dnl
gen_require(`
	type gopher_client_packet_t;
')
	dontaudit $1 gopher_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gopher_client_packets'($*)) dnl
')

########################################
## Receive gopher_client packets.
## $1: Domain allowed access.
#
define(`corenet_receive_gopher_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_gopher_client_packets'($*)) dnl
gen_require(`
	type gopher_client_packet_t;
')
	allow $1 gopher_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_gopher_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive gopher_client packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_receive_gopher_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gopher_client_packets'($*)) dnl
gen_require(`
	type gopher_client_packet_t;
')
	dontaudit $1 gopher_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gopher_client_packets'($*)) dnl
')

########################################
## Send and receive gopher_client packets.
## $1: Domain allowed access.
#
define(`corenet_sendrecv_gopher_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gopher_client_packets'($*)) dnl
	corenet_send_gopher_client_packets($1)
	corenet_receive_gopher_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gopher_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive gopher_client packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_gopher_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gopher_client_packets'($*)) dnl
	corenet_dontaudit_send_gopher_client_packets($1)
	corenet_dontaudit_receive_gopher_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gopher_client_packets'($*)) dnl
')

########################################
## Relabel packets to the gopher_client packet type.
## $1: Domain allowed access.
#
define(`corenet_relabelto_gopher_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gopher_client_packets'($*)) dnl
gen_require(`
	type gopher_client_packet_t;
')
	allow $1 gopher_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_gopher_client_packets'($*)) dnl
')

########################################
## Send gopher_server packets.
## $1: Domain allowed access.
## ## ## # define(`corenet_send_gopher_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_gopher_server_packets'($*)) dnl gen_require(` type gopher_server_packet_t; ') allow $1 gopher_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_gopher_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send gopher_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_gopher_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gopher_server_packets'($*)) dnl gen_require(` type gopher_server_packet_t; ') dontaudit $1 gopher_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gopher_server_packets'($*)) dnl ') ######################################## ## ## Receive gopher_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_gopher_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_gopher_server_packets'($*)) dnl gen_require(` type gopher_server_packet_t; ') allow $1 gopher_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_gopher_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive gopher_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_gopher_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gopher_server_packets'($*)) dnl gen_require(` type gopher_server_packet_t; ') dontaudit $1 gopher_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gopher_server_packets'($*)) dnl ') ######################################## ## ## Send and receive gopher_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_gopher_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gopher_server_packets'($*)) dnl corenet_send_gopher_server_packets($1) corenet_receive_gopher_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gopher_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive gopher_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_gopher_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gopher_server_packets'($*)) dnl corenet_dontaudit_send_gopher_server_packets($1) corenet_dontaudit_receive_gopher_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gopher_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to gopher_server the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_gopher_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gopher_server_packets'($*)) dnl gen_require(` type gopher_server_packet_t; ') allow $1 gopher_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_gopher_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the gpsd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_gpsd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_gpsd_port'($*)) dnl gen_require(` type gpsd_port_t; ') allow $1 gpsd_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_gpsd_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the gpsd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_gpsd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_gpsd_port'($*)) dnl gen_require(` type gpsd_port_t; ') allow $1 gpsd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_gpsd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the gpsd port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_send_gpsd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_gpsd_port'($*)) dnl gen_require(` type gpsd_port_t; ') dontaudit $1 gpsd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_gpsd_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the gpsd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_gpsd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_gpsd_port'($*)) dnl gen_require(` type gpsd_port_t; ') allow $1 gpsd_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_gpsd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the gpsd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_gpsd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_gpsd_port'($*)) dnl gen_require(` type gpsd_port_t; ') dontaudit $1 gpsd_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_gpsd_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the gpsd port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_sendrecv_gpsd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_gpsd_port'($*)) dnl corenet_udp_send_gpsd_port($1) corenet_udp_receive_gpsd_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_gpsd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the gpsd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_gpsd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_gpsd_port'($*)) dnl corenet_dontaudit_udp_send_gpsd_port($1) corenet_dontaudit_udp_receive_gpsd_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_gpsd_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the gpsd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_gpsd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_gpsd_port'($*)) dnl gen_require(` type gpsd_port_t; ') allow $1 gpsd_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_gpsd_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the gpsd port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_bind_gpsd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_gpsd_port'($*)) dnl gen_require(` type gpsd_port_t; ') allow $1 gpsd_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_gpsd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to sbind to gpsd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_bind_gpsd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_gpsd_port'($*)) dnl gen_require(` type gpsd_port_t; ') dontaudit $1 gpsd_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_gpsd_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the gpsd port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_gpsd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_gpsd_port'($*)) dnl gen_require(` type gpsd_port_t; ') allow $1 gpsd_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_gpsd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to gpsd port. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_dontaudit_tcp_connect_gpsd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_gpsd_port'($*)) dnl gen_require(` type gpsd_port_t; ') dontaudit $1 gpsd_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_gpsd_port'($*)) dnl ') ######################################## ## ## Send gpsd_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_gpsd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_gpsd_client_packets'($*)) dnl gen_require(` type gpsd_client_packet_t; ') allow $1 gpsd_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_gpsd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send gpsd_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_gpsd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gpsd_client_packets'($*)) dnl gen_require(` type gpsd_client_packet_t; ') dontaudit $1 gpsd_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gpsd_client_packets'($*)) dnl ') ######################################## ## ## Receive gpsd_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_gpsd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_gpsd_client_packets'($*)) dnl gen_require(` type gpsd_client_packet_t; ') allow $1 gpsd_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_gpsd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive gpsd_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_gpsd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gpsd_client_packets'($*)) dnl gen_require(` type gpsd_client_packet_t; ') dontaudit $1 gpsd_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gpsd_client_packets'($*)) dnl ') ######################################## ## ## Send and receive gpsd_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_gpsd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gpsd_client_packets'($*)) dnl corenet_send_gpsd_client_packets($1) corenet_receive_gpsd_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gpsd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive gpsd_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_gpsd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gpsd_client_packets'($*)) dnl corenet_dontaudit_send_gpsd_client_packets($1) corenet_dontaudit_receive_gpsd_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gpsd_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to gpsd_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_gpsd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gpsd_client_packets'($*)) dnl gen_require(` type gpsd_client_packet_t; ') allow $1 gpsd_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_gpsd_client_packets'($*)) dnl ') ######################################## ## ## Send gpsd_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_gpsd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_gpsd_server_packets'($*)) dnl gen_require(` type gpsd_server_packet_t; ') allow $1 gpsd_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_gpsd_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send gpsd_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_gpsd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_gpsd_server_packets'($*)) dnl gen_require(` type gpsd_server_packet_t; ') dontaudit $1 gpsd_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_gpsd_server_packets'($*)) dnl ') ######################################## ## ## Receive gpsd_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_gpsd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_gpsd_server_packets'($*)) dnl gen_require(` type gpsd_server_packet_t; ') allow $1 gpsd_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_gpsd_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive gpsd_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_gpsd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_gpsd_server_packets'($*)) dnl gen_require(` type gpsd_server_packet_t; ') dontaudit $1 gpsd_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_gpsd_server_packets'($*)) dnl ') ######################################## ## ## Send and receive gpsd_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_gpsd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_gpsd_server_packets'($*)) dnl corenet_send_gpsd_server_packets($1) corenet_receive_gpsd_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_gpsd_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive gpsd_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_gpsd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_gpsd_server_packets'($*)) dnl corenet_dontaudit_send_gpsd_server_packets($1) corenet_dontaudit_receive_gpsd_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_gpsd_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to gpsd_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_gpsd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_gpsd_server_packets'($*)) dnl gen_require(` type gpsd_server_packet_t; ') allow $1 gpsd_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_gpsd_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the hadoop_datanode port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_sendrecv_hadoop_datanode_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_hadoop_datanode_port'($*)) dnl gen_require(` type hadoop_datanode_port_t; ') allow $1 hadoop_datanode_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_hadoop_datanode_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the hadoop_datanode port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_hadoop_datanode_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_hadoop_datanode_port'($*)) dnl gen_require(` type hadoop_datanode_port_t; ') allow $1 hadoop_datanode_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_hadoop_datanode_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the hadoop_datanode port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_hadoop_datanode_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_hadoop_datanode_port'($*)) dnl gen_require(` type hadoop_datanode_port_t; ') dontaudit $1 hadoop_datanode_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_hadoop_datanode_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the hadoop_datanode port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_receive_hadoop_datanode_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_hadoop_datanode_port'($*)) dnl gen_require(` type hadoop_datanode_port_t; ') allow $1 hadoop_datanode_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_hadoop_datanode_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the hadoop_datanode port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_hadoop_datanode_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_hadoop_datanode_port'($*)) dnl gen_require(` type hadoop_datanode_port_t; ') dontaudit $1 hadoop_datanode_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_hadoop_datanode_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the hadoop_datanode port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_hadoop_datanode_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_hadoop_datanode_port'($*)) dnl corenet_udp_send_hadoop_datanode_port($1) corenet_udp_receive_hadoop_datanode_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_hadoop_datanode_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the hadoop_datanode port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_sendrecv_hadoop_datanode_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_hadoop_datanode_port'($*)) dnl corenet_dontaudit_udp_send_hadoop_datanode_port($1) corenet_dontaudit_udp_receive_hadoop_datanode_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_hadoop_datanode_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the hadoop_datanode port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_hadoop_datanode_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_hadoop_datanode_port'($*)) dnl gen_require(` type hadoop_datanode_port_t; ') allow $1 hadoop_datanode_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_hadoop_datanode_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the hadoop_datanode port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_hadoop_datanode_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_hadoop_datanode_port'($*)) dnl gen_require(` type hadoop_datanode_port_t; ') allow $1 hadoop_datanode_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_hadoop_datanode_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to sbind to hadoop_datanode port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_bind_hadoop_datanode_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_hadoop_datanode_port'($*)) dnl gen_require(` type hadoop_datanode_port_t; ') dontaudit $1 hadoop_datanode_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_hadoop_datanode_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the hadoop_datanode port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_hadoop_datanode_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_hadoop_datanode_port'($*)) dnl gen_require(` type hadoop_datanode_port_t; ') allow $1 hadoop_datanode_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_hadoop_datanode_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to hadoop_datanode port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_dontaudit_tcp_connect_hadoop_datanode_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_hadoop_datanode_port'($*)) dnl gen_require(` type hadoop_datanode_port_t; ') dontaudit $1 hadoop_datanode_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_hadoop_datanode_port'($*)) dnl ') ######################################## ## ## Send hadoop_datanode_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_hadoop_datanode_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_hadoop_datanode_client_packets'($*)) dnl gen_require(` type hadoop_datanode_client_packet_t; ') allow $1 hadoop_datanode_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_hadoop_datanode_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send hadoop_datanode_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_hadoop_datanode_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hadoop_datanode_client_packets'($*)) dnl gen_require(` type hadoop_datanode_client_packet_t; ') dontaudit $1 hadoop_datanode_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hadoop_datanode_client_packets'($*)) dnl ') ######################################## ## ## Receive hadoop_datanode_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_hadoop_datanode_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_hadoop_datanode_client_packets'($*)) dnl gen_require(` type hadoop_datanode_client_packet_t; ') allow $1 hadoop_datanode_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_hadoop_datanode_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive hadoop_datanode_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_hadoop_datanode_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hadoop_datanode_client_packets'($*)) dnl gen_require(` type hadoop_datanode_client_packet_t; ') dontaudit $1 hadoop_datanode_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hadoop_datanode_client_packets'($*)) dnl ') ######################################## ## ## Send and receive hadoop_datanode_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_hadoop_datanode_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hadoop_datanode_client_packets'($*)) dnl corenet_send_hadoop_datanode_client_packets($1) corenet_receive_hadoop_datanode_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hadoop_datanode_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive hadoop_datanode_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_hadoop_datanode_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hadoop_datanode_client_packets'($*)) dnl corenet_dontaudit_send_hadoop_datanode_client_packets($1) corenet_dontaudit_receive_hadoop_datanode_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hadoop_datanode_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to hadoop_datanode_client the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_hadoop_datanode_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hadoop_datanode_client_packets'($*)) dnl gen_require(` type hadoop_datanode_client_packet_t; ') allow $1 hadoop_datanode_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_hadoop_datanode_client_packets'($*)) dnl ') ######################################## ## ## Send hadoop_datanode_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_hadoop_datanode_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_hadoop_datanode_server_packets'($*)) dnl gen_require(` type hadoop_datanode_server_packet_t; ') allow $1 hadoop_datanode_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_hadoop_datanode_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send hadoop_datanode_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_hadoop_datanode_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hadoop_datanode_server_packets'($*)) dnl gen_require(` type hadoop_datanode_server_packet_t; ') dontaudit $1 hadoop_datanode_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hadoop_datanode_server_packets'($*)) dnl ') ######################################## ## ## Receive hadoop_datanode_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_hadoop_datanode_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_hadoop_datanode_server_packets'($*)) dnl gen_require(` type hadoop_datanode_server_packet_t; ') allow $1 hadoop_datanode_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_hadoop_datanode_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive hadoop_datanode_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_hadoop_datanode_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hadoop_datanode_server_packets'($*)) dnl gen_require(` type hadoop_datanode_server_packet_t; ') dontaudit $1 hadoop_datanode_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hadoop_datanode_server_packets'($*)) dnl ') ######################################## ## ## Send and receive hadoop_datanode_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_hadoop_datanode_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hadoop_datanode_server_packets'($*)) dnl corenet_send_hadoop_datanode_server_packets($1) corenet_receive_hadoop_datanode_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hadoop_datanode_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive hadoop_datanode_server packets. ## ## ## ## Domain to not audit. 
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_hadoop_datanode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hadoop_datanode_server_packets'($*)) dnl
	corenet_dontaudit_send_hadoop_datanode_server_packets($1)
	corenet_dontaudit_receive_hadoop_datanode_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hadoop_datanode_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the hadoop_datanode_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_hadoop_datanode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hadoop_datanode_server_packets'($*)) dnl
	gen_require(`
		type hadoop_datanode_server_packet_t;
	')

	allow $1 hadoop_datanode_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_hadoop_datanode_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the hadoop_namenode port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_hadoop_namenode_port'($*)) dnl
	gen_require(`
		type hadoop_namenode_port_t;
	')

	allow $1 hadoop_namenode_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_hadoop_namenode_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the hadoop_namenode port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_hadoop_namenode_port'($*)) dnl
	gen_require(`
		type hadoop_namenode_port_t;
	')

	allow $1 hadoop_namenode_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_hadoop_namenode_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the hadoop_namenode port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_hadoop_namenode_port'($*)) dnl
	gen_require(`
		type hadoop_namenode_port_t;
	')

	dontaudit $1 hadoop_namenode_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_hadoop_namenode_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the hadoop_namenode port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_hadoop_namenode_port'($*)) dnl
	gen_require(`
		type hadoop_namenode_port_t;
	')

	allow $1 hadoop_namenode_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_hadoop_namenode_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the hadoop_namenode port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_hadoop_namenode_port'($*)) dnl
	gen_require(`
		type hadoop_namenode_port_t;
	')

	dontaudit $1 hadoop_namenode_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_hadoop_namenode_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the hadoop_namenode port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_hadoop_namenode_port'($*)) dnl
	corenet_udp_send_hadoop_namenode_port($1)
	corenet_udp_receive_hadoop_namenode_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_hadoop_namenode_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the hadoop_namenode port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_hadoop_namenode_port'($*)) dnl
	corenet_dontaudit_udp_send_hadoop_namenode_port($1)
	corenet_dontaudit_udp_receive_hadoop_namenode_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_hadoop_namenode_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the hadoop_namenode port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_hadoop_namenode_port'($*)) dnl
	gen_require(`
		type hadoop_namenode_port_t;
	')

	allow $1 hadoop_namenode_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_hadoop_namenode_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the hadoop_namenode port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_hadoop_namenode_port'($*)) dnl
	gen_require(`
		type hadoop_namenode_port_t;
	')

	allow $1 hadoop_namenode_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_hadoop_namenode_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the hadoop_namenode port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_hadoop_namenode_port'($*)) dnl
	gen_require(`
		type hadoop_namenode_port_t;
	')

	dontaudit $1 hadoop_namenode_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_hadoop_namenode_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the hadoop_namenode port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_hadoop_namenode_port'($*)) dnl
	gen_require(`
		type hadoop_namenode_port_t;
	')

	allow $1 hadoop_namenode_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_hadoop_namenode_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the hadoop_namenode port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_hadoop_namenode_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_hadoop_namenode_port'($*)) dnl
	gen_require(`
		type hadoop_namenode_port_t;
	')

	dontaudit $1 hadoop_namenode_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_hadoop_namenode_port'($*)) dnl
')

########################################
## <summary>
##	Send hadoop_namenode_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_hadoop_namenode_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_hadoop_namenode_client_packets'($*)) dnl
	gen_require(`
		type hadoop_namenode_client_packet_t;
	')

	allow $1 hadoop_namenode_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_hadoop_namenode_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send hadoop_namenode_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_hadoop_namenode_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hadoop_namenode_client_packets'($*)) dnl
	gen_require(`
		type hadoop_namenode_client_packet_t;
	')

	dontaudit $1 hadoop_namenode_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hadoop_namenode_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive hadoop_namenode_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_hadoop_namenode_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_hadoop_namenode_client_packets'($*)) dnl
	gen_require(`
		type hadoop_namenode_client_packet_t;
	')

	allow $1 hadoop_namenode_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_hadoop_namenode_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive hadoop_namenode_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_hadoop_namenode_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hadoop_namenode_client_packets'($*)) dnl
	gen_require(`
		type hadoop_namenode_client_packet_t;
	')

	dontaudit $1 hadoop_namenode_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hadoop_namenode_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive hadoop_namenode_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_hadoop_namenode_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hadoop_namenode_client_packets'($*)) dnl
	corenet_send_hadoop_namenode_client_packets($1)
	corenet_receive_hadoop_namenode_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hadoop_namenode_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive hadoop_namenode_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_hadoop_namenode_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hadoop_namenode_client_packets'($*)) dnl
	corenet_dontaudit_send_hadoop_namenode_client_packets($1)
	corenet_dontaudit_receive_hadoop_namenode_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hadoop_namenode_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the hadoop_namenode_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_hadoop_namenode_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hadoop_namenode_client_packets'($*)) dnl
	gen_require(`
		type hadoop_namenode_client_packet_t;
	')

	allow $1 hadoop_namenode_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_hadoop_namenode_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send hadoop_namenode_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_hadoop_namenode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_hadoop_namenode_server_packets'($*)) dnl
	gen_require(`
		type hadoop_namenode_server_packet_t;
	')

	allow $1 hadoop_namenode_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_hadoop_namenode_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send hadoop_namenode_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_hadoop_namenode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hadoop_namenode_server_packets'($*)) dnl
	gen_require(`
		type hadoop_namenode_server_packet_t;
	')

	dontaudit $1 hadoop_namenode_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hadoop_namenode_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive hadoop_namenode_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_hadoop_namenode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_hadoop_namenode_server_packets'($*)) dnl
	gen_require(`
		type hadoop_namenode_server_packet_t;
	')

	allow $1 hadoop_namenode_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_hadoop_namenode_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive hadoop_namenode_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_hadoop_namenode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hadoop_namenode_server_packets'($*)) dnl
	gen_require(`
		type hadoop_namenode_server_packet_t;
	')

	dontaudit $1 hadoop_namenode_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hadoop_namenode_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive hadoop_namenode_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_hadoop_namenode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hadoop_namenode_server_packets'($*)) dnl
	corenet_send_hadoop_namenode_server_packets($1)
	corenet_receive_hadoop_namenode_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hadoop_namenode_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive hadoop_namenode_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_hadoop_namenode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hadoop_namenode_server_packets'($*)) dnl
	corenet_dontaudit_send_hadoop_namenode_server_packets($1)
	corenet_dontaudit_receive_hadoop_namenode_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hadoop_namenode_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the hadoop_namenode_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_hadoop_namenode_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hadoop_namenode_server_packets'($*)) dnl
	gen_require(`
		type hadoop_namenode_server_packet_t;
	')

	allow $1 hadoop_namenode_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_hadoop_namenode_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the hddtemp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_hddtemp_port'($*)) dnl
	gen_require(`
		type hddtemp_port_t;
	')

	allow $1 hddtemp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_hddtemp_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the hddtemp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_hddtemp_port'($*)) dnl
	gen_require(`
		type hddtemp_port_t;
	')

	allow $1 hddtemp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_hddtemp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the hddtemp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_hddtemp_port'($*)) dnl
	gen_require(`
		type hddtemp_port_t;
	')

	dontaudit $1 hddtemp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_hddtemp_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the hddtemp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_hddtemp_port'($*)) dnl
	gen_require(`
		type hddtemp_port_t;
	')

	allow $1 hddtemp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_hddtemp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the hddtemp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_hddtemp_port'($*)) dnl
	gen_require(`
		type hddtemp_port_t;
	')

	dontaudit $1 hddtemp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_hddtemp_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the hddtemp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_hddtemp_port'($*)) dnl
	corenet_udp_send_hddtemp_port($1)
	corenet_udp_receive_hddtemp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_hddtemp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the hddtemp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_hddtemp_port'($*)) dnl
	corenet_dontaudit_udp_send_hddtemp_port($1)
	corenet_dontaudit_udp_receive_hddtemp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_hddtemp_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the hddtemp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_hddtemp_port'($*)) dnl
	gen_require(`
		type hddtemp_port_t;
	')

	allow $1 hddtemp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_hddtemp_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the hddtemp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_hddtemp_port'($*)) dnl
	gen_require(`
		type hddtemp_port_t;
	')

	allow $1 hddtemp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_hddtemp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the hddtemp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_hddtemp_port'($*)) dnl
	gen_require(`
		type hddtemp_port_t;
	')

	dontaudit $1 hddtemp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_hddtemp_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the hddtemp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_hddtemp_port'($*)) dnl
	gen_require(`
		type hddtemp_port_t;
	')

	allow $1 hddtemp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_hddtemp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the hddtemp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_hddtemp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_hddtemp_port'($*)) dnl
	gen_require(`
		type hddtemp_port_t;
	')

	dontaudit $1 hddtemp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_hddtemp_port'($*)) dnl
')

########################################
## <summary>
##	Send hddtemp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_hddtemp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_hddtemp_client_packets'($*)) dnl
	gen_require(`
		type hddtemp_client_packet_t;
	')

	allow $1 hddtemp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_hddtemp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send hddtemp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_hddtemp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hddtemp_client_packets'($*)) dnl
	gen_require(`
		type hddtemp_client_packet_t;
	')

	dontaudit $1 hddtemp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hddtemp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive hddtemp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_hddtemp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_hddtemp_client_packets'($*)) dnl
	gen_require(`
		type hddtemp_client_packet_t;
	')

	allow $1 hddtemp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_hddtemp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive hddtemp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_hddtemp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hddtemp_client_packets'($*)) dnl
	gen_require(`
		type hddtemp_client_packet_t;
	')

	dontaudit $1 hddtemp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hddtemp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive hddtemp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_hddtemp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hddtemp_client_packets'($*)) dnl
	corenet_send_hddtemp_client_packets($1)
	corenet_receive_hddtemp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hddtemp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive hddtemp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_hddtemp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hddtemp_client_packets'($*)) dnl
	corenet_dontaudit_send_hddtemp_client_packets($1)
	corenet_dontaudit_receive_hddtemp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hddtemp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the hddtemp_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_hddtemp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hddtemp_client_packets'($*)) dnl
	gen_require(`
		type hddtemp_client_packet_t;
	')

	allow $1 hddtemp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_hddtemp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send hddtemp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_hddtemp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_hddtemp_server_packets'($*)) dnl
	gen_require(`
		type hddtemp_server_packet_t;
	')

	allow $1 hddtemp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_hddtemp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send hddtemp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_hddtemp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hddtemp_server_packets'($*)) dnl
	gen_require(`
		type hddtemp_server_packet_t;
	')

	dontaudit $1 hddtemp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hddtemp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive hddtemp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_hddtemp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_hddtemp_server_packets'($*)) dnl
	gen_require(`
		type hddtemp_server_packet_t;
	')

	allow $1 hddtemp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_hddtemp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive hddtemp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_hddtemp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hddtemp_server_packets'($*)) dnl
	gen_require(`
		type hddtemp_server_packet_t;
	')

	dontaudit $1 hddtemp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hddtemp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive hddtemp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_hddtemp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hddtemp_server_packets'($*)) dnl
	corenet_send_hddtemp_server_packets($1)
	corenet_receive_hddtemp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hddtemp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive hddtemp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_hddtemp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hddtemp_server_packets'($*)) dnl
	corenet_dontaudit_send_hddtemp_server_packets($1)
	corenet_dontaudit_receive_hddtemp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hddtemp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the hddtemp_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_hddtemp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hddtemp_server_packets'($*)) dnl
	gen_require(`
		type hddtemp_server_packet_t;
	')

	allow $1 hddtemp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_hddtemp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the howl port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_howl_port'($*)) dnl
	gen_require(`
		type howl_port_t;
	')

	allow $1 howl_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_howl_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the howl port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_howl_port'($*)) dnl
	gen_require(`
		type howl_port_t;
	')

	allow $1 howl_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_howl_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the howl port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_howl_port'($*)) dnl
	gen_require(`
		type howl_port_t;
	')

	dontaudit $1 howl_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_howl_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the howl port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_howl_port'($*)) dnl
	gen_require(`
		type howl_port_t;
	')

	allow $1 howl_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_howl_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the howl port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_howl_port'($*)) dnl
	gen_require(`
		type howl_port_t;
	')

	dontaudit $1 howl_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_howl_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the howl port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_udp_sendrecv_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_howl_port'($*)) dnl
	corenet_udp_send_howl_port($1)
	corenet_udp_receive_howl_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_howl_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the howl port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
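##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_howl_port'($*)) dnl
	corenet_dontaudit_udp_send_howl_port($1)
	corenet_dontaudit_udp_receive_howl_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_howl_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the howl port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_howl_port'($*)) dnl
	gen_require(`
		type howl_port_t;
	')

	allow $1 howl_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_howl_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the howl port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_howl_port'($*)) dnl
	gen_require(`
		type howl_port_t;
	')

	allow $1 howl_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_howl_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the howl port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.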
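##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_howl_port'($*)) dnl
	gen_require(`
		type howl_port_t;
	')

	dontaudit $1 howl_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_howl_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the howl port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_howl_port'($*)) dnl
	gen_require(`
		type howl_port_t;
	')

	allow $1 howl_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_howl_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the howl port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_howl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_howl_port'($*)) dnl
	gen_require(`
		type howl_port_t;
	')

	dontaudit $1 howl_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_howl_port'($*)) dnl
')

########################################
## <summary>
##	Send howl_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.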
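##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_howl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_howl_client_packets'($*)) dnl
	gen_require(`
		type howl_client_packet_t;
	')

	allow $1 howl_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_howl_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send howl_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_howl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_howl_client_packets'($*)) dnl
	gen_require(`
		type howl_client_packet_t;
	')

	dontaudit $1 howl_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_howl_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive howl_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_howl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_howl_client_packets'($*)) dnl
	gen_require(`
		type howl_client_packet_t;
	')

	allow $1 howl_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_howl_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive howl_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.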
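##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_howl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_howl_client_packets'($*)) dnl
	gen_require(`
		type howl_client_packet_t;
	')

	dontaudit $1 howl_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_howl_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive howl_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_howl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_howl_client_packets'($*)) dnl
	corenet_send_howl_client_packets($1)
	corenet_receive_howl_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_howl_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive howl_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_howl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_howl_client_packets'($*)) dnl
	corenet_dontaudit_send_howl_client_packets($1)
	corenet_dontaudit_receive_howl_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_howl_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the howl_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.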
##	</summary>
## </param>
#
define(`corenet_relabelto_howl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_howl_client_packets'($*)) dnl
	gen_require(`
		type howl_client_packet_t;
	')

	allow $1 howl_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_howl_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send howl_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_howl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_howl_server_packets'($*)) dnl
	gen_require(`
		type howl_server_packet_t;
	')

	allow $1 howl_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_howl_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send howl_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_howl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_howl_server_packets'($*)) dnl
	gen_require(`
		type howl_server_packet_t;
	')

	dontaudit $1 howl_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_howl_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive howl_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
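##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_howl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_howl_server_packets'($*)) dnl
	gen_require(`
		type howl_server_packet_t;
	')

	allow $1 howl_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_howl_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive howl_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_howl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_howl_server_packets'($*)) dnl
	gen_require(`
		type howl_server_packet_t;
	')

	dontaudit $1 howl_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_howl_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive howl_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_howl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_howl_server_packets'($*)) dnl
	corenet_send_howl_server_packets($1)
	corenet_receive_howl_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_howl_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive howl_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.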
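##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_howl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_howl_server_packets'($*)) dnl
	corenet_dontaudit_send_howl_server_packets($1)
	corenet_dontaudit_receive_howl_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_howl_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the howl_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_howl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_howl_server_packets'($*)) dnl
	gen_require(`
		type howl_server_packet_t;
	')

	allow $1 howl_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_howl_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the hplip port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_tcp_sendrecv_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_hplip_port'($*)) dnl
	gen_require(`
		type hplip_port_t;
	')

	allow $1 hplip_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_hplip_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the hplip port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.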
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_hplip_port'($*)) dnl
	gen_require(`
		type hplip_port_t;
	')

	allow $1 hplip_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_hplip_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the hplip port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_hplip_port'($*)) dnl
	gen_require(`
		type hplip_port_t;
	')

	dontaudit $1 hplip_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_hplip_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the hplip port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_hplip_port'($*)) dnl
	gen_require(`
		type hplip_port_t;
	')

	allow $1 hplip_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_hplip_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the hplip port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_hplip_port'($*)) dnl
	gen_require(`
		type hplip_port_t;
	')

	dontaudit $1 hplip_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_hplip_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the hplip port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_udp_sendrecv_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_hplip_port'($*)) dnl
	corenet_udp_send_hplip_port($1)
	corenet_udp_receive_hplip_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_hplip_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the hplip port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_hplip_port'($*)) dnl
	corenet_dontaudit_udp_send_hplip_port($1)
	corenet_dontaudit_udp_receive_hplip_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_hplip_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the hplip port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
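##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_hplip_port'($*)) dnl
	gen_require(`
		type hplip_port_t;
	')

	allow $1 hplip_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_hplip_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the hplip port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_hplip_port'($*)) dnl
	gen_require(`
		type hplip_port_t;
	')

	allow $1 hplip_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_hplip_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the hplip port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_hplip_port'($*)) dnl
	gen_require(`
		type hplip_port_t;
	')

	dontaudit $1 hplip_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_hplip_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the hplip port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.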
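##	</summary>
## </param>
#
define(`corenet_tcp_connect_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_hplip_port'($*)) dnl
	gen_require(`
		type hplip_port_t;
	')

	allow $1 hplip_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_hplip_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the hplip port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_hplip_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_hplip_port'($*)) dnl
	gen_require(`
		type hplip_port_t;
	')

	dontaudit $1 hplip_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_hplip_port'($*)) dnl
')

########################################
## <summary>
##	Send hplip_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_hplip_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_hplip_client_packets'($*)) dnl
	gen_require(`
		type hplip_client_packet_t;
	')

	allow $1 hplip_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_hplip_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send hplip_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.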
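##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_hplip_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hplip_client_packets'($*)) dnl
	gen_require(`
		type hplip_client_packet_t;
	')

	dontaudit $1 hplip_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hplip_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive hplip_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_hplip_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_hplip_client_packets'($*)) dnl
	gen_require(`
		type hplip_client_packet_t;
	')

	allow $1 hplip_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_hplip_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive hplip_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_hplip_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hplip_client_packets'($*)) dnl
	gen_require(`
		type hplip_client_packet_t;
	')

	dontaudit $1 hplip_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hplip_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive hplip_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.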
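##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_hplip_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hplip_client_packets'($*)) dnl
	corenet_send_hplip_client_packets($1)
	corenet_receive_hplip_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hplip_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive hplip_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_hplip_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hplip_client_packets'($*)) dnl
	corenet_dontaudit_send_hplip_client_packets($1)
	corenet_dontaudit_receive_hplip_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hplip_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the hplip_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_hplip_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hplip_client_packets'($*)) dnl
	gen_require(`
		type hplip_client_packet_t;
	')

	allow $1 hplip_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_hplip_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send hplip_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.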
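##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_hplip_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_hplip_server_packets'($*)) dnl
	gen_require(`
		type hplip_server_packet_t;
	')

	allow $1 hplip_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_hplip_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send hplip_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_hplip_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_hplip_server_packets'($*)) dnl
	gen_require(`
		type hplip_server_packet_t;
	')

	dontaudit $1 hplip_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_hplip_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive hplip_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_hplip_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_hplip_server_packets'($*)) dnl
	gen_require(`
		type hplip_server_packet_t;
	')

	allow $1 hplip_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_hplip_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive hplip_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.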
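##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_hplip_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_hplip_server_packets'($*)) dnl
	gen_require(`
		type hplip_server_packet_t;
	')

	dontaudit $1 hplip_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_hplip_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive hplip_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_hplip_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_hplip_server_packets'($*)) dnl
	corenet_send_hplip_server_packets($1)
	corenet_receive_hplip_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_hplip_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive hplip_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_hplip_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_hplip_server_packets'($*)) dnl
	corenet_dontaudit_send_hplip_server_packets($1)
	corenet_dontaudit_receive_hplip_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_hplip_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the hplip_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.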
##	</summary>
## </param>
#
define(`corenet_relabelto_hplip_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_hplip_server_packets'($*)) dnl
	gen_require(`
		type hplip_server_packet_t;
	')

	allow $1 hplip_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_hplip_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_tcp_sendrecv_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_http_port'($*)) dnl
	gen_require(`
		type http_port_t;
	')

	allow $1 http_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_http_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_http_port'($*)) dnl
	gen_require(`
		type http_port_t;
	')

	allow $1 http_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_http_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_http_port'($*)) dnl
	gen_require(`
		type http_port_t;
	')

	dontaudit $1 http_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_http_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_http_port'($*)) dnl
	gen_require(`
		type http_port_t;
	')

	allow $1 http_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_http_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_http_port'($*)) dnl
	gen_require(`
		type http_port_t;
	')

	dontaudit $1 http_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_http_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_udp_sendrecv_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_http_port'($*)) dnl
	corenet_udp_send_http_port($1)
	corenet_udp_receive_http_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_http_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_http_port'($*)) dnl
	corenet_dontaudit_udp_send_http_port($1)
	corenet_dontaudit_udp_receive_http_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_http_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_http_port'($*)) dnl
	gen_require(`
		type http_port_t;
	')

	allow $1 http_port_t:tcp_socket name_bind;
	# Unlike the howl and hplip bind interfaces, this one also grants the
	# net_bind_service capability to the caller, not just the port type.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_http_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
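##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_http_port'($*)) dnl
	gen_require(`
		type http_port_t;
	')

	allow $1 http_port_t:udp_socket name_bind;
	# Unlike the howl and hplip bind interfaces, this one also grants the
	# net_bind_service capability to the caller, not just the port type.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_http_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_http_port'($*)) dnl
	gen_require(`
		type http_port_t;
	')

	dontaudit $1 http_port_t:udp_socket name_bind;
	# A dontaudit interface must not grant access. This line used to be an
	# allow rule, which silently handed net_bind_service to every caller that
	# only asked for the denial to be suppressed; it is now a dontaudit so the
	# interface does exactly what its name and summary say.
	dontaudit $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_http_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_http_port'($*)) dnl
	gen_require(`
		type http_port_t;
	')

	allow $1 http_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_http_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.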
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_http_port'($*)) dnl
	gen_require(`
		type http_port_t;
	')

	# Silences the denial only; the connect is still refused.
	dontaudit $1 http_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_http_port'($*)) dnl
')

########################################
## <summary>
##	Send http_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_http_client_packets'($*)) dnl
	gen_require(`
		type http_client_packet_t;
	')

	# packet-class rule: only takes effect on traffic that has been
	# labeled http_client_packet_t (labeling is configured elsewhere).
	allow $1 http_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_http_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send http_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_http_client_packets'($*)) dnl
	gen_require(`
		type http_client_packet_t;
	')

	dontaudit $1 http_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_http_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive http_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
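##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_http_client_packets'($*)) dnl
	gen_require(`
		type http_client_packet_t;
	')

	allow $1 http_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_http_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive http_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_http_client_packets'($*)) dnl
	gen_require(`
		type http_client_packet_t;
	')

	# dontaudit only: the parameter is a domain to silence, not to allow.
	dontaudit $1 http_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_http_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive http_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_http_client_packets'($*)) dnl
	# Wrapper around the send and receive interfaces.
	corenet_send_http_client_packets($1)
	corenet_receive_http_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_http_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive http_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.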
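##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_http_client_packets'($*)) dnl
	# Wrapper: silences both directions, grants nothing.
	corenet_dontaudit_send_http_client_packets($1)
	corenet_dontaudit_receive_http_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_http_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the http_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_http_client_packets'($*)) dnl
	gen_require(`
		type http_client_packet_t;
	')

	# Lets the caller apply this label to packets, so it effectively
	# controls which send/recv rules apply to that traffic; give sparingly.
	allow $1 http_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_http_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send http_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_http_server_packets'($*)) dnl
	gen_require(`
		type http_server_packet_t;
	')

	allow $1 http_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_http_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send http_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.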
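##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_http_server_packets'($*)) dnl
	gen_require(`
		type http_server_packet_t;
	')

	dontaudit $1 http_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_http_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive http_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_http_server_packets'($*)) dnl
	gen_require(`
		type http_server_packet_t;
	')

	allow $1 http_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_http_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive http_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_http_server_packets'($*)) dnl
	gen_require(`
		type http_server_packet_t;
	')

	# dontaudit only: the parameter is a domain to silence, not to allow.
	dontaudit $1 http_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_http_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive http_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.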
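##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_http_server_packets'($*)) dnl
	# Wrapper around the send and receive interfaces.
	corenet_send_http_server_packets($1)
	corenet_receive_http_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_http_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive http_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_http_server_packets'($*)) dnl
	# Wrapper: silences both directions, grants nothing.
	corenet_dontaudit_send_http_server_packets($1)
	corenet_dontaudit_receive_http_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_http_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the http_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_http_server_packets'($*)) dnl
	gen_require(`
		type http_server_packet_t;
	')

	# Lets the caller apply this label to packets, so it effectively
	# controls which send/recv rules apply to that traffic; give sparingly.
	allow $1 http_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_http_server_packets'($*)) dnl
')

# 8443 is mod_nss default port (note carried over from the http port
# definition; it belongs to the http interfaces above, not to http_cache)

########################################
## <summary>
##	Send and receive TCP traffic on the http_cache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.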
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_tcp_sendrecv_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_http_cache_port'($*)) dnl
	gen_require(`
		type http_cache_port_t;
	')

	# Data transfer only; connecting or binding needs the separate
	# tcp_connect / tcp_bind interfaces.
	allow $1 http_cache_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_http_cache_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the http_cache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_http_cache_port'($*)) dnl
	gen_require(`
		type http_cache_port_t;
	')

	allow $1 http_cache_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_http_cache_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the http_cache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_http_cache_port'($*)) dnl
	gen_require(`
		type http_cache_port_t;
	')

	dontaudit $1 http_cache_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_http_cache_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the http_cache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_http_cache_port'($*)) dnl
	gen_require(`
		type http_cache_port_t;
	')

	allow $1 http_cache_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_http_cache_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the http_cache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_http_cache_port'($*)) dnl
	gen_require(`
		type http_cache_port_t;
	')

	dontaudit $1 http_cache_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_http_cache_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the http_cache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_udp_sendrecv_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_http_cache_port'($*)) dnl
	# Wrapper: identical to calling the send and receive interfaces separately.
	corenet_udp_send_http_cache_port($1)
	corenet_udp_receive_http_cache_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_http_cache_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the http_cache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
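##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_http_cache_port'($*)) dnl
	# Only silences send_msg/recv_msg denials; grants no access.
	corenet_dontaudit_udp_send_http_cache_port($1)
	corenet_dontaudit_udp_receive_http_cache_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_http_cache_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the http_cache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_http_cache_port'($*)) dnl
	gen_require(`
		type http_cache_port_t;
	')

	allow $1 http_cache_port_t:tcp_socket name_bind;
	# Binding a privileged (<1024) port also needs CAP_NET_BIND_SERVICE;
	# the http_cache port set presumably contains such a port -- confirm
	# against the http_cache port definition.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_http_cache_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the http_cache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_http_cache_port'($*)) dnl
	gen_require(`
		type http_cache_port_t;
	')

	allow $1 http_cache_port_t:udp_socket name_bind;
	# See the tcp_bind interface above for why the capability is granted.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_http_cache_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the http_cache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.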
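##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_http_cache_port'($*)) dnl
	gen_require(`
		type http_cache_port_t;
	')

	# A dontaudit interface must only silence denials. The previous
	# version also granted self:capability net_bind_service here, i.e. a
	# real privilege from an interface whose contract is to grant nothing.
	# Domains that actually bind the port must call
	# corenet_udp_bind_http_cache_port, which grants the capability.
	dontaudit $1 http_cache_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_http_cache_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the http_cache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_http_cache_port'($*)) dnl
	gen_require(`
		type http_cache_port_t;
	')

	allow $1 http_cache_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_http_cache_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the http_cache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_http_cache_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_http_cache_port'($*)) dnl
	gen_require(`
		type http_cache_port_t;
	')

	# Silences the denial only; the connect is still refused.
	dontaudit $1 http_cache_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_http_cache_port'($*)) dnl
')

########################################
## <summary>
##	Send http_cache_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.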
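##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_http_cache_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_http_cache_client_packets'($*)) dnl
	gen_require(`
		type http_cache_client_packet_t;
	')

	# packet-class rule: only takes effect on traffic that has been
	# labeled http_cache_client_packet_t (labeling is configured elsewhere).
	allow $1 http_cache_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_http_cache_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send http_cache_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_http_cache_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_http_cache_client_packets'($*)) dnl
	gen_require(`
		type http_cache_client_packet_t;
	')

	dontaudit $1 http_cache_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_http_cache_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive http_cache_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_http_cache_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_http_cache_client_packets'($*)) dnl
	gen_require(`
		type http_cache_client_packet_t;
	')

	allow $1 http_cache_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_http_cache_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive http_cache_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.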
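##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_http_cache_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_http_cache_client_packets'($*)) dnl
	gen_require(`
		type http_cache_client_packet_t;
	')

	dontaudit $1 http_cache_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_http_cache_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive http_cache_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_http_cache_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_http_cache_client_packets'($*)) dnl
	# Wrapper around the send and receive interfaces.
	corenet_send_http_cache_client_packets($1)
	corenet_receive_http_cache_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_http_cache_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive http_cache_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_http_cache_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_http_cache_client_packets'($*)) dnl
	# Wrapper: silences both directions, grants nothing.
	corenet_dontaudit_send_http_cache_client_packets($1)
	corenet_dontaudit_receive_http_cache_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_http_cache_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the http_cache_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.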
##	</summary>
## </param>
#
define(`corenet_relabelto_http_cache_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_http_cache_client_packets'($*)) dnl
	gen_require(`
		type http_cache_client_packet_t;
	')

	# Lets the caller apply this label to packets, so it effectively
	# controls which send/recv rules apply to that traffic; give sparingly.
	allow $1 http_cache_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_http_cache_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send http_cache_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_http_cache_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_http_cache_server_packets'($*)) dnl
	gen_require(`
		type http_cache_server_packet_t;
	')

	allow $1 http_cache_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_http_cache_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send http_cache_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_http_cache_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_http_cache_server_packets'($*)) dnl
	gen_require(`
		type http_cache_server_packet_t;
	')

	dontaudit $1 http_cache_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_http_cache_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive http_cache_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
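##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_http_cache_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_http_cache_server_packets'($*)) dnl
	gen_require(`
		type http_cache_server_packet_t;
	')

	allow $1 http_cache_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_http_cache_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive http_cache_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_http_cache_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_http_cache_server_packets'($*)) dnl
	gen_require(`
		type http_cache_server_packet_t;
	')

	# dontaudit only: the parameter is a domain to silence, not to allow.
	dontaudit $1 http_cache_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_http_cache_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive http_cache_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_http_cache_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_http_cache_server_packets'($*)) dnl
	# Wrapper around the send and receive interfaces.
	corenet_send_http_cache_server_packets($1)
	corenet_receive_http_cache_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_http_cache_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive http_cache_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.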
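##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_http_cache_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_http_cache_server_packets'($*)) dnl
	# Wrapper: silences both directions, grants nothing.
	corenet_dontaudit_send_http_cache_server_packets($1)
	corenet_dontaudit_receive_http_cache_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_http_cache_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the http_cache_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_http_cache_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_http_cache_server_packets'($*)) dnl
	gen_require(`
		type http_cache_server_packet_t;
	')

	# Lets the caller apply this label to packets, so it effectively
	# controls which send/recv rules apply to that traffic; give sparingly.
	allow $1 http_cache_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_http_cache_server_packets'($*)) dnl
')

# 8118 is for privoxy (note carried over from the http_cache port
# definition; it belongs to the http_cache interfaces above, not to ibm_dt_2)

########################################
## <summary>
##	Send and receive TCP traffic on the ibm_dt_2 port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_tcp_sendrecv_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ibm_dt_2_port'($*)) dnl
	gen_require(`
		type ibm_dt_2_port_t;
	')

	# Data transfer only; connecting or binding needs the separate
	# tcp_connect / tcp_bind interfaces.
	allow $1 ibm_dt_2_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ibm_dt_2_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the ibm_dt_2 port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.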
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ibm_dt_2_port'($*)) dnl
	gen_require(`
		type ibm_dt_2_port_t;
	')

	allow $1 ibm_dt_2_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ibm_dt_2_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the ibm_dt_2 port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ibm_dt_2_port'($*)) dnl
	gen_require(`
		type ibm_dt_2_port_t;
	')

	dontaudit $1 ibm_dt_2_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ibm_dt_2_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the ibm_dt_2 port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ibm_dt_2_port'($*)) dnl
	gen_require(`
		type ibm_dt_2_port_t;
	')

	allow $1 ibm_dt_2_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ibm_dt_2_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the ibm_dt_2 port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ibm_dt_2_port'($*)) dnl
	gen_require(`
		type ibm_dt_2_port_t;
	')

	dontaudit $1 ibm_dt_2_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ibm_dt_2_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the ibm_dt_2 port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_udp_sendrecv_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ibm_dt_2_port'($*)) dnl
	# Wrapper: identical to calling the send and receive interfaces separately.
	corenet_udp_send_ibm_dt_2_port($1)
	corenet_udp_receive_ibm_dt_2_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ibm_dt_2_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the ibm_dt_2 port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ibm_dt_2_port'($*)) dnl
	# Only silences send_msg/recv_msg denials; grants no access.
	corenet_dontaudit_udp_send_ibm_dt_2_port($1)
	corenet_dontaudit_udp_receive_ibm_dt_2_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ibm_dt_2_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the ibm_dt_2 port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
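##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ibm_dt_2_port'($*)) dnl
	gen_require(`
		type ibm_dt_2_port_t;
	')

	# No net_bind_service capability here, unlike the http/http_cache
	# bind interfaces; presumably the ibm_dt_2 port is not in the
	# privileged (<1024) range -- confirm against its port definition.
	allow $1 ibm_dt_2_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ibm_dt_2_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the ibm_dt_2 port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ibm_dt_2_port'($*)) dnl
	gen_require(`
		type ibm_dt_2_port_t;
	')

	allow $1 ibm_dt_2_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ibm_dt_2_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the ibm_dt_2 port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ibm_dt_2_port'($*)) dnl
	gen_require(`
		type ibm_dt_2_port_t;
	')

	# dontaudit only; grants nothing.
	dontaudit $1 ibm_dt_2_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ibm_dt_2_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the ibm_dt_2 port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.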
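##	</summary>
## </param>
#
define(`corenet_tcp_connect_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ibm_dt_2_port'($*)) dnl
	gen_require(`
		type ibm_dt_2_port_t;
	')

	allow $1 ibm_dt_2_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ibm_dt_2_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the ibm_dt_2 port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_ibm_dt_2_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ibm_dt_2_port'($*)) dnl
	gen_require(`
		type ibm_dt_2_port_t;
	')

	# Silences the denial only; the connect is still refused.
	dontaudit $1 ibm_dt_2_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ibm_dt_2_port'($*)) dnl
')

########################################
## <summary>
##	Send ibm_dt_2_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_ibm_dt_2_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ibm_dt_2_client_packets'($*)) dnl
	gen_require(`
		type ibm_dt_2_client_packet_t;
	')

	# packet-class rule: only takes effect on traffic that has been
	# labeled ibm_dt_2_client_packet_t (labeling is configured elsewhere).
	allow $1 ibm_dt_2_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ibm_dt_2_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send ibm_dt_2_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.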
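##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_ibm_dt_2_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ibm_dt_2_client_packets'($*)) dnl
	gen_require(`
		type ibm_dt_2_client_packet_t;
	')

	dontaudit $1 ibm_dt_2_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ibm_dt_2_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive ibm_dt_2_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_ibm_dt_2_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ibm_dt_2_client_packets'($*)) dnl
	gen_require(`
		type ibm_dt_2_client_packet_t;
	')

	allow $1 ibm_dt_2_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ibm_dt_2_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive ibm_dt_2_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_ibm_dt_2_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ibm_dt_2_client_packets'($*)) dnl
	gen_require(`
		type ibm_dt_2_client_packet_t;
	')

	# dontaudit only: the parameter is a domain to silence, not to allow.
	dontaudit $1 ibm_dt_2_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ibm_dt_2_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive ibm_dt_2_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.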
## ## ## # define(`corenet_sendrecv_ibm_dt_2_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ibm_dt_2_client_packets'($*)) dnl corenet_send_ibm_dt_2_client_packets($1) corenet_receive_ibm_dt_2_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ibm_dt_2_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ibm_dt_2_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_ibm_dt_2_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ibm_dt_2_client_packets'($*)) dnl corenet_dontaudit_send_ibm_dt_2_client_packets($1) corenet_dontaudit_receive_ibm_dt_2_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ibm_dt_2_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to ibm_dt_2_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_ibm_dt_2_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ibm_dt_2_client_packets'($*)) dnl gen_require(` type ibm_dt_2_client_packet_t; ') allow $1 ibm_dt_2_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ibm_dt_2_client_packets'($*)) dnl ') ######################################## ## ## Send ibm_dt_2_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_ibm_dt_2_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ibm_dt_2_server_packets'($*)) dnl gen_require(` type ibm_dt_2_server_packet_t; ') allow $1 ibm_dt_2_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ibm_dt_2_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ibm_dt_2_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_ibm_dt_2_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ibm_dt_2_server_packets'($*)) dnl gen_require(` type ibm_dt_2_server_packet_t; ') dontaudit $1 ibm_dt_2_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ibm_dt_2_server_packets'($*)) dnl ') ######################################## ## ## Receive ibm_dt_2_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_ibm_dt_2_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ibm_dt_2_server_packets'($*)) dnl gen_require(` type ibm_dt_2_server_packet_t; ') allow $1 ibm_dt_2_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ibm_dt_2_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ibm_dt_2_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_receive_ibm_dt_2_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ibm_dt_2_server_packets'($*)) dnl gen_require(` type ibm_dt_2_server_packet_t; ') dontaudit $1 ibm_dt_2_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ibm_dt_2_server_packets'($*)) dnl ') ######################################## ## ## Send and receive ibm_dt_2_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_ibm_dt_2_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ibm_dt_2_server_packets'($*)) dnl corenet_send_ibm_dt_2_server_packets($1) corenet_receive_ibm_dt_2_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ibm_dt_2_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ibm_dt_2_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_ibm_dt_2_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ibm_dt_2_server_packets'($*)) dnl corenet_dontaudit_send_ibm_dt_2_server_packets($1) corenet_dontaudit_receive_ibm_dt_2_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ibm_dt_2_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to ibm_dt_2_server the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_ibm_dt_2_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ibm_dt_2_server_packets'($*)) dnl gen_require(` type ibm_dt_2_server_packet_t; ') allow $1 ibm_dt_2_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ibm_dt_2_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the intermapper port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_intermapper_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_intermapper_port'($*)) dnl gen_require(` type intermapper_port_t; ') allow $1 intermapper_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_intermapper_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the intermapper port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_intermapper_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_intermapper_port'($*)) dnl gen_require(` type intermapper_port_t; ') allow $1 intermapper_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_intermapper_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the intermapper port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_send_intermapper_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_intermapper_port'($*)) dnl gen_require(` type intermapper_port_t; ') dontaudit $1 intermapper_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_intermapper_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the intermapper port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_intermapper_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_intermapper_port'($*)) dnl gen_require(` type intermapper_port_t; ') allow $1 intermapper_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_intermapper_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the intermapper port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_intermapper_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_intermapper_port'($*)) dnl gen_require(` type intermapper_port_t; ') dontaudit $1 intermapper_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_intermapper_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the intermapper port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_sendrecv_intermapper_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_intermapper_port'($*)) dnl corenet_udp_send_intermapper_port($1) corenet_udp_receive_intermapper_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_intermapper_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the intermapper port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_intermapper_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_intermapper_port'($*)) dnl corenet_dontaudit_udp_send_intermapper_port($1) corenet_dontaudit_udp_receive_intermapper_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_intermapper_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the intermapper port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_intermapper_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_intermapper_port'($*)) dnl gen_require(` type intermapper_port_t; ') allow $1 intermapper_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_intermapper_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the intermapper port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_bind_intermapper_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_intermapper_port'($*)) dnl gen_require(` type intermapper_port_t; ') allow $1 intermapper_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_intermapper_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind UDP sockets to the intermapper port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_bind_intermapper_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_intermapper_port'($*)) dnl gen_require(` type intermapper_port_t; ') dontaudit $1 intermapper_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_intermapper_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the intermapper port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_intermapper_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_intermapper_port'($*)) dnl gen_require(` type intermapper_port_t; ') allow $1 intermapper_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_intermapper_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the intermapper port. ## ## ## ## Domain to not audit. 
## ## # define(`corenet_dontaudit_tcp_connect_intermapper_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_intermapper_port'($*)) dnl gen_require(` type intermapper_port_t; ') dontaudit $1 intermapper_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_intermapper_port'($*)) dnl ') ######################################## ## ## Send intermapper_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_intermapper_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_intermapper_client_packets'($*)) dnl gen_require(` type intermapper_client_packet_t; ') allow $1 intermapper_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_intermapper_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send intermapper_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_intermapper_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_intermapper_client_packets'($*)) dnl gen_require(` type intermapper_client_packet_t; ') dontaudit $1 intermapper_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_intermapper_client_packets'($*)) dnl ') ######################################## ## ## Receive intermapper_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_intermapper_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_intermapper_client_packets'($*)) dnl gen_require(` type intermapper_client_packet_t; ') allow $1 intermapper_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_intermapper_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive intermapper_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_intermapper_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_intermapper_client_packets'($*)) dnl gen_require(` type intermapper_client_packet_t; ') dontaudit $1 intermapper_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_intermapper_client_packets'($*)) dnl ') ######################################## ## ## Send and receive intermapper_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_intermapper_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_intermapper_client_packets'($*)) dnl corenet_send_intermapper_client_packets($1) corenet_receive_intermapper_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_intermapper_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive intermapper_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_intermapper_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_intermapper_client_packets'($*)) dnl corenet_dontaudit_send_intermapper_client_packets($1) corenet_dontaudit_receive_intermapper_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_intermapper_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to intermapper_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_intermapper_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_intermapper_client_packets'($*)) dnl gen_require(` type intermapper_client_packet_t; ') allow $1 intermapper_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_intermapper_client_packets'($*)) dnl ') ######################################## ## ## Send intermapper_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_intermapper_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_intermapper_server_packets'($*)) dnl gen_require(` type intermapper_server_packet_t; ') allow $1 intermapper_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_intermapper_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send intermapper_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_intermapper_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_intermapper_server_packets'($*)) dnl gen_require(` type intermapper_server_packet_t; ') dontaudit $1 intermapper_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_intermapper_server_packets'($*)) dnl ') ######################################## ## ## Receive intermapper_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_intermapper_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_intermapper_server_packets'($*)) dnl gen_require(` type intermapper_server_packet_t; ') allow $1 intermapper_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_intermapper_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive intermapper_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_intermapper_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_intermapper_server_packets'($*)) dnl gen_require(` type intermapper_server_packet_t; ') dontaudit $1 intermapper_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_intermapper_server_packets'($*)) dnl ') ######################################## ## ## Send and receive intermapper_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_intermapper_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_intermapper_server_packets'($*)) dnl corenet_send_intermapper_server_packets($1) corenet_receive_intermapper_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_intermapper_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive intermapper_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_intermapper_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_intermapper_server_packets'($*)) dnl corenet_dontaudit_send_intermapper_server_packets($1) corenet_dontaudit_receive_intermapper_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_intermapper_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to intermapper_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_intermapper_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_intermapper_server_packets'($*)) dnl gen_require(` type intermapper_server_packet_t; ') allow $1 intermapper_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_intermapper_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the i18n_input port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_sendrecv_i18n_input_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_i18n_input_port'($*)) dnl gen_require(` type i18n_input_port_t; ') allow $1 i18n_input_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_i18n_input_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the i18n_input port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_i18n_input_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_i18n_input_port'($*)) dnl gen_require(` type i18n_input_port_t; ') allow $1 i18n_input_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_i18n_input_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the i18n_input port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_i18n_input_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_i18n_input_port'($*)) dnl gen_require(` type i18n_input_port_t; ') dontaudit $1 i18n_input_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_i18n_input_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the i18n_input port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_receive_i18n_input_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_i18n_input_port'($*)) dnl gen_require(` type i18n_input_port_t; ') allow $1 i18n_input_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_i18n_input_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the i18n_input port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_i18n_input_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_i18n_input_port'($*)) dnl gen_require(` type i18n_input_port_t; ') dontaudit $1 i18n_input_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_i18n_input_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the i18n_input port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_i18n_input_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_i18n_input_port'($*)) dnl corenet_udp_send_i18n_input_port($1) corenet_udp_receive_i18n_input_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_i18n_input_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the i18n_input port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_sendrecv_i18n_input_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_i18n_input_port'($*)) dnl corenet_dontaudit_udp_send_i18n_input_port($1) corenet_dontaudit_udp_receive_i18n_input_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_i18n_input_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the i18n_input port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_i18n_input_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_i18n_input_port'($*)) dnl gen_require(` type i18n_input_port_t; ') allow $1 i18n_input_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_i18n_input_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the i18n_input port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_i18n_input_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_i18n_input_port'($*)) dnl gen_require(` type i18n_input_port_t; ') allow $1 i18n_input_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_i18n_input_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind UDP sockets to the i18n_input port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_bind_i18n_input_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_i18n_input_port'($*)) dnl gen_require(` type i18n_input_port_t; ') dontaudit $1 i18n_input_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_i18n_input_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the i18n_input port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_i18n_input_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_i18n_input_port'($*)) dnl gen_require(` type i18n_input_port_t; ') allow $1 i18n_input_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_i18n_input_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the i18n_input port. ## ## ## ## Domain to not audit. ## ## # define(`corenet_dontaudit_tcp_connect_i18n_input_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_i18n_input_port'($*)) dnl gen_require(` type i18n_input_port_t; ') dontaudit $1 i18n_input_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_i18n_input_port'($*)) dnl ') ######################################## ## ## Send i18n_input_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_i18n_input_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_i18n_input_client_packets'($*)) dnl gen_require(` type i18n_input_client_packet_t; ') allow $1 i18n_input_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_i18n_input_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send i18n_input_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_i18n_input_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_i18n_input_client_packets'($*)) dnl gen_require(` type i18n_input_client_packet_t; ') dontaudit $1 i18n_input_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_i18n_input_client_packets'($*)) dnl ') ######################################## ## ## Receive i18n_input_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_i18n_input_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_i18n_input_client_packets'($*)) dnl gen_require(` type i18n_input_client_packet_t; ') allow $1 i18n_input_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_i18n_input_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive i18n_input_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_receive_i18n_input_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_i18n_input_client_packets'($*)) dnl gen_require(` type i18n_input_client_packet_t; ') dontaudit $1 i18n_input_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_i18n_input_client_packets'($*)) dnl ') ######################################## ## ## Send and receive i18n_input_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_i18n_input_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_i18n_input_client_packets'($*)) dnl corenet_send_i18n_input_client_packets($1) corenet_receive_i18n_input_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_i18n_input_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive i18n_input_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_i18n_input_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_i18n_input_client_packets'($*)) dnl corenet_dontaudit_send_i18n_input_client_packets($1) corenet_dontaudit_receive_i18n_input_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_i18n_input_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to i18n_input_client the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_i18n_input_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_i18n_input_client_packets'($*)) dnl gen_require(` type i18n_input_client_packet_t; ') allow $1 i18n_input_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_i18n_input_client_packets'($*)) dnl ') ######################################## ## ## Send i18n_input_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_i18n_input_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_i18n_input_server_packets'($*)) dnl gen_require(` type i18n_input_server_packet_t; ') allow $1 i18n_input_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_i18n_input_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send i18n_input_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_i18n_input_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_i18n_input_server_packets'($*)) dnl gen_require(` type i18n_input_server_packet_t; ') dontaudit $1 i18n_input_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_i18n_input_server_packets'($*)) dnl ') ######################################## ## ## Receive i18n_input_server packets. ## ## ## ## Domain allowed access. 
#
define(`corenet_receive_i18n_input_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_i18n_input_server_packets'($*)) dnl
	gen_require(`
		type i18n_input_server_packet_t;
	')

	allow $1 i18n_input_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_i18n_input_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive i18n_input_server packets.
## (The original parameter text said "Domain allowed access"; this is a
## dontaudit interface, so the domain is silenced, not granted access.)
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_receive_i18n_input_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_i18n_input_server_packets'($*)) dnl
	gen_require(`
		type i18n_input_server_packet_t;
	')

	dontaudit $1 i18n_input_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_i18n_input_server_packets'($*)) dnl
')

########################################
## Send and receive i18n_input_server packets.
## Composes the separate send and receive interfaces for this packet type.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_sendrecv_i18n_input_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_i18n_input_server_packets'($*)) dnl
	corenet_send_i18n_input_server_packets($1)
	corenet_receive_i18n_input_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_i18n_input_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive i18n_input_server packets.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_i18n_input_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_i18n_input_server_packets'($*)) dnl
	corenet_dontaudit_send_i18n_input_server_packets($1)
	corenet_dontaudit_receive_i18n_input_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_i18n_input_server_packets'($*)) dnl
')

########################################
## Relabel packets to the i18n_input_server packet type.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_relabelto_i18n_input_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_i18n_input_server_packets'($*)) dnl
	gen_require(`
		type i18n_input_server_packet_t;
	')

	allow $1 i18n_input_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_i18n_input_server_packets'($*)) dnl
')

########################################
## Send and receive TCP traffic on the imaze port.
## Grants both send_msg and recv_msg on tcp_socket for the port type.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_tcp_sendrecv_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_imaze_port'($*)) dnl
	gen_require(`
		type imaze_port_t;
	')

	allow $1 imaze_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_imaze_port'($*)) dnl
')

########################################
## Send UDP traffic on the imaze port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_udp_send_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_imaze_port'($*)) dnl
	gen_require(`
		type imaze_port_t;
	')

	allow $1 imaze_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_imaze_port'($*)) dnl
')

########################################
## Do not audit attempts to send UDP traffic on the imaze port.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_send_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_imaze_port'($*)) dnl
	gen_require(`
		type imaze_port_t;
	')

	dontaudit $1 imaze_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_imaze_port'($*)) dnl
')

########################################
## Receive UDP traffic on the imaze port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_udp_receive_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_imaze_port'($*)) dnl
	gen_require(`
		type imaze_port_t;
	')

	allow $1 imaze_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_imaze_port'($*)) dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the imaze port.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_imaze_port'($*)) dnl
	gen_require(`
		type imaze_port_t;
	')

	dontaudit $1 imaze_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_imaze_port'($*)) dnl
')

########################################
## Send and receive UDP traffic on the imaze port.
## Composes the separate UDP send and receive interfaces for this port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_udp_sendrecv_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_imaze_port'($*)) dnl
	corenet_udp_send_imaze_port($1)
	corenet_udp_receive_imaze_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_imaze_port'($*)) dnl
')

########################################
## Do not audit attempts to send and receive UDP traffic on the imaze port.
## Composes the separate dontaudit UDP send and receive interfaces.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_imaze_port'($*)) dnl
	corenet_dontaudit_udp_send_imaze_port($1)
	corenet_dontaudit_udp_receive_imaze_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_imaze_port'($*)) dnl
')

########################################
## Bind TCP sockets to the imaze port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_tcp_bind_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_imaze_port'($*)) dnl
	gen_require(`
		type imaze_port_t;
	')

	allow $1 imaze_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_imaze_port'($*)) dnl
')

########################################
## Bind UDP sockets to the imaze port.
## Only name_bind is granted here; no capability is added, unlike the
## inetd_child bind interfaces later in this file.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_udp_bind_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_imaze_port'($*)) dnl
	gen_require(`
		type imaze_port_t;
	')

	allow $1 imaze_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_imaze_port'($*)) dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the imaze port.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_bind_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_imaze_port'($*)) dnl
	gen_require(`
		type imaze_port_t;
	')

	dontaudit $1 imaze_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_imaze_port'($*)) dnl
')

########################################
## Make a TCP connection to the imaze port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_tcp_connect_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_imaze_port'($*)) dnl
	gen_require(`
		type imaze_port_t;
	')

	allow $1 imaze_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_imaze_port'($*)) dnl
')

########################################
## Do not audit attempts to make a TCP connection to the imaze port.
## (The original parameter text said "Domain allowed access"; this is a
## dontaudit interface and grants nothing.)
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_tcp_connect_imaze_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_imaze_port'($*)) dnl
	gen_require(`
		type imaze_port_t;
	')

	dontaudit $1 imaze_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_imaze_port'($*)) dnl
')

########################################
## Send imaze_client packets.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_send_imaze_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_imaze_client_packets'($*)) dnl
	gen_require(`
		type imaze_client_packet_t;
	')

	allow $1 imaze_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_imaze_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send imaze_client packets.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_send_imaze_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_imaze_client_packets'($*)) dnl
	gen_require(`
		type imaze_client_packet_t;
	')

	dontaudit $1 imaze_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_imaze_client_packets'($*)) dnl
')

########################################
## Receive imaze_client packets.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_receive_imaze_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_imaze_client_packets'($*)) dnl
	gen_require(`
		type imaze_client_packet_t;
	')

	allow $1 imaze_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_imaze_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive imaze_client packets.
## (The original parameter text said "Domain allowed access"; this is a
## dontaudit interface and grants nothing.)
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_receive_imaze_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_imaze_client_packets'($*)) dnl
	gen_require(`
		type imaze_client_packet_t;
	')

	dontaudit $1 imaze_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_imaze_client_packets'($*)) dnl
')

########################################
## Send and receive imaze_client packets.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_sendrecv_imaze_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_imaze_client_packets'($*)) dnl
	corenet_send_imaze_client_packets($1)
	corenet_receive_imaze_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_imaze_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive imaze_client packets.
## Composes the separate dontaudit send and receive interfaces.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_imaze_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_imaze_client_packets'($*)) dnl
	corenet_dontaudit_send_imaze_client_packets($1)
	corenet_dontaudit_receive_imaze_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_imaze_client_packets'($*)) dnl
')

########################################
## Relabel packets to the imaze_client packet type.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_relabelto_imaze_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_imaze_client_packets'($*)) dnl
	gen_require(`
		type imaze_client_packet_t;
	')

	allow $1 imaze_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_imaze_client_packets'($*)) dnl
')

########################################
## Send imaze_server packets.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_send_imaze_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_imaze_server_packets'($*)) dnl
	gen_require(`
		type imaze_server_packet_t;
	')

	allow $1 imaze_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_imaze_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send imaze_server packets.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_send_imaze_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_imaze_server_packets'($*)) dnl
	gen_require(`
		type imaze_server_packet_t;
	')

	dontaudit $1 imaze_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_imaze_server_packets'($*)) dnl
')

########################################
## Receive imaze_server packets.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_receive_imaze_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_imaze_server_packets'($*)) dnl
	gen_require(`
		type imaze_server_packet_t;
	')

	allow $1 imaze_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_imaze_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive imaze_server packets.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_receive_imaze_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_imaze_server_packets'($*)) dnl
	gen_require(`
		type imaze_server_packet_t;
	')

	dontaudit $1 imaze_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_imaze_server_packets'($*)) dnl
')

########################################
## Send and receive imaze_server packets.
## Composes the separate send and receive interfaces for this packet type.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_sendrecv_imaze_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_imaze_server_packets'($*)) dnl
	corenet_send_imaze_server_packets($1)
	corenet_receive_imaze_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_imaze_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive imaze_server packets.
## Composes the separate dontaudit send and receive interfaces.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_imaze_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_imaze_server_packets'($*)) dnl
	corenet_dontaudit_send_imaze_server_packets($1)
	corenet_dontaudit_receive_imaze_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_imaze_server_packets'($*)) dnl
')

########################################
## Relabel packets to the imaze_server packet type.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_relabelto_imaze_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_imaze_server_packets'($*)) dnl
	gen_require(`
		type imaze_server_packet_t;
	')

	allow $1 imaze_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_imaze_server_packets'($*)) dnl
')

########################################
## Send and receive TCP traffic on the inetd_child port.
## Grants both send_msg and recv_msg on tcp_socket for the port type.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_tcp_sendrecv_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_inetd_child_port'($*)) dnl
	gen_require(`
		type inetd_child_port_t;
	')

	allow $1 inetd_child_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_inetd_child_port'($*)) dnl
')

########################################
## Send UDP traffic on the inetd_child port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_udp_send_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_inetd_child_port'($*)) dnl
	gen_require(`
		type inetd_child_port_t;
	')

	allow $1 inetd_child_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_inetd_child_port'($*)) dnl
')

########################################
## Do not audit attempts to send UDP traffic on the inetd_child port.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_send_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_inetd_child_port'($*)) dnl
	gen_require(`
		type inetd_child_port_t;
	')

	dontaudit $1 inetd_child_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_inetd_child_port'($*)) dnl
')

########################################
## Receive UDP traffic on the inetd_child port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_udp_receive_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_inetd_child_port'($*)) dnl
	gen_require(`
		type inetd_child_port_t;
	')

	allow $1 inetd_child_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_inetd_child_port'($*)) dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the inetd_child port.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_inetd_child_port'($*)) dnl
	gen_require(`
		type inetd_child_port_t;
	')

	dontaudit $1 inetd_child_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_inetd_child_port'($*)) dnl
')

########################################
## Send and receive UDP traffic on the inetd_child port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_udp_sendrecv_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_inetd_child_port'($*)) dnl
	corenet_udp_send_inetd_child_port($1)
	corenet_udp_receive_inetd_child_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_inetd_child_port'($*)) dnl
')

########################################
## Do not audit attempts to send and receive UDP traffic on the inetd_child port.
## Composes the separate dontaudit UDP send and receive interfaces.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_inetd_child_port'($*)) dnl
	corenet_dontaudit_udp_send_inetd_child_port($1)
	corenet_dontaudit_udp_receive_inetd_child_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_inetd_child_port'($*)) dnl
')

########################################
## Bind TCP sockets to the inetd_child port.
## Besides name_bind this also grants the net_bind_service capability on
## self, which the imaze port bind interfaces in this file do not;
## presumably because the inetd_child port numbers are in the privileged
## range - confirm against the port declaration in corenetwork.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_tcp_bind_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_inetd_child_port'($*)) dnl
	gen_require(`
		type inetd_child_port_t;
	')

	allow $1 inetd_child_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_inetd_child_port'($*)) dnl
')

########################################
## Bind UDP sockets to the inetd_child port.
## Also grants the net_bind_service capability on self (see the TCP bind
## interface above for the likely reason).
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_udp_bind_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_inetd_child_port'($*)) dnl
	gen_require(`
		type inetd_child_port_t;
	')

	allow $1 inetd_child_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_inetd_child_port'($*)) dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the inetd_child port.
##
## NOTE(review): unlike the other dontaudit interfaces in this file (for
## example corenet_dontaudit_udp_bind_imaze_port, which contains only a
## dontaudit rule), this interface also carries an allow rule granting the
## net_bind_service capability. A caller that only wants to silence a
## name_bind denial therefore also receives CAP_NET_BIND_SERVICE. This looks
## like an artefact of the interface generator copying the bind template
## into the dontaudit variant; confirm against the template and consider
## whether the allow line belongs here before relying on this interface as
## access-neutral.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_bind_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_inetd_child_port'($*)) dnl
	gen_require(`
		type inetd_child_port_t;
	')

	dontaudit $1 inetd_child_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_inetd_child_port'($*)) dnl
')

########################################
## Make a TCP connection to the inetd_child port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_tcp_connect_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_inetd_child_port'($*)) dnl
	gen_require(`
		type inetd_child_port_t;
	')

	allow $1 inetd_child_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_inetd_child_port'($*)) dnl
')

########################################
## Do not audit attempts to make a TCP connection to the inetd_child port.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_tcp_connect_inetd_child_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_inetd_child_port'($*)) dnl
	gen_require(`
		type inetd_child_port_t;
	')

	dontaudit $1 inetd_child_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_inetd_child_port'($*)) dnl
')

########################################
## Send inetd_child_client packets.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_send_inetd_child_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_inetd_child_client_packets'($*)) dnl
	gen_require(`
		type inetd_child_client_packet_t;
	')

	allow $1 inetd_child_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_inetd_child_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send inetd_child_client packets.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_send_inetd_child_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_inetd_child_client_packets'($*)) dnl
	gen_require(`
		type inetd_child_client_packet_t;
	')

	dontaudit $1 inetd_child_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_inetd_child_client_packets'($*)) dnl
')

########################################
## Receive inetd_child_client packets.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_receive_inetd_child_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_inetd_child_client_packets'($*)) dnl
	gen_require(`
		type inetd_child_client_packet_t;
	')

	allow $1 inetd_child_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_inetd_child_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive inetd_child_client packets.
## (The original parameter text said "Domain allowed access"; this is a
## dontaudit interface and grants nothing.)
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_receive_inetd_child_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_inetd_child_client_packets'($*)) dnl
	gen_require(`
		type inetd_child_client_packet_t;
	')

	dontaudit $1 inetd_child_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_inetd_child_client_packets'($*)) dnl
')

########################################
## Send and receive inetd_child_client packets.
## Composes the separate send and receive interfaces for this packet type.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_sendrecv_inetd_child_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_inetd_child_client_packets'($*)) dnl
	corenet_send_inetd_child_client_packets($1)
	corenet_receive_inetd_child_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_inetd_child_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive inetd_child_client packets.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_inetd_child_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_inetd_child_client_packets'($*)) dnl
	corenet_dontaudit_send_inetd_child_client_packets($1)
	corenet_dontaudit_receive_inetd_child_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_inetd_child_client_packets'($*)) dnl
')

########################################
## Relabel packets to the inetd_child_client packet type.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_relabelto_inetd_child_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_inetd_child_client_packets'($*)) dnl
	gen_require(`
		type inetd_child_client_packet_t;
	')

	allow $1 inetd_child_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_inetd_child_client_packets'($*)) dnl
')

########################################
## Send inetd_child_server packets.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_send_inetd_child_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_inetd_child_server_packets'($*)) dnl
	gen_require(`
		type inetd_child_server_packet_t;
	')

	allow $1 inetd_child_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_inetd_child_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send inetd_child_server packets.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_send_inetd_child_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_inetd_child_server_packets'($*)) dnl
	gen_require(`
		type inetd_child_server_packet_t;
	')

	dontaudit $1 inetd_child_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_inetd_child_server_packets'($*)) dnl
')

########################################
## Receive inetd_child_server packets.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_receive_inetd_child_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_inetd_child_server_packets'($*)) dnl
	gen_require(`
		type inetd_child_server_packet_t;
	')

	allow $1 inetd_child_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_inetd_child_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive inetd_child_server packets.
## (The original parameter text said "Domain allowed access"; this is a
## dontaudit interface and grants nothing.)
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_receive_inetd_child_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_inetd_child_server_packets'($*)) dnl
	gen_require(`
		type inetd_child_server_packet_t;
	')

	dontaudit $1 inetd_child_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_inetd_child_server_packets'($*)) dnl
')

########################################
## Send and receive inetd_child_server packets.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_sendrecv_inetd_child_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_inetd_child_server_packets'($*)) dnl
	corenet_send_inetd_child_server_packets($1)
	corenet_receive_inetd_child_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_inetd_child_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive inetd_child_server packets.
## Composes the separate dontaudit send and receive interfaces.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_inetd_child_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_inetd_child_server_packets'($*)) dnl
	corenet_dontaudit_send_inetd_child_server_packets($1)
	corenet_dontaudit_receive_inetd_child_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_inetd_child_server_packets'($*)) dnl
')

########################################
## Relabel packets to the inetd_child_server packet type.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_relabelto_inetd_child_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_inetd_child_server_packets'($*)) dnl
	gen_require(`
		type inetd_child_server_packet_t;
	')

	allow $1 inetd_child_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_inetd_child_server_packets'($*)) dnl
')

########################################
## Send and receive TCP traffic on the innd port.
## Parameter 1 (domain): Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_innd_port'($*)) dnl
	gen_require(`
		type innd_port_t;
	')

	allow $1 innd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_innd_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the innd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_innd_port'($*)) dnl
	gen_require(`
		type innd_port_t;
	')

	allow $1 innd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_innd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the innd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_innd_port'($*)) dnl
	gen_require(`
		type innd_port_t;
	')

	dontaudit $1 innd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_innd_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the innd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_innd_port'($*)) dnl
	gen_require(`
		type innd_port_t;
	')

	allow $1 innd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_innd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the innd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_innd_port'($*)) dnl
	gen_require(`
		type innd_port_t;
	')

	dontaudit $1 innd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_innd_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the innd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_innd_port'($*)) dnl
	# convenience wrapper: send plus receive on the same port type
	corenet_udp_send_innd_port($1)
	corenet_udp_receive_innd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_innd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the innd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_innd_port'($*)) dnl
	corenet_dontaudit_udp_send_innd_port($1)
	corenet_dontaudit_udp_receive_innd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_innd_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the innd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_innd_port'($*)) dnl
	gen_require(`
		type innd_port_t;
	')

	# Binding the innd port also grants the net_bind_service capability,
	# presumably because it is a reserved low-numbered port (confirm against
	# the port declaration). The interwise and ionixnetmon bind interfaces
	# in this file grant name_bind only.
	allow $1 innd_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_innd_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the innd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_innd_port'($*)) dnl
	gen_require(`
		type innd_port_t;
	')

	# same capability grant as the TCP bind interface above
	allow $1 innd_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_innd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the innd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_innd_port'($*)) dnl
	gen_require(`
		type innd_port_t;
	')

	# NOTE(review): despite the dontaudit name, this interface also grants
	# net_bind_service with a real allow rule, so calling it to silence a
	# denial is not privilege-neutral. The interwise and ionixnetmon
	# dontaudit bind interfaces in this file add only the dontaudit rule.
	dontaudit $1 innd_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_innd_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the innd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_innd_port'($*)) dnl
	gen_require(`
		type innd_port_t;
	')

	allow $1 innd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_innd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the innd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_innd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_innd_port'($*)) dnl
	gen_require(`
		type innd_port_t;
	')

	dontaudit $1 innd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_innd_port'($*)) dnl
')

########################################
## <summary>
##	Send innd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_innd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_innd_client_packets'($*)) dnl
	gen_require(`
		type innd_client_packet_t;
	')

	allow $1 innd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_innd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send innd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_innd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_innd_client_packets'($*)) dnl
	gen_require(`
		type innd_client_packet_t;
	')

	dontaudit $1 innd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_innd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive innd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_innd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_innd_client_packets'($*)) dnl
	gen_require(`
		type innd_client_packet_t;
	')

	allow $1 innd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_innd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive innd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_innd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_innd_client_packets'($*)) dnl
	gen_require(`
		type innd_client_packet_t;
	')

	dontaudit $1 innd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_innd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive innd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_innd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_innd_client_packets'($*)) dnl
	# convenience wrapper: send plus receive on the same packet type
	corenet_send_innd_client_packets($1)
	corenet_receive_innd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_innd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive innd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_innd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_innd_client_packets'($*)) dnl
	corenet_dontaudit_send_innd_client_packets($1)
	corenet_dontaudit_receive_innd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_innd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the innd_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_innd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_innd_client_packets'($*)) dnl
	gen_require(`
		type innd_client_packet_t;
	')

	allow $1 innd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_innd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send innd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_innd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_innd_server_packets'($*)) dnl
	gen_require(`
		type innd_server_packet_t;
	')

	allow $1 innd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_innd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send innd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_innd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_innd_server_packets'($*)) dnl
	gen_require(`
		type innd_server_packet_t;
	')

	dontaudit $1 innd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_innd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive innd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_innd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_innd_server_packets'($*)) dnl
	gen_require(`
		type innd_server_packet_t;
	')

	allow $1 innd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_innd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive innd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_innd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_innd_server_packets'($*)) dnl
	gen_require(`
		type innd_server_packet_t;
	')

	dontaudit $1 innd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_innd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive innd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_innd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_innd_server_packets'($*)) dnl
	# convenience wrapper: send plus receive on the same packet type
	corenet_send_innd_server_packets($1)
	corenet_receive_innd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_innd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive innd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_innd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_innd_server_packets'($*)) dnl
	corenet_dontaudit_send_innd_server_packets($1)
	corenet_dontaudit_receive_innd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_innd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the innd_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_innd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_innd_server_packets'($*)) dnl
	gen_require(`
		type innd_server_packet_t;
	')

	allow $1 innd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_innd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the interwise port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_interwise_port'($*)) dnl
	gen_require(`
		type interwise_port_t;
	')

	allow $1 interwise_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_interwise_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the interwise port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_interwise_port'($*)) dnl
	gen_require(`
		type interwise_port_t;
	')

	allow $1 interwise_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_interwise_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the interwise port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_interwise_port'($*)) dnl
	gen_require(`
		type interwise_port_t;
	')

	dontaudit $1 interwise_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_interwise_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the interwise port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_interwise_port'($*)) dnl
	gen_require(`
		type interwise_port_t;
	')

	allow $1 interwise_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_interwise_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the interwise port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_interwise_port'($*)) dnl
	gen_require(`
		type interwise_port_t;
	')

	dontaudit $1 interwise_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_interwise_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the interwise port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_interwise_port'($*)) dnl
	# convenience wrapper: send plus receive on the same port type
	corenet_udp_send_interwise_port($1)
	corenet_udp_receive_interwise_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_interwise_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the interwise port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_interwise_port'($*)) dnl
	corenet_dontaudit_udp_send_interwise_port($1)
	corenet_dontaudit_udp_receive_interwise_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_interwise_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the interwise port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_interwise_port'($*)) dnl
	gen_require(`
		type interwise_port_t;
	')

	# name_bind only: unlike the innd bind interfaces in this file,
	# no net_bind_service capability is granted here
	allow $1 interwise_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_interwise_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the interwise port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_interwise_port'($*)) dnl
	gen_require(`
		type interwise_port_t;
	')

	allow $1 interwise_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_interwise_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the interwise port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_interwise_port'($*)) dnl
	gen_require(`
		type interwise_port_t;
	')

	dontaudit $1 interwise_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_interwise_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the interwise port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_interwise_port'($*)) dnl
	gen_require(`
		type interwise_port_t;
	')

	allow $1 interwise_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_interwise_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the interwise port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_interwise_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_interwise_port'($*)) dnl
	gen_require(`
		type interwise_port_t;
	')

	dontaudit $1 interwise_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_interwise_port'($*)) dnl
')

########################################
## <summary>
##	Send interwise_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_interwise_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_interwise_client_packets'($*)) dnl
	gen_require(`
		type interwise_client_packet_t;
	')

	allow $1 interwise_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_interwise_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send interwise_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_interwise_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_interwise_client_packets'($*)) dnl
	gen_require(`
		type interwise_client_packet_t;
	')

	dontaudit $1 interwise_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_interwise_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive interwise_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_interwise_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_interwise_client_packets'($*)) dnl
	gen_require(`
		type interwise_client_packet_t;
	')

	allow $1 interwise_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_interwise_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive interwise_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_interwise_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_interwise_client_packets'($*)) dnl
	gen_require(`
		type interwise_client_packet_t;
	')

	dontaudit $1 interwise_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_interwise_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive interwise_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_interwise_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_interwise_client_packets'($*)) dnl
	# convenience wrapper: send plus receive on the same packet type
	corenet_send_interwise_client_packets($1)
	corenet_receive_interwise_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_interwise_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive interwise_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_interwise_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_interwise_client_packets'($*)) dnl
	corenet_dontaudit_send_interwise_client_packets($1)
	corenet_dontaudit_receive_interwise_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_interwise_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the interwise_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_interwise_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_interwise_client_packets'($*)) dnl
	gen_require(`
		type interwise_client_packet_t;
	')

	allow $1 interwise_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_interwise_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send interwise_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_interwise_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_interwise_server_packets'($*)) dnl
	gen_require(`
		type interwise_server_packet_t;
	')

	allow $1 interwise_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_interwise_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send interwise_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_interwise_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_interwise_server_packets'($*)) dnl
	gen_require(`
		type interwise_server_packet_t;
	')

	dontaudit $1 interwise_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_interwise_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive interwise_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_interwise_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_interwise_server_packets'($*)) dnl
	gen_require(`
		type interwise_server_packet_t;
	')

	allow $1 interwise_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_interwise_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive interwise_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_interwise_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_interwise_server_packets'($*)) dnl
	gen_require(`
		type interwise_server_packet_t;
	')

	dontaudit $1 interwise_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_interwise_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive interwise_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_interwise_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_interwise_server_packets'($*)) dnl
	# convenience wrapper: send plus receive on the same packet type
	corenet_send_interwise_server_packets($1)
	corenet_receive_interwise_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_interwise_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive interwise_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_interwise_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_interwise_server_packets'($*)) dnl
	corenet_dontaudit_send_interwise_server_packets($1)
	corenet_dontaudit_receive_interwise_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_interwise_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the interwise_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_interwise_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_interwise_server_packets'($*)) dnl
	gen_require(`
		type interwise_server_packet_t;
	')

	allow $1 interwise_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_interwise_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the ionixnetmon port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ionixnetmon_port'($*)) dnl
	gen_require(`
		type ionixnetmon_port_t;
	')

	allow $1 ionixnetmon_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ionixnetmon_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the ionixnetmon port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ionixnetmon_port'($*)) dnl
	gen_require(`
		type ionixnetmon_port_t;
	')

	allow $1 ionixnetmon_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ionixnetmon_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the ionixnetmon port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ionixnetmon_port'($*)) dnl
	gen_require(`
		type ionixnetmon_port_t;
	')

	dontaudit $1 ionixnetmon_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ionixnetmon_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the ionixnetmon port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ionixnetmon_port'($*)) dnl
	gen_require(`
		type ionixnetmon_port_t;
	')

	allow $1 ionixnetmon_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ionixnetmon_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the ionixnetmon port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ionixnetmon_port'($*)) dnl
	gen_require(`
		type ionixnetmon_port_t;
	')

	dontaudit $1 ionixnetmon_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ionixnetmon_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the ionixnetmon port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# Expanded refpolicy interface: pushdef/popdef of policy_call_depth and the
# begin/end policy_m4_comment markers are call-depth bookkeeping added by
# interface(); every "dnl" must end its line or it discards what follows.
# This one is a pure wrapper: it composes the send and receive interfaces.
define(`corenet_udp_sendrecv_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ionixnetmon_port'($*)) dnl
	corenet_udp_send_ionixnetmon_port($1)
	corenet_udp_receive_ionixnetmon_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ionixnetmon_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the ionixnetmon port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ionixnetmon_port'($*)) dnl
	corenet_dontaudit_udp_send_ionixnetmon_port($1)
	corenet_dontaudit_udp_receive_ionixnetmon_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ionixnetmon_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the ionixnetmon port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# No net_bind_service grant here: the ionixnetmon bind interfaces carry only
# name_bind, unlike the ipmi/ipp ones further down.
define(`corenet_tcp_bind_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ionixnetmon_port'($*)) dnl
	gen_require(`
		type ionixnetmon_port_t;
	')

	allow $1 ionixnetmon_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ionixnetmon_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the ionixnetmon port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Expanded refpolicy interface: pushdef/popdef of policy_call_depth and the
# begin/end policy_m4_comment markers are call-depth bookkeeping added by
# interface(); every "dnl" must end its line or it discards what follows.
define(`corenet_udp_bind_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ionixnetmon_port'($*)) dnl
	gen_require(`
		type ionixnetmon_port_t;
	')

	allow $1 ionixnetmon_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ionixnetmon_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the ionixnetmon port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Audit suppression only: this interface grants nothing.
define(`corenet_dontaudit_udp_bind_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ionixnetmon_port'($*)) dnl
	gen_require(`
		type ionixnetmon_port_t;
	')

	dontaudit $1 ionixnetmon_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ionixnetmon_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the ionixnetmon port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ionixnetmon_port'($*)) dnl
	gen_require(`
		type ionixnetmon_port_t;
	')

	allow $1 ionixnetmon_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ionixnetmon_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the ionixnetmon port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Expanded refpolicy interface: pushdef/popdef of policy_call_depth and the
# begin/end policy_m4_comment markers are call-depth bookkeeping added by
# interface(); every "dnl" must end its line or it discards what follows.
define(`corenet_dontaudit_tcp_connect_ionixnetmon_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ionixnetmon_port'($*)) dnl
	gen_require(`
		type ionixnetmon_port_t;
	')

	dontaudit $1 ionixnetmon_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ionixnetmon_port'($*)) dnl
')

########################################
## <summary>
##	Send ionixnetmon_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_ionixnetmon_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ionixnetmon_client_packets'($*)) dnl
	gen_require(`
		type ionixnetmon_client_packet_t;
	')

	allow $1 ionixnetmon_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ionixnetmon_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send ionixnetmon_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_ionixnetmon_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ionixnetmon_client_packets'($*)) dnl
	gen_require(`
		type ionixnetmon_client_packet_t;
	')

	dontaudit $1 ionixnetmon_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ionixnetmon_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive ionixnetmon_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
# Expanded refpolicy interface: pushdef/popdef of policy_call_depth and the
# begin/end policy_m4_comment markers are call-depth bookkeeping added by
# interface(); every "dnl" must end its line or it discards what follows.
define(`corenet_receive_ionixnetmon_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ionixnetmon_client_packets'($*)) dnl
	gen_require(`
		type ionixnetmon_client_packet_t;
	')

	allow $1 ionixnetmon_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ionixnetmon_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive ionixnetmon_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_ionixnetmon_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ionixnetmon_client_packets'($*)) dnl
	gen_require(`
		type ionixnetmon_client_packet_t;
	')

	dontaudit $1 ionixnetmon_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ionixnetmon_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive ionixnetmon_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# Pure wrapper: composes the send and receive interfaces above.
define(`corenet_sendrecv_ionixnetmon_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ionixnetmon_client_packets'($*)) dnl
	corenet_send_ionixnetmon_client_packets($1)
	corenet_receive_ionixnetmon_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ionixnetmon_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive ionixnetmon_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Expanded refpolicy interface: pushdef/popdef of policy_call_depth and the
# begin/end policy_m4_comment markers are call-depth bookkeeping added by
# interface(); every "dnl" must end its line or it discards what follows.
# Pure wrapper: composes the two dontaudit interfaces.
define(`corenet_dontaudit_sendrecv_ionixnetmon_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ionixnetmon_client_packets'($*)) dnl
	corenet_dontaudit_send_ionixnetmon_client_packets($1)
	corenet_dontaudit_receive_ionixnetmon_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ionixnetmon_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the ionixnetmon_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_ionixnetmon_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ionixnetmon_client_packets'($*)) dnl
	gen_require(`
		type ionixnetmon_client_packet_t;
	')

	allow $1 ionixnetmon_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ionixnetmon_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send ionixnetmon_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_ionixnetmon_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ionixnetmon_server_packets'($*)) dnl
	gen_require(`
		type ionixnetmon_server_packet_t;
	')

	allow $1 ionixnetmon_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ionixnetmon_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send ionixnetmon_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Expanded refpolicy interface: pushdef/popdef of policy_call_depth and the
# begin/end policy_m4_comment markers are call-depth bookkeeping added by
# interface(); every "dnl" must end its line or it discards what follows.
define(`corenet_dontaudit_send_ionixnetmon_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ionixnetmon_server_packets'($*)) dnl
	gen_require(`
		type ionixnetmon_server_packet_t;
	')

	dontaudit $1 ionixnetmon_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ionixnetmon_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive ionixnetmon_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_ionixnetmon_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ionixnetmon_server_packets'($*)) dnl
	gen_require(`
		type ionixnetmon_server_packet_t;
	')

	allow $1 ionixnetmon_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ionixnetmon_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive ionixnetmon_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_ionixnetmon_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ionixnetmon_server_packets'($*)) dnl
	gen_require(`
		type ionixnetmon_server_packet_t;
	')

	dontaudit $1 ionixnetmon_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ionixnetmon_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive ionixnetmon_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# Expanded refpolicy interface: pushdef/popdef of policy_call_depth and the
# begin/end policy_m4_comment markers are call-depth bookkeeping added by
# interface(); every "dnl" must end its line or it discards what follows.
# Pure wrapper: composes the send and receive interfaces.
define(`corenet_sendrecv_ionixnetmon_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ionixnetmon_server_packets'($*)) dnl
	corenet_send_ionixnetmon_server_packets($1)
	corenet_receive_ionixnetmon_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ionixnetmon_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive ionixnetmon_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_ionixnetmon_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ionixnetmon_server_packets'($*)) dnl
	corenet_dontaudit_send_ionixnetmon_server_packets($1)
	corenet_dontaudit_receive_ionixnetmon_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ionixnetmon_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the ionixnetmon_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_ionixnetmon_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ionixnetmon_server_packets'($*)) dnl
	gen_require(`
		type ionixnetmon_server_packet_t;
	')

	allow $1 ionixnetmon_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ionixnetmon_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the ipmi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# Expanded refpolicy interface: pushdef/popdef of policy_call_depth and the
# begin/end policy_m4_comment markers are call-depth bookkeeping added by
# interface(); every "dnl" must end its line or it discards what follows.
define(`corenet_tcp_sendrecv_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ipmi_port'($*)) dnl
	gen_require(`
		type ipmi_port_t;
	')

	allow $1 ipmi_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ipmi_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the ipmi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ipmi_port'($*)) dnl
	gen_require(`
		type ipmi_port_t;
	')

	allow $1 ipmi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ipmi_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the ipmi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ipmi_port'($*)) dnl
	gen_require(`
		type ipmi_port_t;
	')

	dontaudit $1 ipmi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ipmi_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the ipmi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
# Expanded refpolicy interface: pushdef/popdef of policy_call_depth and the
# begin/end policy_m4_comment markers are call-depth bookkeeping added by
# interface(); every "dnl" must end its line or it discards what follows.
define(`corenet_udp_receive_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ipmi_port'($*)) dnl
	gen_require(`
		type ipmi_port_t;
	')

	allow $1 ipmi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ipmi_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the ipmi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ipmi_port'($*)) dnl
	gen_require(`
		type ipmi_port_t;
	')

	dontaudit $1 ipmi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ipmi_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the ipmi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# Pure wrapper: composes the send and receive interfaces above.
define(`corenet_udp_sendrecv_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ipmi_port'($*)) dnl
	corenet_udp_send_ipmi_port($1)
	corenet_udp_receive_ipmi_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ipmi_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the ipmi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Expanded refpolicy interface: pushdef/popdef of policy_call_depth and the
# begin/end policy_m4_comment markers are call-depth bookkeeping added by
# interface(); every "dnl" must end its line or it discards what follows.
# Pure wrapper: composes the two dontaudit interfaces.
define(`corenet_dontaudit_udp_sendrecv_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ipmi_port'($*)) dnl
	corenet_dontaudit_udp_send_ipmi_port($1)
	corenet_dontaudit_udp_receive_ipmi_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ipmi_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the ipmi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# ipmi is a reserved (below 1024) port, so besides name_bind on the port type
# the caller is also granted CAP_NET_BIND_SERVICE on itself. Callers should be
# aware that the capability is not scoped to this port.
define(`corenet_tcp_bind_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ipmi_port'($*)) dnl
	gen_require(`
		type ipmi_port_t;
	')

	allow $1 ipmi_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ipmi_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the ipmi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Same reserved-port rationale as the TCP bind interface above.
define(`corenet_udp_bind_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ipmi_port'($*)) dnl
	gen_require(`
		type ipmi_port_t;
	')

	allow $1 ipmi_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ipmi_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the ipmi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
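##	</summary>
## </param>
## <infoflow type="none"/>
#
# Expanded refpolicy interface: pushdef/popdef of policy_call_depth and the
# begin/end policy_m4_comment markers are call-depth bookkeeping added by
# interface(); every "dnl" must end its line or it discards what follows.
#
# Review fix: this is a dontaudit interface, but it also carried
# "allow $1 self:capability net_bind_service;" - a real privilege grant from
# an interface documented (and named) as audit suppression only. The allow
# rule is removed so the interface now grants nothing; a domain that actually
# binds the reserved ipmi port must call corenet_udp_bind_ipmi_port, which
# grants name_bind and the capability together.
define(`corenet_dontaudit_udp_bind_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ipmi_port'($*)) dnl
	gen_require(`
		type ipmi_port_t;
	')

	dontaudit $1 ipmi_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ipmi_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the ipmi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ipmi_port'($*)) dnl
	gen_require(`
		type ipmi_port_t;
	')

	allow $1 ipmi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ipmi_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the ipmi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_ipmi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ipmi_port'($*)) dnl
	gen_require(`
		type ipmi_port_t;
	')

	dontaudit $1 ipmi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ipmi_port'($*)) dnl
')

########################################
## <summary>
##	Send ipmi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.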
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
# Expanded refpolicy interface: pushdef/popdef of policy_call_depth and the
# begin/end policy_m4_comment markers are call-depth bookkeeping added by
# interface(); every "dnl" must end its line or it discards what follows.
define(`corenet_send_ipmi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ipmi_client_packets'($*)) dnl
	gen_require(`
		type ipmi_client_packet_t;
	')

	allow $1 ipmi_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ipmi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send ipmi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_ipmi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipmi_client_packets'($*)) dnl
	gen_require(`
		type ipmi_client_packet_t;
	')

	dontaudit $1 ipmi_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipmi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive ipmi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_ipmi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ipmi_client_packets'($*)) dnl
	gen_require(`
		type ipmi_client_packet_t;
	')

	allow $1 ipmi_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ipmi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive ipmi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Expanded refpolicy interface: pushdef/popdef of policy_call_depth and the
# begin/end policy_m4_comment markers are call-depth bookkeeping added by
# interface(); every "dnl" must end its line or it discards what follows.
define(`corenet_dontaudit_receive_ipmi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipmi_client_packets'($*)) dnl
	gen_require(`
		type ipmi_client_packet_t;
	')

	dontaudit $1 ipmi_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipmi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive ipmi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# Pure wrapper: composes the send and receive interfaces.
define(`corenet_sendrecv_ipmi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipmi_client_packets'($*)) dnl
	corenet_send_ipmi_client_packets($1)
	corenet_receive_ipmi_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipmi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive ipmi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Pure wrapper: composes the two dontaudit interfaces.
define(`corenet_dontaudit_sendrecv_ipmi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipmi_client_packets'($*)) dnl
	corenet_dontaudit_send_ipmi_client_packets($1)
	corenet_dontaudit_receive_ipmi_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipmi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the ipmi_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Expanded refpolicy interface: pushdef/popdef of policy_call_depth and the
# begin/end policy_m4_comment markers are call-depth bookkeeping added by
# interface(); every "dnl" must end its line or it discards what follows.
define(`corenet_relabelto_ipmi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipmi_client_packets'($*)) dnl
	gen_require(`
		type ipmi_client_packet_t;
	')

	allow $1 ipmi_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipmi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send ipmi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_ipmi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ipmi_server_packets'($*)) dnl
	gen_require(`
		type ipmi_server_packet_t;
	')

	allow $1 ipmi_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ipmi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send ipmi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_ipmi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipmi_server_packets'($*)) dnl
	gen_require(`
		type ipmi_server_packet_t;
	')

	dontaudit $1 ipmi_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipmi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive ipmi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
# Expanded refpolicy interface: pushdef/popdef of policy_call_depth and the
# begin/end policy_m4_comment markers are call-depth bookkeeping added by
# interface(); every "dnl" must end its line or it discards what follows.
define(`corenet_receive_ipmi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ipmi_server_packets'($*)) dnl
	gen_require(`
		type ipmi_server_packet_t;
	')

	allow $1 ipmi_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ipmi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive ipmi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_ipmi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipmi_server_packets'($*)) dnl
	gen_require(`
		type ipmi_server_packet_t;
	')

	dontaudit $1 ipmi_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipmi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive ipmi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# Pure wrapper: composes the send and receive interfaces above.
define(`corenet_sendrecv_ipmi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipmi_server_packets'($*)) dnl
	corenet_send_ipmi_server_packets($1)
	corenet_receive_ipmi_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipmi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive ipmi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Expanded refpolicy interface: pushdef/popdef of policy_call_depth and the
# begin/end policy_m4_comment markers are call-depth bookkeeping added by
# interface(); every "dnl" must end its line or it discards what follows.
# Pure wrapper: composes the two dontaudit interfaces.
define(`corenet_dontaudit_sendrecv_ipmi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipmi_server_packets'($*)) dnl
	corenet_dontaudit_send_ipmi_server_packets($1)
	corenet_dontaudit_receive_ipmi_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipmi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the ipmi_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_ipmi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipmi_server_packets'($*)) dnl
	gen_require(`
		type ipmi_server_packet_t;
	')

	allow $1 ipmi_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipmi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the ipp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_tcp_sendrecv_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ipp_port'($*)) dnl
	gen_require(`
		type ipp_port_t;
	')

	allow $1 ipp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ipp_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the ipp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
# Expanded refpolicy interface: pushdef/popdef of policy_call_depth and the
# begin/end policy_m4_comment markers are call-depth bookkeeping added by
# interface(); every "dnl" must end its line or it discards what follows.
define(`corenet_udp_send_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ipp_port'($*)) dnl
	gen_require(`
		type ipp_port_t;
	')

	allow $1 ipp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ipp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the ipp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ipp_port'($*)) dnl
	gen_require(`
		type ipp_port_t;
	')

	dontaudit $1 ipp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ipp_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the ipp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ipp_port'($*)) dnl
	gen_require(`
		type ipp_port_t;
	')

	allow $1 ipp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ipp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the ipp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Expanded refpolicy interface: pushdef/popdef of policy_call_depth and the
# begin/end policy_m4_comment markers are call-depth bookkeeping added by
# interface(); every "dnl" must end its line or it discards what follows.
define(`corenet_dontaudit_udp_receive_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ipp_port'($*)) dnl
	gen_require(`
		type ipp_port_t;
	')

	dontaudit $1 ipp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ipp_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the ipp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# Pure wrapper: composes the send and receive interfaces.
define(`corenet_udp_sendrecv_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ipp_port'($*)) dnl
	corenet_udp_send_ipp_port($1)
	corenet_udp_receive_ipp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ipp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the ipp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Pure wrapper: composes the two dontaudit interfaces.
define(`corenet_dontaudit_udp_sendrecv_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ipp_port'($*)) dnl
	corenet_dontaudit_udp_send_ipp_port($1)
	corenet_dontaudit_udp_receive_ipp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ipp_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the ipp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
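##	</summary>
## </param>
## <infoflow type="none"/>
#
# Expanded refpolicy interface: pushdef/popdef of policy_call_depth and the
# begin/end policy_m4_comment markers are call-depth bookkeeping added by
# interface(); every "dnl" must end its line or it discards what follows.
#
# ipp is a reserved (below 1024) port, so besides name_bind on the port type
# the caller is also granted CAP_NET_BIND_SERVICE on itself. Callers should be
# aware that the capability is not scoped to this port.
define(`corenet_tcp_bind_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ipp_port'($*)) dnl
	gen_require(`
		type ipp_port_t;
	')

	allow $1 ipp_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ipp_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the ipp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Same reserved-port rationale as the TCP bind interface above.
define(`corenet_udp_bind_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ipp_port'($*)) dnl
	gen_require(`
		type ipp_port_t;
	')

	allow $1 ipp_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ipp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the ipp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Review fix: this is a dontaudit interface, but it also carried
# "allow $1 self:capability net_bind_service;" - a real privilege grant from
# an interface documented (and named) as audit suppression only. The allow
# rule is removed so the interface now grants nothing; a domain that actually
# binds the reserved ipp port must call corenet_udp_bind_ipp_port above,
# which grants name_bind and the capability together.
define(`corenet_dontaudit_udp_bind_ipp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ipp_port'($*)) dnl
	gen_require(`
		type ipp_port_t;
	')

	dontaudit $1 ipp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ipp_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the ipp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.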
# ipp port: TCP name_connect and its dontaudit twin, then send of ipp_client packets. The dontaudit connect interface only suppresses audit records; it grants no access, so its parameter is documented as the domain to not audit.
## ## # define(`corenet_tcp_connect_ipp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ipp_port'($*)) dnl gen_require(` type ipp_port_t; ') allow $1 ipp_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ipp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the ipp port. ## ## ## ## Domain to not audit. ## ## # define(`corenet_dontaudit_tcp_connect_ipp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ipp_port'($*)) dnl gen_require(` type ipp_port_t; ') dontaudit $1 ipp_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ipp_port'($*)) dnl ') ######################################## ## ## Send ipp_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_ipp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ipp_client_packets'($*)) dnl gen_require(` type ipp_client_packet_t; ') allow $1 ipp_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ipp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ipp_client packets. ## ## ## ## Domain to not audit. 
# ipp_client packet type: dontaudit send, receive, and dontaudit receive (packet class, send/recv permissions only).
## ## ## # define(`corenet_dontaudit_send_ipp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipp_client_packets'($*)) dnl gen_require(` type ipp_client_packet_t; ') dontaudit $1 ipp_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipp_client_packets'($*)) dnl ') ######################################## ## ## Receive ipp_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_ipp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ipp_client_packets'($*)) dnl gen_require(` type ipp_client_packet_t; ') allow $1 ipp_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ipp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ipp_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_ipp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipp_client_packets'($*)) dnl gen_require(` type ipp_client_packet_t; ') dontaudit $1 ipp_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipp_client_packets'($*)) dnl ') ######################################## ## ## Send and receive ipp_client packets. ## ## ## ## Domain allowed access. 
# ipp_client packets: sendrecv wrapper, its dontaudit twin (both compose the per-direction interfaces), and relabelto on the packet class.
## ## ## # define(`corenet_sendrecv_ipp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipp_client_packets'($*)) dnl corenet_send_ipp_client_packets($1) corenet_receive_ipp_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ipp_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_ipp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipp_client_packets'($*)) dnl corenet_dontaudit_send_ipp_client_packets($1) corenet_dontaudit_receive_ipp_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipp_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the ipp_client packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_ipp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipp_client_packets'($*)) dnl gen_require(` type ipp_client_packet_t; ') allow $1 ipp_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipp_client_packets'($*)) dnl ') ######################################## ## ## Send ipp_server packets. ## ## ## ## Domain allowed access. 
# ipp_server packet type: send, dontaudit send, receive.
## ## ## # define(`corenet_send_ipp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ipp_server_packets'($*)) dnl gen_require(` type ipp_server_packet_t; ') allow $1 ipp_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ipp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ipp_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_ipp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipp_server_packets'($*)) dnl gen_require(` type ipp_server_packet_t; ') dontaudit $1 ipp_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipp_server_packets'($*)) dnl ') ######################################## ## ## Receive ipp_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_ipp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ipp_server_packets'($*)) dnl gen_require(` type ipp_server_packet_t; ') allow $1 ipp_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ipp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ipp_server packets. ## ## ## ## Domain to not audit. 
# ipp_server packets: dontaudit receive, sendrecv wrapper, dontaudit sendrecv wrapper (wrappers compose the per-direction interfaces).
## ## ## # define(`corenet_dontaudit_receive_ipp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipp_server_packets'($*)) dnl gen_require(` type ipp_server_packet_t; ') dontaudit $1 ipp_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipp_server_packets'($*)) dnl ') ######################################## ## ## Send and receive ipp_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_ipp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipp_server_packets'($*)) dnl corenet_send_ipp_server_packets($1) corenet_receive_ipp_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ipp_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_ipp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipp_server_packets'($*)) dnl corenet_dontaudit_send_ipp_server_packets($1) corenet_dontaudit_receive_ipp_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipp_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the ipp_server packet type. ## ## ## ## Domain allowed access. 
# ipp_server relabelto, then the ipsecnat port: TCP sendrecv (send_msg and recv_msg on tcp_socket in one rule) and UDP send.
## ## # define(`corenet_relabelto_ipp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipp_server_packets'($*)) dnl gen_require(` type ipp_server_packet_t; ') allow $1 ipp_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipp_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the ipsecnat port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_ipsecnat_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ipsecnat_port'($*)) dnl gen_require(` type ipsecnat_port_t; ') allow $1 ipsecnat_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ipsecnat_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the ipsecnat port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_ipsecnat_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ipsecnat_port'($*)) dnl gen_require(` type ipsecnat_port_t; ') allow $1 ipsecnat_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_ipsecnat_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the ipsecnat port. ## ## ## ## Domain to not audit. 
# ipsecnat port (UDP): dontaudit send, receive, dontaudit receive.
## ## ## # define(`corenet_dontaudit_udp_send_ipsecnat_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ipsecnat_port'($*)) dnl gen_require(` type ipsecnat_port_t; ') dontaudit $1 ipsecnat_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ipsecnat_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the ipsecnat port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_ipsecnat_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ipsecnat_port'($*)) dnl gen_require(` type ipsecnat_port_t; ') allow $1 ipsecnat_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ipsecnat_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the ipsecnat port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_ipsecnat_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ipsecnat_port'($*)) dnl gen_require(` type ipsecnat_port_t; ') dontaudit $1 ipsecnat_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ipsecnat_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the ipsecnat port. ## ## ## ## Domain allowed access. 
# ipsecnat port: UDP sendrecv wrapper, its dontaudit twin, and TCP name_bind. Unlike the ipp bind interfaces, the bind here grants only name_bind and no net_bind_service capability.
## ## ## # define(`corenet_udp_sendrecv_ipsecnat_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ipsecnat_port'($*)) dnl corenet_udp_send_ipsecnat_port($1) corenet_udp_receive_ipsecnat_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ipsecnat_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the ipsecnat port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_ipsecnat_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ipsecnat_port'($*)) dnl corenet_dontaudit_udp_send_ipsecnat_port($1) corenet_dontaudit_udp_receive_ipsecnat_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ipsecnat_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the ipsecnat port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_ipsecnat_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ipsecnat_port'($*)) dnl gen_require(` type ipsecnat_port_t; ') allow $1 ipsecnat_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ipsecnat_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the ipsecnat port. ## ## ## ## Domain allowed access. 
# ipsecnat port: UDP name_bind, dontaudit UDP name_bind (a pure dontaudit, no capability grant), and TCP name_connect.
## ## ## # define(`corenet_udp_bind_ipsecnat_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ipsecnat_port'($*)) dnl gen_require(` type ipsecnat_port_t; ') allow $1 ipsecnat_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ipsecnat_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind UDP sockets to the ipsecnat port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_bind_ipsecnat_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ipsecnat_port'($*)) dnl gen_require(` type ipsecnat_port_t; ') dontaudit $1 ipsecnat_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ipsecnat_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the ipsecnat port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_ipsecnat_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ipsecnat_port'($*)) dnl gen_require(` type ipsecnat_port_t; ') allow $1 ipsecnat_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ipsecnat_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the ipsecnat port. ## ## ## ## Domain to not audit. 
# ipsecnat port: dontaudit TCP name_connect; ipsecnat_client packet type: send and dontaudit send.
## ## # define(`corenet_dontaudit_tcp_connect_ipsecnat_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ipsecnat_port'($*)) dnl gen_require(` type ipsecnat_port_t; ') dontaudit $1 ipsecnat_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ipsecnat_port'($*)) dnl ') ######################################## ## ## Send ipsecnat_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_ipsecnat_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ipsecnat_client_packets'($*)) dnl gen_require(` type ipsecnat_client_packet_t; ') allow $1 ipsecnat_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ipsecnat_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ipsecnat_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_ipsecnat_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipsecnat_client_packets'($*)) dnl gen_require(` type ipsecnat_client_packet_t; ') dontaudit $1 ipsecnat_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipsecnat_client_packets'($*)) dnl ') ######################################## ## ## Receive ipsecnat_client packets. ## ## ## ## Domain allowed access. 
# ipsecnat_client packets: receive, dontaudit receive, and the sendrecv wrapper (which composes send and receive).
## ## ## # define(`corenet_receive_ipsecnat_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ipsecnat_client_packets'($*)) dnl gen_require(` type ipsecnat_client_packet_t; ') allow $1 ipsecnat_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ipsecnat_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ipsecnat_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_ipsecnat_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipsecnat_client_packets'($*)) dnl gen_require(` type ipsecnat_client_packet_t; ') dontaudit $1 ipsecnat_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipsecnat_client_packets'($*)) dnl ') ######################################## ## ## Send and receive ipsecnat_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_ipsecnat_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipsecnat_client_packets'($*)) dnl corenet_send_ipsecnat_client_packets($1) corenet_receive_ipsecnat_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipsecnat_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ipsecnat_client packets. ## ## ## ## Domain to not audit. 
# ipsecnat_client packets: dontaudit sendrecv wrapper and relabelto; ipsecnat_server packet type: send.
## ## ## # define(`corenet_dontaudit_sendrecv_ipsecnat_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipsecnat_client_packets'($*)) dnl corenet_dontaudit_send_ipsecnat_client_packets($1) corenet_dontaudit_receive_ipsecnat_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipsecnat_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the ipsecnat_client packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_ipsecnat_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipsecnat_client_packets'($*)) dnl gen_require(` type ipsecnat_client_packet_t; ') allow $1 ipsecnat_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipsecnat_client_packets'($*)) dnl ') ######################################## ## ## Send ipsecnat_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_ipsecnat_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ipsecnat_server_packets'($*)) dnl gen_require(` type ipsecnat_server_packet_t; ') allow $1 ipsecnat_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ipsecnat_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ipsecnat_server packets. ## ## ## ## Domain to not audit. 
# ipsecnat_server packet type: dontaudit send, receive, dontaudit receive.
## ## ## # define(`corenet_dontaudit_send_ipsecnat_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ipsecnat_server_packets'($*)) dnl gen_require(` type ipsecnat_server_packet_t; ') dontaudit $1 ipsecnat_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ipsecnat_server_packets'($*)) dnl ') ######################################## ## ## Receive ipsecnat_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_ipsecnat_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ipsecnat_server_packets'($*)) dnl gen_require(` type ipsecnat_server_packet_t; ') allow $1 ipsecnat_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ipsecnat_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ipsecnat_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_ipsecnat_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ipsecnat_server_packets'($*)) dnl gen_require(` type ipsecnat_server_packet_t; ') dontaudit $1 ipsecnat_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ipsecnat_server_packets'($*)) dnl ') ######################################## ## ## Send and receive ipsecnat_server packets. ## ## ## ## Domain allowed access. 
# ipsecnat_server packets: sendrecv wrapper, dontaudit sendrecv wrapper, relabelto.
## ## ## # define(`corenet_sendrecv_ipsecnat_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ipsecnat_server_packets'($*)) dnl corenet_send_ipsecnat_server_packets($1) corenet_receive_ipsecnat_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ipsecnat_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ipsecnat_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_ipsecnat_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ipsecnat_server_packets'($*)) dnl corenet_dontaudit_send_ipsecnat_server_packets($1) corenet_dontaudit_receive_ipsecnat_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ipsecnat_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the ipsecnat_server packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_ipsecnat_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ipsecnat_server_packets'($*)) dnl gen_require(` type ipsecnat_server_packet_t; ') allow $1 ipsecnat_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ipsecnat_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the ircd port. ## ## ## ## Domain allowed access. 
# ircd port: TCP sendrecv (send_msg and recv_msg in one rule), UDP send, dontaudit UDP send.
## ## ## # define(`corenet_tcp_sendrecv_ircd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ircd_port'($*)) dnl gen_require(` type ircd_port_t; ') allow $1 ircd_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ircd_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the ircd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_ircd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ircd_port'($*)) dnl gen_require(` type ircd_port_t; ') allow $1 ircd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_ircd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the ircd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_ircd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ircd_port'($*)) dnl gen_require(` type ircd_port_t; ') dontaudit $1 ircd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ircd_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the ircd port. ## ## ## ## Domain allowed access. 
# ircd port (UDP): receive, dontaudit receive, and the sendrecv wrapper composing send and receive.
## ## ## # define(`corenet_udp_receive_ircd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ircd_port'($*)) dnl gen_require(` type ircd_port_t; ') allow $1 ircd_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ircd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the ircd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_ircd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ircd_port'($*)) dnl gen_require(` type ircd_port_t; ') dontaudit $1 ircd_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ircd_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the ircd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_ircd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ircd_port'($*)) dnl corenet_udp_send_ircd_port($1) corenet_udp_receive_ircd_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ircd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the ircd port. ## ## ## ## Domain to not audit. 
# ircd port: dontaudit UDP sendrecv wrapper, TCP name_bind, UDP name_bind. As with ipsecnat, the bind interfaces grant only name_bind and no net_bind_service capability (contrast the ipp bind interfaces).
## ## ## # define(`corenet_dontaudit_udp_sendrecv_ircd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ircd_port'($*)) dnl corenet_dontaudit_udp_send_ircd_port($1) corenet_dontaudit_udp_receive_ircd_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ircd_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the ircd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_ircd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ircd_port'($*)) dnl gen_require(` type ircd_port_t; ') allow $1 ircd_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ircd_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the ircd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_ircd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ircd_port'($*)) dnl gen_require(` type ircd_port_t; ') allow $1 ircd_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ircd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind UDP sockets to the ircd port. ## ## ## ## Domain to not audit. 
# ircd port: dontaudit UDP name_bind (pure dontaudit), TCP name_connect, dontaudit TCP name_connect.
## ## ## # define(`corenet_dontaudit_udp_bind_ircd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ircd_port'($*)) dnl gen_require(` type ircd_port_t; ') dontaudit $1 ircd_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ircd_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the ircd port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_ircd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ircd_port'($*)) dnl gen_require(` type ircd_port_t; ') allow $1 ircd_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ircd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the ircd port. ## ## ## ## Domain to not audit. ## ## # define(`corenet_dontaudit_tcp_connect_ircd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ircd_port'($*)) dnl gen_require(` type ircd_port_t; ') dontaudit $1 ircd_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ircd_port'($*)) dnl ') ######################################## ## ## Send ircd_client packets. ## ## ## ## Domain allowed access. 
# ircd_client packet type: send, dontaudit send, receive.
## ## ## # define(`corenet_send_ircd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ircd_client_packets'($*)) dnl gen_require(` type ircd_client_packet_t; ') allow $1 ircd_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ircd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ircd_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_ircd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ircd_client_packets'($*)) dnl gen_require(` type ircd_client_packet_t; ') dontaudit $1 ircd_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ircd_client_packets'($*)) dnl ') ######################################## ## ## Receive ircd_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_ircd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ircd_client_packets'($*)) dnl gen_require(` type ircd_client_packet_t; ') allow $1 ircd_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ircd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ircd_client packets. ## ## ## ## Domain to not audit. 
# ircd_client packets: dontaudit receive, sendrecv wrapper, dontaudit sendrecv wrapper.
## ## ## # define(`corenet_dontaudit_receive_ircd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ircd_client_packets'($*)) dnl gen_require(` type ircd_client_packet_t; ') dontaudit $1 ircd_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ircd_client_packets'($*)) dnl ') ######################################## ## ## Send and receive ircd_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_ircd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ircd_client_packets'($*)) dnl corenet_send_ircd_client_packets($1) corenet_receive_ircd_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ircd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ircd_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_ircd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ircd_client_packets'($*)) dnl corenet_dontaudit_send_ircd_client_packets($1) corenet_dontaudit_receive_ircd_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ircd_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the ircd_client packet type. ## ## ## ## Domain allowed access. 
##	</summary>
## </param>
#
define(`corenet_relabelto_ircd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ircd_client_packets'($*)) dnl
	gen_require(`
		type ircd_client_packet_t;
	')

	allow $1 ircd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ircd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send ircd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_ircd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ircd_server_packets'($*)) dnl
	gen_require(`
		type ircd_server_packet_t;
	')

	allow $1 ircd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ircd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send ircd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_ircd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ircd_server_packets'($*)) dnl
	gen_require(`
		type ircd_server_packet_t;
	')

	dontaudit $1 ircd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ircd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive ircd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
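##	</summary>
## </param>
##
#
define(`corenet_receive_ircd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ircd_server_packets'($*)) dnl
	gen_require(`
		type ircd_server_packet_t;
	')

	allow $1 ircd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ircd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive ircd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_ircd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ircd_server_packets'($*)) dnl
	gen_require(`
		type ircd_server_packet_t;
	')

	# dontaudit only suppresses the AVC denial; it grants nothing.
	dontaudit $1 ircd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ircd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive ircd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_ircd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ircd_server_packets'($*)) dnl
	corenet_send_ircd_server_packets($1)
	corenet_receive_ircd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ircd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive ircd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.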
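##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_ircd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ircd_server_packets'($*)) dnl
	corenet_dontaudit_send_ircd_server_packets($1)
	corenet_dontaudit_receive_ircd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ircd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the ircd_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_ircd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ircd_server_packets'($*)) dnl
	gen_require(`
		type ircd_server_packet_t;
	')

	allow $1 ircd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ircd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the isakmp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_isakmp_port'($*)) dnl
	gen_require(`
		type isakmp_port_t;
	')

	allow $1 isakmp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_isakmp_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the isakmp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.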
##	</summary>
## </param>
##
#
define(`corenet_udp_send_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_isakmp_port'($*)) dnl
	gen_require(`
		type isakmp_port_t;
	')

	allow $1 isakmp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_isakmp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the isakmp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_send_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_isakmp_port'($*)) dnl
	gen_require(`
		type isakmp_port_t;
	')

	dontaudit $1 isakmp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_isakmp_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the isakmp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_isakmp_port'($*)) dnl
	gen_require(`
		type isakmp_port_t;
	')

	allow $1 isakmp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_isakmp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the isakmp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_receive_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_isakmp_port'($*)) dnl
	gen_require(`
		type isakmp_port_t;
	')

	dontaudit $1 isakmp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_isakmp_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the isakmp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_sendrecv_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_isakmp_port'($*)) dnl
	# both directions come from the single-direction interfaces above
	corenet_udp_send_isakmp_port($1)
	corenet_udp_receive_isakmp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_isakmp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the isakmp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_sendrecv_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_isakmp_port'($*)) dnl
	corenet_dontaudit_udp_send_isakmp_port($1)
	corenet_dontaudit_udp_receive_isakmp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_isakmp_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the isakmp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
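##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_isakmp_port'($*)) dnl
	gen_require(`
		type isakmp_port_t;
	')

	allow $1 isakmp_port_t:tcp_socket name_bind;
	# Binding this port also needs CAP_NET_BIND_SERVICE (presumably a
	# reserved port below 1024 - confirm against the port declaration).
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_isakmp_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the isakmp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_bind_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_isakmp_port'($*)) dnl
	gen_require(`
		type isakmp_port_t;
	')

	allow $1 isakmp_port_t:udp_socket name_bind;
	# Binding this port also needs CAP_NET_BIND_SERVICE (presumably a
	# reserved port below 1024 - confirm against the port declaration).
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_isakmp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the isakmp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_bind_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_isakmp_port'($*)) dnl
	gen_require(`
		type isakmp_port_t;
	')

	# A dontaudit interface must only silence the denial. It must not
	# carry an allow rule: granting self:capability net_bind_service here
	# would hand CAP_NET_BIND_SERVICE to every domain that merely asks for
	# the bind attempt to be unaudited. Callers that really bind the port
	# use corenet_udp_bind_isakmp_port, which grants the capability.
	dontaudit $1 isakmp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_isakmp_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the isakmp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.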
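##	</summary>
## </param>
#
define(`corenet_tcp_connect_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_isakmp_port'($*)) dnl
	gen_require(`
		type isakmp_port_t;
	')

	allow $1 isakmp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_isakmp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the isakmp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_isakmp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_isakmp_port'($*)) dnl
	gen_require(`
		type isakmp_port_t;
	')

	# dontaudit only suppresses the AVC denial; it grants nothing.
	dontaudit $1 isakmp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_isakmp_port'($*)) dnl
')

########################################
## <summary>
##	Send isakmp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_isakmp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_isakmp_client_packets'($*)) dnl
	gen_require(`
		type isakmp_client_packet_t;
	')

	allow $1 isakmp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_isakmp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send isakmp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.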
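##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_isakmp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_isakmp_client_packets'($*)) dnl
	gen_require(`
		type isakmp_client_packet_t;
	')

	dontaudit $1 isakmp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_isakmp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive isakmp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_isakmp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_isakmp_client_packets'($*)) dnl
	gen_require(`
		type isakmp_client_packet_t;
	')

	allow $1 isakmp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_isakmp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive isakmp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_isakmp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_isakmp_client_packets'($*)) dnl
	gen_require(`
		type isakmp_client_packet_t;
	')

	# dontaudit only suppresses the AVC denial; it grants nothing.
	dontaudit $1 isakmp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_isakmp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive isakmp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.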
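##	</summary>
## </param>
##
#
define(`corenet_sendrecv_isakmp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_isakmp_client_packets'($*)) dnl
	corenet_send_isakmp_client_packets($1)
	corenet_receive_isakmp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_isakmp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive isakmp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_isakmp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_isakmp_client_packets'($*)) dnl
	corenet_dontaudit_send_isakmp_client_packets($1)
	corenet_dontaudit_receive_isakmp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_isakmp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the isakmp_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_isakmp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_isakmp_client_packets'($*)) dnl
	gen_require(`
		type isakmp_client_packet_t;
	')

	allow $1 isakmp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_isakmp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send isakmp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.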
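##	</summary>
## </param>
##
#
define(`corenet_send_isakmp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_isakmp_server_packets'($*)) dnl
	gen_require(`
		type isakmp_server_packet_t;
	')

	allow $1 isakmp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_isakmp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send isakmp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_isakmp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_isakmp_server_packets'($*)) dnl
	gen_require(`
		type isakmp_server_packet_t;
	')

	dontaudit $1 isakmp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_isakmp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive isakmp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_isakmp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_isakmp_server_packets'($*)) dnl
	gen_require(`
		type isakmp_server_packet_t;
	')

	allow $1 isakmp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_isakmp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive isakmp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.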
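##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_isakmp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_isakmp_server_packets'($*)) dnl
	gen_require(`
		type isakmp_server_packet_t;
	')

	# dontaudit only suppresses the AVC denial; it grants nothing.
	dontaudit $1 isakmp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_isakmp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive isakmp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_isakmp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_isakmp_server_packets'($*)) dnl
	corenet_send_isakmp_server_packets($1)
	corenet_receive_isakmp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_isakmp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive isakmp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_isakmp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_isakmp_server_packets'($*)) dnl
	corenet_dontaudit_send_isakmp_server_packets($1)
	corenet_dontaudit_receive_isakmp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_isakmp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the isakmp_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.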
##	</summary>
## </param>
#
define(`corenet_relabelto_isakmp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_isakmp_server_packets'($*)) dnl
	gen_require(`
		type isakmp_server_packet_t;
	')

	allow $1 isakmp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_isakmp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the iscsi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_iscsi_port'($*)) dnl
	gen_require(`
		type iscsi_port_t;
	')

	allow $1 iscsi_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_iscsi_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the iscsi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_iscsi_port'($*)) dnl
	gen_require(`
		type iscsi_port_t;
	')

	allow $1 iscsi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_iscsi_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the iscsi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_send_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_iscsi_port'($*)) dnl
	gen_require(`
		type iscsi_port_t;
	')

	dontaudit $1 iscsi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_iscsi_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the iscsi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_iscsi_port'($*)) dnl
	gen_require(`
		type iscsi_port_t;
	')

	allow $1 iscsi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_iscsi_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the iscsi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_receive_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_iscsi_port'($*)) dnl
	gen_require(`
		type iscsi_port_t;
	')

	dontaudit $1 iscsi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_iscsi_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the iscsi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_sendrecv_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_iscsi_port'($*)) dnl
	# both directions come from the single-direction interfaces above
	corenet_udp_send_iscsi_port($1)
	corenet_udp_receive_iscsi_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_iscsi_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the iscsi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_sendrecv_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_iscsi_port'($*)) dnl
	corenet_dontaudit_udp_send_iscsi_port($1)
	corenet_dontaudit_udp_receive_iscsi_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_iscsi_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the iscsi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_iscsi_port'($*)) dnl
	gen_require(`
		type iscsi_port_t;
	')

	# no net_bind_service here: this port is not treated as reserved
	allow $1 iscsi_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_iscsi_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the iscsi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
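##	</summary>
## </param>
##
#
define(`corenet_udp_bind_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_iscsi_port'($*)) dnl
	gen_require(`
		type iscsi_port_t;
	')

	# no net_bind_service here: this port is not treated as reserved
	allow $1 iscsi_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_iscsi_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the iscsi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_bind_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_iscsi_port'($*)) dnl
	gen_require(`
		type iscsi_port_t;
	')

	# dontaudit only suppresses the AVC denial; it grants nothing.
	dontaudit $1 iscsi_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_iscsi_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the iscsi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_iscsi_port'($*)) dnl
	gen_require(`
		type iscsi_port_t;
	')

	allow $1 iscsi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_iscsi_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the iscsi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.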
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_iscsi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_iscsi_port'($*)) dnl
	gen_require(`
		type iscsi_port_t;
	')

	dontaudit $1 iscsi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_iscsi_port'($*)) dnl
')

########################################
## <summary>
##	Send iscsi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_iscsi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_iscsi_client_packets'($*)) dnl
	gen_require(`
		type iscsi_client_packet_t;
	')

	allow $1 iscsi_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_iscsi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send iscsi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_iscsi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_iscsi_client_packets'($*)) dnl
	gen_require(`
		type iscsi_client_packet_t;
	')

	dontaudit $1 iscsi_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_iscsi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive iscsi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
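##	</summary>
## </param>
##
#
define(`corenet_receive_iscsi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_iscsi_client_packets'($*)) dnl
	gen_require(`
		type iscsi_client_packet_t;
	')

	allow $1 iscsi_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_iscsi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive iscsi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_iscsi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_iscsi_client_packets'($*)) dnl
	gen_require(`
		type iscsi_client_packet_t;
	')

	# dontaudit only suppresses the AVC denial; it grants nothing.
	dontaudit $1 iscsi_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_iscsi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive iscsi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_iscsi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_iscsi_client_packets'($*)) dnl
	corenet_send_iscsi_client_packets($1)
	corenet_receive_iscsi_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_iscsi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive iscsi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.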
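##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_iscsi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_iscsi_client_packets'($*)) dnl
	corenet_dontaudit_send_iscsi_client_packets($1)
	corenet_dontaudit_receive_iscsi_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_iscsi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the iscsi_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_iscsi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_iscsi_client_packets'($*)) dnl
	gen_require(`
		type iscsi_client_packet_t;
	')

	allow $1 iscsi_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_iscsi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send iscsi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_iscsi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_iscsi_server_packets'($*)) dnl
	gen_require(`
		type iscsi_server_packet_t;
	')

	allow $1 iscsi_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_iscsi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send iscsi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.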
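##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_iscsi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_iscsi_server_packets'($*)) dnl
	gen_require(`
		type iscsi_server_packet_t;
	')

	dontaudit $1 iscsi_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_iscsi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive iscsi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_iscsi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_iscsi_server_packets'($*)) dnl
	gen_require(`
		type iscsi_server_packet_t;
	')

	allow $1 iscsi_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_iscsi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive iscsi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_iscsi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_iscsi_server_packets'($*)) dnl
	gen_require(`
		type iscsi_server_packet_t;
	')

	# dontaudit only suppresses the AVC denial; it grants nothing.
	dontaudit $1 iscsi_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_iscsi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive iscsi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.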
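##	</summary>
## </param>
##
#
define(`corenet_sendrecv_iscsi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_iscsi_server_packets'($*)) dnl
	corenet_send_iscsi_server_packets($1)
	corenet_receive_iscsi_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_iscsi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive iscsi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_iscsi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_iscsi_server_packets'($*)) dnl
	corenet_dontaudit_send_iscsi_server_packets($1)
	corenet_dontaudit_receive_iscsi_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_iscsi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the iscsi_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_iscsi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_iscsi_server_packets'($*)) dnl
	gen_require(`
		type iscsi_server_packet_t;
	')

	allow $1 iscsi_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_iscsi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the isns port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.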
##	</summary>
## </param>
#
# policy_call_depth is pushed on entry and popped on exit so the begin/end
# markers written by policy_m4_comment nest correctly for each call.
define(`corenet_tcp_sendrecv_isns_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_isns_port'($*)) dnl
	gen_require(`
		type isns_port_t;
	')
	allow $1 isns_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_isns_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the isns port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_isns_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_isns_port'($*)) dnl
	gen_require(`
		type isns_port_t;
	')
	allow $1 isns_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_isns_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the isns port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_isns_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_isns_port'($*)) dnl
	gen_require(`
		type isns_port_t;
	')
	dontaudit $1 isns_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_isns_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the isns port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is pushed on entry and popped on exit so the begin/end
# markers written by policy_m4_comment nest correctly for each call.
define(`corenet_udp_receive_isns_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_isns_port'($*)) dnl
	gen_require(`
		type isns_port_t;
	')
	allow $1 isns_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_isns_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the isns port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_isns_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_isns_port'($*)) dnl
	gen_require(`
		type isns_port_t;
	')
	dontaudit $1 isns_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_isns_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the isns port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_isns_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_isns_port'($*)) dnl
	corenet_udp_send_isns_port($1)
	corenet_udp_receive_isns_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_isns_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the isns port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# policy_call_depth is pushed on entry and popped on exit so the begin/end
# markers written by policy_m4_comment nest correctly for each call.
define(`corenet_dontaudit_udp_sendrecv_isns_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_isns_port'($*)) dnl
	corenet_dontaudit_udp_send_isns_port($1)
	corenet_dontaudit_udp_receive_isns_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_isns_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the isns port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_isns_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_isns_port'($*)) dnl
	gen_require(`
		type isns_port_t;
	')
	allow $1 isns_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_isns_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the isns port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_isns_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_isns_port'($*)) dnl
	gen_require(`
		type isns_port_t;
	')
	allow $1 isns_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_isns_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the isns port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# policy_call_depth is pushed on entry and popped on exit so the begin/end
# markers written by policy_m4_comment nest correctly for each call.
define(`corenet_dontaudit_udp_bind_isns_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_isns_port'($*)) dnl
	gen_require(`
		type isns_port_t;
	')
	dontaudit $1 isns_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_isns_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the isns port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_isns_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_isns_port'($*)) dnl
	gen_require(`
		type isns_port_t;
	')
	allow $1 isns_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_isns_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the isns port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_isns_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_isns_port'($*)) dnl
	gen_require(`
		type isns_port_t;
	')
	dontaudit $1 isns_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_isns_port'($*)) dnl
')

########################################
## <summary>
##	Send isns_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is pushed on entry and popped on exit so the begin/end
# markers written by policy_m4_comment nest correctly for each call.
define(`corenet_send_isns_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_isns_client_packets'($*)) dnl
	gen_require(`
		type isns_client_packet_t;
	')
	allow $1 isns_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_isns_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send isns_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_isns_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_isns_client_packets'($*)) dnl
	gen_require(`
		type isns_client_packet_t;
	')
	dontaudit $1 isns_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_isns_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive isns_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_isns_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_isns_client_packets'($*)) dnl
	gen_require(`
		type isns_client_packet_t;
	')
	allow $1 isns_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_isns_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive isns_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# policy_call_depth is pushed on entry and popped on exit so the begin/end
# markers written by policy_m4_comment nest correctly for each call.
define(`corenet_dontaudit_receive_isns_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_isns_client_packets'($*)) dnl
	gen_require(`
		type isns_client_packet_t;
	')
	dontaudit $1 isns_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_isns_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive isns_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_isns_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_isns_client_packets'($*)) dnl
	corenet_send_isns_client_packets($1)
	corenet_receive_isns_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_isns_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive isns_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_isns_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_isns_client_packets'($*)) dnl
	corenet_dontaudit_send_isns_client_packets($1)
	corenet_dontaudit_receive_isns_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_isns_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the isns_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is pushed on entry and popped on exit so the begin/end
# markers written by policy_m4_comment nest correctly for each call.
define(`corenet_relabelto_isns_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_isns_client_packets'($*)) dnl
	gen_require(`
		type isns_client_packet_t;
	')
	allow $1 isns_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_isns_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send isns_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_isns_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_isns_server_packets'($*)) dnl
	gen_require(`
		type isns_server_packet_t;
	')
	allow $1 isns_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_isns_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send isns_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_isns_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_isns_server_packets'($*)) dnl
	gen_require(`
		type isns_server_packet_t;
	')
	dontaudit $1 isns_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_isns_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive isns_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is pushed on entry and popped on exit so the begin/end
# markers written by policy_m4_comment nest correctly for each call.
define(`corenet_receive_isns_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_isns_server_packets'($*)) dnl
	gen_require(`
		type isns_server_packet_t;
	')
	allow $1 isns_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_isns_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive isns_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_isns_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_isns_server_packets'($*)) dnl
	gen_require(`
		type isns_server_packet_t;
	')
	dontaudit $1 isns_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_isns_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive isns_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_isns_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_isns_server_packets'($*)) dnl
	corenet_send_isns_server_packets($1)
	corenet_receive_isns_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_isns_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive isns_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# policy_call_depth is pushed on entry and popped on exit so the begin/end
# markers written by policy_m4_comment nest correctly for each call.
define(`corenet_dontaudit_sendrecv_isns_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_isns_server_packets'($*)) dnl
	corenet_dontaudit_send_isns_server_packets($1)
	corenet_dontaudit_receive_isns_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_isns_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the isns_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_isns_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_isns_server_packets'($*)) dnl
	gen_require(`
		type isns_server_packet_t;
	')
	allow $1 isns_server_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_isns_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the jabber_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_jabber_client_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_jabber_client_port'($*)) dnl
	gen_require(`
		type jabber_client_port_t;
	')
	allow $1 jabber_client_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_jabber_client_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the jabber_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is pushed on entry and popped on exit so the begin/end
# markers written by policy_m4_comment nest correctly for each call.
define(`corenet_udp_send_jabber_client_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_jabber_client_port'($*)) dnl
	gen_require(`
		type jabber_client_port_t;
	')
	allow $1 jabber_client_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_jabber_client_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the jabber_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_jabber_client_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_jabber_client_port'($*)) dnl
	gen_require(`
		type jabber_client_port_t;
	')
	dontaudit $1 jabber_client_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_jabber_client_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the jabber_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_jabber_client_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_jabber_client_port'($*)) dnl
	gen_require(`
		type jabber_client_port_t;
	')
	allow $1 jabber_client_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_jabber_client_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the jabber_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# policy_call_depth is pushed on entry and popped on exit so the begin/end
# markers written by policy_m4_comment nest correctly for each call.
define(`corenet_dontaudit_udp_receive_jabber_client_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_jabber_client_port'($*)) dnl
	gen_require(`
		type jabber_client_port_t;
	')
	dontaudit $1 jabber_client_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_jabber_client_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the jabber_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_jabber_client_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_jabber_client_port'($*)) dnl
	corenet_udp_send_jabber_client_port($1)
	corenet_udp_receive_jabber_client_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_jabber_client_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the jabber_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_jabber_client_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_jabber_client_port'($*)) dnl
	corenet_dontaudit_udp_send_jabber_client_port($1)
	corenet_dontaudit_udp_receive_jabber_client_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_jabber_client_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the jabber_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is pushed on entry and popped on exit so the begin/end
# markers written by policy_m4_comment nest correctly for each call.
define(`corenet_tcp_bind_jabber_client_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_jabber_client_port'($*)) dnl
	gen_require(`
		type jabber_client_port_t;
	')
	allow $1 jabber_client_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_jabber_client_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the jabber_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_jabber_client_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_jabber_client_port'($*)) dnl
	gen_require(`
		type jabber_client_port_t;
	')
	allow $1 jabber_client_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_jabber_client_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the jabber_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_jabber_client_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_jabber_client_port'($*)) dnl
	gen_require(`
		type jabber_client_port_t;
	')
	dontaudit $1 jabber_client_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_jabber_client_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the jabber_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is pushed on entry and popped on exit so the begin/end
# markers written by policy_m4_comment nest correctly for each call.
define(`corenet_tcp_connect_jabber_client_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_jabber_client_port'($*)) dnl
	gen_require(`
		type jabber_client_port_t;
	')
	allow $1 jabber_client_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_jabber_client_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the jabber_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_jabber_client_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_jabber_client_port'($*)) dnl
	gen_require(`
		type jabber_client_port_t;
	')
	dontaudit $1 jabber_client_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_jabber_client_port'($*)) dnl
')

########################################
## <summary>
##	Send jabber_client_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_jabber_client_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_jabber_client_client_packets'($*)) dnl
	gen_require(`
		type jabber_client_client_packet_t;
	')
	allow $1 jabber_client_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_jabber_client_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send jabber_client_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# policy_call_depth is pushed on entry and popped on exit so the begin/end
# markers written by policy_m4_comment nest correctly for each call.
define(`corenet_dontaudit_send_jabber_client_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jabber_client_client_packets'($*)) dnl
	gen_require(`
		type jabber_client_client_packet_t;
	')
	dontaudit $1 jabber_client_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jabber_client_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive jabber_client_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_jabber_client_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_jabber_client_client_packets'($*)) dnl
	gen_require(`
		type jabber_client_client_packet_t;
	')
	allow $1 jabber_client_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_jabber_client_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive jabber_client_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_jabber_client_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jabber_client_client_packets'($*)) dnl
	gen_require(`
		type jabber_client_client_packet_t;
	')
	dontaudit $1 jabber_client_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jabber_client_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive jabber_client_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is pushed on entry and popped on exit so the begin/end
# markers written by policy_m4_comment nest correctly for each call.
define(`corenet_sendrecv_jabber_client_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jabber_client_client_packets'($*)) dnl
	corenet_send_jabber_client_client_packets($1)
	corenet_receive_jabber_client_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jabber_client_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive jabber_client_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_jabber_client_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jabber_client_client_packets'($*)) dnl
	corenet_dontaudit_send_jabber_client_client_packets($1)
	corenet_dontaudit_receive_jabber_client_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jabber_client_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the jabber_client_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_jabber_client_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jabber_client_client_packets'($*)) dnl
	gen_require(`
		type jabber_client_client_packet_t;
	')
	allow $1 jabber_client_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_jabber_client_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send jabber_client_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is pushed on entry and popped on exit so the begin/end
# markers written by policy_m4_comment nest correctly for each call.
define(`corenet_send_jabber_client_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_jabber_client_server_packets'($*)) dnl
	gen_require(`
		type jabber_client_server_packet_t;
	')
	allow $1 jabber_client_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_jabber_client_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send jabber_client_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_jabber_client_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jabber_client_server_packets'($*)) dnl
	gen_require(`
		type jabber_client_server_packet_t;
	')
	dontaudit $1 jabber_client_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jabber_client_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive jabber_client_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_jabber_client_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_jabber_client_server_packets'($*)) dnl
	gen_require(`
		type jabber_client_server_packet_t;
	')
	allow $1 jabber_client_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_jabber_client_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive jabber_client_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# policy_call_depth is pushed on entry and popped on exit so the begin/end
# markers written by policy_m4_comment nest correctly for each call.
define(`corenet_dontaudit_receive_jabber_client_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jabber_client_server_packets'($*)) dnl
	gen_require(`
		type jabber_client_server_packet_t;
	')
	dontaudit $1 jabber_client_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jabber_client_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive jabber_client_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_jabber_client_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jabber_client_server_packets'($*)) dnl
	corenet_send_jabber_client_server_packets($1)
	corenet_receive_jabber_client_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jabber_client_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive jabber_client_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_jabber_client_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jabber_client_server_packets'($*)) dnl
	corenet_dontaudit_send_jabber_client_server_packets($1)
	corenet_dontaudit_receive_jabber_client_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jabber_client_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the jabber_client_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is pushed on entry and popped on exit so the begin/end
# markers written by policy_m4_comment nest correctly for each call.
define(`corenet_relabelto_jabber_client_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jabber_client_server_packets'($*)) dnl
	gen_require(`
		type jabber_client_server_packet_t;
	')
	allow $1 jabber_client_server_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_jabber_client_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the jabber_interserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_jabber_interserver_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_jabber_interserver_port'($*)) dnl
	gen_require(`
		type jabber_interserver_port_t;
	')
	allow $1 jabber_interserver_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_jabber_interserver_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the jabber_interserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_jabber_interserver_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_jabber_interserver_port'($*)) dnl
	gen_require(`
		type jabber_interserver_port_t;
	')
	allow $1 jabber_interserver_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_jabber_interserver_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the jabber_interserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# policy_call_depth is pushed on entry and popped on exit so the begin/end
# markers written by policy_m4_comment nest correctly for each call.
define(`corenet_dontaudit_udp_send_jabber_interserver_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_jabber_interserver_port'($*)) dnl
	gen_require(`
		type jabber_interserver_port_t;
	')
	dontaudit $1 jabber_interserver_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_jabber_interserver_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the jabber_interserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_jabber_interserver_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_jabber_interserver_port'($*)) dnl
	gen_require(`
		type jabber_interserver_port_t;
	')
	allow $1 jabber_interserver_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_jabber_interserver_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the jabber_interserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_jabber_interserver_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_jabber_interserver_port'($*)) dnl
	gen_require(`
		type jabber_interserver_port_t;
	')
	dontaudit $1 jabber_interserver_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_jabber_interserver_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the jabber_interserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_jabber_interserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_jabber_interserver_port'($*)) dnl
	corenet_udp_send_jabber_interserver_port($1)
	corenet_udp_receive_jabber_interserver_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_jabber_interserver_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the jabber_interserver port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_jabber_interserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_jabber_interserver_port'($*)) dnl
	corenet_dontaudit_udp_send_jabber_interserver_port($1)
	corenet_dontaudit_udp_receive_jabber_interserver_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_jabber_interserver_port'($*)) dnl
')

########################################
##
##	Bind TCP sockets to the jabber_interserver port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_jabber_interserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_jabber_interserver_port'($*)) dnl
	gen_require(`
		type jabber_interserver_port_t;
	')

	allow $1 jabber_interserver_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_jabber_interserver_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the jabber_interserver port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_jabber_interserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_jabber_interserver_port'($*)) dnl
	gen_require(`
		type jabber_interserver_port_t;
	')

	allow $1 jabber_interserver_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_jabber_interserver_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind UDP sockets to the jabber_interserver port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_jabber_interserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_jabber_interserver_port'($*)) dnl
	gen_require(`
		type jabber_interserver_port_t;
	')

	dontaudit $1 jabber_interserver_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_jabber_interserver_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the jabber_interserver port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_jabber_interserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_jabber_interserver_port'($*)) dnl
	gen_require(`
		type jabber_interserver_port_t;
	')

	allow $1 jabber_interserver_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_jabber_interserver_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the jabber_interserver port.
##
##
##
##	Domain to not audit.
##
##
#
# dontaudit only silences the AVC denial record; it grants no access.
define(`corenet_dontaudit_tcp_connect_jabber_interserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_jabber_interserver_port'($*)) dnl
	gen_require(`
		type jabber_interserver_port_t;
	')

	dontaudit $1 jabber_interserver_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_jabber_interserver_port'($*)) dnl
')

########################################
##
##	Send jabber_interserver_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_jabber_interserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jabber_interserver_client_packets'($*)) dnl
	gen_require(`
		type jabber_interserver_client_packet_t;
	')

	allow $1 jabber_interserver_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jabber_interserver_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send jabber_interserver_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jabber_interserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jabber_interserver_client_packets'($*)) dnl
	gen_require(`
		type jabber_interserver_client_packet_t;
	')

	dontaudit $1 jabber_interserver_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jabber_interserver_client_packets'($*)) dnl
')

########################################
##
##	Receive jabber_interserver_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_jabber_interserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jabber_interserver_client_packets'($*)) dnl
	gen_require(`
		type jabber_interserver_client_packet_t;
	')

	allow $1 jabber_interserver_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jabber_interserver_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive jabber_interserver_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit only silences the AVC denial record; it grants no access.
define(`corenet_dontaudit_receive_jabber_interserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jabber_interserver_client_packets'($*)) dnl
	gen_require(`
		type jabber_interserver_client_packet_t;
	')

	dontaudit $1 jabber_interserver_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jabber_interserver_client_packets'($*)) dnl
')

########################################
##
##	Send and receive jabber_interserver_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jabber_interserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jabber_interserver_client_packets'($*)) dnl
	corenet_send_jabber_interserver_client_packets($1)
	corenet_receive_jabber_interserver_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jabber_interserver_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive jabber_interserver_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jabber_interserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jabber_interserver_client_packets'($*)) dnl
	corenet_dontaudit_send_jabber_interserver_client_packets($1)
	corenet_dontaudit_receive_jabber_interserver_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jabber_interserver_client_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the jabber_interserver_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_jabber_interserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jabber_interserver_client_packets'($*)) dnl
	gen_require(`
		type jabber_interserver_client_packet_t;
	')

	allow $1 jabber_interserver_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jabber_interserver_client_packets'($*)) dnl
')

########################################
##
##	Send jabber_interserver_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_jabber_interserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jabber_interserver_server_packets'($*)) dnl
	gen_require(`
		type jabber_interserver_server_packet_t;
	')

	allow $1 jabber_interserver_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jabber_interserver_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send jabber_interserver_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jabber_interserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jabber_interserver_server_packets'($*)) dnl
	gen_require(`
		type jabber_interserver_server_packet_t;
	')

	dontaudit $1 jabber_interserver_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jabber_interserver_server_packets'($*)) dnl
')

########################################
##
##	Receive jabber_interserver_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_jabber_interserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jabber_interserver_server_packets'($*)) dnl
	gen_require(`
		type jabber_interserver_server_packet_t;
	')

	allow $1 jabber_interserver_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jabber_interserver_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive jabber_interserver_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit only silences the AVC denial record; it grants no access.
define(`corenet_dontaudit_receive_jabber_interserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jabber_interserver_server_packets'($*)) dnl
	gen_require(`
		type jabber_interserver_server_packet_t;
	')

	dontaudit $1 jabber_interserver_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jabber_interserver_server_packets'($*)) dnl
')

########################################
##
##	Send and receive jabber_interserver_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jabber_interserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jabber_interserver_server_packets'($*)) dnl
	corenet_send_jabber_interserver_server_packets($1)
	corenet_receive_jabber_interserver_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jabber_interserver_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive jabber_interserver_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jabber_interserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jabber_interserver_server_packets'($*)) dnl
	corenet_dontaudit_send_jabber_interserver_server_packets($1)
	corenet_dontaudit_receive_jabber_interserver_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jabber_interserver_server_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the jabber_interserver_server packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_jabber_interserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jabber_interserver_server_packets'($*)) dnl
	gen_require(`
		type jabber_interserver_server_packet_t;
	')

	allow $1 jabber_interserver_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jabber_interserver_server_packets'($*)) dnl
')

########################################
##
##	Send and receive TCP traffic on the jabber_router port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_jabber_router_port'($*)) dnl
	gen_require(`
		type jabber_router_port_t;
	')

	allow $1 jabber_router_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_jabber_router_port'($*)) dnl
')

########################################
##
##	Send UDP traffic on the jabber_router port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_send_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_jabber_router_port'($*)) dnl
	gen_require(`
		type jabber_router_port_t;
	')

	allow $1 jabber_router_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_jabber_router_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send UDP traffic on the jabber_router port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_jabber_router_port'($*)) dnl
	gen_require(`
		type jabber_router_port_t;
	')

	dontaudit $1 jabber_router_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_jabber_router_port'($*)) dnl
')

########################################
##
##	Receive UDP traffic on the jabber_router port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_jabber_router_port'($*)) dnl
	gen_require(`
		type jabber_router_port_t;
	')

	allow $1 jabber_router_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_jabber_router_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive UDP traffic on the jabber_router port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_jabber_router_port'($*)) dnl
	gen_require(`
		type jabber_router_port_t;
	')

	dontaudit $1 jabber_router_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_jabber_router_port'($*)) dnl
')

########################################
##
##	Send and receive UDP traffic on the jabber_router port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_jabber_router_port'($*)) dnl
	corenet_udp_send_jabber_router_port($1)
	corenet_udp_receive_jabber_router_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_jabber_router_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the jabber_router port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_jabber_router_port'($*)) dnl
	corenet_dontaudit_udp_send_jabber_router_port($1)
	corenet_dontaudit_udp_receive_jabber_router_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_jabber_router_port'($*)) dnl
')

########################################
##
##	Bind TCP sockets to the jabber_router port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_jabber_router_port'($*)) dnl
	gen_require(`
		type jabber_router_port_t;
	')

	allow $1 jabber_router_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_jabber_router_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the jabber_router port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_jabber_router_port'($*)) dnl
	gen_require(`
		type jabber_router_port_t;
	')

	allow $1 jabber_router_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_jabber_router_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind UDP sockets to the jabber_router port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_jabber_router_port'($*)) dnl
	gen_require(`
		type jabber_router_port_t;
	')

	dontaudit $1 jabber_router_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_jabber_router_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the jabber_router port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_jabber_router_port'($*)) dnl
	gen_require(`
		type jabber_router_port_t;
	')

	allow $1 jabber_router_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_jabber_router_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the jabber_router port.
##
##
##
##	Domain to not audit.
##
##
#
# dontaudit only silences the AVC denial record; it grants no access.
define(`corenet_dontaudit_tcp_connect_jabber_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_jabber_router_port'($*)) dnl
	gen_require(`
		type jabber_router_port_t;
	')

	dontaudit $1 jabber_router_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_jabber_router_port'($*)) dnl
')

########################################
##
##	Send jabber_router_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_jabber_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jabber_router_client_packets'($*)) dnl
	gen_require(`
		type jabber_router_client_packet_t;
	')

	allow $1 jabber_router_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jabber_router_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send jabber_router_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jabber_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jabber_router_client_packets'($*)) dnl
	gen_require(`
		type jabber_router_client_packet_t;
	')

	dontaudit $1 jabber_router_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jabber_router_client_packets'($*)) dnl
')

########################################
##
##	Receive jabber_router_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_jabber_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jabber_router_client_packets'($*)) dnl
	gen_require(`
		type jabber_router_client_packet_t;
	')

	allow $1 jabber_router_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jabber_router_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive jabber_router_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit only silences the AVC denial record; it grants no access.
define(`corenet_dontaudit_receive_jabber_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jabber_router_client_packets'($*)) dnl
	gen_require(`
		type jabber_router_client_packet_t;
	')

	dontaudit $1 jabber_router_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jabber_router_client_packets'($*)) dnl
')

########################################
##
##	Send and receive jabber_router_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jabber_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jabber_router_client_packets'($*)) dnl
	corenet_send_jabber_router_client_packets($1)
	corenet_receive_jabber_router_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jabber_router_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive jabber_router_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jabber_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jabber_router_client_packets'($*)) dnl
	corenet_dontaudit_send_jabber_router_client_packets($1)
	corenet_dontaudit_receive_jabber_router_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jabber_router_client_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the jabber_router_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_jabber_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jabber_router_client_packets'($*)) dnl
	gen_require(`
		type jabber_router_client_packet_t;
	')

	allow $1 jabber_router_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jabber_router_client_packets'($*)) dnl
')

########################################
##
##	Send jabber_router_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_jabber_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jabber_router_server_packets'($*)) dnl
	gen_require(`
		type jabber_router_server_packet_t;
	')

	allow $1 jabber_router_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jabber_router_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send jabber_router_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_jabber_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jabber_router_server_packets'($*)) dnl
	gen_require(`
		type jabber_router_server_packet_t;
	')

	dontaudit $1 jabber_router_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jabber_router_server_packets'($*)) dnl
')

########################################
##
##	Receive jabber_router_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_jabber_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jabber_router_server_packets'($*)) dnl
	gen_require(`
		type jabber_router_server_packet_t;
	')

	allow $1 jabber_router_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jabber_router_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive jabber_router_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit only silences the AVC denial record; it grants no access.
define(`corenet_dontaudit_receive_jabber_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jabber_router_server_packets'($*)) dnl
	gen_require(`
		type jabber_router_server_packet_t;
	')

	dontaudit $1 jabber_router_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jabber_router_server_packets'($*)) dnl
')

########################################
##
##	Send and receive jabber_router_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_jabber_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jabber_router_server_packets'($*)) dnl
	corenet_send_jabber_router_server_packets($1)
	corenet_receive_jabber_router_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jabber_router_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive jabber_router_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_jabber_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jabber_router_server_packets'($*)) dnl
	corenet_dontaudit_send_jabber_router_server_packets($1)
	corenet_dontaudit_receive_jabber_router_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jabber_router_server_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the jabber_router_server packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_jabber_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jabber_router_server_packets'($*)) dnl
	gen_require(`
		type jabber_router_server_packet_t;
	')

	allow $1 jabber_router_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jabber_router_server_packets'($*)) dnl
')

########################################
##
##	Send and receive TCP traffic on the jacorb port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_jacorb_port'($*)) dnl
	gen_require(`
		type jacorb_port_t;
	')

	allow $1 jacorb_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_jacorb_port'($*)) dnl
')

########################################
##
##	Send UDP traffic on the jacorb port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_send_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_jacorb_port'($*)) dnl
	gen_require(`
		type jacorb_port_t;
	')

	allow $1 jacorb_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_jacorb_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send UDP traffic on the jacorb port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_jacorb_port'($*)) dnl
	gen_require(`
		type jacorb_port_t;
	')

	dontaudit $1 jacorb_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_jacorb_port'($*)) dnl
')

########################################
##
##	Receive UDP traffic on the jacorb port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_jacorb_port'($*)) dnl
	gen_require(`
		type jacorb_port_t;
	')

	allow $1 jacorb_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_jacorb_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive UDP traffic on the jacorb port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_jacorb_port'($*)) dnl
	gen_require(`
		type jacorb_port_t;
	')

	dontaudit $1 jacorb_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_jacorb_port'($*)) dnl
')

########################################
##
##	Send and receive UDP traffic on the jacorb port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_jacorb_port'($*)) dnl
	corenet_udp_send_jacorb_port($1)
	corenet_udp_receive_jacorb_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_jacorb_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the jacorb port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_jacorb_port'($*)) dnl
	corenet_dontaudit_udp_send_jacorb_port($1)
	corenet_dontaudit_udp_receive_jacorb_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_jacorb_port'($*)) dnl
')

########################################
##
##	Bind TCP sockets to the jacorb port.
##
##
##
##	Domain allowed access.
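##	</summary>
## </param>
#
define(`corenet_tcp_bind_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_jacorb_port'($*)) dnl
	gen_require(`
		type jacorb_port_t;
	')

	allow $1 jacorb_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_jacorb_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the jacorb port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_jacorb_port'($*)) dnl
	gen_require(`
		type jacorb_port_t;
	')

	allow $1 jacorb_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_jacorb_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the jacorb port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_jacorb_port'($*)) dnl
	gen_require(`
		type jacorb_port_t;
	')

	dontaudit $1 jacorb_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_jacorb_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the jacorb port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.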
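##	</summary>
## </param>
#
define(`corenet_tcp_connect_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_jacorb_port'($*)) dnl
	gen_require(`
		type jacorb_port_t;
	')

	allow $1 jacorb_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_jacorb_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the jacorb port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_jacorb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_jacorb_port'($*)) dnl
	gen_require(`
		type jacorb_port_t;
	')

	dontaudit $1 jacorb_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_jacorb_port'($*)) dnl
')

########################################
## <summary>
##	Send jacorb_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_jacorb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jacorb_client_packets'($*)) dnl
	gen_require(`
		type jacorb_client_packet_t;
	')

	allow $1 jacorb_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jacorb_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send jacorb_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.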
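##	</summary>
## </param>
#
define(`corenet_dontaudit_send_jacorb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jacorb_client_packets'($*)) dnl
	gen_require(`
		type jacorb_client_packet_t;
	')

	dontaudit $1 jacorb_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jacorb_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive jacorb_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_jacorb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jacorb_client_packets'($*)) dnl
	gen_require(`
		type jacorb_client_packet_t;
	')

	allow $1 jacorb_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jacorb_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive jacorb_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_jacorb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jacorb_client_packets'($*)) dnl
	gen_require(`
		type jacorb_client_packet_t;
	')

	dontaudit $1 jacorb_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jacorb_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive jacorb_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.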
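##	</summary>
## </param>
#
define(`corenet_sendrecv_jacorb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jacorb_client_packets'($*)) dnl
	corenet_send_jacorb_client_packets($1)
	corenet_receive_jacorb_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jacorb_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive jacorb_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_jacorb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jacorb_client_packets'($*)) dnl
	corenet_dontaudit_send_jacorb_client_packets($1)
	corenet_dontaudit_receive_jacorb_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jacorb_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the jacorb_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_jacorb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jacorb_client_packets'($*)) dnl
	gen_require(`
		type jacorb_client_packet_t;
	')

	allow $1 jacorb_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jacorb_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send jacorb_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.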
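##	</summary>
## </param>
#
define(`corenet_send_jacorb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jacorb_server_packets'($*)) dnl
	gen_require(`
		type jacorb_server_packet_t;
	')

	allow $1 jacorb_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jacorb_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send jacorb_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_jacorb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jacorb_server_packets'($*)) dnl
	gen_require(`
		type jacorb_server_packet_t;
	')

	dontaudit $1 jacorb_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jacorb_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive jacorb_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_jacorb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jacorb_server_packets'($*)) dnl
	gen_require(`
		type jacorb_server_packet_t;
	')

	allow $1 jacorb_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jacorb_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive jacorb_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.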
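##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_jacorb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jacorb_server_packets'($*)) dnl
	gen_require(`
		type jacorb_server_packet_t;
	')

	dontaudit $1 jacorb_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jacorb_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive jacorb_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_jacorb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jacorb_server_packets'($*)) dnl
	corenet_send_jacorb_server_packets($1)
	corenet_receive_jacorb_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jacorb_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive jacorb_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_jacorb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jacorb_server_packets'($*)) dnl
	corenet_dontaudit_send_jacorb_server_packets($1)
	corenet_dontaudit_receive_jacorb_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jacorb_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the jacorb_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.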
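##	</summary>
## </param>
#
define(`corenet_relabelto_jacorb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jacorb_server_packets'($*)) dnl
	gen_require(`
		type jacorb_server_packet_t;
	')

	allow $1 jacorb_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jacorb_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the jboss_debug port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_jboss_debug_port'($*)) dnl
	gen_require(`
		type jboss_debug_port_t;
	')

	allow $1 jboss_debug_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_jboss_debug_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the jboss_debug port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_jboss_debug_port'($*)) dnl
	gen_require(`
		type jboss_debug_port_t;
	')

	allow $1 jboss_debug_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_jboss_debug_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the jboss_debug port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.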
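##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_jboss_debug_port'($*)) dnl
	gen_require(`
		type jboss_debug_port_t;
	')

	dontaudit $1 jboss_debug_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_jboss_debug_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the jboss_debug port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_jboss_debug_port'($*)) dnl
	gen_require(`
		type jboss_debug_port_t;
	')

	allow $1 jboss_debug_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_jboss_debug_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the jboss_debug port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_jboss_debug_port'($*)) dnl
	gen_require(`
		type jboss_debug_port_t;
	')

	dontaudit $1 jboss_debug_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_jboss_debug_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the jboss_debug port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.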
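##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_jboss_debug_port'($*)) dnl
	corenet_udp_send_jboss_debug_port($1)
	corenet_udp_receive_jboss_debug_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_jboss_debug_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the jboss_debug port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_jboss_debug_port'($*)) dnl
	corenet_dontaudit_udp_send_jboss_debug_port($1)
	corenet_dontaudit_udp_receive_jboss_debug_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_jboss_debug_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the jboss_debug port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_jboss_debug_port'($*)) dnl
	gen_require(`
		type jboss_debug_port_t;
	')

	allow $1 jboss_debug_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_jboss_debug_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the jboss_debug port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.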
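##	</summary>
## </param>
#
define(`corenet_udp_bind_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_jboss_debug_port'($*)) dnl
	gen_require(`
		type jboss_debug_port_t;
	')

	allow $1 jboss_debug_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_jboss_debug_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the jboss_debug port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_jboss_debug_port'($*)) dnl
	gen_require(`
		type jboss_debug_port_t;
	')

	dontaudit $1 jboss_debug_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_jboss_debug_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the jboss_debug port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_jboss_debug_port'($*)) dnl
	gen_require(`
		type jboss_debug_port_t;
	')

	allow $1 jboss_debug_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_jboss_debug_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the jboss_debug port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.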
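##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_jboss_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_jboss_debug_port'($*)) dnl
	gen_require(`
		type jboss_debug_port_t;
	')

	dontaudit $1 jboss_debug_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_jboss_debug_port'($*)) dnl
')

########################################
## <summary>
##	Send jboss_debug_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_jboss_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jboss_debug_client_packets'($*)) dnl
	gen_require(`
		type jboss_debug_client_packet_t;
	')

	allow $1 jboss_debug_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jboss_debug_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send jboss_debug_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_jboss_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jboss_debug_client_packets'($*)) dnl
	gen_require(`
		type jboss_debug_client_packet_t;
	')

	dontaudit $1 jboss_debug_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jboss_debug_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive jboss_debug_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.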
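##	</summary>
## </param>
#
define(`corenet_receive_jboss_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jboss_debug_client_packets'($*)) dnl
	gen_require(`
		type jboss_debug_client_packet_t;
	')

	allow $1 jboss_debug_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jboss_debug_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive jboss_debug_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_jboss_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jboss_debug_client_packets'($*)) dnl
	gen_require(`
		type jboss_debug_client_packet_t;
	')

	dontaudit $1 jboss_debug_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jboss_debug_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive jboss_debug_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_jboss_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jboss_debug_client_packets'($*)) dnl
	corenet_send_jboss_debug_client_packets($1)
	corenet_receive_jboss_debug_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jboss_debug_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive jboss_debug_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.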
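##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_jboss_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jboss_debug_client_packets'($*)) dnl
	corenet_dontaudit_send_jboss_debug_client_packets($1)
	corenet_dontaudit_receive_jboss_debug_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jboss_debug_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the jboss_debug_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_jboss_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jboss_debug_client_packets'($*)) dnl
	gen_require(`
		type jboss_debug_client_packet_t;
	')

	allow $1 jboss_debug_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jboss_debug_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send jboss_debug_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_jboss_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jboss_debug_server_packets'($*)) dnl
	gen_require(`
		type jboss_debug_server_packet_t;
	')

	allow $1 jboss_debug_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jboss_debug_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send jboss_debug_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.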
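##	</summary>
## </param>
#
define(`corenet_dontaudit_send_jboss_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jboss_debug_server_packets'($*)) dnl
	gen_require(`
		type jboss_debug_server_packet_t;
	')

	dontaudit $1 jboss_debug_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jboss_debug_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive jboss_debug_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_jboss_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jboss_debug_server_packets'($*)) dnl
	gen_require(`
		type jboss_debug_server_packet_t;
	')

	allow $1 jboss_debug_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jboss_debug_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive jboss_debug_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_jboss_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jboss_debug_server_packets'($*)) dnl
	gen_require(`
		type jboss_debug_server_packet_t;
	')

	dontaudit $1 jboss_debug_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jboss_debug_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive jboss_debug_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.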
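##	</summary>
## </param>
#
define(`corenet_sendrecv_jboss_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jboss_debug_server_packets'($*)) dnl
	corenet_send_jboss_debug_server_packets($1)
	corenet_receive_jboss_debug_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jboss_debug_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive jboss_debug_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_jboss_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jboss_debug_server_packets'($*)) dnl
	corenet_dontaudit_send_jboss_debug_server_packets($1)
	corenet_dontaudit_receive_jboss_debug_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jboss_debug_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the jboss_debug_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_jboss_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jboss_debug_server_packets'($*)) dnl
	gen_require(`
		type jboss_debug_server_packet_t;
	')

	allow $1 jboss_debug_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jboss_debug_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the jboss_messaging port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.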
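##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_jboss_messaging_port'($*)) dnl
	gen_require(`
		type jboss_messaging_port_t;
	')

	allow $1 jboss_messaging_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_jboss_messaging_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the jboss_messaging port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_jboss_messaging_port'($*)) dnl
	gen_require(`
		type jboss_messaging_port_t;
	')

	allow $1 jboss_messaging_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_jboss_messaging_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the jboss_messaging port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_jboss_messaging_port'($*)) dnl
	gen_require(`
		type jboss_messaging_port_t;
	')

	dontaudit $1 jboss_messaging_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_jboss_messaging_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the jboss_messaging port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.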
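##	</summary>
## </param>
#
define(`corenet_udp_receive_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_jboss_messaging_port'($*)) dnl
	gen_require(`
		type jboss_messaging_port_t;
	')

	allow $1 jboss_messaging_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_jboss_messaging_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the jboss_messaging port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_jboss_messaging_port'($*)) dnl
	gen_require(`
		type jboss_messaging_port_t;
	')

	dontaudit $1 jboss_messaging_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_jboss_messaging_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the jboss_messaging port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_jboss_messaging_port'($*)) dnl
	corenet_udp_send_jboss_messaging_port($1)
	corenet_udp_receive_jboss_messaging_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_jboss_messaging_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the jboss_messaging port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.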
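##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_jboss_messaging_port'($*)) dnl
	corenet_dontaudit_udp_send_jboss_messaging_port($1)
	corenet_dontaudit_udp_receive_jboss_messaging_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_jboss_messaging_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the jboss_messaging port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_jboss_messaging_port'($*)) dnl
	gen_require(`
		type jboss_messaging_port_t;
	')

	allow $1 jboss_messaging_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_jboss_messaging_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the jboss_messaging port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_jboss_messaging_port'($*)) dnl
	gen_require(`
		type jboss_messaging_port_t;
	')

	allow $1 jboss_messaging_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_jboss_messaging_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the jboss_messaging port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.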
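##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_jboss_messaging_port'($*)) dnl
	gen_require(`
		type jboss_messaging_port_t;
	')

	dontaudit $1 jboss_messaging_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_jboss_messaging_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the jboss_messaging port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_jboss_messaging_port'($*)) dnl
	gen_require(`
		type jboss_messaging_port_t;
	')

	allow $1 jboss_messaging_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_jboss_messaging_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the jboss_messaging port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_jboss_messaging_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_jboss_messaging_port'($*)) dnl
	gen_require(`
		type jboss_messaging_port_t;
	')

	dontaudit $1 jboss_messaging_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_jboss_messaging_port'($*)) dnl
')

########################################
## <summary>
##	Send jboss_messaging_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.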
##
#
define(`corenet_send_jboss_messaging_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jboss_messaging_client_packets'($*)) dnl
	gen_require(`
		type jboss_messaging_client_packet_t;
	')
	allow $1 jboss_messaging_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jboss_messaging_client_packets'($*)) dnl
')
########################################
## Do not audit attempts to send jboss_messaging_client packets.
## Parameters:
##   1. Domain to not audit.
#
define(`corenet_dontaudit_send_jboss_messaging_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jboss_messaging_client_packets'($*)) dnl
	gen_require(`
		type jboss_messaging_client_packet_t;
	')
	dontaudit $1 jboss_messaging_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jboss_messaging_client_packets'($*)) dnl
')
########################################
## Receive jboss_messaging_client packets.
## Parameters:
##   1. Domain allowed access.
#
define(`corenet_receive_jboss_messaging_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jboss_messaging_client_packets'($*)) dnl
	gen_require(`
		type jboss_messaging_client_packet_t;
	')
	allow $1 jboss_messaging_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jboss_messaging_client_packets'($*)) dnl
')
########################################
## Do not audit attempts to receive jboss_messaging_client packets.
## Parameters:
##   1. Domain to not audit.
##
#
define(`corenet_dontaudit_receive_jboss_messaging_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jboss_messaging_client_packets'($*)) dnl
	gen_require(`
		type jboss_messaging_client_packet_t;
	')
	dontaudit $1 jboss_messaging_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jboss_messaging_client_packets'($*)) dnl
')
########################################
## Send and receive jboss_messaging_client packets
## (wrapper over the send and receive interfaces).
## Parameters:
##   1. Domain allowed access.
#
define(`corenet_sendrecv_jboss_messaging_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jboss_messaging_client_packets'($*)) dnl
	corenet_send_jboss_messaging_client_packets($1)
	corenet_receive_jboss_messaging_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jboss_messaging_client_packets'($*)) dnl
')
########################################
## Do not audit attempts to send and receive jboss_messaging_client packets
## (wrapper over the dontaudit send and receive interfaces).
## Parameters:
##   1. Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_jboss_messaging_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jboss_messaging_client_packets'($*)) dnl
	corenet_dontaudit_send_jboss_messaging_client_packets($1)
	corenet_dontaudit_receive_jboss_messaging_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jboss_messaging_client_packets'($*)) dnl
')
########################################
## Relabel packets to the jboss_messaging_client packet type.
## Parameters:
##   1. Domain allowed access.
##
#
define(`corenet_relabelto_jboss_messaging_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jboss_messaging_client_packets'($*)) dnl
	gen_require(`
		type jboss_messaging_client_packet_t;
	')
	allow $1 jboss_messaging_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jboss_messaging_client_packets'($*)) dnl
')
########################################
## Send jboss_messaging_server packets.
## Parameters:
##   1. Domain allowed access.
#
define(`corenet_send_jboss_messaging_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jboss_messaging_server_packets'($*)) dnl
	gen_require(`
		type jboss_messaging_server_packet_t;
	')
	allow $1 jboss_messaging_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jboss_messaging_server_packets'($*)) dnl
')
########################################
## Do not audit attempts to send jboss_messaging_server packets.
## Parameters:
##   1. Domain to not audit.
#
define(`corenet_dontaudit_send_jboss_messaging_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jboss_messaging_server_packets'($*)) dnl
	gen_require(`
		type jboss_messaging_server_packet_t;
	')
	dontaudit $1 jboss_messaging_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jboss_messaging_server_packets'($*)) dnl
')
########################################
## Receive jboss_messaging_server packets.
## Parameters:
##   1. Domain allowed access.
##
#
define(`corenet_receive_jboss_messaging_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jboss_messaging_server_packets'($*)) dnl
	gen_require(`
		type jboss_messaging_server_packet_t;
	')
	allow $1 jboss_messaging_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jboss_messaging_server_packets'($*)) dnl
')
########################################
## Do not audit attempts to receive jboss_messaging_server packets.
## Parameters:
##   1. Domain to not audit.
#
define(`corenet_dontaudit_receive_jboss_messaging_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jboss_messaging_server_packets'($*)) dnl
	gen_require(`
		type jboss_messaging_server_packet_t;
	')
	dontaudit $1 jboss_messaging_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jboss_messaging_server_packets'($*)) dnl
')
########################################
## Send and receive jboss_messaging_server packets
## (wrapper over the send and receive interfaces).
## Parameters:
##   1. Domain allowed access.
#
define(`corenet_sendrecv_jboss_messaging_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jboss_messaging_server_packets'($*)) dnl
	corenet_send_jboss_messaging_server_packets($1)
	corenet_receive_jboss_messaging_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jboss_messaging_server_packets'($*)) dnl
')
########################################
## Do not audit attempts to send and receive jboss_messaging_server packets
## (wrapper over the dontaudit send and receive interfaces).
## Parameters:
##   1. Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_jboss_messaging_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jboss_messaging_server_packets'($*)) dnl
	corenet_dontaudit_send_jboss_messaging_server_packets($1)
	corenet_dontaudit_receive_jboss_messaging_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jboss_messaging_server_packets'($*)) dnl
')
########################################
## Relabel packets to the jboss_messaging_server packet type.
## Parameters:
##   1. Domain allowed access.
#
define(`corenet_relabelto_jboss_messaging_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jboss_messaging_server_packets'($*)) dnl
	gen_require(`
		type jboss_messaging_server_packet_t;
	')
	allow $1 jboss_messaging_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jboss_messaging_server_packets'($*)) dnl
')
########################################
## Send and receive TCP traffic on the jboss_management port.
## Parameters:
##   1. Domain allowed access.
#
define(`corenet_tcp_sendrecv_jboss_management_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_jboss_management_port'($*)) dnl
	gen_require(`
		type jboss_management_port_t;
	')
	allow $1 jboss_management_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_jboss_management_port'($*)) dnl
')
########################################
## Send UDP traffic on the jboss_management port.
## Parameters:
##   1. Domain allowed access.
##
#
define(`corenet_udp_send_jboss_management_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_jboss_management_port'($*)) dnl
	gen_require(`
		type jboss_management_port_t;
	')
	allow $1 jboss_management_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_jboss_management_port'($*)) dnl
')
########################################
## Do not audit attempts to send UDP traffic on the jboss_management port.
## Parameters:
##   1. Domain to not audit.
#
define(`corenet_dontaudit_udp_send_jboss_management_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_jboss_management_port'($*)) dnl
	gen_require(`
		type jboss_management_port_t;
	')
	dontaudit $1 jboss_management_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_jboss_management_port'($*)) dnl
')
########################################
## Receive UDP traffic on the jboss_management port.
## Parameters:
##   1. Domain allowed access.
#
define(`corenet_udp_receive_jboss_management_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_jboss_management_port'($*)) dnl
	gen_require(`
		type jboss_management_port_t;
	')
	allow $1 jboss_management_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_jboss_management_port'($*)) dnl
')
########################################
## Do not audit attempts to receive UDP traffic on the jboss_management port.
## Parameters:
##   1. Domain to not audit.
##
#
define(`corenet_dontaudit_udp_receive_jboss_management_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_jboss_management_port'($*)) dnl
	gen_require(`
		type jboss_management_port_t;
	')
	dontaudit $1 jboss_management_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_jboss_management_port'($*)) dnl
')
########################################
## Send and receive UDP traffic on the jboss_management port
## (wrapper over the send and receive interfaces).
## Parameters:
##   1. Domain allowed access.
#
define(`corenet_udp_sendrecv_jboss_management_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_jboss_management_port'($*)) dnl
	corenet_udp_send_jboss_management_port($1)
	corenet_udp_receive_jboss_management_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_jboss_management_port'($*)) dnl
')
########################################
## Do not audit attempts to send and receive UDP traffic on the
## jboss_management port (wrapper over the dontaudit send and receive interfaces).
## Parameters:
##   1. Domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_jboss_management_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_jboss_management_port'($*)) dnl
	corenet_dontaudit_udp_send_jboss_management_port($1)
	corenet_dontaudit_udp_receive_jboss_management_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_jboss_management_port'($*)) dnl
')
########################################
## Bind TCP sockets to the jboss_management port.
## Parameters:
##   1. Domain allowed access.
##
#
define(`corenet_tcp_bind_jboss_management_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_jboss_management_port'($*)) dnl
	gen_require(`
		type jboss_management_port_t;
	')
	allow $1 jboss_management_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_jboss_management_port'($*)) dnl
')
########################################
## Bind UDP sockets to the jboss_management port.
## Parameters:
##   1. Domain allowed access.
#
define(`corenet_udp_bind_jboss_management_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_jboss_management_port'($*)) dnl
	gen_require(`
		type jboss_management_port_t;
	')
	allow $1 jboss_management_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_jboss_management_port'($*)) dnl
')
########################################
## Do not audit attempts to bind UDP sockets to the jboss_management port.
## Parameters:
##   1. Domain to not audit.
#
define(`corenet_dontaudit_udp_bind_jboss_management_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_jboss_management_port'($*)) dnl
	gen_require(`
		type jboss_management_port_t;
	')
	dontaudit $1 jboss_management_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_jboss_management_port'($*)) dnl
')
########################################
## Make a TCP connection to the jboss_management port.
## Parameters:
##   1. Domain allowed access.
##
#
define(`corenet_tcp_connect_jboss_management_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_jboss_management_port'($*)) dnl
	gen_require(`
		type jboss_management_port_t;
	')
	allow $1 jboss_management_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_jboss_management_port'($*)) dnl
')
########################################
## Do not audit attempts to make a TCP connection to the jboss_management port.
## Parameters:
##   1. Domain to not audit.
#
define(`corenet_dontaudit_tcp_connect_jboss_management_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_jboss_management_port'($*)) dnl
	gen_require(`
		type jboss_management_port_t;
	')
	dontaudit $1 jboss_management_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_jboss_management_port'($*)) dnl
')
########################################
## Send jboss_management_client packets.
## Parameters:
##   1. Domain allowed access.
#
define(`corenet_send_jboss_management_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jboss_management_client_packets'($*)) dnl
	gen_require(`
		type jboss_management_client_packet_t;
	')
	allow $1 jboss_management_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jboss_management_client_packets'($*)) dnl
')
########################################
## Do not audit attempts to send jboss_management_client packets.
## Parameters:
##   1. Domain to not audit.
##
#
define(`corenet_dontaudit_send_jboss_management_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jboss_management_client_packets'($*)) dnl
	gen_require(`
		type jboss_management_client_packet_t;
	')
	dontaudit $1 jboss_management_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jboss_management_client_packets'($*)) dnl
')
########################################
## Receive jboss_management_client packets.
## Parameters:
##   1. Domain allowed access.
#
define(`corenet_receive_jboss_management_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jboss_management_client_packets'($*)) dnl
	gen_require(`
		type jboss_management_client_packet_t;
	')
	allow $1 jboss_management_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jboss_management_client_packets'($*)) dnl
')
########################################
## Do not audit attempts to receive jboss_management_client packets.
## Parameters:
##   1. Domain to not audit.
#
define(`corenet_dontaudit_receive_jboss_management_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jboss_management_client_packets'($*)) dnl
	gen_require(`
		type jboss_management_client_packet_t;
	')
	dontaudit $1 jboss_management_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jboss_management_client_packets'($*)) dnl
')
########################################
## Send and receive jboss_management_client packets
## (wrapper over the send and receive interfaces).
## Parameters:
##   1. Domain allowed access.
##
#
define(`corenet_sendrecv_jboss_management_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jboss_management_client_packets'($*)) dnl
	corenet_send_jboss_management_client_packets($1)
	corenet_receive_jboss_management_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jboss_management_client_packets'($*)) dnl
')
########################################
## Do not audit attempts to send and receive jboss_management_client packets
## (wrapper over the dontaudit send and receive interfaces).
## Parameters:
##   1. Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_jboss_management_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jboss_management_client_packets'($*)) dnl
	corenet_dontaudit_send_jboss_management_client_packets($1)
	corenet_dontaudit_receive_jboss_management_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jboss_management_client_packets'($*)) dnl
')
########################################
## Relabel packets to the jboss_management_client packet type.
## Parameters:
##   1. Domain allowed access.
#
define(`corenet_relabelto_jboss_management_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jboss_management_client_packets'($*)) dnl
	gen_require(`
		type jboss_management_client_packet_t;
	')
	allow $1 jboss_management_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jboss_management_client_packets'($*)) dnl
')
########################################
## Send jboss_management_server packets.
## Parameters:
##   1. Domain allowed access.
##
#
define(`corenet_send_jboss_management_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_jboss_management_server_packets'($*)) dnl
	gen_require(`
		type jboss_management_server_packet_t;
	')
	allow $1 jboss_management_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_jboss_management_server_packets'($*)) dnl
')
########################################
## Do not audit attempts to send jboss_management_server packets.
## Parameters:
##   1. Domain to not audit.
#
define(`corenet_dontaudit_send_jboss_management_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_jboss_management_server_packets'($*)) dnl
	gen_require(`
		type jboss_management_server_packet_t;
	')
	dontaudit $1 jboss_management_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_jboss_management_server_packets'($*)) dnl
')
########################################
## Receive jboss_management_server packets.
## Parameters:
##   1. Domain allowed access.
#
define(`corenet_receive_jboss_management_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_jboss_management_server_packets'($*)) dnl
	gen_require(`
		type jboss_management_server_packet_t;
	')
	allow $1 jboss_management_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_jboss_management_server_packets'($*)) dnl
')
########################################
## Do not audit attempts to receive jboss_management_server packets.
## Parameters:
##   1. Domain to not audit.
##
#
define(`corenet_dontaudit_receive_jboss_management_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_jboss_management_server_packets'($*)) dnl
	gen_require(`
		type jboss_management_server_packet_t;
	')
	dontaudit $1 jboss_management_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_jboss_management_server_packets'($*)) dnl
')
########################################
## Send and receive jboss_management_server packets
## (wrapper over the send and receive interfaces).
## Parameters:
##   1. Domain allowed access.
#
define(`corenet_sendrecv_jboss_management_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_jboss_management_server_packets'($*)) dnl
	corenet_send_jboss_management_server_packets($1)
	corenet_receive_jboss_management_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_jboss_management_server_packets'($*)) dnl
')
########################################
## Do not audit attempts to send and receive jboss_management_server packets
## (wrapper over the dontaudit send and receive interfaces).
## Parameters:
##   1. Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_jboss_management_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_jboss_management_server_packets'($*)) dnl
	corenet_dontaudit_send_jboss_management_server_packets($1)
	corenet_dontaudit_receive_jboss_management_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_jboss_management_server_packets'($*)) dnl
')
########################################
## Relabel packets to the jboss_management_server packet type.
## Parameters:
##   1. Domain allowed access.
##
#
define(`corenet_relabelto_jboss_management_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_jboss_management_server_packets'($*)) dnl
	gen_require(`
		type jboss_management_server_packet_t;
	')
	allow $1 jboss_management_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_jboss_management_server_packets'($*)) dnl
')
########################################
## Send and receive TCP traffic on the journal_remote port.
## Parameters:
##   1. Domain allowed access.
#
define(`corenet_tcp_sendrecv_journal_remote_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_journal_remote_port'($*)) dnl
	gen_require(`
		type journal_remote_port_t;
	')
	allow $1 journal_remote_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_journal_remote_port'($*)) dnl
')
########################################
## Send UDP traffic on the journal_remote port.
## Parameters:
##   1. Domain allowed access.
#
define(`corenet_udp_send_journal_remote_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_journal_remote_port'($*)) dnl
	gen_require(`
		type journal_remote_port_t;
	')
	allow $1 journal_remote_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_journal_remote_port'($*)) dnl
')
########################################
## Do not audit attempts to send UDP traffic on the journal_remote port.
## Parameters:
##   1. Domain to not audit.
##
#
define(`corenet_dontaudit_udp_send_journal_remote_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_journal_remote_port'($*)) dnl
	gen_require(`
		type journal_remote_port_t;
	')
	dontaudit $1 journal_remote_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_journal_remote_port'($*)) dnl
')
########################################
## Receive UDP traffic on the journal_remote port.
## Parameters:
##   1. Domain allowed access.
#
define(`corenet_udp_receive_journal_remote_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_journal_remote_port'($*)) dnl
	gen_require(`
		type journal_remote_port_t;
	')
	allow $1 journal_remote_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_journal_remote_port'($*)) dnl
')
########################################
## Do not audit attempts to receive UDP traffic on the journal_remote port.
## Parameters:
##   1. Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_journal_remote_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_journal_remote_port'($*)) dnl
	gen_require(`
		type journal_remote_port_t;
	')
	dontaudit $1 journal_remote_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_journal_remote_port'($*)) dnl
')
########################################
## Send and receive UDP traffic on the journal_remote port
## (wrapper over the send and receive interfaces).
## Parameters:
##   1. Domain allowed access.
##
#
define(`corenet_udp_sendrecv_journal_remote_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_journal_remote_port'($*)) dnl
	corenet_udp_send_journal_remote_port($1)
	corenet_udp_receive_journal_remote_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_journal_remote_port'($*)) dnl
')
########################################
## Do not audit attempts to send and receive UDP traffic on the
## journal_remote port (wrapper over the dontaudit send and receive interfaces).
## Parameters:
##   1. Domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_journal_remote_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_journal_remote_port'($*)) dnl
	corenet_dontaudit_udp_send_journal_remote_port($1)
	corenet_dontaudit_udp_receive_journal_remote_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_journal_remote_port'($*)) dnl
')
########################################
## Bind TCP sockets to the journal_remote port.
## Parameters:
##   1. Domain allowed access.
#
define(`corenet_tcp_bind_journal_remote_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_journal_remote_port'($*)) dnl
	gen_require(`
		type journal_remote_port_t;
	')
	allow $1 journal_remote_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_journal_remote_port'($*)) dnl
')
########################################
## Bind UDP sockets to the journal_remote port.
## Parameters:
##   1. Domain allowed access.
##
#
define(`corenet_udp_bind_journal_remote_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_journal_remote_port'($*)) dnl
	gen_require(`
		type journal_remote_port_t;
	')
	allow $1 journal_remote_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_journal_remote_port'($*)) dnl
')
########################################
## Do not audit attempts to bind UDP sockets to the journal_remote port.
## Parameters:
##   1. Domain to not audit.
#
define(`corenet_dontaudit_udp_bind_journal_remote_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_journal_remote_port'($*)) dnl
	gen_require(`
		type journal_remote_port_t;
	')
	dontaudit $1 journal_remote_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_journal_remote_port'($*)) dnl
')
########################################
## Make a TCP connection to the journal_remote port.
## Parameters:
##   1. Domain allowed access.
#
define(`corenet_tcp_connect_journal_remote_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_journal_remote_port'($*)) dnl
	gen_require(`
		type journal_remote_port_t;
	')
	allow $1 journal_remote_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_journal_remote_port'($*)) dnl
')
########################################
## Do not audit attempts to make a TCP connection to the journal_remote port.
## Parameters:
##   1. Domain to not audit.
##
#
define(`corenet_dontaudit_tcp_connect_journal_remote_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_journal_remote_port'($*)) dnl
	gen_require(`
		type journal_remote_port_t;
	')
	dontaudit $1 journal_remote_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_journal_remote_port'($*)) dnl
')
########################################
## Send journal_remote_client packets.
## Parameters:
##   1. Domain allowed access.
#
define(`corenet_send_journal_remote_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_journal_remote_client_packets'($*)) dnl
	gen_require(`
		type journal_remote_client_packet_t;
	')
	allow $1 journal_remote_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_journal_remote_client_packets'($*)) dnl
')
########################################
## Do not audit attempts to send journal_remote_client packets.
## Parameters:
##   1. Domain to not audit.
#
define(`corenet_dontaudit_send_journal_remote_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_journal_remote_client_packets'($*)) dnl
	gen_require(`
		type journal_remote_client_packet_t;
	')
	dontaudit $1 journal_remote_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_journal_remote_client_packets'($*)) dnl
')
########################################
## Receive journal_remote_client packets.
## Parameters:
##   1. Domain allowed access.
## ## ## # define(`corenet_receive_journal_remote_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_journal_remote_client_packets'($*)) dnl gen_require(` type journal_remote_client_packet_t; ') allow $1 journal_remote_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_journal_remote_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive journal_remote_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_journal_remote_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_journal_remote_client_packets'($*)) dnl gen_require(` type journal_remote_client_packet_t; ') dontaudit $1 journal_remote_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_journal_remote_client_packets'($*)) dnl ') ######################################## ## ## Send and receive journal_remote_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_journal_remote_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_journal_remote_client_packets'($*)) dnl corenet_send_journal_remote_client_packets($1) corenet_receive_journal_remote_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_journal_remote_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive journal_remote_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_journal_remote_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_journal_remote_client_packets'($*)) dnl corenet_dontaudit_send_journal_remote_client_packets($1) corenet_dontaudit_receive_journal_remote_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_journal_remote_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to journal_remote_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_journal_remote_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_journal_remote_client_packets'($*)) dnl gen_require(` type journal_remote_client_packet_t; ') allow $1 journal_remote_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_journal_remote_client_packets'($*)) dnl ') ######################################## ## ## Send journal_remote_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_journal_remote_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_journal_remote_server_packets'($*)) dnl gen_require(` type journal_remote_server_packet_t; ') allow $1 journal_remote_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_journal_remote_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send journal_remote_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_journal_remote_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_journal_remote_server_packets'($*)) dnl gen_require(` type journal_remote_server_packet_t; ') dontaudit $1 journal_remote_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_journal_remote_server_packets'($*)) dnl ') ######################################## ## ## Receive journal_remote_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_journal_remote_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_journal_remote_server_packets'($*)) dnl gen_require(` type journal_remote_server_packet_t; ') allow $1 journal_remote_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_journal_remote_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive journal_remote_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_journal_remote_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_journal_remote_server_packets'($*)) dnl gen_require(` type journal_remote_server_packet_t; ') dontaudit $1 journal_remote_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_journal_remote_server_packets'($*)) dnl ') ######################################## ## ## Send and receive journal_remote_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_journal_remote_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_journal_remote_server_packets'($*)) dnl corenet_send_journal_remote_server_packets($1) corenet_receive_journal_remote_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_journal_remote_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive journal_remote_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_journal_remote_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_journal_remote_server_packets'($*)) dnl corenet_dontaudit_send_journal_remote_server_packets($1) corenet_dontaudit_receive_journal_remote_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_journal_remote_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to journal_remote_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_journal_remote_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_journal_remote_server_packets'($*)) dnl gen_require(` type journal_remote_server_packet_t; ') allow $1 journal_remote_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_journal_remote_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the kerberos port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_sendrecv_kerberos_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_kerberos_port'($*)) dnl gen_require(` type kerberos_port_t; ') allow $1 kerberos_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_kerberos_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the kerberos port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_kerberos_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_kerberos_port'($*)) dnl gen_require(` type kerberos_port_t; ') allow $1 kerberos_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_kerberos_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the kerberos port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_kerberos_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_kerberos_port'($*)) dnl gen_require(` type kerberos_port_t; ') dontaudit $1 kerberos_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_kerberos_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the kerberos port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_receive_kerberos_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_kerberos_port'($*)) dnl gen_require(` type kerberos_port_t; ') allow $1 kerberos_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_kerberos_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the kerberos port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_kerberos_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_kerberos_port'($*)) dnl gen_require(` type kerberos_port_t; ') dontaudit $1 kerberos_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_kerberos_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the kerberos port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_kerberos_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_kerberos_port'($*)) dnl corenet_udp_send_kerberos_port($1) corenet_udp_receive_kerberos_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_kerberos_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the kerberos port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_sendrecv_kerberos_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_kerberos_port'($*)) dnl corenet_dontaudit_udp_send_kerberos_port($1) corenet_dontaudit_udp_receive_kerberos_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_kerberos_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the kerberos port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_kerberos_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_kerberos_port'($*)) dnl gen_require(` type kerberos_port_t; ') allow $1 kerberos_port_t:tcp_socket name_bind; allow $1 self:capability net_bind_service; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_kerberos_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the kerberos port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_kerberos_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_kerberos_port'($*)) dnl gen_require(` type kerberos_port_t; ') allow $1 kerberos_port_t:udp_socket name_bind; allow $1 self:capability net_bind_service; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_kerberos_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to sbind to kerberos port. ## ## ## ## Domain to not audit. 
##
##
##
#
define(`corenet_dontaudit_udp_bind_kerberos_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_kerberos_port'($*)) dnl
	gen_require(`
		type kerberos_port_t;
	')

	dontaudit $1 kerberos_port_t:udp_socket name_bind;
	dnl NOTE(review): a dontaudit interface is expected only to silence denials, yet the
	dnl allow rule below grants the net_bind_service capability to every caller. A domain
	dnl that calls this interface merely to quiet audit noise ends up with a real privilege;
	dnl the grant belongs with the allow interface corenet_udp_bind_kerberos_port instead.
	allow $1 self:capability net_bind_service;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_kerberos_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the kerberos port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_kerberos_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_kerberos_port'($*)) dnl
	gen_require(`
		type kerberos_port_t;
	')

	allow $1 kerberos_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_kerberos_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to kerberos port.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_kerberos_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_kerberos_port'($*)) dnl
	gen_require(`
		type kerberos_port_t;
	')

	dnl silences the denial only; grants nothing
	dontaudit $1 kerberos_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_kerberos_port'($*)) dnl
')

########################################
##
##	Send kerberos_client packets.
##
##
##
##	Domain allowed access.
## ## ## # define(`corenet_send_kerberos_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_client_packets'($*)) dnl gen_require(` type kerberos_client_packet_t; ') allow $1 kerberos_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send kerberos_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_kerberos_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_client_packets'($*)) dnl gen_require(` type kerberos_client_packet_t; ') dontaudit $1 kerberos_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_client_packets'($*)) dnl ') ######################################## ## ## Receive kerberos_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_kerberos_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_client_packets'($*)) dnl gen_require(` type kerberos_client_packet_t; ') allow $1 kerberos_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive kerberos_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_kerberos_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_client_packets'($*)) dnl gen_require(` type kerberos_client_packet_t; ') dontaudit $1 kerberos_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_client_packets'($*)) dnl ') ######################################## ## ## Send and receive kerberos_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_kerberos_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_client_packets'($*)) dnl corenet_send_kerberos_client_packets($1) corenet_receive_kerberos_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive kerberos_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_kerberos_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_client_packets'($*)) dnl corenet_dontaudit_send_kerberos_client_packets($1) corenet_dontaudit_receive_kerberos_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to kerberos_client the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_kerberos_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_client_packets'($*)) dnl gen_require(` type kerberos_client_packet_t; ') allow $1 kerberos_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_client_packets'($*)) dnl ') ######################################## ## ## Send kerberos_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_kerberos_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_server_packets'($*)) dnl gen_require(` type kerberos_server_packet_t; ') allow $1 kerberos_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send kerberos_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_kerberos_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_server_packets'($*)) dnl gen_require(` type kerberos_server_packet_t; ') dontaudit $1 kerberos_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_server_packets'($*)) dnl ') ######################################## ## ## Receive kerberos_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_kerberos_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_server_packets'($*)) dnl gen_require(` type kerberos_server_packet_t; ') allow $1 kerberos_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive kerberos_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_kerberos_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_server_packets'($*)) dnl gen_require(` type kerberos_server_packet_t; ') dontaudit $1 kerberos_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_server_packets'($*)) dnl ') ######################################## ## ## Send and receive kerberos_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_kerberos_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_server_packets'($*)) dnl corenet_send_kerberos_server_packets($1) corenet_receive_kerberos_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive kerberos_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_kerberos_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_server_packets'($*)) dnl corenet_dontaudit_send_kerberos_server_packets($1) corenet_dontaudit_receive_kerberos_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to kerberos_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_kerberos_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_server_packets'($*)) dnl gen_require(` type kerberos_server_packet_t; ') allow $1 kerberos_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the kerberos_admin port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_kerberos_admin_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_kerberos_admin_port'($*)) dnl gen_require(` type kerberos_admin_port_t; ') allow $1 kerberos_admin_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_kerberos_admin_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the kerberos_admin port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_send_kerberos_admin_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_kerberos_admin_port'($*)) dnl gen_require(` type kerberos_admin_port_t; ') allow $1 kerberos_admin_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_kerberos_admin_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the kerberos_admin port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_kerberos_admin_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_kerberos_admin_port'($*)) dnl gen_require(` type kerberos_admin_port_t; ') dontaudit $1 kerberos_admin_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_kerberos_admin_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the kerberos_admin port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_kerberos_admin_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_kerberos_admin_port'($*)) dnl gen_require(` type kerberos_admin_port_t; ') allow $1 kerberos_admin_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_kerberos_admin_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the kerberos_admin port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_receive_kerberos_admin_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_kerberos_admin_port'($*)) dnl gen_require(` type kerberos_admin_port_t; ') dontaudit $1 kerberos_admin_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_kerberos_admin_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the kerberos_admin port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_kerberos_admin_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_kerberos_admin_port'($*)) dnl corenet_udp_send_kerberos_admin_port($1) corenet_udp_receive_kerberos_admin_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_kerberos_admin_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the kerberos_admin port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_kerberos_admin_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_kerberos_admin_port'($*)) dnl corenet_dontaudit_udp_send_kerberos_admin_port($1) corenet_dontaudit_udp_receive_kerberos_admin_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_kerberos_admin_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the kerberos_admin port. ## ## ## ## Domain allowed access. 
##
##
##
#
define(`corenet_tcp_bind_kerberos_admin_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_kerberos_admin_port'($*)) dnl
	gen_require(`
		type kerberos_admin_port_t;
	')

	allow $1 kerberos_admin_port_t:tcp_socket name_bind;
	dnl the bind is paired with the net_bind_service capability, the pattern this file
	dnl uses for privileged (low-numbered) ports -- confirm against the port declaration.
	dnl Note that the capability is granted on self, so it is not limited to this port.
	allow $1 self:capability net_bind_service;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_kerberos_admin_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the kerberos_admin port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_kerberos_admin_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_kerberos_admin_port'($*)) dnl
	gen_require(`
		type kerberos_admin_port_t;
	')

	allow $1 kerberos_admin_port_t:udp_socket name_bind;
	dnl same capability pairing as the TCP bind interface above
	allow $1 self:capability net_bind_service;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_kerberos_admin_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind to kerberos_admin port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_kerberos_admin_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_kerberos_admin_port'($*)) dnl
	gen_require(`
		type kerberos_admin_port_t;
	')

	dontaudit $1 kerberos_admin_port_t:udp_socket name_bind;
	dnl NOTE(review): a dontaudit interface is expected only to silence denials, yet the
	dnl allow rule below grants the net_bind_service capability to every caller. A domain
	dnl that calls this interface merely to quiet audit noise ends up with a real privilege;
	dnl the grant belongs with the allow interface corenet_udp_bind_kerberos_admin_port instead.
	allow $1 self:capability net_bind_service;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_kerberos_admin_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the kerberos_admin port.
##
##
##
##	Domain allowed access.
## ## # define(`corenet_tcp_connect_kerberos_admin_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_kerberos_admin_port'($*)) dnl gen_require(` type kerberos_admin_port_t; ') allow $1 kerberos_admin_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_kerberos_admin_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to kerberos_admin port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_dontaudit_tcp_connect_kerberos_admin_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_kerberos_admin_port'($*)) dnl gen_require(` type kerberos_admin_port_t; ') dontaudit $1 kerberos_admin_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_kerberos_admin_port'($*)) dnl ') ######################################## ## ## Send kerberos_admin_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_kerberos_admin_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_admin_client_packets'($*)) dnl gen_require(` type kerberos_admin_client_packet_t; ') allow $1 kerberos_admin_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_admin_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send kerberos_admin_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_kerberos_admin_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_admin_client_packets'($*)) dnl gen_require(` type kerberos_admin_client_packet_t; ') dontaudit $1 kerberos_admin_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_admin_client_packets'($*)) dnl ') ######################################## ## ## Receive kerberos_admin_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_kerberos_admin_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_admin_client_packets'($*)) dnl gen_require(` type kerberos_admin_client_packet_t; ') allow $1 kerberos_admin_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_admin_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive kerberos_admin_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_kerberos_admin_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_admin_client_packets'($*)) dnl gen_require(` type kerberos_admin_client_packet_t; ') dontaudit $1 kerberos_admin_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_admin_client_packets'($*)) dnl ') ######################################## ## ## Send and receive kerberos_admin_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_kerberos_admin_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_admin_client_packets'($*)) dnl corenet_send_kerberos_admin_client_packets($1) corenet_receive_kerberos_admin_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_admin_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive kerberos_admin_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_kerberos_admin_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_admin_client_packets'($*)) dnl corenet_dontaudit_send_kerberos_admin_client_packets($1) corenet_dontaudit_receive_kerberos_admin_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_admin_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to kerberos_admin_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_kerberos_admin_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_admin_client_packets'($*)) dnl gen_require(` type kerberos_admin_client_packet_t; ') allow $1 kerberos_admin_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_admin_client_packets'($*)) dnl ') ######################################## ## ## Send kerberos_admin_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_kerberos_admin_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_admin_server_packets'($*)) dnl gen_require(` type kerberos_admin_server_packet_t; ') allow $1 kerberos_admin_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_admin_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send kerberos_admin_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_kerberos_admin_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_admin_server_packets'($*)) dnl gen_require(` type kerberos_admin_server_packet_t; ') dontaudit $1 kerberos_admin_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_admin_server_packets'($*)) dnl ') ######################################## ## ## Receive kerberos_admin_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_kerberos_admin_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_admin_server_packets'($*)) dnl gen_require(` type kerberos_admin_server_packet_t; ') allow $1 kerberos_admin_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_admin_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive kerberos_admin_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_kerberos_admin_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_admin_server_packets'($*)) dnl gen_require(` type kerberos_admin_server_packet_t; ') dontaudit $1 kerberos_admin_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_admin_server_packets'($*)) dnl ') ######################################## ## ## Send and receive kerberos_admin_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_kerberos_admin_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_admin_server_packets'($*)) dnl corenet_send_kerberos_admin_server_packets($1) corenet_receive_kerberos_admin_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_admin_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive kerberos_admin_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_kerberos_admin_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_admin_server_packets'($*)) dnl corenet_dontaudit_send_kerberos_admin_server_packets($1) corenet_dontaudit_receive_kerberos_admin_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_admin_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to kerberos_admin_server the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_kerberos_admin_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_admin_server_packets'($*)) dnl gen_require(` type kerberos_admin_server_packet_t; ') allow $1 kerberos_admin_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_admin_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the kerberos_password port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_kerberos_password_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_kerberos_password_port'($*)) dnl gen_require(` type kerberos_password_port_t; ') allow $1 kerberos_password_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_kerberos_password_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the kerberos_password port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_kerberos_password_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_kerberos_password_port'($*)) dnl gen_require(` type kerberos_password_port_t; ') allow $1 kerberos_password_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_kerberos_password_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the kerberos_password port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_send_kerberos_password_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_kerberos_password_port'($*)) dnl gen_require(` type kerberos_password_port_t; ') dontaudit $1 kerberos_password_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_kerberos_password_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the kerberos_password port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_kerberos_password_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_kerberos_password_port'($*)) dnl gen_require(` type kerberos_password_port_t; ') allow $1 kerberos_password_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_kerberos_password_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the kerberos_password port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_kerberos_password_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_kerberos_password_port'($*)) dnl gen_require(` type kerberos_password_port_t; ') dontaudit $1 kerberos_password_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_kerberos_password_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the kerberos_password port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_sendrecv_kerberos_password_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_kerberos_password_port'($*)) dnl corenet_udp_send_kerberos_password_port($1) corenet_udp_receive_kerberos_password_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_kerberos_password_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the kerberos_password port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_kerberos_password_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_kerberos_password_port'($*)) dnl corenet_dontaudit_udp_send_kerberos_password_port($1) corenet_dontaudit_udp_receive_kerberos_password_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_kerberos_password_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the kerberos_password port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_kerberos_password_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_kerberos_password_port'($*)) dnl gen_require(` type kerberos_password_port_t; ') allow $1 kerberos_password_port_t:tcp_socket name_bind; allow $1 self:capability net_bind_service; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_kerberos_password_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the kerberos_password port. ## ## ## ## Domain allowed access. 
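##
##
##
#
define(`corenet_udp_bind_kerberos_password_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_kerberos_password_port'($*)) dnl
	gen_require(`
		type kerberos_password_port_t;
	')

	allow $1 kerberos_password_port_t:udp_socket name_bind;
	# CAP_NET_BIND_SERVICE is granted together with name_bind here, which the
	# keystone bind interfaces in this file do not do; that indicates the
	# kerberos_password port is a reserved (<1024) port. Confirm against the
	# port declaration before relying on it.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_kerberos_password_port'($*)) dnl
')

########################################
## Summary:
##	Do not audit attempts to bind UDP sockets to the kerberos_password port.
##	This interface only suppresses the AVC denial. It deliberately grants
##	no capability: a dontaudit interface must never widen the privileges
##	of the caller. Previously it also allowed self:capability
##	net_bind_service, so any domain that merely wanted quiet logs silently
##	received CAP_NET_BIND_SERVICE, the DAC half of binding reserved ports.
##	Domains that really need to bind must call
##	corenet_udp_bind_kerberos_password_port instead. These interfaces look
##	generated from a per-port template; apply the same fix there or the
##	next regeneration restores the grant.
## Parameter 1 (domain):
##	Domain to not audit.
#
define(`corenet_dontaudit_udp_bind_kerberos_password_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_kerberos_password_port'($*)) dnl
	gen_require(`
		type kerberos_password_port_t;
	')

	# Intentionally no net_bind_service grant here; see the summary above.
	dontaudit $1 kerberos_password_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_kerberos_password_port'($*)) dnl
')

########################################
## Summary:
##	Make a TCP connection to the kerberos_password port.
## Parameter 1 (domain):
##	Domain allowed access.
#
define(`corenet_tcp_connect_kerberos_password_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_kerberos_password_port'($*)) dnl
	gen_require(`
		type kerberos_password_port_t;
	')

	# Client side only; binding is covered by corenet_tcp_bind_kerberos_password_port.
	allow $1 kerberos_password_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_kerberos_password_port'($*)) dnl
')

########################################
## Summary:
##	Do not audit attempts to make a TCP connection to the kerberos_password port.
## Parameter 1 (domain):
##	Domain to not audit.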
## ## # define(`corenet_dontaudit_tcp_connect_kerberos_password_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_kerberos_password_port'($*)) dnl gen_require(` type kerberos_password_port_t; ') dontaudit $1 kerberos_password_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_kerberos_password_port'($*)) dnl ') ######################################## ## ## Send kerberos_password_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_kerberos_password_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_password_client_packets'($*)) dnl gen_require(` type kerberos_password_client_packet_t; ') allow $1 kerberos_password_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_password_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send kerberos_password_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_kerberos_password_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_password_client_packets'($*)) dnl gen_require(` type kerberos_password_client_packet_t; ') dontaudit $1 kerberos_password_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_password_client_packets'($*)) dnl ') ######################################## ## ## Receive kerberos_password_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_kerberos_password_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_password_client_packets'($*)) dnl gen_require(` type kerberos_password_client_packet_t; ') allow $1 kerberos_password_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_password_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive kerberos_password_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_kerberos_password_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_password_client_packets'($*)) dnl gen_require(` type kerberos_password_client_packet_t; ') dontaudit $1 kerberos_password_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_password_client_packets'($*)) dnl ') ######################################## ## ## Send and receive kerberos_password_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_kerberos_password_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_password_client_packets'($*)) dnl corenet_send_kerberos_password_client_packets($1) corenet_receive_kerberos_password_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_password_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive kerberos_password_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_kerberos_password_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_password_client_packets'($*)) dnl corenet_dontaudit_send_kerberos_password_client_packets($1) corenet_dontaudit_receive_kerberos_password_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_password_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to kerberos_password_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_kerberos_password_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_password_client_packets'($*)) dnl gen_require(` type kerberos_password_client_packet_t; ') allow $1 kerberos_password_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_password_client_packets'($*)) dnl ') ######################################## ## ## Send kerberos_password_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_kerberos_password_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_kerberos_password_server_packets'($*)) dnl gen_require(` type kerberos_password_server_packet_t; ') allow $1 kerberos_password_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_kerberos_password_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send kerberos_password_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_kerberos_password_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kerberos_password_server_packets'($*)) dnl gen_require(` type kerberos_password_server_packet_t; ') dontaudit $1 kerberos_password_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kerberos_password_server_packets'($*)) dnl ') ######################################## ## ## Receive kerberos_password_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_kerberos_password_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_kerberos_password_server_packets'($*)) dnl gen_require(` type kerberos_password_server_packet_t; ') allow $1 kerberos_password_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_kerberos_password_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive kerberos_password_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_kerberos_password_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kerberos_password_server_packets'($*)) dnl gen_require(` type kerberos_password_server_packet_t; ') dontaudit $1 kerberos_password_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kerberos_password_server_packets'($*)) dnl ') ######################################## ## ## Send and receive kerberos_password_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_kerberos_password_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kerberos_password_server_packets'($*)) dnl corenet_send_kerberos_password_server_packets($1) corenet_receive_kerberos_password_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kerberos_password_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive kerberos_password_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_kerberos_password_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kerberos_password_server_packets'($*)) dnl corenet_dontaudit_send_kerberos_password_server_packets($1) corenet_dontaudit_receive_kerberos_password_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kerberos_password_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to kerberos_password_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_kerberos_password_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kerberos_password_server_packets'($*)) dnl gen_require(` type kerberos_password_server_packet_t; ') allow $1 kerberos_password_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_kerberos_password_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the keystone port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_sendrecv_keystone_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_keystone_port'($*)) dnl gen_require(` type keystone_port_t; ') allow $1 keystone_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_keystone_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the keystone port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_keystone_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_keystone_port'($*)) dnl gen_require(` type keystone_port_t; ') allow $1 keystone_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_keystone_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the keystone port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_keystone_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_keystone_port'($*)) dnl gen_require(` type keystone_port_t; ') dontaudit $1 keystone_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_keystone_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the keystone port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_receive_keystone_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_keystone_port'($*)) dnl gen_require(` type keystone_port_t; ') allow $1 keystone_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_keystone_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the keystone port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_keystone_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_keystone_port'($*)) dnl gen_require(` type keystone_port_t; ') dontaudit $1 keystone_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_keystone_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the keystone port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_keystone_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_keystone_port'($*)) dnl corenet_udp_send_keystone_port($1) corenet_udp_receive_keystone_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_keystone_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the keystone port. ## ## ## ## Domain to not audit. 
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_keystone_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_keystone_port'($*)) dnl
	# Composed of the single-direction dontaudit interfaces; adds no rules of its own.
	corenet_dontaudit_udp_send_keystone_port($1)
	corenet_dontaudit_udp_receive_keystone_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_keystone_port'($*)) dnl
')

########################################
## Summary:
##	Bind TCP sockets to the keystone port.
##	Unlike the kerberos_password bind interfaces in this file, no
##	self:capability net_bind_service is granted, consistent with keystone
##	being an unreserved (>=1024) port. Confirm against the port declaration.
## Parameter 1 (domain):
##	Domain allowed access.
#
define(`corenet_tcp_bind_keystone_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_keystone_port'($*)) dnl
	gen_require(`
		type keystone_port_t;
	')

	allow $1 keystone_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_keystone_port'($*)) dnl
')

########################################
## Summary:
##	Bind UDP sockets to the keystone port.
##	No net_bind_service capability is granted (see the TCP variant above).
## Parameter 1 (domain):
##	Domain allowed access.
#
define(`corenet_udp_bind_keystone_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_keystone_port'($*)) dnl
	gen_require(`
		type keystone_port_t;
	')

	allow $1 keystone_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_keystone_port'($*)) dnl
')

########################################
## Summary:
##	Do not audit attempts to bind UDP sockets to the keystone port.
## Parameter 1 (domain):
##	Domain to not audit.
## ## ## # define(`corenet_dontaudit_udp_bind_keystone_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_keystone_port'($*)) dnl gen_require(` type keystone_port_t; ') dontaudit $1 keystone_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_keystone_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the keystone port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_keystone_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_keystone_port'($*)) dnl gen_require(` type keystone_port_t; ') allow $1 keystone_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_keystone_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to keystone port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_dontaudit_tcp_connect_keystone_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_keystone_port'($*)) dnl gen_require(` type keystone_port_t; ') dontaudit $1 keystone_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_keystone_port'($*)) dnl ') ######################################## ## ## Send keystone_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_keystone_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_keystone_client_packets'($*)) dnl gen_require(` type keystone_client_packet_t; ') allow $1 keystone_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_keystone_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send keystone_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_keystone_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_keystone_client_packets'($*)) dnl gen_require(` type keystone_client_packet_t; ') dontaudit $1 keystone_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_keystone_client_packets'($*)) dnl ') ######################################## ## ## Receive keystone_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_keystone_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_keystone_client_packets'($*)) dnl gen_require(` type keystone_client_packet_t; ') allow $1 keystone_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_keystone_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive keystone_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_keystone_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_keystone_client_packets'($*)) dnl gen_require(` type keystone_client_packet_t; ') dontaudit $1 keystone_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_keystone_client_packets'($*)) dnl ') ######################################## ## ## Send and receive keystone_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_keystone_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_keystone_client_packets'($*)) dnl corenet_send_keystone_client_packets($1) corenet_receive_keystone_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_keystone_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive keystone_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_keystone_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_keystone_client_packets'($*)) dnl corenet_dontaudit_send_keystone_client_packets($1) corenet_dontaudit_receive_keystone_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_keystone_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to keystone_client the packet type. ## ## ## ## Domain allowed access. 
## </summary>
## </param>
#
# NOTE(review): packet relabelto is presumably checked when a SECMARK rule assigning this
# label is loaded, i.e. firewall-administration privilege -- grant only to that domain.
#
define(`corenet_relabelto_keystone_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_keystone_client_packets'($*)) dnl
	gen_require(`
		type keystone_client_packet_t;
	')

	allow $1 keystone_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_keystone_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send keystone_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
# NOTE(review): packet-class checks apply only to traffic carrying a SECMARK label;
# with no SECMARK/CONNSECMARK rules loaded this rule is inert -- confirm for the deployment.
#
define(`corenet_send_keystone_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_keystone_server_packets'($*)) dnl
	gen_require(`
		type keystone_server_packet_t;
	')

	allow $1 keystone_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_keystone_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send keystone_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_send_keystone_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_keystone_server_packets'($*)) dnl
	gen_require(`
		type keystone_server_packet_t;
	')

	dontaudit $1 keystone_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_keystone_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive keystone_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
#
# NOTE(review): packet-class checks apply only to traffic carrying a SECMARK label;
# with no SECMARK/CONNSECMARK rules loaded this rule is inert -- confirm for the deployment.
#
define(`corenet_receive_keystone_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_keystone_server_packets'($*)) dnl
	gen_require(`
		type keystone_server_packet_t;
	')

	allow $1 keystone_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_keystone_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive keystone_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_receive_keystone_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_keystone_server_packets'($*)) dnl
	gen_require(`
		type keystone_server_packet_t;
	')

	dontaudit $1 keystone_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_keystone_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive keystone_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# NOTE(review): packet-class checks apply only to traffic carrying a SECMARK label;
# with no SECMARK/CONNSECMARK rules loaded this rule is inert -- confirm for the deployment.
#
define(`corenet_sendrecv_keystone_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_keystone_server_packets'($*)) dnl
	corenet_send_keystone_server_packets($1)
	corenet_receive_keystone_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_keystone_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive keystone_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_sendrecv_keystone_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_keystone_server_packets'($*)) dnl
	corenet_dontaudit_send_keystone_server_packets($1)
	corenet_dontaudit_receive_keystone_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_keystone_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the keystone_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): packet relabelto is presumably checked when a SECMARK rule assigning this
# label is loaded, i.e. firewall-administration privilege -- grant only to that domain.
#
define(`corenet_relabelto_keystone_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_keystone_server_packets'($*)) dnl
	gen_require(`
		type keystone_server_packet_t;
	')

	allow $1 keystone_server_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_keystone_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the kubernetes port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# NOTE(review): kubernetes_port_t presumably covers the API-server/kubelet ports -- check
# the port definition in corenetwork.te.in before granting broadly.
# NOTE(review): tcp_socket send_msg/recv_msg on a port type is presumably enforced only on
# the legacy (network_peer_controls disabled) path; name_connect/name_bind remain the
# effective port controls -- confirm for the target kernel.
#
define(`corenet_tcp_sendrecv_kubernetes_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_kubernetes_port'($*)) dnl
	gen_require(`
		type kubernetes_port_t;
	')

	allow $1 kubernetes_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_kubernetes_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the kubernetes port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="write" weight="10"/>
#
# NOTE(review): udp_socket send_msg/recv_msg on a port type is presumably enforced only on
# the legacy (network_peer_controls disabled) path -- confirm for the target kernel.
#
define(`corenet_udp_send_kubernetes_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_kubernetes_port'($*)) dnl
	gen_require(`
		type kubernetes_port_t;
	')

	allow $1 kubernetes_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_kubernetes_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the kubernetes port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_udp_send_kubernetes_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_kubernetes_port'($*)) dnl
	gen_require(`
		type kubernetes_port_t;
	')

	dontaudit $1 kubernetes_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_kubernetes_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the kubernetes port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
# NOTE(review): udp_socket send_msg/recv_msg on a port type is presumably enforced only on
# the legacy (network_peer_controls disabled) path -- confirm for the target kernel.
#
define(`corenet_udp_receive_kubernetes_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_kubernetes_port'($*)) dnl
	gen_require(`
		type kubernetes_port_t;
	')

	allow $1 kubernetes_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_kubernetes_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the kubernetes port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_udp_receive_kubernetes_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_kubernetes_port'($*)) dnl
	gen_require(`
		type kubernetes_port_t;
	')

	dontaudit $1 kubernetes_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_kubernetes_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the kubernetes port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# NOTE(review): udp_socket send_msg/recv_msg on a port type is presumably enforced only on
# the legacy (network_peer_controls disabled) path -- confirm for the target kernel.
#
define(`corenet_udp_sendrecv_kubernetes_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_kubernetes_port'($*)) dnl
	corenet_udp_send_kubernetes_port($1)
	corenet_udp_receive_kubernetes_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_kubernetes_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the kubernetes port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_udp_sendrecv_kubernetes_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_kubernetes_port'($*)) dnl
	corenet_dontaudit_udp_send_kubernetes_port($1)
	corenet_dontaudit_udp_receive_kubernetes_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_kubernetes_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the kubernetes port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="none"/>
#
# NOTE(review): name_bind lets the domain stand up a listener on this port (service
# impersonation if misused); restrict to the daemon that legitimately serves it.
#
define(`corenet_tcp_bind_kubernetes_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_kubernetes_port'($*)) dnl
	gen_require(`
		type kubernetes_port_t;
	')

	allow $1 kubernetes_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_kubernetes_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the kubernetes port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# NOTE(review): name_bind lets the domain stand up a listener on this port (service
# impersonation if misused); restrict to the daemon that legitimately serves it.
#
define(`corenet_udp_bind_kubernetes_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_kubernetes_port'($*)) dnl
	gen_require(`
		type kubernetes_port_t;
	')

	allow $1 kubernetes_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_kubernetes_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the kubernetes port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_udp_bind_kubernetes_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_kubernetes_port'($*)) dnl
	gen_require(`
		type kubernetes_port_t;
	')

	dontaudit $1 kubernetes_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_kubernetes_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the kubernetes port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# NOTE(review): name_connect is the check that actually gates outbound TCP to this port;
# review each caller of this interface rather than granting it broadly.
#
define(`corenet_tcp_connect_kubernetes_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_kubernetes_port'($*)) dnl
	gen_require(`
		type kubernetes_port_t;
	')

	allow $1 kubernetes_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_kubernetes_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the kubernetes port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_tcp_connect_kubernetes_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_kubernetes_port'($*)) dnl
	gen_require(`
		type kubernetes_port_t;
	')

	dontaudit $1 kubernetes_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_kubernetes_port'($*)) dnl
')

########################################
## <summary>
##	Send kubernetes_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
# NOTE(review): packet-class checks apply only to traffic carrying a SECMARK label;
# with no SECMARK/CONNSECMARK rules loaded this rule is inert -- confirm for the deployment.
#
define(`corenet_send_kubernetes_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_kubernetes_client_packets'($*)) dnl
	gen_require(`
		type kubernetes_client_packet_t;
	')

	allow $1 kubernetes_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_kubernetes_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send kubernetes_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
## <infoflow type="write" weight="10"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_send_kubernetes_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kubernetes_client_packets'($*)) dnl
	gen_require(`
		type kubernetes_client_packet_t;
	')

	dontaudit $1 kubernetes_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kubernetes_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive kubernetes_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
# NOTE(review): packet-class checks apply only to traffic carrying a SECMARK label;
# with no SECMARK/CONNSECMARK rules loaded this rule is inert -- confirm for the deployment.
#
define(`corenet_receive_kubernetes_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_kubernetes_client_packets'($*)) dnl
	gen_require(`
		type kubernetes_client_packet_t;
	')

	allow $1 kubernetes_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_kubernetes_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive kubernetes_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_receive_kubernetes_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kubernetes_client_packets'($*)) dnl
	gen_require(`
		type kubernetes_client_packet_t;
	')

	dontaudit $1 kubernetes_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kubernetes_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive kubernetes_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# NOTE(review): packet-class checks apply only to traffic carrying a SECMARK label;
# with no SECMARK/CONNSECMARK rules loaded this rule is inert -- confirm for the deployment.
#
define(`corenet_sendrecv_kubernetes_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kubernetes_client_packets'($*)) dnl
	corenet_send_kubernetes_client_packets($1)
	corenet_receive_kubernetes_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kubernetes_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive kubernetes_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_sendrecv_kubernetes_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kubernetes_client_packets'($*)) dnl
	corenet_dontaudit_send_kubernetes_client_packets($1)
	corenet_dontaudit_receive_kubernetes_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kubernetes_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the kubernetes_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): packet relabelto is presumably checked when a SECMARK rule assigning this
# label is loaded, i.e. firewall-administration privilege -- grant only to that domain.
#
define(`corenet_relabelto_kubernetes_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kubernetes_client_packets'($*)) dnl
	gen_require(`
		type kubernetes_client_packet_t;
	')

	allow $1 kubernetes_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_kubernetes_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send kubernetes_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="write" weight="10"/>
#
# NOTE(review): packet-class checks apply only to traffic carrying a SECMARK label;
# with no SECMARK/CONNSECMARK rules loaded this rule is inert -- confirm for the deployment.
#
define(`corenet_send_kubernetes_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_kubernetes_server_packets'($*)) dnl
	gen_require(`
		type kubernetes_server_packet_t;
	')

	allow $1 kubernetes_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_kubernetes_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send kubernetes_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_send_kubernetes_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kubernetes_server_packets'($*)) dnl
	gen_require(`
		type kubernetes_server_packet_t;
	')

	dontaudit $1 kubernetes_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kubernetes_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive kubernetes_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
# NOTE(review): packet-class checks apply only to traffic carrying a SECMARK label;
# with no SECMARK/CONNSECMARK rules loaded this rule is inert -- confirm for the deployment.
#
define(`corenet_receive_kubernetes_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_kubernetes_server_packets'($*)) dnl
	gen_require(`
		type kubernetes_server_packet_t;
	')

	allow $1 kubernetes_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_kubernetes_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive kubernetes_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_receive_kubernetes_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kubernetes_server_packets'($*)) dnl
	gen_require(`
		type kubernetes_server_packet_t;
	')

	dontaudit $1 kubernetes_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kubernetes_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive kubernetes_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# NOTE(review): packet-class checks apply only to traffic carrying a SECMARK label;
# with no SECMARK/CONNSECMARK rules loaded this rule is inert -- confirm for the deployment.
#
define(`corenet_sendrecv_kubernetes_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kubernetes_server_packets'($*)) dnl
	corenet_send_kubernetes_server_packets($1)
	corenet_receive_kubernetes_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kubernetes_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive kubernetes_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_sendrecv_kubernetes_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kubernetes_server_packets'($*)) dnl
	corenet_dontaudit_send_kubernetes_server_packets($1)
	corenet_dontaudit_receive_kubernetes_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kubernetes_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the kubernetes_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
# NOTE(review): packet relabelto is presumably checked when a SECMARK rule assigning this
# label is loaded, i.e. firewall-administration privilege -- grant only to that domain.
#
define(`corenet_relabelto_kubernetes_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kubernetes_server_packets'($*)) dnl
	gen_require(`
		type kubernetes_server_packet_t;
	')

	allow $1 kubernetes_server_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_kubernetes_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the lltng port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# NOTE(review): "lltng" is possibly a misspelling of LTTng (tracing session daemon);
# verify the port definition in corenetwork.te.in before widening access.
# NOTE(review): tcp_socket send_msg/recv_msg on a port type is presumably enforced only on
# the legacy (network_peer_controls disabled) path; name_connect/name_bind remain the
# effective port controls -- confirm for the target kernel.
#
define(`corenet_tcp_sendrecv_lltng_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_lltng_port'($*)) dnl
	gen_require(`
		type lltng_port_t;
	')

	allow $1 lltng_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_lltng_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the lltng port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
# NOTE(review): udp_socket send_msg/recv_msg on a port type is presumably enforced only on
# the legacy (network_peer_controls disabled) path -- confirm for the target kernel.
#
define(`corenet_udp_send_lltng_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_lltng_port'($*)) dnl
	gen_require(`
		type lltng_port_t;
	')

	allow $1 lltng_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_lltng_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the lltng port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
## <infoflow type="write" weight="10"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_udp_send_lltng_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_lltng_port'($*)) dnl
	gen_require(`
		type lltng_port_t;
	')

	dontaudit $1 lltng_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_lltng_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the lltng port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
# NOTE(review): udp_socket send_msg/recv_msg on a port type is presumably enforced only on
# the legacy (network_peer_controls disabled) path -- confirm for the target kernel.
#
define(`corenet_udp_receive_lltng_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_lltng_port'($*)) dnl
	gen_require(`
		type lltng_port_t;
	')

	allow $1 lltng_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_lltng_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the lltng port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_udp_receive_lltng_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_lltng_port'($*)) dnl
	gen_require(`
		type lltng_port_t;
	')

	dontaudit $1 lltng_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_lltng_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the lltng port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# NOTE(review): udp_socket send_msg/recv_msg on a port type is presumably enforced only on
# the legacy (network_peer_controls disabled) path -- confirm for the target kernel.
#
define(`corenet_udp_sendrecv_lltng_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_lltng_port'($*)) dnl
	corenet_udp_send_lltng_port($1)
	corenet_udp_receive_lltng_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_lltng_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the lltng port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_udp_sendrecv_lltng_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_lltng_port'($*)) dnl
	corenet_dontaudit_udp_send_lltng_port($1)
	corenet_dontaudit_udp_receive_lltng_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_lltng_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the lltng port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# NOTE(review): name_bind lets the domain stand up a listener on this port (service
# impersonation if misused); restrict to the daemon that legitimately serves it.
#
define(`corenet_tcp_bind_lltng_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_lltng_port'($*)) dnl
	gen_require(`
		type lltng_port_t;
	')

	allow $1 lltng_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_lltng_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the lltng port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="none"/>
#
# NOTE(review): name_bind lets the domain stand up a listener on this port (service
# impersonation if misused); restrict to the daemon that legitimately serves it.
#
define(`corenet_udp_bind_lltng_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_lltng_port'($*)) dnl
	gen_require(`
		type lltng_port_t;
	')

	allow $1 lltng_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_lltng_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the lltng port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_udp_bind_lltng_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_lltng_port'($*)) dnl
	gen_require(`
		type lltng_port_t;
	')

	dontaudit $1 lltng_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_lltng_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the lltng port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): name_connect is the check that actually gates outbound TCP to this port;
# review each caller of this interface rather than granting it broadly.
#
define(`corenet_tcp_connect_lltng_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_lltng_port'($*)) dnl
	gen_require(`
		type lltng_port_t;
	')

	allow $1 lltng_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_lltng_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the lltng port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_tcp_connect_lltng_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_lltng_port'($*)) dnl
	gen_require(`
		type lltng_port_t;
	')

	dontaudit $1 lltng_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_lltng_port'($*)) dnl
')

########################################
## <summary>
##	Send lltng_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
# NOTE(review): packet-class checks apply only to traffic carrying a SECMARK label;
# with no SECMARK/CONNSECMARK rules loaded this rule is inert -- confirm for the deployment.
#
define(`corenet_send_lltng_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_lltng_client_packets'($*)) dnl
	gen_require(`
		type lltng_client_packet_t;
	')

	allow $1 lltng_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_lltng_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send lltng_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_send_lltng_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lltng_client_packets'($*)) dnl
	gen_require(`
		type lltng_client_packet_t;
	')

	dontaudit $1 lltng_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lltng_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive lltng_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
#
# NOTE(review): packet-class checks apply only to traffic carrying a SECMARK label;
# with no SECMARK/CONNSECMARK rules loaded this rule is inert -- confirm for the deployment.
#
define(`corenet_receive_lltng_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_lltng_client_packets'($*)) dnl
	gen_require(`
		type lltng_client_packet_t;
	')

	allow $1 lltng_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_lltng_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive lltng_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_receive_lltng_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lltng_client_packets'($*)) dnl
	gen_require(`
		type lltng_client_packet_t;
	')

	dontaudit $1 lltng_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lltng_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive lltng_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# NOTE(review): packet-class checks apply only to traffic carrying a SECMARK label;
# with no SECMARK/CONNSECMARK rules loaded this rule is inert -- confirm for the deployment.
#
define(`corenet_sendrecv_lltng_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lltng_client_packets'($*)) dnl
	corenet_send_lltng_client_packets($1)
	corenet_receive_lltng_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lltng_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive lltng_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_sendrecv_lltng_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lltng_client_packets'($*)) dnl
	corenet_dontaudit_send_lltng_client_packets($1)
	corenet_dontaudit_receive_lltng_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lltng_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the lltng_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): packet relabelto is presumably checked when a SECMARK rule assigning this
# label is loaded, i.e. firewall-administration privilege -- grant only to that domain.
#
define(`corenet_relabelto_lltng_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lltng_client_packets'($*)) dnl
	gen_require(`
		type lltng_client_packet_t;
	')

	allow $1 lltng_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_lltng_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send lltng_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
# NOTE(review): packet-class checks apply only to traffic carrying a SECMARK label;
# with no SECMARK/CONNSECMARK rules loaded this rule is inert -- confirm for the deployment.
#
define(`corenet_send_lltng_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_lltng_server_packets'($*)) dnl
	gen_require(`
		type lltng_server_packet_t;
	')

	allow $1 lltng_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_lltng_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send lltng_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
## <infoflow type="write" weight="10"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_send_lltng_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lltng_server_packets'($*)) dnl
	gen_require(`
		type lltng_server_packet_t;
	')

	dontaudit $1 lltng_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lltng_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive lltng_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
# NOTE(review): packet-class checks apply only to traffic carrying a SECMARK label;
# with no SECMARK/CONNSECMARK rules loaded this rule is inert -- confirm for the deployment.
#
define(`corenet_receive_lltng_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_lltng_server_packets'($*)) dnl
	gen_require(`
		type lltng_server_packet_t;
	')

	allow $1 lltng_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_lltng_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive lltng_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
# NOTE(review): dontaudit only suppresses the AVC denial record; it grants no access.
#
define(`corenet_dontaudit_receive_lltng_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lltng_server_packets'($*)) dnl
	gen_require(`
		type lltng_server_packet_t;
	')

	dontaudit $1 lltng_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lltng_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive lltng_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
# Wrapper: expands the send and receive interfaces for this packet type.
# pushdef/popdef of policy_call_depth and policy_m4_comment are build-inserted
# call tracing; presumably they emit begin/end markers into the expanded policy
# (confirm in the build support macros).
define(`corenet_sendrecv_lltng_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lltng_server_packets'($*)) dnl
	corenet_send_lltng_server_packets($1)
	corenet_receive_lltng_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lltng_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive lltng_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
define(`corenet_dontaudit_sendrecv_lltng_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lltng_server_packets'($*)) dnl
	corenet_dontaudit_send_lltng_server_packets($1)
	corenet_dontaudit_receive_lltng_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lltng_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the lltng_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_lltng_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lltng_server_packets'($*)) dnl
	gen_require(`
		type lltng_server_packet_t;
	')

	allow $1 lltng_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_lltng_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the llmnr port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
# pushdef/popdef of policy_call_depth and policy_m4_comment are build-inserted
# call tracing; presumably they emit begin/end markers into the expanded policy
# (confirm in the build support macros).
define(`corenet_tcp_sendrecv_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_llmnr_port'($*)) dnl
	gen_require(`
		type llmnr_port_t;
	')

	allow $1 llmnr_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_llmnr_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the llmnr port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_llmnr_port'($*)) dnl
	gen_require(`
		type llmnr_port_t;
	')

	allow $1 llmnr_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_llmnr_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the llmnr port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
define(`corenet_dontaudit_udp_send_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_llmnr_port'($*)) dnl
	gen_require(`
		type llmnr_port_t;
	')

	dontaudit $1 llmnr_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_llmnr_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the llmnr port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
# pushdef/popdef of policy_call_depth and policy_m4_comment are build-inserted
# call tracing; presumably they emit begin/end markers into the expanded policy
# (confirm in the build support macros).
define(`corenet_udp_receive_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_llmnr_port'($*)) dnl
	gen_require(`
		type llmnr_port_t;
	')

	allow $1 llmnr_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_llmnr_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the llmnr port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
define(`corenet_dontaudit_udp_receive_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_llmnr_port'($*)) dnl
	gen_require(`
		type llmnr_port_t;
	')

	dontaudit $1 llmnr_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_llmnr_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the llmnr port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
# Wrapper: expands the UDP send and receive interfaces for this port.
define(`corenet_udp_sendrecv_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_llmnr_port'($*)) dnl
	corenet_udp_send_llmnr_port($1)
	corenet_udp_receive_llmnr_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_llmnr_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the llmnr port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
# pushdef/popdef of policy_call_depth and policy_m4_comment are build-inserted
# call tracing; presumably they emit begin/end markers into the expanded policy
# (confirm in the build support macros).
define(`corenet_dontaudit_udp_sendrecv_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_llmnr_port'($*)) dnl
	corenet_dontaudit_udp_send_llmnr_port($1)
	corenet_dontaudit_udp_receive_llmnr_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_llmnr_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the llmnr port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_llmnr_port'($*)) dnl
	gen_require(`
		type llmnr_port_t;
	')

	allow $1 llmnr_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_llmnr_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the llmnr port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_bind_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_llmnr_port'($*)) dnl
	gen_require(`
		type llmnr_port_t;
	')

	allow $1 llmnr_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_llmnr_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the llmnr port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
# (UDP only: there is no TCP bind dontaudit counterpart in this file section.)
# pushdef/popdef of policy_call_depth and policy_m4_comment are build-inserted
# call tracing; presumably they emit begin/end markers into the expanded policy
# (confirm in the build support macros).
define(`corenet_dontaudit_udp_bind_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_llmnr_port'($*)) dnl
	gen_require(`
		type llmnr_port_t;
	')

	dontaudit $1 llmnr_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_llmnr_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the llmnr port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_llmnr_port'($*)) dnl
	gen_require(`
		type llmnr_port_t;
	')

	allow $1 llmnr_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_llmnr_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the llmnr port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
# dontaudit suppresses the audit record for this access; it grants nothing.
define(`corenet_dontaudit_tcp_connect_llmnr_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_llmnr_port'($*)) dnl
	gen_require(`
		type llmnr_port_t;
	')

	dontaudit $1 llmnr_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_llmnr_port'($*)) dnl
')

########################################
## <summary>
##	Send llmnr_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
# pushdef/popdef of policy_call_depth and policy_m4_comment are build-inserted
# call tracing; presumably they emit begin/end markers into the expanded policy
# (confirm in the build support macros).
define(`corenet_send_llmnr_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_llmnr_client_packets'($*)) dnl
	gen_require(`
		type llmnr_client_packet_t;
	')

	allow $1 llmnr_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_llmnr_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send llmnr_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
define(`corenet_dontaudit_send_llmnr_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_llmnr_client_packets'($*)) dnl
	gen_require(`
		type llmnr_client_packet_t;
	')

	dontaudit $1 llmnr_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_llmnr_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive llmnr_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_llmnr_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_llmnr_client_packets'($*)) dnl
	gen_require(`
		type llmnr_client_packet_t;
	')

	allow $1 llmnr_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_llmnr_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive llmnr_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
# pushdef/popdef of policy_call_depth and policy_m4_comment are build-inserted
# call tracing; presumably they emit begin/end markers into the expanded policy
# (confirm in the build support macros).
define(`corenet_dontaudit_receive_llmnr_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_llmnr_client_packets'($*)) dnl
	gen_require(`
		type llmnr_client_packet_t;
	')

	dontaudit $1 llmnr_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_llmnr_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive llmnr_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
# Wrapper: expands the send and receive interfaces for this packet type.
define(`corenet_sendrecv_llmnr_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_llmnr_client_packets'($*)) dnl
	corenet_send_llmnr_client_packets($1)
	corenet_receive_llmnr_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_llmnr_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive llmnr_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
define(`corenet_dontaudit_sendrecv_llmnr_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_llmnr_client_packets'($*)) dnl
	corenet_dontaudit_send_llmnr_client_packets($1)
	corenet_dontaudit_receive_llmnr_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_llmnr_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the llmnr_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# pushdef/popdef of policy_call_depth and policy_m4_comment are build-inserted
# call tracing; presumably they emit begin/end markers into the expanded policy
# (confirm in the build support macros).
define(`corenet_relabelto_llmnr_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_llmnr_client_packets'($*)) dnl
	gen_require(`
		type llmnr_client_packet_t;
	')

	allow $1 llmnr_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_llmnr_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send llmnr_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_llmnr_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_llmnr_server_packets'($*)) dnl
	gen_require(`
		type llmnr_server_packet_t;
	')

	allow $1 llmnr_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_llmnr_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send llmnr_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
define(`corenet_dontaudit_send_llmnr_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_llmnr_server_packets'($*)) dnl
	gen_require(`
		type llmnr_server_packet_t;
	')

	dontaudit $1 llmnr_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_llmnr_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive llmnr_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
# pushdef/popdef of policy_call_depth and policy_m4_comment are build-inserted
# call tracing; presumably they emit begin/end markers into the expanded policy
# (confirm in the build support macros).
define(`corenet_receive_llmnr_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_llmnr_server_packets'($*)) dnl
	gen_require(`
		type llmnr_server_packet_t;
	')

	allow $1 llmnr_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_llmnr_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive llmnr_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
define(`corenet_dontaudit_receive_llmnr_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_llmnr_server_packets'($*)) dnl
	gen_require(`
		type llmnr_server_packet_t;
	')

	dontaudit $1 llmnr_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_llmnr_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive llmnr_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
# Wrapper: expands the send and receive interfaces for this packet type.
define(`corenet_sendrecv_llmnr_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_llmnr_server_packets'($*)) dnl
	corenet_send_llmnr_server_packets($1)
	corenet_receive_llmnr_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_llmnr_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive llmnr_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
# pushdef/popdef of policy_call_depth and policy_m4_comment are build-inserted
# call tracing; presumably they emit begin/end markers into the expanded policy
# (confirm in the build support macros).
define(`corenet_dontaudit_sendrecv_llmnr_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_llmnr_server_packets'($*)) dnl
	corenet_dontaudit_send_llmnr_server_packets($1)
	corenet_dontaudit_receive_llmnr_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_llmnr_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the llmnr_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_llmnr_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_llmnr_server_packets'($*)) dnl
	gen_require(`
		type llmnr_server_packet_t;
	')

	allow $1 llmnr_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_llmnr_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the rabbitmq port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rabbitmq_port'($*)) dnl
	gen_require(`
		type rabbitmq_port_t;
	')

	allow $1 rabbitmq_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rabbitmq_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the rabbitmq port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
# pushdef/popdef of policy_call_depth and policy_m4_comment are build-inserted
# call tracing; presumably they emit begin/end markers into the expanded policy
# (confirm in the build support macros).
define(`corenet_udp_send_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rabbitmq_port'($*)) dnl
	gen_require(`
		type rabbitmq_port_t;
	')

	allow $1 rabbitmq_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rabbitmq_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the rabbitmq port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
define(`corenet_dontaudit_udp_send_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rabbitmq_port'($*)) dnl
	gen_require(`
		type rabbitmq_port_t;
	')

	dontaudit $1 rabbitmq_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rabbitmq_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the rabbitmq port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rabbitmq_port'($*)) dnl
	gen_require(`
		type rabbitmq_port_t;
	')

	allow $1 rabbitmq_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rabbitmq_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the rabbitmq port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
# pushdef/popdef of policy_call_depth and policy_m4_comment are build-inserted
# call tracing; presumably they emit begin/end markers into the expanded policy
# (confirm in the build support macros).
define(`corenet_dontaudit_udp_receive_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rabbitmq_port'($*)) dnl
	gen_require(`
		type rabbitmq_port_t;
	')

	dontaudit $1 rabbitmq_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rabbitmq_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the rabbitmq port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
# Wrapper: expands the UDP send and receive interfaces for this port.
define(`corenet_udp_sendrecv_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rabbitmq_port'($*)) dnl
	corenet_udp_send_rabbitmq_port($1)
	corenet_udp_receive_rabbitmq_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rabbitmq_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the rabbitmq port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
define(`corenet_dontaudit_udp_sendrecv_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rabbitmq_port'($*)) dnl
	corenet_dontaudit_udp_send_rabbitmq_port($1)
	corenet_dontaudit_udp_receive_rabbitmq_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rabbitmq_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the rabbitmq port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
# pushdef/popdef of policy_call_depth and policy_m4_comment are build-inserted
# call tracing; presumably they emit begin/end markers into the expanded policy
# (confirm in the build support macros).
define(`corenet_tcp_bind_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rabbitmq_port'($*)) dnl
	gen_require(`
		type rabbitmq_port_t;
	')

	allow $1 rabbitmq_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rabbitmq_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the rabbitmq port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_bind_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rabbitmq_port'($*)) dnl
	gen_require(`
		type rabbitmq_port_t;
	')

	allow $1 rabbitmq_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rabbitmq_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the rabbitmq port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
# (UDP only: there is no TCP bind dontaudit counterpart in this file section.)
define(`corenet_dontaudit_udp_bind_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rabbitmq_port'($*)) dnl
	gen_require(`
		type rabbitmq_port_t;
	')

	dontaudit $1 rabbitmq_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rabbitmq_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the rabbitmq port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# pushdef/popdef of policy_call_depth and policy_m4_comment are build-inserted
# call tracing; presumably they emit begin/end markers into the expanded policy
# (confirm in the build support macros).
define(`corenet_tcp_connect_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rabbitmq_port'($*)) dnl
	gen_require(`
		type rabbitmq_port_t;
	')

	allow $1 rabbitmq_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rabbitmq_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the rabbitmq port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
# dontaudit suppresses the audit record for this access; it grants nothing.
define(`corenet_dontaudit_tcp_connect_rabbitmq_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rabbitmq_port'($*)) dnl
	gen_require(`
		type rabbitmq_port_t;
	')

	dontaudit $1 rabbitmq_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rabbitmq_port'($*)) dnl
')

########################################
## <summary>
##	Send rabbitmq_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_rabbitmq_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rabbitmq_client_packets'($*)) dnl
	gen_require(`
		type rabbitmq_client_packet_t;
	')

	allow $1 rabbitmq_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rabbitmq_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send rabbitmq_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
# pushdef/popdef of policy_call_depth and policy_m4_comment are build-inserted
# call tracing; presumably they emit begin/end markers into the expanded policy
# (confirm in the build support macros).
define(`corenet_dontaudit_send_rabbitmq_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rabbitmq_client_packets'($*)) dnl
	gen_require(`
		type rabbitmq_client_packet_t;
	')

	dontaudit $1 rabbitmq_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rabbitmq_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive rabbitmq_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_rabbitmq_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rabbitmq_client_packets'($*)) dnl
	gen_require(`
		type rabbitmq_client_packet_t;
	')

	allow $1 rabbitmq_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rabbitmq_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive rabbitmq_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
define(`corenet_dontaudit_receive_rabbitmq_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rabbitmq_client_packets'($*)) dnl
	gen_require(`
		type rabbitmq_client_packet_t;
	')

	dontaudit $1 rabbitmq_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rabbitmq_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive rabbitmq_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
# Wrapper: expands the send and receive interfaces for this packet type.
# pushdef/popdef of policy_call_depth and policy_m4_comment are build-inserted
# call tracing; presumably they emit begin/end markers into the expanded policy
# (confirm in the build support macros).
define(`corenet_sendrecv_rabbitmq_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rabbitmq_client_packets'($*)) dnl
	corenet_send_rabbitmq_client_packets($1)
	corenet_receive_rabbitmq_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rabbitmq_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive rabbitmq_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
define(`corenet_dontaudit_sendrecv_rabbitmq_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rabbitmq_client_packets'($*)) dnl
	corenet_dontaudit_send_rabbitmq_client_packets($1)
	corenet_dontaudit_receive_rabbitmq_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rabbitmq_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the rabbitmq_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_rabbitmq_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rabbitmq_client_packets'($*)) dnl
	gen_require(`
		type rabbitmq_client_packet_t;
	')

	allow $1 rabbitmq_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rabbitmq_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send rabbitmq_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
# pushdef/popdef of policy_call_depth and policy_m4_comment are build-inserted
# call tracing; presumably they emit begin/end markers into the expanded policy
# (confirm in the build support macros).
define(`corenet_send_rabbitmq_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rabbitmq_server_packets'($*)) dnl
	gen_require(`
		type rabbitmq_server_packet_t;
	')

	allow $1 rabbitmq_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rabbitmq_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send rabbitmq_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
define(`corenet_dontaudit_send_rabbitmq_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rabbitmq_server_packets'($*)) dnl
	gen_require(`
		type rabbitmq_server_packet_t;
	')

	dontaudit $1 rabbitmq_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rabbitmq_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive rabbitmq_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_rabbitmq_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rabbitmq_server_packets'($*)) dnl
	gen_require(`
		type rabbitmq_server_packet_t;
	')

	allow $1 rabbitmq_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rabbitmq_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive rabbitmq_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
# pushdef/popdef of policy_call_depth and policy_m4_comment are build-inserted
# call tracing; presumably they emit begin/end markers into the expanded policy
# (confirm in the build support macros).
define(`corenet_dontaudit_receive_rabbitmq_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rabbitmq_server_packets'($*)) dnl
	gen_require(`
		type rabbitmq_server_packet_t;
	')

	dontaudit $1 rabbitmq_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rabbitmq_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive rabbitmq_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
# Wrapper: expands the send and receive interfaces for this packet type.
define(`corenet_sendrecv_rabbitmq_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rabbitmq_server_packets'($*)) dnl
	corenet_send_rabbitmq_server_packets($1)
	corenet_receive_rabbitmq_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rabbitmq_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive rabbitmq_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
define(`corenet_dontaudit_sendrecv_rabbitmq_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rabbitmq_server_packets'($*)) dnl
	corenet_dontaudit_send_rabbitmq_server_packets($1)
	corenet_dontaudit_receive_rabbitmq_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rabbitmq_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the rabbitmq_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# pushdef/popdef of policy_call_depth and policy_m4_comment are build-inserted
# call tracing; presumably they emit begin/end markers into the expanded policy
# (confirm in the build support macros).
define(`corenet_relabelto_rabbitmq_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rabbitmq_server_packets'($*)) dnl
	gen_require(`
		type rabbitmq_server_packet_t;
	')

	allow $1 rabbitmq_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rabbitmq_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the rkt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rkt_port'($*)) dnl
	gen_require(`
		type rkt_port_t;
	')

	allow $1 rkt_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rkt_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the rkt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rkt_port'($*)) dnl
	gen_require(`
		type rkt_port_t;
	')

	allow $1 rkt_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rkt_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the rkt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
# pushdef/popdef of policy_call_depth and policy_m4_comment are build-inserted
# call tracing; presumably they emit begin/end markers into the expanded policy
# (confirm in the build support macros).
define(`corenet_dontaudit_udp_send_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rkt_port'($*)) dnl
	gen_require(`
		type rkt_port_t;
	')

	dontaudit $1 rkt_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rkt_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the rkt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rkt_port'($*)) dnl
	gen_require(`
		type rkt_port_t;
	')

	allow $1 rkt_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rkt_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the rkt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
# dontaudit suppresses the audit record for this access; it grants nothing.
define(`corenet_dontaudit_udp_receive_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rkt_port'($*)) dnl
	gen_require(`
		type rkt_port_t;
	')

	dontaudit $1 rkt_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rkt_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the rkt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rkt_port'($*)) dnl
# Composite: the two called interfaces carry their own gen_require.
corenet_udp_send_rkt_port($1)
corenet_udp_receive_rkt_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rkt_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the rkt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rkt_port'($*)) dnl
corenet_dontaudit_udp_send_rkt_port($1)
corenet_dontaudit_udp_receive_rkt_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rkt_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the rkt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rkt_port'($*)) dnl
gen_require(`
	type rkt_port_t;
')

# name_bind only; no net_bind_service capability is granted here.
allow $1 rkt_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rkt_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the rkt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rkt_port'($*)) dnl
gen_require(`
	type rkt_port_t;
')

allow $1 rkt_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rkt_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the rkt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rkt_port'($*)) dnl
gen_require(`
	type rkt_port_t;
')

# Silences the denial only; nothing is allowed.
dontaudit $1 rkt_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rkt_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the rkt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rkt_port'($*)) dnl
gen_require(`
	type rkt_port_t;
')

allow $1 rkt_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rkt_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the rkt port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_rkt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rkt_port'($*)) dnl
gen_require(`
	type rkt_port_t;
')

dontaudit $1 rkt_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rkt_port'($*)) dnl
')

########################################
## <summary>
##	Send rkt_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_rkt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rkt_client_packets'($*)) dnl
gen_require(`
	type rkt_client_packet_t;
')

allow $1 rkt_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rkt_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send rkt_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_rkt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rkt_client_packets'($*)) dnl
gen_require(`
	type rkt_client_packet_t;
')

dontaudit $1 rkt_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rkt_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive rkt_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_rkt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rkt_client_packets'($*)) dnl
gen_require(`
	type rkt_client_packet_t;
')

allow $1 rkt_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rkt_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive rkt_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_rkt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rkt_client_packets'($*)) dnl
gen_require(`
	type rkt_client_packet_t;
')

dontaudit $1 rkt_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rkt_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive rkt_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_rkt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rkt_client_packets'($*)) dnl
# Composite: the two called interfaces carry their own gen_require.
corenet_send_rkt_client_packets($1)
corenet_receive_rkt_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rkt_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive rkt_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_rkt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rkt_client_packets'($*)) dnl
corenet_dontaudit_send_rkt_client_packets($1)
corenet_dontaudit_receive_rkt_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rkt_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the rkt_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_rkt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rkt_client_packets'($*)) dnl
gen_require(`
	type rkt_client_packet_t;
')

# relabelto only: the caller may assign this label to packets, it is
# not thereby allowed to send or receive them.
allow $1 rkt_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rkt_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send rkt_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_rkt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rkt_server_packets'($*)) dnl
gen_require(`
	type rkt_server_packet_t;
')

allow $1 rkt_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rkt_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send rkt_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_rkt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rkt_server_packets'($*)) dnl
gen_require(`
	type rkt_server_packet_t;
')

dontaudit $1 rkt_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rkt_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive rkt_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_rkt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rkt_server_packets'($*)) dnl
gen_require(`
	type rkt_server_packet_t;
')

allow $1 rkt_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rkt_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive rkt_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_rkt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rkt_server_packets'($*)) dnl
gen_require(`
	type rkt_server_packet_t;
')

dontaudit $1 rkt_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rkt_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive rkt_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_rkt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rkt_server_packets'($*)) dnl
# Composite: the two called interfaces carry their own gen_require.
corenet_send_rkt_server_packets($1)
corenet_receive_rkt_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rkt_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive rkt_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_rkt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rkt_server_packets'($*)) dnl
corenet_dontaudit_send_rkt_server_packets($1)
corenet_dontaudit_receive_rkt_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rkt_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the rkt_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_rkt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rkt_server_packets'($*)) dnl
gen_require(`
	type rkt_server_packet_t;
')

# relabelto only: the caller may assign this label to packets, it is
# not thereby allowed to send or receive them.
allow $1 rkt_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rkt_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the rlogin port.
##	NOTE(review): rlogin is a legacy cleartext, host-trust based
##	protocol; think twice before granting this to a new domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rlogin_port'($*)) dnl
gen_require(`
	type rlogin_port_t;
')

# send_msg/recv_msg on the port type; binding or connecting is separate.
allow $1 rlogin_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rlogin_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the rlogin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rlogin_port'($*)) dnl
gen_require(`
	type rlogin_port_t;
')

allow $1 rlogin_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rlogin_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the rlogin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rlogin_port'($*)) dnl
gen_require(`
	type rlogin_port_t;
')

# Silences the denial only; nothing is allowed.
dontaudit $1 rlogin_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rlogin_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the rlogin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rlogin_port'($*)) dnl
gen_require(`
	type rlogin_port_t;
')

allow $1 rlogin_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rlogin_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the rlogin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rlogin_port'($*)) dnl
gen_require(`
	type rlogin_port_t;
')

dontaudit $1 rlogin_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rlogin_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the rlogin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rlogin_port'($*)) dnl
# Composite: the two called interfaces carry their own gen_require.
corenet_udp_send_rlogin_port($1)
corenet_udp_receive_rlogin_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rlogin_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the rlogin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rlogin_port'($*)) dnl
corenet_dontaudit_udp_send_rlogin_port($1)
corenet_dontaudit_udp_receive_rlogin_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rlogin_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the rlogin port.
##	This interface also grants the domain the net_bind_service
##	capability (presumably because rlogin is a reserved port below
##	1024), which permits binding any reserved port as far as the
##	capability check is concerned; the per-port name_bind check
##	still applies.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rlogin_port'($*)) dnl
gen_require(`
	type rlogin_port_t;
')

allow $1 rlogin_port_t:tcp_socket name_bind;
# Side effect: CAP_NET_BIND_SERVICE is not limited to this port.
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rlogin_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the rlogin port.
##	This interface also grants the domain the net_bind_service
##	capability (see corenet_tcp_bind_rlogin_port), which is not
##	limited to this port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rlogin_port'($*)) dnl
gen_require(`
	type rlogin_port_t;
')

allow $1 rlogin_port_t:udp_socket name_bind;
# Side effect: CAP_NET_BIND_SERVICE is not limited to this port.
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rlogin_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the rlogin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
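##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rlogin_port'($*)) dnl
gen_require(`
	type rlogin_port_t;
')

# A dontaudit interface must only silence the denial. The previous
# version also carried "allow $1 self:capability net_bind_service;",
# which handed every caller that merely wanted a quiet log the
# capability to bind any reserved port. Domains that really need to
# bind this port must call corenet_udp_bind_rlogin_port instead.
dontaudit $1 rlogin_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rlogin_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the rlogin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rlogin_port'($*)) dnl
gen_require(`
	type rlogin_port_t;
')

allow $1 rlogin_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rlogin_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the rlogin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_rlogin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rlogin_port'($*)) dnl
gen_require(`
	type rlogin_port_t;
')

dontaudit $1 rlogin_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rlogin_port'($*)) dnl
')

########################################
## <summary>
##	Send rlogin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.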
##	</summary>
## </param>
#
define(`corenet_send_rlogin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rlogin_client_packets'($*)) dnl
gen_require(`
	type rlogin_client_packet_t;
')

allow $1 rlogin_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rlogin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send rlogin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_rlogin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rlogin_client_packets'($*)) dnl
gen_require(`
	type rlogin_client_packet_t;
')

dontaudit $1 rlogin_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rlogin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive rlogin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_rlogin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rlogin_client_packets'($*)) dnl
gen_require(`
	type rlogin_client_packet_t;
')

allow $1 rlogin_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rlogin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive rlogin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_rlogin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rlogin_client_packets'($*)) dnl
gen_require(`
	type rlogin_client_packet_t;
')

dontaudit $1 rlogin_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rlogin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive rlogin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_rlogin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rlogin_client_packets'($*)) dnl
# Composite: the two called interfaces carry their own gen_require.
corenet_send_rlogin_client_packets($1)
corenet_receive_rlogin_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rlogin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive rlogin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_rlogin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rlogin_client_packets'($*)) dnl
corenet_dontaudit_send_rlogin_client_packets($1)
corenet_dontaudit_receive_rlogin_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rlogin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the rlogin_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_rlogin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rlogin_client_packets'($*)) dnl
gen_require(`
	type rlogin_client_packet_t;
')

# relabelto only: the caller may assign this label to packets, it is
# not thereby allowed to send or receive them.
allow $1 rlogin_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rlogin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send rlogin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_rlogin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rlogin_server_packets'($*)) dnl
gen_require(`
	type rlogin_server_packet_t;
')

allow $1 rlogin_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rlogin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send rlogin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_rlogin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rlogin_server_packets'($*)) dnl
gen_require(`
	type rlogin_server_packet_t;
')

dontaudit $1 rlogin_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rlogin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive rlogin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_rlogin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rlogin_server_packets'($*)) dnl
gen_require(`
	type rlogin_server_packet_t;
')

allow $1 rlogin_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rlogin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive rlogin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_rlogin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rlogin_server_packets'($*)) dnl
gen_require(`
	type rlogin_server_packet_t;
')

dontaudit $1 rlogin_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rlogin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive rlogin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_rlogin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rlogin_server_packets'($*)) dnl
# Composite: the two called interfaces carry their own gen_require.
corenet_send_rlogin_server_packets($1)
corenet_receive_rlogin_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rlogin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive rlogin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_rlogin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rlogin_server_packets'($*)) dnl
corenet_dontaudit_send_rlogin_server_packets($1)
corenet_dontaudit_receive_rlogin_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rlogin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the rlogin_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_rlogin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rlogin_server_packets'($*)) dnl
gen_require(`
	type rlogin_server_packet_t;
')

# relabelto only: the caller may assign this label to packets, it is
# not thereby allowed to send or receive them.
allow $1 rlogin_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rlogin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the rtsclient port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rtsclient_port'($*)) dnl
gen_require(`
	type rtsclient_port_t;
')

# send_msg/recv_msg on the port type; binding or connecting is separate.
allow $1 rtsclient_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rtsclient_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the rtsclient port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rtsclient_port'($*)) dnl
gen_require(`
	type rtsclient_port_t;
')

allow $1 rtsclient_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rtsclient_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the rtsclient port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rtsclient_port'($*)) dnl
gen_require(`
	type rtsclient_port_t;
')

# Silences the denial only; nothing is allowed.
dontaudit $1 rtsclient_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rtsclient_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the rtsclient port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rtsclient_port'($*)) dnl
gen_require(`
	type rtsclient_port_t;
')

allow $1 rtsclient_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rtsclient_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the rtsclient port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rtsclient_port'($*)) dnl
gen_require(`
	type rtsclient_port_t;
')

dontaudit $1 rtsclient_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rtsclient_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the rtsclient port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rtsclient_port'($*)) dnl
# Composite: the two called interfaces carry their own gen_require.
corenet_udp_send_rtsclient_port($1)
corenet_udp_receive_rtsclient_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rtsclient_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the rtsclient port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rtsclient_port'($*)) dnl
corenet_dontaudit_udp_send_rtsclient_port($1)
corenet_dontaudit_udp_receive_rtsclient_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rtsclient_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the rtsclient port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rtsclient_port'($*)) dnl
gen_require(`
	type rtsclient_port_t;
')

# name_bind only; no net_bind_service capability is granted here.
allow $1 rtsclient_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rtsclient_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the rtsclient port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rtsclient_port'($*)) dnl
gen_require(`
	type rtsclient_port_t;
')

allow $1 rtsclient_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rtsclient_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the rtsclient port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rtsclient_port'($*)) dnl
gen_require(`
	type rtsclient_port_t;
')

# Silences the denial only; nothing is allowed.
dontaudit $1 rtsclient_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rtsclient_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the rtsclient port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rtsclient_port'($*)) dnl
gen_require(`
	type rtsclient_port_t;
')

allow $1 rtsclient_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rtsclient_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the rtsclient port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_rtsclient_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rtsclient_port'($*)) dnl
gen_require(`
	type rtsclient_port_t;
')

dontaudit $1 rtsclient_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rtsclient_port'($*)) dnl
')

########################################
## <summary>
##	Send rtsclient_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_rtsclient_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rtsclient_client_packets'($*)) dnl
gen_require(`
	type rtsclient_client_packet_t;
')

allow $1 rtsclient_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rtsclient_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send rtsclient_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
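##
#
define(`corenet_dontaudit_send_rtsclient_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rtsclient_client_packets'($*)) dnl
	gen_require(`
		type rtsclient_client_packet_t;
	')

	dontaudit $1 rtsclient_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rtsclient_client_packets'($*)) dnl
')

########################################
##	Receive rtsclient_client packets.
##
##	Domain allowed access.
#
define(`corenet_receive_rtsclient_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rtsclient_client_packets'($*)) dnl
	gen_require(`
		type rtsclient_client_packet_t;
	')

	allow $1 rtsclient_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rtsclient_client_packets'($*)) dnl
')

########################################
##	Do not audit attempts to receive rtsclient_client packets.
##
##	Domain to not audit.
#
define(`corenet_dontaudit_receive_rtsclient_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rtsclient_client_packets'($*)) dnl
	gen_require(`
		type rtsclient_client_packet_t;
	')

	# dontaudit only: nothing is allowed by this interface.
	dontaudit $1 rtsclient_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rtsclient_client_packets'($*)) dnl
')

########################################
##	Send and receive rtsclient_client packets.
##
##	Domain allowed access.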
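##
#
define(`corenet_sendrecv_rtsclient_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rtsclient_client_packets'($*)) dnl
	# Composed from the single-direction interfaces so the two stay in sync.
	corenet_send_rtsclient_client_packets($1)
	corenet_receive_rtsclient_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rtsclient_client_packets'($*)) dnl
')

########################################
##	Do not audit attempts to send and receive rtsclient_client packets.
##
##	Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_rtsclient_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rtsclient_client_packets'($*)) dnl
	corenet_dontaudit_send_rtsclient_client_packets($1)
	corenet_dontaudit_receive_rtsclient_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rtsclient_client_packets'($*)) dnl
')

########################################
##	Relabel packets to the rtsclient_client packet type.
##
##	Domain allowed access.
#
define(`corenet_relabelto_rtsclient_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rtsclient_client_packets'($*)) dnl
	gen_require(`
		type rtsclient_client_packet_t;
	')

	# relabelto lets the caller assign this packet label (e.g. via SECMARK
	# rules); keep it limited to packet-labeling domains.
	allow $1 rtsclient_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rtsclient_client_packets'($*)) dnl
')

########################################
##	Send rtsclient_server packets.
##
##	Domain allowed access.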
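##
#
define(`corenet_send_rtsclient_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rtsclient_server_packets'($*)) dnl
	gen_require(`
		type rtsclient_server_packet_t;
	')

	allow $1 rtsclient_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rtsclient_server_packets'($*)) dnl
')

########################################
##	Do not audit attempts to send rtsclient_server packets.
##
##	Domain to not audit.
#
define(`corenet_dontaudit_send_rtsclient_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rtsclient_server_packets'($*)) dnl
	gen_require(`
		type rtsclient_server_packet_t;
	')

	dontaudit $1 rtsclient_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rtsclient_server_packets'($*)) dnl
')

########################################
##	Receive rtsclient_server packets.
##
##	Domain allowed access.
#
define(`corenet_receive_rtsclient_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rtsclient_server_packets'($*)) dnl
	gen_require(`
		type rtsclient_server_packet_t;
	')

	allow $1 rtsclient_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rtsclient_server_packets'($*)) dnl
')

########################################
##	Do not audit attempts to receive rtsclient_server packets.
##
##	Domain to not audit.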
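##
#
define(`corenet_dontaudit_receive_rtsclient_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rtsclient_server_packets'($*)) dnl
	gen_require(`
		type rtsclient_server_packet_t;
	')

	dontaudit $1 rtsclient_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rtsclient_server_packets'($*)) dnl
')

########################################
##	Send and receive rtsclient_server packets.
##
##	Domain allowed access.
#
define(`corenet_sendrecv_rtsclient_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rtsclient_server_packets'($*)) dnl
	corenet_send_rtsclient_server_packets($1)
	corenet_receive_rtsclient_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rtsclient_server_packets'($*)) dnl
')

########################################
##	Do not audit attempts to send and receive rtsclient_server packets.
##
##	Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_rtsclient_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rtsclient_server_packets'($*)) dnl
	corenet_dontaudit_send_rtsclient_server_packets($1)
	corenet_dontaudit_receive_rtsclient_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rtsclient_server_packets'($*)) dnl
')

########################################
##	Relabel packets to the rtsclient_server packet type.
##
##	Domain allowed access.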
##
#
define(`corenet_relabelto_rtsclient_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rtsclient_server_packets'($*)) dnl
	gen_require(`
		type rtsclient_server_packet_t;
	')

	# Permits assigning the rtsclient_server packet label.
	allow $1 rtsclient_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rtsclient_server_packets'($*)) dnl
')

########################################
##	Send and receive TCP traffic on the kprop port.
##
##	Domain allowed access.
#
define(`corenet_tcp_sendrecv_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_kprop_port'($*)) dnl
	gen_require(`
		type kprop_port_t;
	')

	# Both directions in one rule; binding/connecting are separate interfaces.
	allow $1 kprop_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_kprop_port'($*)) dnl
')

########################################
##	Send UDP traffic on the kprop port.
##
##	Domain allowed access.
#
define(`corenet_udp_send_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_kprop_port'($*)) dnl
	gen_require(`
		type kprop_port_t;
	')

	allow $1 kprop_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_kprop_port'($*)) dnl
')

########################################
##	Do not audit attempts to send UDP traffic on the kprop port.
##
##	Domain to not audit.
##
#
define(`corenet_dontaudit_udp_send_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_kprop_port'($*)) dnl
	gen_require(`
		type kprop_port_t;
	')

	dontaudit $1 kprop_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_kprop_port'($*)) dnl
')

########################################
##	Receive UDP traffic on the kprop port.
##
##	Domain allowed access.
#
define(`corenet_udp_receive_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_kprop_port'($*)) dnl
	gen_require(`
		type kprop_port_t;
	')

	allow $1 kprop_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_kprop_port'($*)) dnl
')

########################################
##	Do not audit attempts to receive UDP traffic on the kprop port.
##
##	Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_kprop_port'($*)) dnl
	gen_require(`
		type kprop_port_t;
	')

	# Quiet the denial; grants no access.
	dontaudit $1 kprop_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_kprop_port'($*)) dnl
')

########################################
##	Send and receive UDP traffic on the kprop port.
##
##	Domain allowed access.
##
#
define(`corenet_udp_sendrecv_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_kprop_port'($*)) dnl
	corenet_udp_send_kprop_port($1)
	corenet_udp_receive_kprop_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_kprop_port'($*)) dnl
')

########################################
##	Do not audit attempts to send and receive
##	UDP traffic on the kprop port.
##
##	Domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_kprop_port'($*)) dnl
	corenet_dontaudit_udp_send_kprop_port($1)
	corenet_dontaudit_udp_receive_kprop_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_kprop_port'($*)) dnl
')

########################################
##	Bind TCP sockets to the kprop port.
##
##	Domain allowed access.
#
define(`corenet_tcp_bind_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_kprop_port'($*)) dnl
	gen_require(`
		type kprop_port_t;
	')

	allow $1 kprop_port_t:tcp_socket name_bind;
	# NOTE(review): net_bind_service is granted here, presumably because the
	# kprop port is in the privileged (<1024) range -- confirm against the
	# port declaration. This capability covers every privileged port, not
	# just kprop, so only call this interface from the domain that listens.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_kprop_port'($*)) dnl
')

########################################
##	Bind UDP sockets to the kprop port.
##
##	Domain allowed access.
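##
#
define(`corenet_udp_bind_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_kprop_port'($*)) dnl
	gen_require(`
		type kprop_port_t;
	')

	allow $1 kprop_port_t:udp_socket name_bind;
	# NOTE(review): presumably the kprop port is privileged (<1024), hence
	# net_bind_service -- confirm against the port declaration.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_kprop_port'($*)) dnl
')

########################################
##	Do not audit attempts to bind UDP sockets to the kprop port.
##
##	Domain to not audit.
#
define(`corenet_dontaudit_udp_bind_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_kprop_port'($*)) dnl
	gen_require(`
		type kprop_port_t;
	')

	# A dontaudit interface must only silence denials. The previous version
	# also granted self:capability net_bind_service, which let any caller of
	# this "do not audit" interface bind every privileged port; callers that
	# really bind the port use corenet_udp_bind_kprop_port, which grants it.
	dontaudit $1 kprop_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_kprop_port'($*)) dnl
')

########################################
##	Make a TCP connection to the kprop port.
##
##	Domain allowed access.
#
define(`corenet_tcp_connect_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_kprop_port'($*)) dnl
	gen_require(`
		type kprop_port_t;
	')

	allow $1 kprop_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_kprop_port'($*)) dnl
')

########################################
##	Do not audit attempts to make a TCP connection to the kprop port.
##
##	Domain to not audit.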
##
#
define(`corenet_dontaudit_tcp_connect_kprop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_kprop_port'($*)) dnl
	gen_require(`
		type kprop_port_t;
	')

	# Only the audit record is suppressed; the connect stays denied.
	dontaudit $1 kprop_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_kprop_port'($*)) dnl
')

########################################
##	Send kprop_client packets.
##
##	Domain allowed access.
#
define(`corenet_send_kprop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_kprop_client_packets'($*)) dnl
	gen_require(`
		type kprop_client_packet_t;
	')

	allow $1 kprop_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_kprop_client_packets'($*)) dnl
')

########################################
##	Do not audit attempts to send kprop_client packets.
##
##	Domain to not audit.
#
define(`corenet_dontaudit_send_kprop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kprop_client_packets'($*)) dnl
	gen_require(`
		type kprop_client_packet_t;
	')

	dontaudit $1 kprop_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kprop_client_packets'($*)) dnl
')

########################################
##	Receive kprop_client packets.
##
##	Domain allowed access.
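##
#
define(`corenet_receive_kprop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_kprop_client_packets'($*)) dnl
	gen_require(`
		type kprop_client_packet_t;
	')

	allow $1 kprop_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_kprop_client_packets'($*)) dnl
')

########################################
##	Do not audit attempts to receive kprop_client packets.
##
##	Domain to not audit.
#
define(`corenet_dontaudit_receive_kprop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kprop_client_packets'($*)) dnl
	gen_require(`
		type kprop_client_packet_t;
	')

	# dontaudit only: nothing is allowed by this interface.
	dontaudit $1 kprop_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kprop_client_packets'($*)) dnl
')

########################################
##	Send and receive kprop_client packets.
##
##	Domain allowed access.
#
define(`corenet_sendrecv_kprop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kprop_client_packets'($*)) dnl
	corenet_send_kprop_client_packets($1)
	corenet_receive_kprop_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kprop_client_packets'($*)) dnl
')

########################################
##	Do not audit attempts to send and receive kprop_client packets.
##
##	Domain to not audit.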
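##
#
define(`corenet_dontaudit_sendrecv_kprop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kprop_client_packets'($*)) dnl
	corenet_dontaudit_send_kprop_client_packets($1)
	corenet_dontaudit_receive_kprop_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kprop_client_packets'($*)) dnl
')

########################################
##	Relabel packets to the kprop_client packet type.
##
##	Domain allowed access.
#
define(`corenet_relabelto_kprop_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kprop_client_packets'($*)) dnl
	gen_require(`
		type kprop_client_packet_t;
	')

	# Lets the caller assign this packet label; restrict to labeling domains.
	allow $1 kprop_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_kprop_client_packets'($*)) dnl
')

########################################
##	Send kprop_server packets.
##
##	Domain allowed access.
#
define(`corenet_send_kprop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_kprop_server_packets'($*)) dnl
	gen_require(`
		type kprop_server_packet_t;
	')

	allow $1 kprop_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_kprop_server_packets'($*)) dnl
')

########################################
##	Do not audit attempts to send kprop_server packets.
##
##	Domain to not audit.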
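##
#
define(`corenet_dontaudit_send_kprop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_kprop_server_packets'($*)) dnl
	gen_require(`
		type kprop_server_packet_t;
	')

	dontaudit $1 kprop_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_kprop_server_packets'($*)) dnl
')

########################################
##	Receive kprop_server packets.
##
##	Domain allowed access.
#
define(`corenet_receive_kprop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_kprop_server_packets'($*)) dnl
	gen_require(`
		type kprop_server_packet_t;
	')

	allow $1 kprop_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_kprop_server_packets'($*)) dnl
')

########################################
##	Do not audit attempts to receive kprop_server packets.
##
##	Domain to not audit.
#
define(`corenet_dontaudit_receive_kprop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_kprop_server_packets'($*)) dnl
	gen_require(`
		type kprop_server_packet_t;
	')

	# dontaudit only: nothing is allowed by this interface.
	dontaudit $1 kprop_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_kprop_server_packets'($*)) dnl
')

########################################
##	Send and receive kprop_server packets.
##
##	Domain allowed access.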
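##
#
define(`corenet_sendrecv_kprop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_kprop_server_packets'($*)) dnl
	corenet_send_kprop_server_packets($1)
	corenet_receive_kprop_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_kprop_server_packets'($*)) dnl
')

########################################
##	Do not audit attempts to send and receive kprop_server packets.
##
##	Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_kprop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_kprop_server_packets'($*)) dnl
	corenet_dontaudit_send_kprop_server_packets($1)
	corenet_dontaudit_receive_kprop_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_kprop_server_packets'($*)) dnl
')

########################################
##	Relabel packets to the kprop_server packet type.
##
##	Domain allowed access.
#
define(`corenet_relabelto_kprop_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_kprop_server_packets'($*)) dnl
	gen_require(`
		type kprop_server_packet_t;
	')

	# Lets the caller assign this packet label; restrict to labeling domains.
	allow $1 kprop_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_kprop_server_packets'($*)) dnl
')

########################################
##	Send and receive TCP traffic on the ktalkd port.
##
##	Domain allowed access.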
##
#
define(`corenet_tcp_sendrecv_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ktalkd_port'($*)) dnl
	gen_require(`
		type ktalkd_port_t;
	')

	# Data path only; bind and connect have their own interfaces.
	allow $1 ktalkd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ktalkd_port'($*)) dnl
')

########################################
##	Send UDP traffic on the ktalkd port.
##
##	Domain allowed access.
#
define(`corenet_udp_send_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ktalkd_port'($*)) dnl
	gen_require(`
		type ktalkd_port_t;
	')

	allow $1 ktalkd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ktalkd_port'($*)) dnl
')

########################################
##	Do not audit attempts to send UDP traffic on the ktalkd port.
##
##	Domain to not audit.
#
define(`corenet_dontaudit_udp_send_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ktalkd_port'($*)) dnl
	gen_require(`
		type ktalkd_port_t;
	')

	dontaudit $1 ktalkd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ktalkd_port'($*)) dnl
')

########################################
##	Receive UDP traffic on the ktalkd port.
##
##	Domain allowed access.
##
#
define(`corenet_udp_receive_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ktalkd_port'($*)) dnl
	gen_require(`
		type ktalkd_port_t;
	')

	allow $1 ktalkd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ktalkd_port'($*)) dnl
')

########################################
##	Do not audit attempts to receive UDP traffic on the ktalkd port.
##
##	Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ktalkd_port'($*)) dnl
	gen_require(`
		type ktalkd_port_t;
	')

	# Quiet the denial; grants no access.
	dontaudit $1 ktalkd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ktalkd_port'($*)) dnl
')

########################################
##	Send and receive UDP traffic on the ktalkd port.
##
##	Domain allowed access.
#
define(`corenet_udp_sendrecv_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ktalkd_port'($*)) dnl
	corenet_udp_send_ktalkd_port($1)
	corenet_udp_receive_ktalkd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ktalkd_port'($*)) dnl
')

########################################
##	Do not audit attempts to send and receive
##	UDP traffic on the ktalkd port.
##
##	Domain to not audit.
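##
#
define(`corenet_dontaudit_udp_sendrecv_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ktalkd_port'($*)) dnl
	corenet_dontaudit_udp_send_ktalkd_port($1)
	corenet_dontaudit_udp_receive_ktalkd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ktalkd_port'($*)) dnl
')

########################################
##	Bind TCP sockets to the ktalkd port.
##
##	Domain allowed access.
#
define(`corenet_tcp_bind_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ktalkd_port'($*)) dnl
	gen_require(`
		type ktalkd_port_t;
	')

	allow $1 ktalkd_port_t:tcp_socket name_bind;
	# NOTE(review): net_bind_service is granted here, presumably because the
	# ktalkd port is privileged (<1024) -- confirm against the port
	# declaration. The capability is not port-specific, so only the
	# listening domain should call this interface.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ktalkd_port'($*)) dnl
')

########################################
##	Bind UDP sockets to the ktalkd port.
##
##	Domain allowed access.
#
define(`corenet_udp_bind_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ktalkd_port'($*)) dnl
	gen_require(`
		type ktalkd_port_t;
	')

	allow $1 ktalkd_port_t:udp_socket name_bind;
	# See the TCP bind interface above for why net_bind_service is granted.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ktalkd_port'($*)) dnl
')

########################################
##	Do not audit attempts to bind UDP sockets to the ktalkd port.
##
##	Domain to not audit.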
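##
#
define(`corenet_dontaudit_udp_bind_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ktalkd_port'($*)) dnl
	gen_require(`
		type ktalkd_port_t;
	')

	# A dontaudit interface must only silence denials. The previous version
	# also granted self:capability net_bind_service, which let any caller of
	# this "do not audit" interface bind every privileged port; callers that
	# really bind the port use corenet_udp_bind_ktalkd_port, which grants it.
	dontaudit $1 ktalkd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ktalkd_port'($*)) dnl
')

########################################
##	Make a TCP connection to the ktalkd port.
##
##	Domain allowed access.
#
define(`corenet_tcp_connect_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ktalkd_port'($*)) dnl
	gen_require(`
		type ktalkd_port_t;
	')

	allow $1 ktalkd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ktalkd_port'($*)) dnl
')

########################################
##	Do not audit attempts to make a TCP connection to the ktalkd port.
##
##	Domain to not audit.
#
define(`corenet_dontaudit_tcp_connect_ktalkd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ktalkd_port'($*)) dnl
	gen_require(`
		type ktalkd_port_t;
	')

	# Only the audit record is suppressed; the connect stays denied.
	dontaudit $1 ktalkd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ktalkd_port'($*)) dnl
')

########################################
##	Send ktalkd_client packets.
##
##	Domain allowed access.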
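##
#
define(`corenet_send_ktalkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ktalkd_client_packets'($*)) dnl
	gen_require(`
		type ktalkd_client_packet_t;
	')

	allow $1 ktalkd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ktalkd_client_packets'($*)) dnl
')

########################################
##	Do not audit attempts to send ktalkd_client packets.
##
##	Domain to not audit.
#
define(`corenet_dontaudit_send_ktalkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ktalkd_client_packets'($*)) dnl
	gen_require(`
		type ktalkd_client_packet_t;
	')

	dontaudit $1 ktalkd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ktalkd_client_packets'($*)) dnl
')

########################################
##	Receive ktalkd_client packets.
##
##	Domain allowed access.
#
define(`corenet_receive_ktalkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ktalkd_client_packets'($*)) dnl
	gen_require(`
		type ktalkd_client_packet_t;
	')

	allow $1 ktalkd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ktalkd_client_packets'($*)) dnl
')

########################################
##	Do not audit attempts to receive ktalkd_client packets.
##
##	Domain to not audit.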
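##
#
define(`corenet_dontaudit_receive_ktalkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ktalkd_client_packets'($*)) dnl
	gen_require(`
		type ktalkd_client_packet_t;
	')

	dontaudit $1 ktalkd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ktalkd_client_packets'($*)) dnl
')

########################################
##	Send and receive ktalkd_client packets.
##
##	Domain allowed access.
#
define(`corenet_sendrecv_ktalkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ktalkd_client_packets'($*)) dnl
	corenet_send_ktalkd_client_packets($1)
	corenet_receive_ktalkd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ktalkd_client_packets'($*)) dnl
')

########################################
##	Do not audit attempts to send and receive ktalkd_client packets.
##
##	Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_ktalkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ktalkd_client_packets'($*)) dnl
	corenet_dontaudit_send_ktalkd_client_packets($1)
	corenet_dontaudit_receive_ktalkd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ktalkd_client_packets'($*)) dnl
')

########################################
##	Relabel packets to the ktalkd_client packet type.
##
##	Domain allowed access.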
#
define(`corenet_relabelto_ktalkd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ktalkd_client_packets'($*)) dnl
	gen_require(`
		type ktalkd_client_packet_t;
	')

	allow $1 ktalkd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ktalkd_client_packets'($*)) dnl
')

########################################
## Send ktalkd_server packets.
## Param 1 (domain): domain allowed access.
#
define(`corenet_send_ktalkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ktalkd_server_packets'($*)) dnl
	gen_require(`
		type ktalkd_server_packet_t;
	')

	allow $1 ktalkd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ktalkd_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send ktalkd_server packets.
## Silences the denial only; grants nothing.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_send_ktalkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ktalkd_server_packets'($*)) dnl
	gen_require(`
		type ktalkd_server_packet_t;
	')

	dontaudit $1 ktalkd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ktalkd_server_packets'($*)) dnl
')

########################################
## Receive ktalkd_server packets.
## Param 1 (domain): domain allowed access.
#
define(`corenet_receive_ktalkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ktalkd_server_packets'($*)) dnl
	gen_require(`
		type ktalkd_server_packet_t;
	')

	allow $1 ktalkd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ktalkd_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive ktalkd_server packets.
## Silences the denial only; grants nothing.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_receive_ktalkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ktalkd_server_packets'($*)) dnl
	gen_require(`
		type ktalkd_server_packet_t;
	')

	dontaudit $1 ktalkd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ktalkd_server_packets'($*)) dnl
')

########################################
## Send and receive ktalkd_server packets.
## Composite of the send and receive interfaces above.
## Param 1 (domain): domain allowed access.
#
define(`corenet_sendrecv_ktalkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ktalkd_server_packets'($*)) dnl
	corenet_send_ktalkd_server_packets($1)
	corenet_receive_ktalkd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ktalkd_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive ktalkd_server packets.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_sendrecv_ktalkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ktalkd_server_packets'($*)) dnl
	corenet_dontaudit_send_ktalkd_server_packets($1)
	corenet_dontaudit_receive_ktalkd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ktalkd_server_packets'($*)) dnl
')

########################################
## Relabel packets to the ktalkd_server packet type.
## Param 1 (domain): domain allowed access.
#
define(`corenet_relabelto_ktalkd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ktalkd_server_packets'($*)) dnl
	gen_require(`
		type ktalkd_server_packet_t;
	')

	allow $1 ktalkd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ktalkd_server_packets'($*)) dnl
')

########################################
## Send and receive TCP traffic on the ldap port.
## Grants send_msg and recv_msg on tcp_socket; it does not grant
## name_connect or name_bind (see the connect and bind interfaces).
## Param 1 (domain): domain allowed access.
#
define(`corenet_tcp_sendrecv_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ldap_port'($*)) dnl
	gen_require(`
		type ldap_port_t;
	')

	allow $1 ldap_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ldap_port'($*)) dnl
')

########################################
## Send UDP traffic on the ldap port.
## Param 1 (domain): domain allowed access.
#
define(`corenet_udp_send_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ldap_port'($*)) dnl
	gen_require(`
		type ldap_port_t;
	')

	allow $1 ldap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ldap_port'($*)) dnl
')

########################################
## Do not audit attempts to send UDP traffic on the ldap port.
## Silences the denial only; grants nothing.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_udp_send_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ldap_port'($*)) dnl
	gen_require(`
		type ldap_port_t;
	')

	dontaudit $1 ldap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ldap_port'($*)) dnl
')

########################################
## Receive UDP traffic on the ldap port.
## Param 1 (domain): domain allowed access.
#
define(`corenet_udp_receive_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ldap_port'($*)) dnl
	gen_require(`
		type ldap_port_t;
	')

	allow $1 ldap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ldap_port'($*)) dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the ldap port.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_udp_receive_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ldap_port'($*)) dnl
	gen_require(`
		type ldap_port_t;
	')

	dontaudit $1 ldap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ldap_port'($*)) dnl
')

########################################
## Send and receive UDP traffic on the ldap port.
## Composite of the udp send and receive interfaces above.
## Param 1 (domain): domain allowed access.
#
define(`corenet_udp_sendrecv_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ldap_port'($*)) dnl
	corenet_udp_send_ldap_port($1)
	corenet_udp_receive_ldap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ldap_port'($*)) dnl
')

########################################
## Do not audit attempts to send and receive UDP traffic on the ldap port.
## Composite of the two dontaudit interfaces; grants nothing.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ldap_port'($*)) dnl
	corenet_dontaudit_udp_send_ldap_port($1)
	corenet_dontaudit_udp_receive_ldap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ldap_port'($*)) dnl
')

########################################
## Bind TCP sockets to the ldap port.
## Param 1 (domain): domain allowed access.
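#
define(`corenet_tcp_bind_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ldap_port'($*)) dnl
	gen_require(`
		type ldap_port_t;
	')

	allow $1 ldap_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ldap_port'($*)) dnl
')

########################################
## Bind UDP sockets to the ldap port.
## Like the TCP variant, this also grants the net_bind_service
## capability, which binding the ldap port needs in addition to
## name_bind because it is a privileged port number.
## Param 1 (domain): domain allowed access.
#
define(`corenet_udp_bind_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ldap_port'($*)) dnl
	gen_require(`
		type ldap_port_t;
	')

	allow $1 ldap_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ldap_port'($*)) dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the ldap port.
## This interface only silences the name_bind denial and grants nothing.
## The generated version also carried an allow rule for the
## net_bind_service capability, which handed a capability to every
## caller of a dontaudit interface; that rule is dropped here.
## Callers that actually need to bind use corenet_udp_bind_ldap_port.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_udp_bind_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ldap_port'($*)) dnl
	gen_require(`
		type ldap_port_t;
	')

	dontaudit $1 ldap_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ldap_port'($*)) dnl
')

########################################
## Make a TCP connection to the ldap port.
## Param 1 (domain): domain allowed access.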
#
define(`corenet_tcp_connect_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ldap_port'($*)) dnl
	gen_require(`
		type ldap_port_t;
	')

	allow $1 ldap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ldap_port'($*)) dnl
')

########################################
## Do not audit attempts to make a TCP connection to the ldap port.
## Silences the denial only; grants nothing.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_tcp_connect_ldap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ldap_port'($*)) dnl
	gen_require(`
		type ldap_port_t;
	')

	dontaudit $1 ldap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ldap_port'($*)) dnl
')

########################################
## Send ldap_client packets.
## Param 1 (domain): domain allowed access.
#
define(`corenet_send_ldap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ldap_client_packets'($*)) dnl
	gen_require(`
		type ldap_client_packet_t;
	')

	allow $1 ldap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ldap_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send ldap_client packets.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_send_ldap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ldap_client_packets'($*)) dnl
	gen_require(`
		type ldap_client_packet_t;
	')

	dontaudit $1 ldap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ldap_client_packets'($*)) dnl
')

########################################
## Receive ldap_client packets.
## Param 1 (domain): domain allowed access.
#
define(`corenet_receive_ldap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ldap_client_packets'($*)) dnl
	gen_require(`
		type ldap_client_packet_t;
	')

	allow $1 ldap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ldap_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive ldap_client packets.
## Silences the denial only; grants nothing.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_receive_ldap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ldap_client_packets'($*)) dnl
	gen_require(`
		type ldap_client_packet_t;
	')

	dontaudit $1 ldap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ldap_client_packets'($*)) dnl
')

########################################
## Send and receive ldap_client packets.
## Param 1 (domain): domain allowed access.
#
define(`corenet_sendrecv_ldap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ldap_client_packets'($*)) dnl
	corenet_send_ldap_client_packets($1)
	corenet_receive_ldap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ldap_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive ldap_client packets.
## Composite of the two dontaudit interfaces; grants nothing.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_sendrecv_ldap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ldap_client_packets'($*)) dnl
	corenet_dontaudit_send_ldap_client_packets($1)
	corenet_dontaudit_receive_ldap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ldap_client_packets'($*)) dnl
')

########################################
## Relabel packets to the ldap_client packet type.
## Param 1 (domain): domain allowed access.
#
define(`corenet_relabelto_ldap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ldap_client_packets'($*)) dnl
	gen_require(`
		type ldap_client_packet_t;
	')

	allow $1 ldap_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ldap_client_packets'($*)) dnl
')

########################################
## Send ldap_server packets.
## Param 1 (domain): domain allowed access.
#
define(`corenet_send_ldap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ldap_server_packets'($*)) dnl
	gen_require(`
		type ldap_server_packet_t;
	')

	allow $1 ldap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ldap_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send ldap_server packets.
## Silences the denial only; grants nothing.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_send_ldap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ldap_server_packets'($*)) dnl
	gen_require(`
		type ldap_server_packet_t;
	')

	dontaudit $1 ldap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ldap_server_packets'($*)) dnl
')

########################################
## Receive ldap_server packets.
## Param 1 (domain): domain allowed access.
#
define(`corenet_receive_ldap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ldap_server_packets'($*)) dnl
	gen_require(`
		type ldap_server_packet_t;
	')

	allow $1 ldap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ldap_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive ldap_server packets.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_receive_ldap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ldap_server_packets'($*)) dnl
	gen_require(`
		type ldap_server_packet_t;
	')

	dontaudit $1 ldap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ldap_server_packets'($*)) dnl
')

########################################
## Send and receive ldap_server packets.
## Composite of the send and receive interfaces above.
## Param 1 (domain): domain allowed access.
#
define(`corenet_sendrecv_ldap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ldap_server_packets'($*)) dnl
	corenet_send_ldap_server_packets($1)
	corenet_receive_ldap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ldap_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive ldap_server packets.
## Composite of the two dontaudit interfaces; grants nothing.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_sendrecv_ldap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ldap_server_packets'($*)) dnl
	corenet_dontaudit_send_ldap_server_packets($1)
	corenet_dontaudit_receive_ldap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ldap_server_packets'($*)) dnl
')

########################################
## Relabel packets to the ldap_server packet type.
## Param 1 (domain): domain allowed access.
#
define(`corenet_relabelto_ldap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ldap_server_packets'($*)) dnl
	gen_require(`
		type ldap_server_packet_t;
	')

	allow $1 ldap_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ldap_server_packets'($*)) dnl
')

########################################
## Send and receive TCP traffic on the lirc port.
## Grants send_msg and recv_msg on tcp_socket only; connecting and
## binding have their own interfaces.
## Param 1 (domain): domain allowed access.
#
define(`corenet_tcp_sendrecv_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_lirc_port'($*)) dnl
	gen_require(`
		type lirc_port_t;
	')

	allow $1 lirc_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_lirc_port'($*)) dnl
')

########################################
## Send UDP traffic on the lirc port.
## Param 1 (domain): domain allowed access.
#
define(`corenet_udp_send_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_lirc_port'($*)) dnl
	gen_require(`
		type lirc_port_t;
	')

	allow $1 lirc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_lirc_port'($*)) dnl
')

########################################
## Do not audit attempts to send UDP traffic on the lirc port.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_udp_send_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_lirc_port'($*)) dnl
	gen_require(`
		type lirc_port_t;
	')

	dontaudit $1 lirc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_lirc_port'($*)) dnl
')

########################################
## Receive UDP traffic on the lirc port.
## Param 1 (domain): domain allowed access.
#
define(`corenet_udp_receive_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_lirc_port'($*)) dnl
	gen_require(`
		type lirc_port_t;
	')

	allow $1 lirc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_lirc_port'($*)) dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the lirc port.
## Silences the denial only; grants nothing.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_udp_receive_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_lirc_port'($*)) dnl
	gen_require(`
		type lirc_port_t;
	')

	dontaudit $1 lirc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_lirc_port'($*)) dnl
')

########################################
## Send and receive UDP traffic on the lirc port.
## Param 1 (domain): domain allowed access.
#
define(`corenet_udp_sendrecv_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_lirc_port'($*)) dnl
	corenet_udp_send_lirc_port($1)
	corenet_udp_receive_lirc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_lirc_port'($*)) dnl
')

########################################
## Do not audit attempts to send and receive UDP traffic on the lirc port.
## Composite of the two dontaudit interfaces; grants nothing.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_lirc_port'($*)) dnl
	corenet_dontaudit_udp_send_lirc_port($1)
	corenet_dontaudit_udp_receive_lirc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_lirc_port'($*)) dnl
')

########################################
## Bind TCP sockets to the lirc port.
## Grants name_bind only; unlike the ldap bind interfaces no
## net_bind_service capability is granted here.
## Param 1 (domain): domain allowed access.
#
define(`corenet_tcp_bind_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_lirc_port'($*)) dnl
	gen_require(`
		type lirc_port_t;
	')

	allow $1 lirc_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_lirc_port'($*)) dnl
')

########################################
## Bind UDP sockets to the lirc port.
## Param 1 (domain): domain allowed access.
#
define(`corenet_udp_bind_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_lirc_port'($*)) dnl
	gen_require(`
		type lirc_port_t;
	')

	allow $1 lirc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_lirc_port'($*)) dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the lirc port.
## Silences the name_bind denial only; grants nothing.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_udp_bind_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_lirc_port'($*)) dnl
	gen_require(`
		type lirc_port_t;
	')

	dontaudit $1 lirc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_lirc_port'($*)) dnl
')

########################################
## Make a TCP connection to the lirc port.
## Param 1 (domain): domain allowed access.
#
define(`corenet_tcp_connect_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_lirc_port'($*)) dnl
	gen_require(`
		type lirc_port_t;
	')

	allow $1 lirc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_lirc_port'($*)) dnl
')

########################################
## Do not audit attempts to make a TCP connection to the lirc port.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_tcp_connect_lirc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_lirc_port'($*)) dnl
	gen_require(`
		type lirc_port_t;
	')

	dontaudit $1 lirc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_lirc_port'($*)) dnl
')

########################################
## Send lirc_client packets.
## Param 1 (domain): domain allowed access.
#
define(`corenet_send_lirc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_lirc_client_packets'($*)) dnl
	gen_require(`
		type lirc_client_packet_t;
	')

	allow $1 lirc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_lirc_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send lirc_client packets.
## Silences the denial only; grants nothing.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_send_lirc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lirc_client_packets'($*)) dnl
	gen_require(`
		type lirc_client_packet_t;
	')

	dontaudit $1 lirc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lirc_client_packets'($*)) dnl
')

########################################
## Receive lirc_client packets.
## Param 1 (domain): domain allowed access.
#
define(`corenet_receive_lirc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_lirc_client_packets'($*)) dnl
	gen_require(`
		type lirc_client_packet_t;
	')

	allow $1 lirc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_lirc_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive lirc_client packets.
## Silences the denial only; grants nothing.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_receive_lirc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lirc_client_packets'($*)) dnl
	gen_require(`
		type lirc_client_packet_t;
	')

	dontaudit $1 lirc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lirc_client_packets'($*)) dnl
')

########################################
## Send and receive lirc_client packets.
## Composite of the send and receive interfaces above.
## Param 1 (domain): domain allowed access.
#
define(`corenet_sendrecv_lirc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lirc_client_packets'($*)) dnl
	corenet_send_lirc_client_packets($1)
	corenet_receive_lirc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lirc_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive lirc_client packets.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_sendrecv_lirc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lirc_client_packets'($*)) dnl
	corenet_dontaudit_send_lirc_client_packets($1)
	corenet_dontaudit_receive_lirc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lirc_client_packets'($*)) dnl
')

########################################
## Relabel packets to the lirc_client packet type.
## Param 1 (domain): domain allowed access.
#
define(`corenet_relabelto_lirc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lirc_client_packets'($*)) dnl
	gen_require(`
		type lirc_client_packet_t;
	')

	allow $1 lirc_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_lirc_client_packets'($*)) dnl
')

########################################
## Send lirc_server packets.
## Param 1 (domain): domain allowed access.
#
define(`corenet_send_lirc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_lirc_server_packets'($*)) dnl
	gen_require(`
		type lirc_server_packet_t;
	')

	allow $1 lirc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_lirc_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send lirc_server packets.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_send_lirc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lirc_server_packets'($*)) dnl
	gen_require(`
		type lirc_server_packet_t;
	')

	dontaudit $1 lirc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lirc_server_packets'($*)) dnl
')

########################################
## Receive lirc_server packets.
## Param 1 (domain): domain allowed access.
#
define(`corenet_receive_lirc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_lirc_server_packets'($*)) dnl
	gen_require(`
		type lirc_server_packet_t;
	')

	allow $1 lirc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_lirc_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive lirc_server packets.
## Silences the denial only; grants nothing.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_receive_lirc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lirc_server_packets'($*)) dnl
	gen_require(`
		type lirc_server_packet_t;
	')

	dontaudit $1 lirc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lirc_server_packets'($*)) dnl
')

########################################
## Send and receive lirc_server packets.
## Param 1 (domain): domain allowed access.
#
define(`corenet_sendrecv_lirc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lirc_server_packets'($*)) dnl
	corenet_send_lirc_server_packets($1)
	corenet_receive_lirc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lirc_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive lirc_server packets.
## Composite of the two dontaudit interfaces; grants nothing.
## Param 1 (domain): domain to not audit.
#
define(`corenet_dontaudit_sendrecv_lirc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lirc_server_packets'($*)) dnl
	corenet_dontaudit_send_lirc_server_packets($1)
	corenet_dontaudit_receive_lirc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lirc_server_packets'($*)) dnl
')

########################################
## Relabel packets to the lirc_server packet type.
## Param 1 (domain): domain allowed access.
#
define(`corenet_relabelto_lirc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lirc_server_packets'($*)) dnl
	gen_require(`
		type lirc_server_packet_t;
	')

	allow $1 lirc_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_lirc_server_packets'($*)) dnl
')

########################################
## Send and receive TCP traffic on the luci port.
## Param 1 (domain): domain allowed access.
## ## ## # define(`corenet_tcp_sendrecv_luci_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_luci_port'($*)) dnl gen_require(` type luci_port_t; ') allow $1 luci_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_luci_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the luci port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_luci_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_luci_port'($*)) dnl gen_require(` type luci_port_t; ') allow $1 luci_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_luci_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the luci port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_luci_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_luci_port'($*)) dnl gen_require(` type luci_port_t; ') dontaudit $1 luci_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_luci_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the luci port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_receive_luci_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_luci_port'($*)) dnl gen_require(` type luci_port_t; ') allow $1 luci_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_luci_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the luci port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_luci_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_luci_port'($*)) dnl gen_require(` type luci_port_t; ') dontaudit $1 luci_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_luci_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the luci port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_luci_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_luci_port'($*)) dnl corenet_udp_send_luci_port($1) corenet_udp_receive_luci_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_luci_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the luci port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_sendrecv_luci_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_luci_port'($*)) dnl corenet_dontaudit_udp_send_luci_port($1) corenet_dontaudit_udp_receive_luci_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_luci_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the luci port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_luci_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_luci_port'($*)) dnl gen_require(` type luci_port_t; ') allow $1 luci_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_luci_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the luci port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_luci_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_luci_port'($*)) dnl gen_require(` type luci_port_t; ') allow $1 luci_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_luci_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind to the luci port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_bind_luci_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_luci_port'($*)) dnl gen_require(` type luci_port_t; ') dontaudit $1 luci_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_luci_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the luci port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_luci_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_luci_port'($*)) dnl gen_require(` type luci_port_t; ') allow $1 luci_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_luci_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to luci port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_dontaudit_tcp_connect_luci_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_luci_port'($*)) dnl gen_require(` type luci_port_t; ') dontaudit $1 luci_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_luci_port'($*)) dnl ') ######################################## ## ## Send luci_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_luci_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_luci_client_packets'($*)) dnl gen_require(` type luci_client_packet_t; ') allow $1 luci_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_luci_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send luci_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_luci_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_luci_client_packets'($*)) dnl gen_require(` type luci_client_packet_t; ') dontaudit $1 luci_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_luci_client_packets'($*)) dnl ') ######################################## ## ## Receive luci_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_luci_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_luci_client_packets'($*)) dnl gen_require(` type luci_client_packet_t; ') allow $1 luci_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_luci_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive luci_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_luci_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_luci_client_packets'($*)) dnl gen_require(` type luci_client_packet_t; ') dontaudit $1 luci_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_luci_client_packets'($*)) dnl ') ######################################## ## ## Send and receive luci_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_luci_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_luci_client_packets'($*)) dnl corenet_send_luci_client_packets($1) corenet_receive_luci_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_luci_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive luci_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_luci_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_luci_client_packets'($*)) dnl corenet_dontaudit_send_luci_client_packets($1) corenet_dontaudit_receive_luci_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_luci_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to luci_client the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_luci_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_luci_client_packets'($*)) dnl gen_require(` type luci_client_packet_t; ') allow $1 luci_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_luci_client_packets'($*)) dnl ') ######################################## ## ## Send luci_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_luci_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_luci_server_packets'($*)) dnl gen_require(` type luci_server_packet_t; ') allow $1 luci_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_luci_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send luci_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_luci_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_luci_server_packets'($*)) dnl gen_require(` type luci_server_packet_t; ') dontaudit $1 luci_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_luci_server_packets'($*)) dnl ') ######################################## ## ## Receive luci_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_luci_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_luci_server_packets'($*)) dnl gen_require(` type luci_server_packet_t; ') allow $1 luci_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_luci_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive luci_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_luci_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_luci_server_packets'($*)) dnl gen_require(` type luci_server_packet_t; ') dontaudit $1 luci_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_luci_server_packets'($*)) dnl ') ######################################## ## ## Send and receive luci_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_luci_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_luci_server_packets'($*)) dnl corenet_send_luci_server_packets($1) corenet_receive_luci_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_luci_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive luci_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_luci_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_luci_server_packets'($*)) dnl corenet_dontaudit_send_luci_server_packets($1) corenet_dontaudit_receive_luci_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_luci_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to luci_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_luci_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_luci_server_packets'($*)) dnl gen_require(` type luci_server_packet_t; ') allow $1 luci_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_luci_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the lmtp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_lmtp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_lmtp_port'($*)) dnl gen_require(` type lmtp_port_t; ') allow $1 lmtp_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_lmtp_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the lmtp port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_send_lmtp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_lmtp_port'($*)) dnl gen_require(` type lmtp_port_t; ') allow $1 lmtp_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_lmtp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the lmtp port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_lmtp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_lmtp_port'($*)) dnl gen_require(` type lmtp_port_t; ') dontaudit $1 lmtp_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_lmtp_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the lmtp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_lmtp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_lmtp_port'($*)) dnl gen_require(` type lmtp_port_t; ') allow $1 lmtp_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_lmtp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the lmtp port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_receive_lmtp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_lmtp_port'($*)) dnl gen_require(` type lmtp_port_t; ') dontaudit $1 lmtp_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_lmtp_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the lmtp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_lmtp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_lmtp_port'($*)) dnl corenet_udp_send_lmtp_port($1) corenet_udp_receive_lmtp_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_lmtp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the lmtp port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_lmtp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_lmtp_port'($*)) dnl corenet_dontaudit_udp_send_lmtp_port($1) corenet_dontaudit_udp_receive_lmtp_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_lmtp_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the lmtp port. ## ## ## ## Domain allowed access. 
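##
##
##
#
define(`corenet_tcp_bind_lmtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_lmtp_port'($*)) dnl
	gen_require(`
		type lmtp_port_t;
	')

	# Binding this port is paired with the net_bind_service capability
	# (same pattern as the UDP bind interface below).
	allow $1 lmtp_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_lmtp_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the lmtp port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_lmtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_lmtp_port'($*)) dnl
	gen_require(`
		type lmtp_port_t;
	')

	allow $1 lmtp_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_lmtp_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind to the lmtp port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_lmtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_lmtp_port'($*)) dnl
	gen_require(`
		type lmtp_port_t;
	')

	# A dontaudit interface must only suppress denial messages; it must not
	# grant anything. The net_bind_service allow carried by the two bind
	# interfaces above is therefore not repeated here: a caller that only
	# wants the bind denial silenced must not silently gain a capability.
	dontaudit $1 lmtp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_lmtp_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the lmtp port.
##
##
##
##	Domain allowed access.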
## ## # define(`corenet_tcp_connect_lmtp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_lmtp_port'($*)) dnl gen_require(` type lmtp_port_t; ') allow $1 lmtp_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_lmtp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to lmtp port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_dontaudit_tcp_connect_lmtp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_lmtp_port'($*)) dnl gen_require(` type lmtp_port_t; ') dontaudit $1 lmtp_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_lmtp_port'($*)) dnl ') ######################################## ## ## Send lmtp_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_lmtp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_lmtp_client_packets'($*)) dnl gen_require(` type lmtp_client_packet_t; ') allow $1 lmtp_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_lmtp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send lmtp_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_lmtp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lmtp_client_packets'($*)) dnl gen_require(` type lmtp_client_packet_t; ') dontaudit $1 lmtp_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lmtp_client_packets'($*)) dnl ') ######################################## ## ## Receive lmtp_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_lmtp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_lmtp_client_packets'($*)) dnl gen_require(` type lmtp_client_packet_t; ') allow $1 lmtp_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_lmtp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive lmtp_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_lmtp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lmtp_client_packets'($*)) dnl gen_require(` type lmtp_client_packet_t; ') dontaudit $1 lmtp_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lmtp_client_packets'($*)) dnl ') ######################################## ## ## Send and receive lmtp_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_lmtp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lmtp_client_packets'($*)) dnl corenet_send_lmtp_client_packets($1) corenet_receive_lmtp_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lmtp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive lmtp_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_lmtp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lmtp_client_packets'($*)) dnl corenet_dontaudit_send_lmtp_client_packets($1) corenet_dontaudit_receive_lmtp_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lmtp_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to lmtp_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_lmtp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lmtp_client_packets'($*)) dnl gen_require(` type lmtp_client_packet_t; ') allow $1 lmtp_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_lmtp_client_packets'($*)) dnl ') ######################################## ## ## Send lmtp_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_lmtp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_lmtp_server_packets'($*)) dnl gen_require(` type lmtp_server_packet_t; ') allow $1 lmtp_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_lmtp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send lmtp_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_lmtp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lmtp_server_packets'($*)) dnl gen_require(` type lmtp_server_packet_t; ') dontaudit $1 lmtp_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lmtp_server_packets'($*)) dnl ') ######################################## ## ## Receive lmtp_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_lmtp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_lmtp_server_packets'($*)) dnl gen_require(` type lmtp_server_packet_t; ') allow $1 lmtp_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_lmtp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive lmtp_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_lmtp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lmtp_server_packets'($*)) dnl gen_require(` type lmtp_server_packet_t; ') dontaudit $1 lmtp_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lmtp_server_packets'($*)) dnl ') ######################################## ## ## Send and receive lmtp_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_lmtp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lmtp_server_packets'($*)) dnl corenet_send_lmtp_server_packets($1) corenet_receive_lmtp_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lmtp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive lmtp_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_lmtp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lmtp_server_packets'($*)) dnl corenet_dontaudit_send_lmtp_server_packets($1) corenet_dontaudit_receive_lmtp_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lmtp_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to lmtp_server the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_lmtp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lmtp_server_packets'($*)) dnl gen_require(` type lmtp_server_packet_t; ') allow $1 lmtp_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_lmtp_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the lrrd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_lrrd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_lrrd_port'($*)) dnl gen_require(` type lrrd_port_t; ') allow $1 lrrd_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_lrrd_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the lrrd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_lrrd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_lrrd_port'($*)) dnl gen_require(` type lrrd_port_t; ') allow $1 lrrd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_lrrd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the lrrd port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_send_lrrd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_lrrd_port'($*)) dnl gen_require(` type lrrd_port_t; ') dontaudit $1 lrrd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_lrrd_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the lrrd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_lrrd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_lrrd_port'($*)) dnl gen_require(` type lrrd_port_t; ') allow $1 lrrd_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_lrrd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the lrrd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_lrrd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_lrrd_port'($*)) dnl gen_require(` type lrrd_port_t; ') dontaudit $1 lrrd_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_lrrd_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the lrrd port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_sendrecv_lrrd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_lrrd_port'($*)) dnl corenet_udp_send_lrrd_port($1) corenet_udp_receive_lrrd_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_lrrd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the lrrd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_lrrd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_lrrd_port'($*)) dnl corenet_dontaudit_udp_send_lrrd_port($1) corenet_dontaudit_udp_receive_lrrd_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_lrrd_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the lrrd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_lrrd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_lrrd_port'($*)) dnl gen_require(` type lrrd_port_t; ') allow $1 lrrd_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_lrrd_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the lrrd port. ## ## ## ## Domain allowed access. 
##	</summary>
## </param>
#
dnl NOTE(review): pushdef/popdef keep policy_call_depth equal to the interface nesting depth; policy_m4_comment (defined elsewhere) presumably emits begin/end markers into the expanded output.
define(`corenet_udp_bind_lrrd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_lrrd_port'($*)) dnl
	gen_require(`
		type lrrd_port_t;
	')

	allow $1 lrrd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_lrrd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the lrrd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_lrrd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_lrrd_port'($*)) dnl
	gen_require(`
		type lrrd_port_t;
	')

	dontaudit $1 lrrd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_lrrd_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the lrrd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_lrrd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_lrrd_port'($*)) dnl
	gen_require(`
		type lrrd_port_t;
	')

	allow $1 lrrd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_lrrd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the lrrd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
dnl NOTE(review): pushdef/popdef keep policy_call_depth equal to the interface nesting depth; policy_m4_comment (defined elsewhere) presumably emits begin/end markers into the expanded output.
define(`corenet_dontaudit_tcp_connect_lrrd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_lrrd_port'($*)) dnl
	gen_require(`
		type lrrd_port_t;
	')

	dontaudit $1 lrrd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_lrrd_port'($*)) dnl
')

########################################
## <summary>
##	Send lrrd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_lrrd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_lrrd_client_packets'($*)) dnl
	gen_require(`
		type lrrd_client_packet_t;
	')

	allow $1 lrrd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_lrrd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send lrrd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_lrrd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lrrd_client_packets'($*)) dnl
	gen_require(`
		type lrrd_client_packet_t;
	')

	dontaudit $1 lrrd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lrrd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive lrrd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
dnl NOTE(review): pushdef/popdef keep policy_call_depth equal to the interface nesting depth; policy_m4_comment (defined elsewhere) presumably emits begin/end markers into the expanded output.
define(`corenet_receive_lrrd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_lrrd_client_packets'($*)) dnl
	gen_require(`
		type lrrd_client_packet_t;
	')

	allow $1 lrrd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_lrrd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive lrrd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_lrrd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lrrd_client_packets'($*)) dnl
	gen_require(`
		type lrrd_client_packet_t;
	')

	dontaudit $1 lrrd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lrrd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive lrrd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_lrrd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lrrd_client_packets'($*)) dnl
	corenet_send_lrrd_client_packets($1)
	corenet_receive_lrrd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lrrd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive lrrd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
dnl NOTE(review): pushdef/popdef keep policy_call_depth equal to the interface nesting depth; policy_m4_comment (defined elsewhere) presumably emits begin/end markers into the expanded output.
define(`corenet_dontaudit_sendrecv_lrrd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lrrd_client_packets'($*)) dnl
	corenet_dontaudit_send_lrrd_client_packets($1)
	corenet_dontaudit_receive_lrrd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lrrd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the lrrd_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_lrrd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lrrd_client_packets'($*)) dnl
	gen_require(`
		type lrrd_client_packet_t;
	')

	allow $1 lrrd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_lrrd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send lrrd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_lrrd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_lrrd_server_packets'($*)) dnl
	gen_require(`
		type lrrd_server_packet_t;
	')

	allow $1 lrrd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_lrrd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send lrrd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
dnl NOTE(review): pushdef/popdef keep policy_call_depth equal to the interface nesting depth; policy_m4_comment (defined elsewhere) presumably emits begin/end markers into the expanded output.
define(`corenet_dontaudit_send_lrrd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lrrd_server_packets'($*)) dnl
	gen_require(`
		type lrrd_server_packet_t;
	')

	dontaudit $1 lrrd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lrrd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive lrrd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_lrrd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_lrrd_server_packets'($*)) dnl
	gen_require(`
		type lrrd_server_packet_t;
	')

	allow $1 lrrd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_lrrd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive lrrd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_lrrd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lrrd_server_packets'($*)) dnl
	gen_require(`
		type lrrd_server_packet_t;
	')

	dontaudit $1 lrrd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lrrd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive lrrd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
dnl NOTE(review): pushdef/popdef keep policy_call_depth equal to the interface nesting depth; policy_m4_comment (defined elsewhere) presumably emits begin/end markers into the expanded output.
define(`corenet_sendrecv_lrrd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lrrd_server_packets'($*)) dnl
	corenet_send_lrrd_server_packets($1)
	corenet_receive_lrrd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lrrd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive lrrd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_lrrd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lrrd_server_packets'($*)) dnl
	corenet_dontaudit_send_lrrd_server_packets($1)
	corenet_dontaudit_receive_lrrd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lrrd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the lrrd_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_lrrd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lrrd_server_packets'($*)) dnl
	gen_require(`
		type lrrd_server_packet_t;
	')

	allow $1 lrrd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_lrrd_server_packets'($*)) dnl
')

# no defined portcon
dnl NOTE(review): the comment above says no port number is labelled lsm_plugin_port_t; if that is still true, the lsm_plugin interfaces that follow grant or silence access to a port type that no actual port carries until a portcon is declared (verify against the port declarations).

########################################
## <summary>
##	Send and receive TCP traffic on the lsm_plugin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
dnl NOTE(review): pushdef/popdef keep policy_call_depth equal to the interface nesting depth; policy_m4_comment (defined elsewhere) presumably emits begin/end markers into the expanded output.
define(`corenet_tcp_sendrecv_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_lsm_plugin_port'($*)) dnl
	gen_require(`
		type lsm_plugin_port_t;
	')

	allow $1 lsm_plugin_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_lsm_plugin_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the lsm_plugin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_lsm_plugin_port'($*)) dnl
	gen_require(`
		type lsm_plugin_port_t;
	')

	allow $1 lsm_plugin_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_lsm_plugin_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the lsm_plugin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_lsm_plugin_port'($*)) dnl
	gen_require(`
		type lsm_plugin_port_t;
	')

	dontaudit $1 lsm_plugin_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_lsm_plugin_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the lsm_plugin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
dnl NOTE(review): pushdef/popdef keep policy_call_depth equal to the interface nesting depth; policy_m4_comment (defined elsewhere) presumably emits begin/end markers into the expanded output.
define(`corenet_udp_receive_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_lsm_plugin_port'($*)) dnl
	gen_require(`
		type lsm_plugin_port_t;
	')

	allow $1 lsm_plugin_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_lsm_plugin_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the lsm_plugin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_lsm_plugin_port'($*)) dnl
	gen_require(`
		type lsm_plugin_port_t;
	')

	dontaudit $1 lsm_plugin_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_lsm_plugin_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the lsm_plugin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_lsm_plugin_port'($*)) dnl
	corenet_udp_send_lsm_plugin_port($1)
	corenet_udp_receive_lsm_plugin_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_lsm_plugin_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the lsm_plugin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
dnl NOTE(review): pushdef/popdef keep policy_call_depth equal to the interface nesting depth; policy_m4_comment (defined elsewhere) presumably emits begin/end markers into the expanded output.
define(`corenet_dontaudit_udp_sendrecv_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_lsm_plugin_port'($*)) dnl
	corenet_dontaudit_udp_send_lsm_plugin_port($1)
	corenet_dontaudit_udp_receive_lsm_plugin_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_lsm_plugin_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the lsm_plugin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_lsm_plugin_port'($*)) dnl
	gen_require(`
		type lsm_plugin_port_t;
	')

	allow $1 lsm_plugin_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_lsm_plugin_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the lsm_plugin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_lsm_plugin_port'($*)) dnl
	gen_require(`
		type lsm_plugin_port_t;
	')

	allow $1 lsm_plugin_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_lsm_plugin_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the lsm_plugin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
dnl NOTE(review): pushdef/popdef keep policy_call_depth equal to the interface nesting depth; policy_m4_comment (defined elsewhere) presumably emits begin/end markers into the expanded output.
define(`corenet_dontaudit_udp_bind_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_lsm_plugin_port'($*)) dnl
	gen_require(`
		type lsm_plugin_port_t;
	')

	dontaudit $1 lsm_plugin_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_lsm_plugin_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the lsm_plugin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_lsm_plugin_port'($*)) dnl
	gen_require(`
		type lsm_plugin_port_t;
	')

	allow $1 lsm_plugin_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_lsm_plugin_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the lsm_plugin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_lsm_plugin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_lsm_plugin_port'($*)) dnl
	gen_require(`
		type lsm_plugin_port_t;
	')

	dontaudit $1 lsm_plugin_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_lsm_plugin_port'($*)) dnl
')

########################################
## <summary>
##	Send lsm_plugin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
dnl NOTE(review): pushdef/popdef keep policy_call_depth equal to the interface nesting depth; policy_m4_comment (defined elsewhere) presumably emits begin/end markers into the expanded output.
define(`corenet_send_lsm_plugin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_lsm_plugin_client_packets'($*)) dnl
	gen_require(`
		type lsm_plugin_client_packet_t;
	')

	allow $1 lsm_plugin_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_lsm_plugin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send lsm_plugin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_lsm_plugin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lsm_plugin_client_packets'($*)) dnl
	gen_require(`
		type lsm_plugin_client_packet_t;
	')

	dontaudit $1 lsm_plugin_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lsm_plugin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive lsm_plugin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_lsm_plugin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_lsm_plugin_client_packets'($*)) dnl
	gen_require(`
		type lsm_plugin_client_packet_t;
	')

	allow $1 lsm_plugin_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_lsm_plugin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive lsm_plugin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
dnl NOTE(review): pushdef/popdef keep policy_call_depth equal to the interface nesting depth; policy_m4_comment (defined elsewhere) presumably emits begin/end markers into the expanded output.
define(`corenet_dontaudit_receive_lsm_plugin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lsm_plugin_client_packets'($*)) dnl
	gen_require(`
		type lsm_plugin_client_packet_t;
	')

	dontaudit $1 lsm_plugin_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lsm_plugin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive lsm_plugin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_lsm_plugin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lsm_plugin_client_packets'($*)) dnl
	corenet_send_lsm_plugin_client_packets($1)
	corenet_receive_lsm_plugin_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lsm_plugin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive lsm_plugin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_lsm_plugin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lsm_plugin_client_packets'($*)) dnl
	corenet_dontaudit_send_lsm_plugin_client_packets($1)
	corenet_dontaudit_receive_lsm_plugin_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lsm_plugin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the lsm_plugin_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
dnl NOTE(review): pushdef/popdef keep policy_call_depth equal to the interface nesting depth; policy_m4_comment (defined elsewhere) presumably emits begin/end markers into the expanded output.
define(`corenet_relabelto_lsm_plugin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lsm_plugin_client_packets'($*)) dnl
	gen_require(`
		type lsm_plugin_client_packet_t;
	')

	allow $1 lsm_plugin_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_lsm_plugin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send lsm_plugin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_lsm_plugin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_lsm_plugin_server_packets'($*)) dnl
	gen_require(`
		type lsm_plugin_server_packet_t;
	')

	allow $1 lsm_plugin_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_lsm_plugin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send lsm_plugin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_lsm_plugin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_lsm_plugin_server_packets'($*)) dnl
	gen_require(`
		type lsm_plugin_server_packet_t;
	')

	dontaudit $1 lsm_plugin_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_lsm_plugin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive lsm_plugin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
dnl NOTE(review): pushdef/popdef keep policy_call_depth equal to the interface nesting depth; policy_m4_comment (defined elsewhere) presumably emits begin/end markers into the expanded output.
define(`corenet_receive_lsm_plugin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_lsm_plugin_server_packets'($*)) dnl
	gen_require(`
		type lsm_plugin_server_packet_t;
	')

	allow $1 lsm_plugin_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_lsm_plugin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive lsm_plugin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_lsm_plugin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_lsm_plugin_server_packets'($*)) dnl
	gen_require(`
		type lsm_plugin_server_packet_t;
	')

	dontaudit $1 lsm_plugin_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_lsm_plugin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive lsm_plugin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_lsm_plugin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_lsm_plugin_server_packets'($*)) dnl
	corenet_send_lsm_plugin_server_packets($1)
	corenet_receive_lsm_plugin_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_lsm_plugin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive lsm_plugin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
dnl NOTE(review): pushdef/popdef keep policy_call_depth equal to the interface nesting depth; policy_m4_comment (defined elsewhere) presumably emits begin/end markers into the expanded output.
define(`corenet_dontaudit_sendrecv_lsm_plugin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_lsm_plugin_server_packets'($*)) dnl
	corenet_dontaudit_send_lsm_plugin_server_packets($1)
	corenet_dontaudit_receive_lsm_plugin_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_lsm_plugin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the lsm_plugin_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_lsm_plugin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_lsm_plugin_server_packets'($*)) dnl
	gen_require(`
		type lsm_plugin_server_packet_t;
	')

	allow $1 lsm_plugin_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_lsm_plugin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the l2tp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_l2tp_port'($*)) dnl
	gen_require(`
		type l2tp_port_t;
	')

	allow $1 l2tp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_l2tp_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the l2tp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
dnl NOTE(review): pushdef/popdef keep policy_call_depth equal to the interface nesting depth; policy_m4_comment (defined elsewhere) presumably emits begin/end markers into the expanded output.
define(`corenet_udp_send_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_l2tp_port'($*)) dnl
	gen_require(`
		type l2tp_port_t;
	')

	allow $1 l2tp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_l2tp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the l2tp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_l2tp_port'($*)) dnl
	gen_require(`
		type l2tp_port_t;
	')

	dontaudit $1 l2tp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_l2tp_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the l2tp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_l2tp_port'($*)) dnl
	gen_require(`
		type l2tp_port_t;
	')

	allow $1 l2tp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_l2tp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the l2tp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
dnl NOTE(review): pushdef/popdef keep policy_call_depth equal to the interface nesting depth; policy_m4_comment (defined elsewhere) presumably emits begin/end markers into the expanded output.
define(`corenet_dontaudit_udp_receive_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_l2tp_port'($*)) dnl
	gen_require(`
		type l2tp_port_t;
	')

	dontaudit $1 l2tp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_l2tp_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the l2tp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_l2tp_port'($*)) dnl
	corenet_udp_send_l2tp_port($1)
	corenet_udp_receive_l2tp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_l2tp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the l2tp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_l2tp_port'($*)) dnl
	corenet_dontaudit_udp_send_l2tp_port($1)
	corenet_dontaudit_udp_receive_l2tp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_l2tp_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the l2tp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
dnl NOTE(review): pushdef/popdef keep policy_call_depth equal to the interface nesting depth; policy_m4_comment (defined elsewhere) presumably emits begin/end markers into the expanded output.
define(`corenet_tcp_bind_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_l2tp_port'($*)) dnl
	gen_require(`
		type l2tp_port_t;
	')

	allow $1 l2tp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_l2tp_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the l2tp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_l2tp_port'($*)) dnl
	gen_require(`
		type l2tp_port_t;
	')

	allow $1 l2tp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_l2tp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the l2tp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_l2tp_port'($*)) dnl
	gen_require(`
		type l2tp_port_t;
	')

	dontaudit $1 l2tp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_l2tp_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the l2tp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
dnl NOTE(review): pushdef/popdef keep policy_call_depth equal to the interface nesting depth; policy_m4_comment (defined elsewhere) presumably emits begin/end markers into the expanded output.
define(`corenet_tcp_connect_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_l2tp_port'($*)) dnl
	gen_require(`
		type l2tp_port_t;
	')

	allow $1 l2tp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_l2tp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the l2tp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_l2tp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_l2tp_port'($*)) dnl
	gen_require(`
		type l2tp_port_t;
	')

	dontaudit $1 l2tp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_l2tp_port'($*)) dnl
')

########################################
## <summary>
##	Send l2tp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_l2tp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_l2tp_client_packets'($*)) dnl
	gen_require(`
		type l2tp_client_packet_t;
	')

	allow $1 l2tp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_l2tp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send l2tp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
dnl NOTE(review): pushdef/popdef keep policy_call_depth equal to the interface nesting depth; policy_m4_comment (defined elsewhere) presumably emits begin/end markers into the expanded output.
define(`corenet_dontaudit_send_l2tp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_l2tp_client_packets'($*)) dnl
	gen_require(`
		type l2tp_client_packet_t;
	')

	dontaudit $1 l2tp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_l2tp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive l2tp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_l2tp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_l2tp_client_packets'($*)) dnl
	gen_require(`
		type l2tp_client_packet_t;
	')

	allow $1 l2tp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_l2tp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive l2tp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_l2tp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_l2tp_client_packets'($*)) dnl
	gen_require(`
		type l2tp_client_packet_t;
	')

	dontaudit $1 l2tp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_l2tp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive l2tp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## ## # define(`corenet_sendrecv_l2tp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_l2tp_client_packets'($*)) dnl corenet_send_l2tp_client_packets($1) corenet_receive_l2tp_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_l2tp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive l2tp_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_l2tp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_l2tp_client_packets'($*)) dnl corenet_dontaudit_send_l2tp_client_packets($1) corenet_dontaudit_receive_l2tp_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_l2tp_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the l2tp_client packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_l2tp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_l2tp_client_packets'($*)) dnl gen_require(` type l2tp_client_packet_t; ') allow $1 l2tp_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_l2tp_client_packets'($*)) dnl ') ######################################## ## ## Send l2tp_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_l2tp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_l2tp_server_packets'($*)) dnl gen_require(` type l2tp_server_packet_t; ') allow $1 l2tp_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_l2tp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send l2tp_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_l2tp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_l2tp_server_packets'($*)) dnl gen_require(` type l2tp_server_packet_t; ') dontaudit $1 l2tp_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_l2tp_server_packets'($*)) dnl ') ######################################## ## ## Receive l2tp_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_l2tp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_l2tp_server_packets'($*)) dnl gen_require(` type l2tp_server_packet_t; ') allow $1 l2tp_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_l2tp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive l2tp_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_receive_l2tp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_l2tp_server_packets'($*)) dnl gen_require(` type l2tp_server_packet_t; ') dontaudit $1 l2tp_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_l2tp_server_packets'($*)) dnl ') ######################################## ## ## Send and receive l2tp_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_l2tp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_l2tp_server_packets'($*)) dnl corenet_send_l2tp_server_packets($1) corenet_receive_l2tp_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_l2tp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive l2tp_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_l2tp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_l2tp_server_packets'($*)) dnl corenet_dontaudit_send_l2tp_server_packets($1) corenet_dontaudit_receive_l2tp_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_l2tp_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the l2tp_server packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_l2tp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_l2tp_server_packets'($*)) dnl gen_require(` type l2tp_server_packet_t; ') allow $1 l2tp_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_l2tp_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the mail port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_mail_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mail_port'($*)) dnl gen_require(` type mail_port_t; ') allow $1 mail_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mail_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the mail port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_mail_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mail_port'($*)) dnl gen_require(` type mail_port_t; ') allow $1 mail_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_mail_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the mail port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_send_mail_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mail_port'($*)) dnl gen_require(` type mail_port_t; ') dontaudit $1 mail_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mail_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the mail port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_mail_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mail_port'($*)) dnl gen_require(` type mail_port_t; ') allow $1 mail_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mail_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the mail port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_mail_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mail_port'($*)) dnl gen_require(` type mail_port_t; ') dontaudit $1 mail_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mail_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the mail port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_sendrecv_mail_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mail_port'($*)) dnl corenet_udp_send_mail_port($1) corenet_udp_receive_mail_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mail_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the mail port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_mail_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mail_port'($*)) dnl corenet_dontaudit_udp_send_mail_port($1) corenet_dontaudit_udp_receive_mail_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mail_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the mail port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_mail_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mail_port'($*)) dnl gen_require(` type mail_port_t; ') allow $1 mail_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mail_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the mail port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_bind_mail_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mail_port'($*)) dnl gen_require(` type mail_port_t; ') allow $1 mail_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mail_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind UDP sockets to the mail port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_bind_mail_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mail_port'($*)) dnl gen_require(` type mail_port_t; ') dontaudit $1 mail_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mail_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the mail port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_mail_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mail_port'($*)) dnl gen_require(` type mail_port_t; ') allow $1 mail_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mail_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the mail port. ## ## ## ## Domain to not audit. 
## ## # define(`corenet_dontaudit_tcp_connect_mail_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mail_port'($*)) dnl gen_require(` type mail_port_t; ') dontaudit $1 mail_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mail_port'($*)) dnl ') ######################################## ## ## Send mail_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_mail_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_mail_client_packets'($*)) dnl gen_require(` type mail_client_packet_t; ') allow $1 mail_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_mail_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send mail_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_mail_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mail_client_packets'($*)) dnl gen_require(` type mail_client_packet_t; ') dontaudit $1 mail_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mail_client_packets'($*)) dnl ') ######################################## ## ## Receive mail_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_mail_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_mail_client_packets'($*)) dnl gen_require(` type mail_client_packet_t; ') allow $1 mail_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_mail_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive mail_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_mail_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mail_client_packets'($*)) dnl gen_require(` type mail_client_packet_t; ') dontaudit $1 mail_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mail_client_packets'($*)) dnl ') ######################################## ## ## Send and receive mail_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_mail_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mail_client_packets'($*)) dnl corenet_send_mail_client_packets($1) corenet_receive_mail_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mail_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive mail_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_mail_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mail_client_packets'($*)) dnl corenet_dontaudit_send_mail_client_packets($1) corenet_dontaudit_receive_mail_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mail_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the mail_client packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_mail_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mail_client_packets'($*)) dnl gen_require(` type mail_client_packet_t; ') allow $1 mail_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_mail_client_packets'($*)) dnl ') ######################################## ## ## Send mail_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_mail_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_mail_server_packets'($*)) dnl gen_require(` type mail_server_packet_t; ') allow $1 mail_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_mail_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send mail_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_mail_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mail_server_packets'($*)) dnl gen_require(` type mail_server_packet_t; ') dontaudit $1 mail_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mail_server_packets'($*)) dnl ') ######################################## ## ## Receive mail_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_mail_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_mail_server_packets'($*)) dnl gen_require(` type mail_server_packet_t; ') allow $1 mail_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_mail_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive mail_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_mail_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mail_server_packets'($*)) dnl gen_require(` type mail_server_packet_t; ') dontaudit $1 mail_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mail_server_packets'($*)) dnl ') ######################################## ## ## Send and receive mail_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_mail_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mail_server_packets'($*)) dnl corenet_send_mail_server_packets($1) corenet_receive_mail_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mail_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive mail_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_mail_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mail_server_packets'($*)) dnl corenet_dontaudit_send_mail_server_packets($1) corenet_dontaudit_receive_mail_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mail_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the mail_server packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_mail_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mail_server_packets'($*)) dnl gen_require(` type mail_server_packet_t; ') allow $1 mail_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_mail_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the mailbox port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_sendrecv_mailbox_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mailbox_port'($*)) dnl gen_require(` type mailbox_port_t; ') allow $1 mailbox_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mailbox_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the mailbox port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_mailbox_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mailbox_port'($*)) dnl gen_require(` type mailbox_port_t; ') allow $1 mailbox_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_mailbox_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the mailbox port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_mailbox_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mailbox_port'($*)) dnl gen_require(` type mailbox_port_t; ') dontaudit $1 mailbox_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mailbox_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the mailbox port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_receive_mailbox_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mailbox_port'($*)) dnl gen_require(` type mailbox_port_t; ') allow $1 mailbox_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mailbox_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the mailbox port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_mailbox_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mailbox_port'($*)) dnl gen_require(` type mailbox_port_t; ') dontaudit $1 mailbox_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mailbox_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the mailbox port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_mailbox_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mailbox_port'($*)) dnl corenet_udp_send_mailbox_port($1) corenet_udp_receive_mailbox_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mailbox_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the mailbox port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_sendrecv_mailbox_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mailbox_port'($*)) dnl corenet_dontaudit_udp_send_mailbox_port($1) corenet_dontaudit_udp_receive_mailbox_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mailbox_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the mailbox port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_mailbox_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mailbox_port'($*)) dnl gen_require(` type mailbox_port_t; ') allow $1 mailbox_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mailbox_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the mailbox port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_mailbox_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mailbox_port'($*)) dnl gen_require(` type mailbox_port_t; ') allow $1 mailbox_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mailbox_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind UDP sockets to the mailbox port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_bind_mailbox_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mailbox_port'($*)) dnl gen_require(` type mailbox_port_t; ') dontaudit $1 mailbox_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mailbox_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the mailbox port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_mailbox_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mailbox_port'($*)) dnl gen_require(` type mailbox_port_t; ') allow $1 mailbox_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mailbox_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the mailbox port. ## ## ## ## Domain to not audit. ## ## # define(`corenet_dontaudit_tcp_connect_mailbox_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mailbox_port'($*)) dnl gen_require(` type mailbox_port_t; ') dontaudit $1 mailbox_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mailbox_port'($*)) dnl ') ######################################## ## ## Send mailbox_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_mailbox_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_mailbox_client_packets'($*)) dnl gen_require(` type mailbox_client_packet_t; ') allow $1 mailbox_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_mailbox_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send mailbox_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_mailbox_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mailbox_client_packets'($*)) dnl gen_require(` type mailbox_client_packet_t; ') dontaudit $1 mailbox_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mailbox_client_packets'($*)) dnl ') ######################################## ## ## Receive mailbox_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_mailbox_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_mailbox_client_packets'($*)) dnl gen_require(` type mailbox_client_packet_t; ') allow $1 mailbox_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_mailbox_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive mailbox_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_receive_mailbox_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mailbox_client_packets'($*)) dnl gen_require(` type mailbox_client_packet_t; ') dontaudit $1 mailbox_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mailbox_client_packets'($*)) dnl ') ######################################## ## ## Send and receive mailbox_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_mailbox_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mailbox_client_packets'($*)) dnl corenet_send_mailbox_client_packets($1) corenet_receive_mailbox_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mailbox_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive mailbox_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_mailbox_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mailbox_client_packets'($*)) dnl corenet_dontaudit_send_mailbox_client_packets($1) corenet_dontaudit_receive_mailbox_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mailbox_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the mailbox_client packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_mailbox_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mailbox_client_packets'($*)) dnl gen_require(` type mailbox_client_packet_t; ') allow $1 mailbox_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_mailbox_client_packets'($*)) dnl ') ######################################## ## ## Send mailbox_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_mailbox_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_mailbox_server_packets'($*)) dnl gen_require(` type mailbox_server_packet_t; ') allow $1 mailbox_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_mailbox_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send mailbox_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_mailbox_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mailbox_server_packets'($*)) dnl gen_require(` type mailbox_server_packet_t; ') dontaudit $1 mailbox_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mailbox_server_packets'($*)) dnl ') ######################################## ## ## Receive mailbox_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_mailbox_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_mailbox_server_packets'($*)) dnl gen_require(` type mailbox_server_packet_t; ') allow $1 mailbox_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_mailbox_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive mailbox_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_mailbox_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mailbox_server_packets'($*)) dnl gen_require(` type mailbox_server_packet_t; ') dontaudit $1 mailbox_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mailbox_server_packets'($*)) dnl ') ######################################## ## ## Send and receive mailbox_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_mailbox_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mailbox_server_packets'($*)) dnl corenet_send_mailbox_server_packets($1) corenet_receive_mailbox_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mailbox_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive mailbox_server packets. ## ## ## ## Domain to not audit. 
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_mailbox_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mailbox_server_packets'($*)) dnl
	corenet_dontaudit_send_mailbox_server_packets($1)
	corenet_dontaudit_receive_mailbox_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mailbox_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the mailbox_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_mailbox_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mailbox_server_packets'($*)) dnl
	gen_require(`
		type mailbox_server_packet_t;
	')

	# NOTE(review): packet relabelto is the privilege to apply this label
	# to traffic (SECMARK labeling), not to use the port; grant it only to
	# the firewall/labeling tool domain -- confirm against callers.
	allow $1 mailbox_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mailbox_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the matahari port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_tcp_sendrecv_matahari_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_matahari_port'($*)) dnl
	gen_require(`
		type matahari_port_t;
	')

	# NOTE(review): send_msg/recv_msg on a port type are only enforced by the
	# legacy per-packet (compat_net) controls; on SECMARK-based systems the
	# *_packets interfaces carry the real check -- confirm for the target kernel.
	allow $1 matahari_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_matahari_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the matahari port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_matahari_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_matahari_port'($*)) dnl
	gen_require(`
		type matahari_port_t;
	')

	allow $1 matahari_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_matahari_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the matahari port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_matahari_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_matahari_port'($*)) dnl
	gen_require(`
		type matahari_port_t;
	')

	dontaudit $1 matahari_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_matahari_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the matahari port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_matahari_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_matahari_port'($*)) dnl
	gen_require(`
		type matahari_port_t;
	')

	allow $1 matahari_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_matahari_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the matahari port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_matahari_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_matahari_port'($*)) dnl
	gen_require(`
		type matahari_port_t;
	')

	dontaudit $1 matahari_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_matahari_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the matahari port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_udp_sendrecv_matahari_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_matahari_port'($*)) dnl
	corenet_udp_send_matahari_port($1)
	corenet_udp_receive_matahari_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_matahari_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the matahari port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_matahari_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_matahari_port'($*)) dnl
	corenet_dontaudit_udp_send_matahari_port($1)
	corenet_dontaudit_udp_receive_matahari_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_matahari_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the matahari port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_matahari_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_matahari_port'($*)) dnl
	gen_require(`
		type matahari_port_t;
	')

	allow $1 matahari_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_matahari_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the matahari port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_matahari_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_matahari_port'($*)) dnl
	gen_require(`
		type matahari_port_t;
	')

	allow $1 matahari_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_matahari_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the matahari port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_matahari_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_matahari_port'($*)) dnl
	gen_require(`
		type matahari_port_t;
	')

	# Only the UDP bind is silenced; there is no TCP counterpart here.
	dontaudit $1 matahari_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_matahari_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the matahari port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_matahari_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_matahari_port'($*)) dnl
	gen_require(`
		type matahari_port_t;
	')

	allow $1 matahari_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_matahari_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the matahari port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_matahari_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_matahari_port'($*)) dnl
	gen_require(`
		type matahari_port_t;
	')

	dontaudit $1 matahari_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_matahari_port'($*)) dnl
')

########################################
## <summary>
##	Send matahari_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_matahari_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_matahari_client_packets'($*)) dnl
	gen_require(`
		type matahari_client_packet_t;
	')

	allow $1 matahari_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_matahari_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send matahari_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_matahari_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_matahari_client_packets'($*)) dnl
	gen_require(`
		type matahari_client_packet_t;
	')

	dontaudit $1 matahari_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_matahari_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive matahari_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_matahari_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_matahari_client_packets'($*)) dnl
	gen_require(`
		type matahari_client_packet_t;
	')

	allow $1 matahari_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_matahari_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive matahari_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_matahari_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_matahari_client_packets'($*)) dnl
	gen_require(`
		type matahari_client_packet_t;
	')

	dontaudit $1 matahari_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_matahari_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive matahari_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_matahari_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_matahari_client_packets'($*)) dnl
	corenet_send_matahari_client_packets($1)
	corenet_receive_matahari_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_matahari_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive matahari_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_matahari_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_matahari_client_packets'($*)) dnl
	corenet_dontaudit_send_matahari_client_packets($1)
	corenet_dontaudit_receive_matahari_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_matahari_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the matahari_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_matahari_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_matahari_client_packets'($*)) dnl
	gen_require(`
		type matahari_client_packet_t;
	')

	# NOTE(review): packet relabelto is the privilege to apply this label
	# to traffic (SECMARK labeling), not to use the port; grant it only to
	# the firewall/labeling tool domain -- confirm against callers.
	allow $1 matahari_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_matahari_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send matahari_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_matahari_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_matahari_server_packets'($*)) dnl
	gen_require(`
		type matahari_server_packet_t;
	')

	allow $1 matahari_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_matahari_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send matahari_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_matahari_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_matahari_server_packets'($*)) dnl
	gen_require(`
		type matahari_server_packet_t;
	')

	dontaudit $1 matahari_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_matahari_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive matahari_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_matahari_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_matahari_server_packets'($*)) dnl
	gen_require(`
		type matahari_server_packet_t;
	')

	allow $1 matahari_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_matahari_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive matahari_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_matahari_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_matahari_server_packets'($*)) dnl
	gen_require(`
		type matahari_server_packet_t;
	')

	dontaudit $1 matahari_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_matahari_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive matahari_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_matahari_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_matahari_server_packets'($*)) dnl
	corenet_send_matahari_server_packets($1)
	corenet_receive_matahari_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_matahari_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive matahari_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_matahari_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_matahari_server_packets'($*)) dnl
	corenet_dontaudit_send_matahari_server_packets($1)
	corenet_dontaudit_receive_matahari_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_matahari_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the matahari_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_matahari_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_matahari_server_packets'($*)) dnl
	gen_require(`
		type matahari_server_packet_t;
	')

	# NOTE(review): packet relabelto is the privilege to apply this label
	# to traffic (SECMARK labeling), not to use the port; grant it only to
	# the firewall/labeling tool domain -- confirm against callers.
	allow $1 matahari_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_matahari_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the memcache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_tcp_sendrecv_memcache_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_memcache_port'($*)) dnl
	gen_require(`
		type memcache_port_t;
	')

	# NOTE(review): send_msg/recv_msg on a port type are only enforced by the
	# legacy per-packet (compat_net) controls; on SECMARK-based systems the
	# *_packets interfaces carry the real check -- confirm for the target kernel.
	allow $1 memcache_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_memcache_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the memcache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_memcache_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_memcache_port'($*)) dnl
	gen_require(`
		type memcache_port_t;
	')

	allow $1 memcache_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_memcache_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the memcache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_memcache_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_memcache_port'($*)) dnl
	gen_require(`
		type memcache_port_t;
	')

	dontaudit $1 memcache_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_memcache_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the memcache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_memcache_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_memcache_port'($*)) dnl
	gen_require(`
		type memcache_port_t;
	')

	allow $1 memcache_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_memcache_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the memcache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_memcache_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_memcache_port'($*)) dnl
	gen_require(`
		type memcache_port_t;
	')

	dontaudit $1 memcache_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_memcache_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the memcache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_udp_sendrecv_memcache_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_memcache_port'($*)) dnl
	corenet_udp_send_memcache_port($1)
	corenet_udp_receive_memcache_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_memcache_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the memcache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_memcache_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_memcache_port'($*)) dnl
	corenet_dontaudit_udp_send_memcache_port($1)
	corenet_dontaudit_udp_receive_memcache_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_memcache_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the memcache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_memcache_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_memcache_port'($*)) dnl
	gen_require(`
		type memcache_port_t;
	')

	allow $1 memcache_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_memcache_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the memcache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_memcache_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_memcache_port'($*)) dnl
	gen_require(`
		type memcache_port_t;
	')

	allow $1 memcache_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_memcache_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the memcache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_memcache_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_memcache_port'($*)) dnl
	gen_require(`
		type memcache_port_t;
	')

	# Only the UDP bind is silenced; there is no TCP counterpart here.
	dontaudit $1 memcache_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_memcache_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the memcache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_memcache_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_memcache_port'($*)) dnl
	gen_require(`
		type memcache_port_t;
	')

	allow $1 memcache_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_memcache_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the memcache port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_memcache_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_memcache_port'($*)) dnl
	gen_require(`
		type memcache_port_t;
	')

	dontaudit $1 memcache_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_memcache_port'($*)) dnl
')

########################################
## <summary>
##	Send memcache_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_memcache_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_memcache_client_packets'($*)) dnl
	gen_require(`
		type memcache_client_packet_t;
	')

	allow $1 memcache_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_memcache_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send memcache_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_memcache_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_memcache_client_packets'($*)) dnl
	gen_require(`
		type memcache_client_packet_t;
	')

	dontaudit $1 memcache_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_memcache_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive memcache_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_memcache_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_memcache_client_packets'($*)) dnl
	gen_require(`
		type memcache_client_packet_t;
	')

	allow $1 memcache_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_memcache_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive memcache_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_memcache_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_memcache_client_packets'($*)) dnl
	gen_require(`
		type memcache_client_packet_t;
	')

	dontaudit $1 memcache_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_memcache_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive memcache_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_memcache_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_memcache_client_packets'($*)) dnl
	corenet_send_memcache_client_packets($1)
	corenet_receive_memcache_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_memcache_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive memcache_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_memcache_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_memcache_client_packets'($*)) dnl
	corenet_dontaudit_send_memcache_client_packets($1)
	corenet_dontaudit_receive_memcache_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_memcache_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the memcache_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_memcache_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_memcache_client_packets'($*)) dnl
	gen_require(`
		type memcache_client_packet_t;
	')

	# NOTE(review): packet relabelto is the privilege to apply this label
	# to traffic (SECMARK labeling), not to use the port; grant it only to
	# the firewall/labeling tool domain -- confirm against callers.
	allow $1 memcache_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_memcache_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send memcache_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_memcache_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_memcache_server_packets'($*)) dnl
	gen_require(`
		type memcache_server_packet_t;
	')

	allow $1 memcache_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_memcache_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send memcache_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_memcache_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_memcache_server_packets'($*)) dnl
	gen_require(`
		type memcache_server_packet_t;
	')

	dontaudit $1 memcache_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_memcache_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive memcache_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_memcache_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_memcache_server_packets'($*)) dnl
	gen_require(`
		type memcache_server_packet_t;
	')

	allow $1 memcache_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_memcache_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive memcache_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_memcache_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_memcache_server_packets'($*)) dnl
	gen_require(`
		type memcache_server_packet_t;
	')

	dontaudit $1 memcache_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_memcache_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive memcache_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_memcache_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_memcache_server_packets'($*)) dnl
	corenet_send_memcache_server_packets($1)
	corenet_receive_memcache_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_memcache_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive memcache_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_memcache_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_memcache_server_packets'($*)) dnl
	corenet_dontaudit_send_memcache_server_packets($1)
	corenet_dontaudit_receive_memcache_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_memcache_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the memcache_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_memcache_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_memcache_server_packets'($*)) dnl
	gen_require(`
		type memcache_server_packet_t;
	')

	# NOTE(review): packet relabelto is the privilege to apply this label
	# to traffic (SECMARK labeling), not to use the port; grant it only to
	# the firewall/labeling tool domain -- confirm against callers.
	allow $1 memcache_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_memcache_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the milter port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_tcp_sendrecv_milter_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_milter_port'($*)) dnl
	gen_require(`
		type milter_port_t;
	')

	# NOTE(review): send_msg/recv_msg on a port type are only enforced by the
	# legacy per-packet (compat_net) controls; on SECMARK-based systems the
	# *_packets interfaces carry the real check -- confirm for the target kernel.
	allow $1 milter_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_milter_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the milter port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_milter_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_milter_port'($*)) dnl
	gen_require(`
		type milter_port_t;
	')

	allow $1 milter_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_milter_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the milter port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_milter_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_milter_port'($*)) dnl
	gen_require(`
		type milter_port_t;
	')

	dontaudit $1 milter_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_milter_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the milter port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_milter_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_milter_port'($*)) dnl
	gen_require(`
		type milter_port_t;
	')

	allow $1 milter_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_milter_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the milter port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_milter_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_milter_port'($*)) dnl
	gen_require(`
		type milter_port_t;
	')

	dontaudit $1 milter_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_milter_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the milter port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_milter_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_milter_port'($*)) dnl
	# Composite of the UDP send and receive interfaces for this port.
	corenet_udp_send_milter_port($1)
	corenet_udp_receive_milter_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_milter_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the milter port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_milter_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_milter_port'($*)) dnl
	# Composite of the two dontaudit interfaces; grants nothing.
	corenet_dontaudit_udp_send_milter_port($1)
	corenet_dontaudit_udp_receive_milter_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_milter_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the milter port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_milter_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_milter_port'($*)) dnl
	gen_require(`
		type milter_port_t;
	')

	allow $1 milter_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_milter_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the milter port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_milter_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_milter_port'($*)) dnl
	gen_require(`
		type milter_port_t;
	')

	allow $1 milter_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_milter_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the milter port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_milter_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_milter_port'($*)) dnl
	gen_require(`
		type milter_port_t;
	')

	dontaudit $1 milter_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_milter_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the milter port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_milter_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_milter_port'($*)) dnl
	gen_require(`
		type milter_port_t;
	')

	allow $1 milter_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_milter_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the milter port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_milter_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_milter_port'($*)) dnl
	gen_require(`
		type milter_port_t;
	')

	dontaudit $1 milter_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_milter_port'($*)) dnl
')

########################################
## <summary>
##	Send milter_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_milter_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_milter_client_packets'($*)) dnl
	gen_require(`
		type milter_client_packet_t;
	')

	allow $1 milter_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_milter_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send milter_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_milter_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_milter_client_packets'($*)) dnl
	gen_require(`
		type milter_client_packet_t;
	')

	dontaudit $1 milter_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_milter_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive milter_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_milter_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_milter_client_packets'($*)) dnl
	gen_require(`
		type milter_client_packet_t;
	')

	allow $1 milter_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_milter_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive milter_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_milter_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_milter_client_packets'($*)) dnl
	gen_require(`
		type milter_client_packet_t;
	')

	dontaudit $1 milter_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_milter_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive milter_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_milter_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_milter_client_packets'($*)) dnl
	# Composite of the send and receive interfaces for this packet type.
	corenet_send_milter_client_packets($1)
	corenet_receive_milter_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_milter_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive milter_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_milter_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_milter_client_packets'($*)) dnl
	# Composite of the two dontaudit interfaces; grants nothing.
	corenet_dontaudit_send_milter_client_packets($1)
	corenet_dontaudit_receive_milter_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_milter_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the milter_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_milter_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_milter_client_packets'($*)) dnl
	gen_require(`
		type milter_client_packet_t;
	')

	allow $1 milter_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_milter_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send milter_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_milter_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_milter_server_packets'($*)) dnl
	gen_require(`
		type milter_server_packet_t;
	')

	allow $1 milter_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_milter_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send milter_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_milter_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_milter_server_packets'($*)) dnl
	gen_require(`
		type milter_server_packet_t;
	')

	dontaudit $1 milter_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_milter_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive milter_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_milter_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_milter_server_packets'($*)) dnl
	gen_require(`
		type milter_server_packet_t;
	')

	allow $1 milter_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_milter_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive milter_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_milter_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_milter_server_packets'($*)) dnl
	gen_require(`
		type milter_server_packet_t;
	')

	dontaudit $1 milter_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_milter_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive milter_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_milter_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_milter_server_packets'($*)) dnl
	# Composite of the send and receive interfaces for this packet type.
	corenet_send_milter_server_packets($1)
	corenet_receive_milter_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_milter_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive milter_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_milter_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_milter_server_packets'($*)) dnl
	# Composite of the two dontaudit interfaces; grants nothing.
	corenet_dontaudit_send_milter_server_packets($1)
	corenet_dontaudit_receive_milter_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_milter_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the milter_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_milter_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_milter_server_packets'($*)) dnl
	gen_require(`
		type milter_server_packet_t;
	')

	allow $1 milter_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_milter_server_packets'($*)) dnl
')

# no defined portcon
# NOTE(review): the interfaces below reference mmcc_port_t although no
# portcon is defined for it; without a portcon no network port is labelled
# with this type, so the rules are inert until one is added.

########################################
## <summary>
##	Send and receive TCP traffic on the mmcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mmcc_port'($*)) dnl
	gen_require(`
		type mmcc_port_t;
	')

	allow $1 mmcc_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mmcc_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the mmcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mmcc_port'($*)) dnl
	gen_require(`
		type mmcc_port_t;
	')

	allow $1 mmcc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_mmcc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the mmcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mmcc_port'($*)) dnl
	gen_require(`
		type mmcc_port_t;
	')

	dontaudit $1 mmcc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mmcc_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the mmcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mmcc_port'($*)) dnl
	gen_require(`
		type mmcc_port_t;
	')

	allow $1 mmcc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mmcc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the mmcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mmcc_port'($*)) dnl
	gen_require(`
		type mmcc_port_t;
	')

	dontaudit $1 mmcc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mmcc_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the mmcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mmcc_port'($*)) dnl
	# Composite of the UDP send and receive interfaces for this port.
	corenet_udp_send_mmcc_port($1)
	corenet_udp_receive_mmcc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mmcc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the mmcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mmcc_port'($*)) dnl
	# Composite of the two dontaudit interfaces; grants nothing.
	corenet_dontaudit_udp_send_mmcc_port($1)
	corenet_dontaudit_udp_receive_mmcc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mmcc_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the mmcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mmcc_port'($*)) dnl
	gen_require(`
		type mmcc_port_t;
	')

	allow $1 mmcc_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mmcc_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the mmcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mmcc_port'($*)) dnl
	gen_require(`
		type mmcc_port_t;
	')

	allow $1 mmcc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mmcc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the mmcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mmcc_port'($*)) dnl
	gen_require(`
		type mmcc_port_t;
	')

	dontaudit $1 mmcc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mmcc_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the mmcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mmcc_port'($*)) dnl
	gen_require(`
		type mmcc_port_t;
	')

	allow $1 mmcc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mmcc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the mmcc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_mmcc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mmcc_port'($*)) dnl
	gen_require(`
		type mmcc_port_t;
	')

	dontaudit $1 mmcc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mmcc_port'($*)) dnl
')

########################################
## <summary>
##	Send mmcc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_mmcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mmcc_client_packets'($*)) dnl
	gen_require(`
		type mmcc_client_packet_t;
	')

	allow $1 mmcc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mmcc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send mmcc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_mmcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mmcc_client_packets'($*)) dnl
	gen_require(`
		type mmcc_client_packet_t;
	')

	dontaudit $1 mmcc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mmcc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive mmcc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_mmcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mmcc_client_packets'($*)) dnl
	gen_require(`
		type mmcc_client_packet_t;
	')

	allow $1 mmcc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mmcc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive mmcc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_mmcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mmcc_client_packets'($*)) dnl
	gen_require(`
		type mmcc_client_packet_t;
	')

	dontaudit $1 mmcc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mmcc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive mmcc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_mmcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mmcc_client_packets'($*)) dnl
	# Composite of the send and receive interfaces for this packet type.
	corenet_send_mmcc_client_packets($1)
	corenet_receive_mmcc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mmcc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive mmcc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_mmcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mmcc_client_packets'($*)) dnl
	# Composite of the two dontaudit interfaces; grants nothing.
	corenet_dontaudit_send_mmcc_client_packets($1)
	corenet_dontaudit_receive_mmcc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mmcc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the mmcc_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_mmcc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mmcc_client_packets'($*)) dnl
	gen_require(`
		type mmcc_client_packet_t;
	')

	allow $1 mmcc_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mmcc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send mmcc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_mmcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mmcc_server_packets'($*)) dnl
	gen_require(`
		type mmcc_server_packet_t;
	')

	allow $1 mmcc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mmcc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send mmcc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_mmcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mmcc_server_packets'($*)) dnl
	gen_require(`
		type mmcc_server_packet_t;
	')

	dontaudit $1 mmcc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mmcc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive mmcc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_mmcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mmcc_server_packets'($*)) dnl
	gen_require(`
		type mmcc_server_packet_t;
	')

	allow $1 mmcc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mmcc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive mmcc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_mmcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mmcc_server_packets'($*)) dnl
	gen_require(`
		type mmcc_server_packet_t;
	')

	dontaudit $1 mmcc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mmcc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive mmcc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_mmcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mmcc_server_packets'($*)) dnl
	# Composite of the send and receive interfaces for this packet type.
	corenet_send_mmcc_server_packets($1)
	corenet_receive_mmcc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mmcc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive mmcc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_mmcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mmcc_server_packets'($*)) dnl
	# Composite of the two dontaudit interfaces; grants nothing.
	corenet_dontaudit_send_mmcc_server_packets($1)
	corenet_dontaudit_receive_mmcc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mmcc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the mmcc_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_mmcc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mmcc_server_packets'($*)) dnl
	gen_require(`
		type mmcc_server_packet_t;
	')

	allow $1 mmcc_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mmcc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the mongod port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mongod_port'($*)) dnl
	gen_require(`
		type mongod_port_t;
	')

	allow $1 mongod_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mongod_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the mongod port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mongod_port'($*)) dnl
	gen_require(`
		type mongod_port_t;
	')

	allow $1 mongod_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_mongod_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the mongod port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mongod_port'($*)) dnl
	gen_require(`
		type mongod_port_t;
	')

	dontaudit $1 mongod_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mongod_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the mongod port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mongod_port'($*)) dnl
	gen_require(`
		type mongod_port_t;
	')

	allow $1 mongod_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mongod_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the mongod port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mongod_port'($*)) dnl
	gen_require(`
		type mongod_port_t;
	')

	dontaudit $1 mongod_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mongod_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the mongod port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mongod_port'($*)) dnl
	# Composite of the UDP send and receive interfaces for this port.
	corenet_udp_send_mongod_port($1)
	corenet_udp_receive_mongod_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mongod_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the mongod port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mongod_port'($*)) dnl
	# Composite of the two dontaudit interfaces; grants nothing.
	corenet_dontaudit_udp_send_mongod_port($1)
	corenet_dontaudit_udp_receive_mongod_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mongod_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the mongod port.
##	Unlike the other port bind interfaces in this file, this one also
##	grants the net_bind_service capability to the caller.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mongod_port'($*)) dnl
	gen_require(`
		type mongod_port_t;
	')

	allow $1 mongod_port_t:tcp_socket name_bind;
	# NOTE(review): net_bind_service is only needed to bind ports below 1024
	# and the other bind interfaces in this file do not grant it; confirm the
	# portcon of mongod_port_t before keeping this capability grant here.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mongod_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the mongod port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
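##	</summary>
## </param>
#
define(`corenet_udp_bind_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mongod_port'($*)) dnl
	gen_require(`
		type mongod_port_t;
	')

	allow $1 mongod_port_t:udp_socket name_bind;
	# NOTE(review): net_bind_service is only needed to bind ports below 1024
	# and the other bind interfaces in this file do not grant it; confirm the
	# portcon of mongod_port_t before keeping this capability grant here.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mongod_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the mongod port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mongod_port'($*)) dnl
	gen_require(`
		type mongod_port_t;
	')

	# A dontaudit interface must only suppress denials and never grant
	# access. The "allow $1 self:capability net_bind_service;" rule that
	# used to follow this line handed a capability to every domain that
	# merely asked for audit suppression; callers that really need to bind
	# the port must use corenet_udp_bind_mongod_port instead.
	dontaudit $1 mongod_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mongod_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the mongod port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_mongod_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mongod_port'($*)) dnl
	gen_require(`
		type mongod_port_t;
	')

	allow $1 mongod_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mongod_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the mongod port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.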
## ## # define(`corenet_dontaudit_tcp_connect_mongod_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mongod_port'($*)) dnl gen_require(` type mongod_port_t; ') dontaudit $1 mongod_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mongod_port'($*)) dnl ') ######################################## ## ## Send mongod_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_mongod_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_mongod_client_packets'($*)) dnl gen_require(` type mongod_client_packet_t; ') allow $1 mongod_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_mongod_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send mongod_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_mongod_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mongod_client_packets'($*)) dnl gen_require(` type mongod_client_packet_t; ') dontaudit $1 mongod_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mongod_client_packets'($*)) dnl ') ######################################## ## ## Receive mongod_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_mongod_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_mongod_client_packets'($*)) dnl gen_require(` type mongod_client_packet_t; ') allow $1 mongod_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_mongod_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive mongod_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_mongod_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mongod_client_packets'($*)) dnl gen_require(` type mongod_client_packet_t; ') dontaudit $1 mongod_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mongod_client_packets'($*)) dnl ') ######################################## ## ## Send and receive mongod_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_mongod_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mongod_client_packets'($*)) dnl corenet_send_mongod_client_packets($1) corenet_receive_mongod_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mongod_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive mongod_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_mongod_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mongod_client_packets'($*)) dnl corenet_dontaudit_send_mongod_client_packets($1) corenet_dontaudit_receive_mongod_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mongod_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to mongod_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_mongod_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mongod_client_packets'($*)) dnl gen_require(` type mongod_client_packet_t; ') allow $1 mongod_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_mongod_client_packets'($*)) dnl ') ######################################## ## ## Send mongod_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_mongod_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_mongod_server_packets'($*)) dnl gen_require(` type mongod_server_packet_t; ') allow $1 mongod_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_mongod_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send mongod_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_mongod_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mongod_server_packets'($*)) dnl gen_require(` type mongod_server_packet_t; ') dontaudit $1 mongod_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mongod_server_packets'($*)) dnl ') ######################################## ## ## Receive mongod_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_mongod_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_mongod_server_packets'($*)) dnl gen_require(` type mongod_server_packet_t; ') allow $1 mongod_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_mongod_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive mongod_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_mongod_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mongod_server_packets'($*)) dnl gen_require(` type mongod_server_packet_t; ') dontaudit $1 mongod_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mongod_server_packets'($*)) dnl ') ######################################## ## ## Send and receive mongod_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_mongod_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mongod_server_packets'($*)) dnl corenet_send_mongod_server_packets($1) corenet_receive_mongod_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mongod_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive mongod_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_mongod_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mongod_server_packets'($*)) dnl corenet_dontaudit_send_mongod_server_packets($1) corenet_dontaudit_receive_mongod_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mongod_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to mongod_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_mongod_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mongod_server_packets'($*)) dnl gen_require(` type mongod_server_packet_t; ') allow $1 mongod_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_mongod_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the monopd port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_sendrecv_monopd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_monopd_port'($*)) dnl gen_require(` type monopd_port_t; ') allow $1 monopd_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_monopd_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the monopd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_monopd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_monopd_port'($*)) dnl gen_require(` type monopd_port_t; ') allow $1 monopd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_monopd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the monopd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_monopd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_monopd_port'($*)) dnl gen_require(` type monopd_port_t; ') dontaudit $1 monopd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_monopd_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the monopd port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_receive_monopd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_monopd_port'($*)) dnl gen_require(` type monopd_port_t; ') allow $1 monopd_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_monopd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the monopd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_monopd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_monopd_port'($*)) dnl gen_require(` type monopd_port_t; ') dontaudit $1 monopd_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_monopd_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the monopd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_monopd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_monopd_port'($*)) dnl corenet_udp_send_monopd_port($1) corenet_udp_receive_monopd_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_monopd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the monopd port. ## ## ## ## Domain to not audit. 
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_monopd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_monopd_port'($*)) dnl
	# Composite dontaudit interface: only silences the UDP send and receive
	# denials on the monopd port; it grants no access.
	corenet_dontaudit_udp_send_monopd_port($1)
	corenet_dontaudit_udp_receive_monopd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_monopd_port'($*)) dnl
')
########################################
##
##	Bind TCP sockets to the monopd port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_monopd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_monopd_port'($*)) dnl
	gen_require(`
		type monopd_port_t;
	')

	# Only name_bind on the port type is granted. Binding a reserved port
	# (below 1024) would additionally need CAP_NET_BIND_SERVICE, which this
	# interface does not provide.
	allow $1 monopd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_monopd_port'($*)) dnl
')
########################################
##
##	Bind UDP sockets to the monopd port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_monopd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_monopd_port'($*)) dnl
	gen_require(`
		type monopd_port_t;
	')

	# Only name_bind on the port type is granted; no capability.
	allow $1 monopd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_monopd_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to bind UDP sockets to the monopd port.
##
##
##
##	Domain to not audit.
## ## ## # define(`corenet_dontaudit_udp_bind_monopd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_monopd_port'($*)) dnl gen_require(` type monopd_port_t; ') dontaudit $1 monopd_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_monopd_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the monopd port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_monopd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_monopd_port'($*)) dnl gen_require(` type monopd_port_t; ') allow $1 monopd_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_monopd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to monopd port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_dontaudit_tcp_connect_monopd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_monopd_port'($*)) dnl gen_require(` type monopd_port_t; ') dontaudit $1 monopd_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_monopd_port'($*)) dnl ') ######################################## ## ## Send monopd_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_monopd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_monopd_client_packets'($*)) dnl gen_require(` type monopd_client_packet_t; ') allow $1 monopd_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_monopd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send monopd_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_monopd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_monopd_client_packets'($*)) dnl gen_require(` type monopd_client_packet_t; ') dontaudit $1 monopd_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_monopd_client_packets'($*)) dnl ') ######################################## ## ## Receive monopd_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_monopd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_monopd_client_packets'($*)) dnl gen_require(` type monopd_client_packet_t; ') allow $1 monopd_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_monopd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive monopd_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_monopd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_monopd_client_packets'($*)) dnl gen_require(` type monopd_client_packet_t; ') dontaudit $1 monopd_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_monopd_client_packets'($*)) dnl ') ######################################## ## ## Send and receive monopd_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_monopd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_monopd_client_packets'($*)) dnl corenet_send_monopd_client_packets($1) corenet_receive_monopd_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_monopd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive monopd_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_monopd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_monopd_client_packets'($*)) dnl corenet_dontaudit_send_monopd_client_packets($1) corenet_dontaudit_receive_monopd_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_monopd_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to monopd_client the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_monopd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_monopd_client_packets'($*)) dnl gen_require(` type monopd_client_packet_t; ') allow $1 monopd_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_monopd_client_packets'($*)) dnl ') ######################################## ## ## Send monopd_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_monopd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_monopd_server_packets'($*)) dnl gen_require(` type monopd_server_packet_t; ') allow $1 monopd_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_monopd_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send monopd_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_monopd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_monopd_server_packets'($*)) dnl gen_require(` type monopd_server_packet_t; ') dontaudit $1 monopd_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_monopd_server_packets'($*)) dnl ') ######################################## ## ## Receive monopd_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_monopd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_monopd_server_packets'($*)) dnl gen_require(` type monopd_server_packet_t; ') allow $1 monopd_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_monopd_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive monopd_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_monopd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_monopd_server_packets'($*)) dnl gen_require(` type monopd_server_packet_t; ') dontaudit $1 monopd_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_monopd_server_packets'($*)) dnl ') ######################################## ## ## Send and receive monopd_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_monopd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_monopd_server_packets'($*)) dnl corenet_send_monopd_server_packets($1) corenet_receive_monopd_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_monopd_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive monopd_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_monopd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_monopd_server_packets'($*)) dnl corenet_dontaudit_send_monopd_server_packets($1) corenet_dontaudit_receive_monopd_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_monopd_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to monopd_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_monopd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_monopd_server_packets'($*)) dnl gen_require(` type monopd_server_packet_t; ') allow $1 monopd_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_monopd_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the mountd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_mountd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mountd_port'($*)) dnl gen_require(` type mountd_port_t; ') allow $1 mountd_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mountd_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the mountd port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_send_mountd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mountd_port'($*)) dnl gen_require(` type mountd_port_t; ') allow $1 mountd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_mountd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the mountd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_mountd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mountd_port'($*)) dnl gen_require(` type mountd_port_t; ') dontaudit $1 mountd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mountd_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the mountd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_mountd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mountd_port'($*)) dnl gen_require(` type mountd_port_t; ') allow $1 mountd_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mountd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the mountd port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_receive_mountd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mountd_port'($*)) dnl gen_require(` type mountd_port_t; ') dontaudit $1 mountd_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mountd_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the mountd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_mountd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mountd_port'($*)) dnl corenet_udp_send_mountd_port($1) corenet_udp_receive_mountd_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mountd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the mountd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_mountd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mountd_port'($*)) dnl corenet_dontaudit_udp_send_mountd_port($1) corenet_dontaudit_udp_receive_mountd_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mountd_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the mountd port. ## ## ## ## Domain allowed access. 
##
##
##
#
define(`corenet_tcp_bind_mountd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mountd_port'($*)) dnl
	gen_require(`
		type mountd_port_t;
	')

	# Only name_bind on the port type is granted. Binding a reserved port
	# (below 1024) would additionally need CAP_NET_BIND_SERVICE, which this
	# interface does not provide.
	allow $1 mountd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mountd_port'($*)) dnl
')
########################################
##
##	Bind UDP sockets to the mountd port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_mountd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mountd_port'($*)) dnl
	gen_require(`
		type mountd_port_t;
	')

	# Only name_bind on the port type is granted; no capability.
	allow $1 mountd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mountd_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to bind UDP sockets to the mountd port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_mountd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mountd_port'($*)) dnl
	gen_require(`
		type mountd_port_t;
	')

	# Silences the UDP bind denial only; as a dontaudit interface it grants
	# no access and no capability.
	dontaudit $1 mountd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mountd_port'($*)) dnl
')
########################################
##
##	Make a TCP connection to the mountd port.
##
##
##
##	Domain allowed access.
## ## # define(`corenet_tcp_connect_mountd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mountd_port'($*)) dnl gen_require(` type mountd_port_t; ') allow $1 mountd_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mountd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to mountd port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_dontaudit_tcp_connect_mountd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mountd_port'($*)) dnl gen_require(` type mountd_port_t; ') dontaudit $1 mountd_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mountd_port'($*)) dnl ') ######################################## ## ## Send mountd_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_mountd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_mountd_client_packets'($*)) dnl gen_require(` type mountd_client_packet_t; ') allow $1 mountd_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_mountd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send mountd_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_mountd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mountd_client_packets'($*)) dnl gen_require(` type mountd_client_packet_t; ') dontaudit $1 mountd_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mountd_client_packets'($*)) dnl ') ######################################## ## ## Receive mountd_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_mountd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_mountd_client_packets'($*)) dnl gen_require(` type mountd_client_packet_t; ') allow $1 mountd_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_mountd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive mountd_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_mountd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mountd_client_packets'($*)) dnl gen_require(` type mountd_client_packet_t; ') dontaudit $1 mountd_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mountd_client_packets'($*)) dnl ') ######################################## ## ## Send and receive mountd_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_mountd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mountd_client_packets'($*)) dnl corenet_send_mountd_client_packets($1) corenet_receive_mountd_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mountd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive mountd_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_mountd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mountd_client_packets'($*)) dnl corenet_dontaudit_send_mountd_client_packets($1) corenet_dontaudit_receive_mountd_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mountd_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to mountd_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_mountd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mountd_client_packets'($*)) dnl gen_require(` type mountd_client_packet_t; ') allow $1 mountd_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_mountd_client_packets'($*)) dnl ') ######################################## ## ## Send mountd_server packets. ## ## ## ## Domain allowed access. 
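##	</summary>
## </param>
#
define(`corenet_send_mountd_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mountd_server_packets'($*)) dnl
	gen_require(`
		type mountd_server_packet_t;
	')

	allow $1 mountd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mountd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send mountd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_mountd_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mountd_server_packets'($*)) dnl
	gen_require(`
		type mountd_server_packet_t;
	')

	dontaudit $1 mountd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mountd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive mountd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_mountd_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mountd_server_packets'($*)) dnl
	gen_require(`
		type mountd_server_packet_t;
	')

	allow $1 mountd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mountd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive mountd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.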
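##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_mountd_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mountd_server_packets'($*)) dnl
	gen_require(`
		type mountd_server_packet_t;
	')

	dontaudit $1 mountd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mountd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive mountd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_mountd_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mountd_server_packets'($*)) dnl
	corenet_send_mountd_server_packets($1)
	corenet_receive_mountd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mountd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive mountd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_mountd_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mountd_server_packets'($*)) dnl
	corenet_dontaudit_send_mountd_server_packets($1)
	corenet_dontaudit_receive_mountd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mountd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the mountd_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.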
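##	</summary>
## </param>
#
define(`corenet_relabelto_mountd_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mountd_server_packets'($*)) dnl
	gen_require(`
		type mountd_server_packet_t;
	')

	allow $1 mountd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mountd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the movaz_ssc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_movaz_ssc_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_movaz_ssc_port'($*)) dnl
	gen_require(`
		type movaz_ssc_port_t;
	')

	allow $1 movaz_ssc_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_movaz_ssc_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the movaz_ssc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_movaz_ssc_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_movaz_ssc_port'($*)) dnl
	gen_require(`
		type movaz_ssc_port_t;
	')

	allow $1 movaz_ssc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_movaz_ssc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the movaz_ssc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.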
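##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_movaz_ssc_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_movaz_ssc_port'($*)) dnl
	gen_require(`
		type movaz_ssc_port_t;
	')

	dontaudit $1 movaz_ssc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_movaz_ssc_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the movaz_ssc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_movaz_ssc_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_movaz_ssc_port'($*)) dnl
	gen_require(`
		type movaz_ssc_port_t;
	')

	allow $1 movaz_ssc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_movaz_ssc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the movaz_ssc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_movaz_ssc_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_movaz_ssc_port'($*)) dnl
	gen_require(`
		type movaz_ssc_port_t;
	')

	dontaudit $1 movaz_ssc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_movaz_ssc_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the movaz_ssc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.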
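##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_movaz_ssc_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_movaz_ssc_port'($*)) dnl
	corenet_udp_send_movaz_ssc_port($1)
	corenet_udp_receive_movaz_ssc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_movaz_ssc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the movaz_ssc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_movaz_ssc_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_movaz_ssc_port'($*)) dnl
	corenet_dontaudit_udp_send_movaz_ssc_port($1)
	corenet_dontaudit_udp_receive_movaz_ssc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_movaz_ssc_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the movaz_ssc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_movaz_ssc_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_movaz_ssc_port'($*)) dnl
	gen_require(`
		type movaz_ssc_port_t;
	')

	allow $1 movaz_ssc_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_movaz_ssc_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the movaz_ssc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.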
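##	</summary>
## </param>
#
define(`corenet_udp_bind_movaz_ssc_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_movaz_ssc_port'($*)) dnl
	gen_require(`
		type movaz_ssc_port_t;
	')

	allow $1 movaz_ssc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_movaz_ssc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the movaz_ssc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_movaz_ssc_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_movaz_ssc_port'($*)) dnl
	gen_require(`
		type movaz_ssc_port_t;
	')

	dontaudit $1 movaz_ssc_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_movaz_ssc_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the movaz_ssc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_movaz_ssc_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_movaz_ssc_port'($*)) dnl
	gen_require(`
		type movaz_ssc_port_t;
	')

	allow $1 movaz_ssc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_movaz_ssc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the movaz_ssc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.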
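##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_movaz_ssc_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_movaz_ssc_port'($*)) dnl
	gen_require(`
		type movaz_ssc_port_t;
	')

	dontaudit $1 movaz_ssc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_movaz_ssc_port'($*)) dnl
')

########################################
## <summary>
##	Send movaz_ssc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_movaz_ssc_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_movaz_ssc_client_packets'($*)) dnl
	gen_require(`
		type movaz_ssc_client_packet_t;
	')

	allow $1 movaz_ssc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_movaz_ssc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send movaz_ssc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_movaz_ssc_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_movaz_ssc_client_packets'($*)) dnl
	gen_require(`
		type movaz_ssc_client_packet_t;
	')

	dontaudit $1 movaz_ssc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_movaz_ssc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive movaz_ssc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.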
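##	</summary>
## </param>
#
define(`corenet_receive_movaz_ssc_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_movaz_ssc_client_packets'($*)) dnl
	gen_require(`
		type movaz_ssc_client_packet_t;
	')

	allow $1 movaz_ssc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_movaz_ssc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive movaz_ssc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_movaz_ssc_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_movaz_ssc_client_packets'($*)) dnl
	gen_require(`
		type movaz_ssc_client_packet_t;
	')

	dontaudit $1 movaz_ssc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_movaz_ssc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive movaz_ssc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_movaz_ssc_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_movaz_ssc_client_packets'($*)) dnl
	corenet_send_movaz_ssc_client_packets($1)
	corenet_receive_movaz_ssc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_movaz_ssc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive movaz_ssc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.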
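##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_movaz_ssc_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_movaz_ssc_client_packets'($*)) dnl
	corenet_dontaudit_send_movaz_ssc_client_packets($1)
	corenet_dontaudit_receive_movaz_ssc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_movaz_ssc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the movaz_ssc_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_movaz_ssc_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_movaz_ssc_client_packets'($*)) dnl
	gen_require(`
		type movaz_ssc_client_packet_t;
	')

	allow $1 movaz_ssc_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_movaz_ssc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send movaz_ssc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_movaz_ssc_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_movaz_ssc_server_packets'($*)) dnl
	gen_require(`
		type movaz_ssc_server_packet_t;
	')

	allow $1 movaz_ssc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_movaz_ssc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send movaz_ssc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.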
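##	</summary>
## </param>
#
define(`corenet_dontaudit_send_movaz_ssc_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_movaz_ssc_server_packets'($*)) dnl
	gen_require(`
		type movaz_ssc_server_packet_t;
	')

	dontaudit $1 movaz_ssc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_movaz_ssc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive movaz_ssc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_movaz_ssc_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_movaz_ssc_server_packets'($*)) dnl
	gen_require(`
		type movaz_ssc_server_packet_t;
	')

	allow $1 movaz_ssc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_movaz_ssc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive movaz_ssc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_movaz_ssc_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_movaz_ssc_server_packets'($*)) dnl
	gen_require(`
		type movaz_ssc_server_packet_t;
	')

	dontaudit $1 movaz_ssc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_movaz_ssc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive movaz_ssc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.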
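##	</summary>
## </param>
#
define(`corenet_sendrecv_movaz_ssc_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_movaz_ssc_server_packets'($*)) dnl
	corenet_send_movaz_ssc_server_packets($1)
	corenet_receive_movaz_ssc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_movaz_ssc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive movaz_ssc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_movaz_ssc_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_movaz_ssc_server_packets'($*)) dnl
	corenet_dontaudit_send_movaz_ssc_server_packets($1)
	corenet_dontaudit_receive_movaz_ssc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_movaz_ssc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the movaz_ssc_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_movaz_ssc_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_movaz_ssc_server_packets'($*)) dnl
	gen_require(`
		type movaz_ssc_server_packet_t;
	')

	allow $1 movaz_ssc_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_movaz_ssc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the mpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.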
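##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_mpd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mpd_port'($*)) dnl
	gen_require(`
		type mpd_port_t;
	')

	allow $1 mpd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mpd_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the mpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_mpd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mpd_port'($*)) dnl
	gen_require(`
		type mpd_port_t;
	')

	allow $1 mpd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_mpd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the mpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_mpd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mpd_port'($*)) dnl
	gen_require(`
		type mpd_port_t;
	')

	dontaudit $1 mpd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mpd_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the mpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.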
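##	</summary>
## </param>
#
define(`corenet_udp_receive_mpd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mpd_port'($*)) dnl
	gen_require(`
		type mpd_port_t;
	')

	allow $1 mpd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mpd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the mpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_mpd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mpd_port'($*)) dnl
	gen_require(`
		type mpd_port_t;
	')

	dontaudit $1 mpd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mpd_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the mpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_mpd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mpd_port'($*)) dnl
	corenet_udp_send_mpd_port($1)
	corenet_udp_receive_mpd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mpd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the mpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.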
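##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_mpd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mpd_port'($*)) dnl
	corenet_dontaudit_udp_send_mpd_port($1)
	corenet_dontaudit_udp_receive_mpd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mpd_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the mpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_mpd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mpd_port'($*)) dnl
	gen_require(`
		type mpd_port_t;
	')

	allow $1 mpd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mpd_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the mpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_mpd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mpd_port'($*)) dnl
	gen_require(`
		type mpd_port_t;
	')

	allow $1 mpd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mpd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the mpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.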
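##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_mpd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mpd_port'($*)) dnl
	gen_require(`
		type mpd_port_t;
	')

	dontaudit $1 mpd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mpd_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the mpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_mpd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mpd_port'($*)) dnl
	gen_require(`
		type mpd_port_t;
	')

	allow $1 mpd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mpd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the mpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_mpd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mpd_port'($*)) dnl
	gen_require(`
		type mpd_port_t;
	')

	dontaudit $1 mpd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mpd_port'($*)) dnl
')

########################################
## <summary>
##	Send mpd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.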
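##	</summary>
## </param>
#
define(`corenet_send_mpd_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mpd_client_packets'($*)) dnl
	gen_require(`
		type mpd_client_packet_t;
	')

	allow $1 mpd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mpd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send mpd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_mpd_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mpd_client_packets'($*)) dnl
	gen_require(`
		type mpd_client_packet_t;
	')

	dontaudit $1 mpd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mpd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive mpd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_mpd_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mpd_client_packets'($*)) dnl
	gen_require(`
		type mpd_client_packet_t;
	')

	allow $1 mpd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mpd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive mpd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.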
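##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_mpd_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mpd_client_packets'($*)) dnl
	gen_require(`
		type mpd_client_packet_t;
	')

	dontaudit $1 mpd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mpd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive mpd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_mpd_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mpd_client_packets'($*)) dnl
	corenet_send_mpd_client_packets($1)
	corenet_receive_mpd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mpd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive mpd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_mpd_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mpd_client_packets'($*)) dnl
	corenet_dontaudit_send_mpd_client_packets($1)
	corenet_dontaudit_receive_mpd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mpd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the mpd_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.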
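##	</summary>
## </param>
#
define(`corenet_relabelto_mpd_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mpd_client_packets'($*)) dnl
	gen_require(`
		type mpd_client_packet_t;
	')

	allow $1 mpd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mpd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send mpd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_mpd_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mpd_server_packets'($*)) dnl
	gen_require(`
		type mpd_server_packet_t;
	')

	allow $1 mpd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mpd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send mpd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_mpd_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mpd_server_packets'($*)) dnl
	gen_require(`
		type mpd_server_packet_t;
	')

	dontaudit $1 mpd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mpd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive mpd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.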
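##	</summary>
## </param>
#
define(`corenet_receive_mpd_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mpd_server_packets'($*)) dnl
	gen_require(`
		type mpd_server_packet_t;
	')

	allow $1 mpd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mpd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive mpd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_mpd_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mpd_server_packets'($*)) dnl
	gen_require(`
		type mpd_server_packet_t;
	')

	dontaudit $1 mpd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mpd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive mpd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_mpd_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mpd_server_packets'($*)) dnl
	corenet_send_mpd_server_packets($1)
	corenet_receive_mpd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mpd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive mpd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.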
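##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_mpd_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mpd_server_packets'($*)) dnl
	corenet_dontaudit_send_mpd_server_packets($1)
	corenet_dontaudit_receive_mpd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mpd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the mpd_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_mpd_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mpd_server_packets'($*)) dnl
	gen_require(`
		type mpd_server_packet_t;
	')

	allow $1 mpd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mpd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the msnp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_msnp_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_msnp_port'($*)) dnl
	gen_require(`
		type msnp_port_t;
	')

	allow $1 msnp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_msnp_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the msnp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.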
#
define(`corenet_udp_send_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_msnp_port'($*)) dnl
	gen_require(`
		type msnp_port_t;
	')

	allow $1 msnp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_msnp_port'($*)) dnl
')

########################################
## Do not audit attempts to send UDP traffic on the msnp port.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_udp_send_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_msnp_port'($*)) dnl
	gen_require(`
		type msnp_port_t;
	')

	dontaudit $1 msnp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_msnp_port'($*)) dnl
')

########################################
## Receive UDP traffic on the msnp port.
## domain: Domain allowed access.
#
define(`corenet_udp_receive_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_msnp_port'($*)) dnl
	gen_require(`
		type msnp_port_t;
	')

	allow $1 msnp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_msnp_port'($*)) dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the msnp port.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_msnp_port'($*)) dnl
	gen_require(`
		type msnp_port_t;
	')

	dontaudit $1 msnp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_msnp_port'($*)) dnl
')

########################################
## Send and receive UDP traffic on the msnp port.
## domain: Domain allowed access.
#
define(`corenet_udp_sendrecv_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_msnp_port'($*)) dnl
	corenet_udp_send_msnp_port($1)
	corenet_udp_receive_msnp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_msnp_port'($*)) dnl
')

########################################
## Do not audit attempts to send and receive
## UDP traffic on the msnp port.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_msnp_port'($*)) dnl
	corenet_dontaudit_udp_send_msnp_port($1)
	corenet_dontaudit_udp_receive_msnp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_msnp_port'($*)) dnl
')

########################################
## Bind TCP sockets to the msnp port.
## domain: Domain allowed access.
#
define(`corenet_tcp_bind_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_msnp_port'($*)) dnl
	gen_require(`
		type msnp_port_t;
	')

	allow $1 msnp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_msnp_port'($*)) dnl
')

########################################
## Bind UDP sockets to the msnp port.
## domain: Domain allowed access.
#
define(`corenet_udp_bind_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_msnp_port'($*)) dnl
	gen_require(`
		type msnp_port_t;
	')

	allow $1 msnp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_msnp_port'($*)) dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the msnp port.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_udp_bind_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_msnp_port'($*)) dnl
	gen_require(`
		type msnp_port_t;
	')

	dontaudit $1 msnp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_msnp_port'($*)) dnl
')

########################################
## Make a TCP connection to the msnp port.
## domain: Domain allowed access.
#
define(`corenet_tcp_connect_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_msnp_port'($*)) dnl
	gen_require(`
		type msnp_port_t;
	')

	allow $1 msnp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_msnp_port'($*)) dnl
')

########################################
## Do not audit attempts to make a TCP connection to the msnp port.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_tcp_connect_msnp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_msnp_port'($*)) dnl
	gen_require(`
		type msnp_port_t;
	')

	dontaudit $1 msnp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_msnp_port'($*)) dnl
')

########################################
## Send msnp_client packets.
## domain: Domain allowed access.
#
define(`corenet_send_msnp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_msnp_client_packets'($*)) dnl
	gen_require(`
		type msnp_client_packet_t;
	')

	allow $1 msnp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_msnp_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send msnp_client packets.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_send_msnp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_msnp_client_packets'($*)) dnl
	gen_require(`
		type msnp_client_packet_t;
	')

	dontaudit $1 msnp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_msnp_client_packets'($*)) dnl
')

########################################
## Receive msnp_client packets.
## domain: Domain allowed access.
#
define(`corenet_receive_msnp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_msnp_client_packets'($*)) dnl
	gen_require(`
		type msnp_client_packet_t;
	')

	allow $1 msnp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_msnp_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive msnp_client packets.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_receive_msnp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_msnp_client_packets'($*)) dnl
	gen_require(`
		type msnp_client_packet_t;
	')

	dontaudit $1 msnp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_msnp_client_packets'($*)) dnl
')

########################################
## Send and receive msnp_client packets.
## domain: Domain allowed access.
#
define(`corenet_sendrecv_msnp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_msnp_client_packets'($*)) dnl
	corenet_send_msnp_client_packets($1)
	corenet_receive_msnp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_msnp_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive msnp_client packets.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_msnp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_msnp_client_packets'($*)) dnl
	corenet_dontaudit_send_msnp_client_packets($1)
	corenet_dontaudit_receive_msnp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_msnp_client_packets'($*)) dnl
')

########################################
## Relabel packets to the msnp_client packet type.
## domain: Domain allowed access.
#
define(`corenet_relabelto_msnp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_msnp_client_packets'($*)) dnl
	gen_require(`
		type msnp_client_packet_t;
	')

	allow $1 msnp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_msnp_client_packets'($*)) dnl
')

########################################
## Send msnp_server packets.
## domain: Domain allowed access.
#
define(`corenet_send_msnp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_msnp_server_packets'($*)) dnl
	gen_require(`
		type msnp_server_packet_t;
	')

	allow $1 msnp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_msnp_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send msnp_server packets.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_send_msnp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_msnp_server_packets'($*)) dnl
	gen_require(`
		type msnp_server_packet_t;
	')

	dontaudit $1 msnp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_msnp_server_packets'($*)) dnl
')

########################################
## Receive msnp_server packets.
## domain: Domain allowed access.
#
define(`corenet_receive_msnp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_msnp_server_packets'($*)) dnl
	gen_require(`
		type msnp_server_packet_t;
	')

	allow $1 msnp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_msnp_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive msnp_server packets.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_receive_msnp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_msnp_server_packets'($*)) dnl
	gen_require(`
		type msnp_server_packet_t;
	')

	dontaudit $1 msnp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_msnp_server_packets'($*)) dnl
')

########################################
## Send and receive msnp_server packets.
## domain: Domain allowed access.
#
define(`corenet_sendrecv_msnp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_msnp_server_packets'($*)) dnl
	corenet_send_msnp_server_packets($1)
	corenet_receive_msnp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_msnp_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive msnp_server packets.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_msnp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_msnp_server_packets'($*)) dnl
	corenet_dontaudit_send_msnp_server_packets($1)
	corenet_dontaudit_receive_msnp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_msnp_server_packets'($*)) dnl
')

########################################
## Relabel packets to the msnp_server packet type.
## domain: Domain allowed access.
#
define(`corenet_relabelto_msnp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_msnp_server_packets'($*)) dnl
	gen_require(`
		type msnp_server_packet_t;
	')

	allow $1 msnp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_msnp_server_packets'($*)) dnl
')

########################################
## Send and receive TCP traffic on the mssql port.
## domain: Domain allowed access.
#
define(`corenet_tcp_sendrecv_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mssql_port'($*)) dnl
	gen_require(`
		type mssql_port_t;
	')

	allow $1 mssql_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mssql_port'($*)) dnl
')

########################################
## Send UDP traffic on the mssql port.
## domain: Domain allowed access.
#
define(`corenet_udp_send_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mssql_port'($*)) dnl
	gen_require(`
		type mssql_port_t;
	')

	allow $1 mssql_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_mssql_port'($*)) dnl
')

########################################
## Do not audit attempts to send UDP traffic on the mssql port.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_udp_send_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mssql_port'($*)) dnl
	gen_require(`
		type mssql_port_t;
	')

	dontaudit $1 mssql_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mssql_port'($*)) dnl
')

########################################
## Receive UDP traffic on the mssql port.
## domain: Domain allowed access.
#
define(`corenet_udp_receive_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mssql_port'($*)) dnl
	gen_require(`
		type mssql_port_t;
	')

	allow $1 mssql_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mssql_port'($*)) dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the mssql port.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mssql_port'($*)) dnl
	gen_require(`
		type mssql_port_t;
	')

	dontaudit $1 mssql_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mssql_port'($*)) dnl
')

########################################
## Send and receive UDP traffic on the mssql port.
## domain: Domain allowed access.
#
define(`corenet_udp_sendrecv_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mssql_port'($*)) dnl
	corenet_udp_send_mssql_port($1)
	corenet_udp_receive_mssql_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mssql_port'($*)) dnl
')

########################################
## Do not audit attempts to send and receive
## UDP traffic on the mssql port.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mssql_port'($*)) dnl
	corenet_dontaudit_udp_send_mssql_port($1)
	corenet_dontaudit_udp_receive_mssql_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mssql_port'($*)) dnl
')

########################################
## Bind TCP sockets to the mssql port.
## Unlike the msnp bind interfaces above, this one also grants the
## caller the net_bind_service capability. That capability is only
## needed for binding ports below 1024.
## NOTE(review): confirm mssql_port_t covers a port below 1024;
## otherwise the capability grant is broader than the interface needs.
## domain: Domain allowed access.
#
define(`corenet_tcp_bind_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mssql_port'($*)) dnl
	gen_require(`
		type mssql_port_t;
	')

	allow $1 mssql_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mssql_port'($*)) dnl
')

########################################
## Bind UDP sockets to the mssql port.
## domain: Domain allowed access.
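#
define(`corenet_udp_bind_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mssql_port'($*)) dnl
	gen_require(`
		type mssql_port_t;
	')

	allow $1 mssql_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mssql_port'($*)) dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the mssql port.
## This is a dontaudit-only interface: it must not grant any access.
## The net_bind_service capability grant that the bind interfaces
## carry was removed here, since a caller asking only to silence
## denials would otherwise receive a real capability.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_udp_bind_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mssql_port'($*)) dnl
	gen_require(`
		type mssql_port_t;
	')

	dontaudit $1 mssql_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mssql_port'($*)) dnl
')

########################################
## Make a TCP connection to the mssql port.
## domain: Domain allowed access.
#
define(`corenet_tcp_connect_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mssql_port'($*)) dnl
	gen_require(`
		type mssql_port_t;
	')

	allow $1 mssql_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mssql_port'($*)) dnl
')

########################################
## Do not audit attempts to make a TCP connection to the mssql port.
## domain: Domain to not audit.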
#
define(`corenet_dontaudit_tcp_connect_mssql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mssql_port'($*)) dnl
	gen_require(`
		type mssql_port_t;
	')

	dontaudit $1 mssql_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mssql_port'($*)) dnl
')

########################################
## Send mssql_client packets.
## domain: Domain allowed access.
#
define(`corenet_send_mssql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mssql_client_packets'($*)) dnl
	gen_require(`
		type mssql_client_packet_t;
	')

	allow $1 mssql_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mssql_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send mssql_client packets.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_send_mssql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mssql_client_packets'($*)) dnl
	gen_require(`
		type mssql_client_packet_t;
	')

	dontaudit $1 mssql_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mssql_client_packets'($*)) dnl
')

########################################
## Receive mssql_client packets.
## domain: Domain allowed access.
#
define(`corenet_receive_mssql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mssql_client_packets'($*)) dnl
	gen_require(`
		type mssql_client_packet_t;
	')

	allow $1 mssql_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mssql_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive mssql_client packets.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_receive_mssql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mssql_client_packets'($*)) dnl
	gen_require(`
		type mssql_client_packet_t;
	')

	dontaudit $1 mssql_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mssql_client_packets'($*)) dnl
')

########################################
## Send and receive mssql_client packets.
## domain: Domain allowed access.
#
define(`corenet_sendrecv_mssql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mssql_client_packets'($*)) dnl
	corenet_send_mssql_client_packets($1)
	corenet_receive_mssql_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mssql_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive mssql_client packets.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_mssql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mssql_client_packets'($*)) dnl
	corenet_dontaudit_send_mssql_client_packets($1)
	corenet_dontaudit_receive_mssql_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mssql_client_packets'($*)) dnl
')

########################################
## Relabel packets to the mssql_client packet type.
## domain: Domain allowed access.
#
define(`corenet_relabelto_mssql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mssql_client_packets'($*)) dnl
	gen_require(`
		type mssql_client_packet_t;
	')

	allow $1 mssql_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mssql_client_packets'($*)) dnl
')

########################################
## Send mssql_server packets.
## domain: Domain allowed access.
#
define(`corenet_send_mssql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mssql_server_packets'($*)) dnl
	gen_require(`
		type mssql_server_packet_t;
	')

	allow $1 mssql_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mssql_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send mssql_server packets.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_send_mssql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mssql_server_packets'($*)) dnl
	gen_require(`
		type mssql_server_packet_t;
	')

	dontaudit $1 mssql_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mssql_server_packets'($*)) dnl
')

########################################
## Receive mssql_server packets.
## domain: Domain allowed access.
#
define(`corenet_receive_mssql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mssql_server_packets'($*)) dnl
	gen_require(`
		type mssql_server_packet_t;
	')

	allow $1 mssql_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mssql_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive mssql_server packets.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_receive_mssql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mssql_server_packets'($*)) dnl
	gen_require(`
		type mssql_server_packet_t;
	')

	dontaudit $1 mssql_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mssql_server_packets'($*)) dnl
')

########################################
## Send and receive mssql_server packets.
## domain: Domain allowed access.
#
define(`corenet_sendrecv_mssql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mssql_server_packets'($*)) dnl
	corenet_send_mssql_server_packets($1)
	corenet_receive_mssql_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mssql_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive mssql_server packets.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_mssql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mssql_server_packets'($*)) dnl
	corenet_dontaudit_send_mssql_server_packets($1)
	corenet_dontaudit_receive_mssql_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mssql_server_packets'($*)) dnl
')

########################################
## Relabel packets to the mssql_server packet type.
## domain: Domain allowed access.
#
define(`corenet_relabelto_mssql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mssql_server_packets'($*)) dnl
	gen_require(`
		type mssql_server_packet_t;
	')

	allow $1 mssql_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mssql_server_packets'($*)) dnl
')

########################################
## Send and receive TCP traffic on the ms_streaming port.
## domain: Domain allowed access.
#
define(`corenet_tcp_sendrecv_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ms_streaming_port'($*)) dnl
	gen_require(`
		type ms_streaming_port_t;
	')

	allow $1 ms_streaming_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ms_streaming_port'($*)) dnl
')

########################################
## Send UDP traffic on the ms_streaming port.
## domain: Domain allowed access.
#
define(`corenet_udp_send_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ms_streaming_port'($*)) dnl
	gen_require(`
		type ms_streaming_port_t;
	')

	allow $1 ms_streaming_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ms_streaming_port'($*)) dnl
')

########################################
## Do not audit attempts to send UDP traffic on the ms_streaming port.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_udp_send_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ms_streaming_port'($*)) dnl
	gen_require(`
		type ms_streaming_port_t;
	')

	dontaudit $1 ms_streaming_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ms_streaming_port'($*)) dnl
')

########################################
## Receive UDP traffic on the ms_streaming port.
## domain: Domain allowed access.
#
define(`corenet_udp_receive_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ms_streaming_port'($*)) dnl
	gen_require(`
		type ms_streaming_port_t;
	')

	allow $1 ms_streaming_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ms_streaming_port'($*)) dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the ms_streaming port.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ms_streaming_port'($*)) dnl
	gen_require(`
		type ms_streaming_port_t;
	')

	dontaudit $1 ms_streaming_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ms_streaming_port'($*)) dnl
')

########################################
## Send and receive UDP traffic on the ms_streaming port.
## domain: Domain allowed access.
#
define(`corenet_udp_sendrecv_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ms_streaming_port'($*)) dnl
	corenet_udp_send_ms_streaming_port($1)
	corenet_udp_receive_ms_streaming_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ms_streaming_port'($*)) dnl
')

########################################
## Do not audit attempts to send and receive
## UDP traffic on the ms_streaming port.
## domain: Domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ms_streaming_port'($*)) dnl
	corenet_dontaudit_udp_send_ms_streaming_port($1)
	corenet_dontaudit_udp_receive_ms_streaming_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ms_streaming_port'($*)) dnl
')

########################################
## Bind TCP sockets to the ms_streaming port.
## domain: Domain allowed access.
#
define(`corenet_tcp_bind_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ms_streaming_port'($*)) dnl
	gen_require(`
		type ms_streaming_port_t;
	')

	allow $1 ms_streaming_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ms_streaming_port'($*)) dnl
')

########################################
## Bind UDP sockets to the ms_streaming port.
## domain: Domain allowed access.
#
define(`corenet_udp_bind_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ms_streaming_port'($*)) dnl
	gen_require(`
		type ms_streaming_port_t;
	')

	allow $1 ms_streaming_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ms_streaming_port'($*)) dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the ms_streaming port.
## domain: Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ms_streaming_port'($*)) dnl
	gen_require(`
		type ms_streaming_port_t;
	')

	dontaudit $1 ms_streaming_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ms_streaming_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the ms_streaming port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ms_streaming_port'($*)) dnl
	gen_require(`
		type ms_streaming_port_t;
	')

	allow $1 ms_streaming_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ms_streaming_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the ms_streaming port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_ms_streaming_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ms_streaming_port'($*)) dnl
	gen_require(`
		type ms_streaming_port_t;
	')

	dontaudit $1 ms_streaming_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ms_streaming_port'($*)) dnl
')

########################################
## <summary>
##	Send ms_streaming_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_ms_streaming_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ms_streaming_client_packets'($*)) dnl
	gen_require(`
		type ms_streaming_client_packet_t;
	')

	allow $1 ms_streaming_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ms_streaming_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send ms_streaming_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_ms_streaming_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ms_streaming_client_packets'($*)) dnl
	gen_require(`
		type ms_streaming_client_packet_t;
	')

	dontaudit $1 ms_streaming_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ms_streaming_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive ms_streaming_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_ms_streaming_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ms_streaming_client_packets'($*)) dnl
	gen_require(`
		type ms_streaming_client_packet_t;
	')

	allow $1 ms_streaming_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ms_streaming_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive ms_streaming_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_ms_streaming_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ms_streaming_client_packets'($*)) dnl
	gen_require(`
		type ms_streaming_client_packet_t;
	')

	dontaudit $1 ms_streaming_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ms_streaming_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive ms_streaming_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_ms_streaming_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ms_streaming_client_packets'($*)) dnl
	corenet_send_ms_streaming_client_packets($1)
	corenet_receive_ms_streaming_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ms_streaming_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive ms_streaming_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_ms_streaming_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ms_streaming_client_packets'($*)) dnl
	corenet_dontaudit_send_ms_streaming_client_packets($1)
	corenet_dontaudit_receive_ms_streaming_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ms_streaming_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the ms_streaming_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_ms_streaming_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ms_streaming_client_packets'($*)) dnl
	gen_require(`
		type ms_streaming_client_packet_t;
	')

	allow $1 ms_streaming_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ms_streaming_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send ms_streaming_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_ms_streaming_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ms_streaming_server_packets'($*)) dnl
	gen_require(`
		type ms_streaming_server_packet_t;
	')

	allow $1 ms_streaming_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ms_streaming_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send ms_streaming_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_ms_streaming_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ms_streaming_server_packets'($*)) dnl
	gen_require(`
		type ms_streaming_server_packet_t;
	')

	dontaudit $1 ms_streaming_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ms_streaming_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive ms_streaming_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_ms_streaming_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ms_streaming_server_packets'($*)) dnl
	gen_require(`
		type ms_streaming_server_packet_t;
	')

	allow $1 ms_streaming_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ms_streaming_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive ms_streaming_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_ms_streaming_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ms_streaming_server_packets'($*)) dnl
	gen_require(`
		type ms_streaming_server_packet_t;
	')

	dontaudit $1 ms_streaming_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ms_streaming_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive ms_streaming_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_ms_streaming_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ms_streaming_server_packets'($*)) dnl
	corenet_send_ms_streaming_server_packets($1)
	corenet_receive_ms_streaming_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ms_streaming_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive ms_streaming_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_ms_streaming_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ms_streaming_server_packets'($*)) dnl
	corenet_dontaudit_send_ms_streaming_server_packets($1)
	corenet_dontaudit_receive_ms_streaming_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ms_streaming_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the ms_streaming_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_ms_streaming_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ms_streaming_server_packets'($*)) dnl
	gen_require(`
		type ms_streaming_server_packet_t;
	')

	allow $1 ms_streaming_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ms_streaming_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the munin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_tcp_sendrecv_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_munin_port'($*)) dnl
	gen_require(`
		type munin_port_t;
	')

	allow $1 munin_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_munin_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the munin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_munin_port'($*)) dnl
	gen_require(`
		type munin_port_t;
	')

	allow $1 munin_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_munin_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the munin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_munin_port'($*)) dnl
	gen_require(`
		type munin_port_t;
	')

	dontaudit $1 munin_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_munin_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the munin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_munin_port'($*)) dnl
	gen_require(`
		type munin_port_t;
	')

	allow $1 munin_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_munin_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the munin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_munin_port'($*)) dnl
	gen_require(`
		type munin_port_t;
	')

	dontaudit $1 munin_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_munin_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the munin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_udp_sendrecv_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_munin_port'($*)) dnl
	corenet_udp_send_munin_port($1)
	corenet_udp_receive_munin_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_munin_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the munin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_munin_port'($*)) dnl
	corenet_dontaudit_udp_send_munin_port($1)
	corenet_dontaudit_udp_receive_munin_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_munin_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the munin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_munin_port'($*)) dnl
	gen_require(`
		type munin_port_t;
	')

	allow $1 munin_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_munin_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the munin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_munin_port'($*)) dnl
	gen_require(`
		type munin_port_t;
	')

	allow $1 munin_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_munin_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the munin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_munin_port'($*)) dnl
	gen_require(`
		type munin_port_t;
	')

	dontaudit $1 munin_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_munin_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the munin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_munin_port'($*)) dnl
	gen_require(`
		type munin_port_t;
	')

	allow $1 munin_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_munin_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the munin port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_munin_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_munin_port'($*)) dnl
	gen_require(`
		type munin_port_t;
	')

	dontaudit $1 munin_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_munin_port'($*)) dnl
')

########################################
## <summary>
##	Send munin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_munin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_munin_client_packets'($*)) dnl
	gen_require(`
		type munin_client_packet_t;
	')

	allow $1 munin_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_munin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send munin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_munin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_munin_client_packets'($*)) dnl
	gen_require(`
		type munin_client_packet_t;
	')

	dontaudit $1 munin_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_munin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive munin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_munin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_munin_client_packets'($*)) dnl
	gen_require(`
		type munin_client_packet_t;
	')

	allow $1 munin_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_munin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive munin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_munin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_munin_client_packets'($*)) dnl
	gen_require(`
		type munin_client_packet_t;
	')

	dontaudit $1 munin_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_munin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive munin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_munin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_munin_client_packets'($*)) dnl
	corenet_send_munin_client_packets($1)
	corenet_receive_munin_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_munin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive munin_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_munin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_munin_client_packets'($*)) dnl
	corenet_dontaudit_send_munin_client_packets($1)
	corenet_dontaudit_receive_munin_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_munin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the munin_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_munin_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_munin_client_packets'($*)) dnl
	gen_require(`
		type munin_client_packet_t;
	')

	allow $1 munin_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_munin_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send munin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_munin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_munin_server_packets'($*)) dnl
	gen_require(`
		type munin_server_packet_t;
	')

	allow $1 munin_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_munin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send munin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_munin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_munin_server_packets'($*)) dnl
	gen_require(`
		type munin_server_packet_t;
	')

	dontaudit $1 munin_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_munin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive munin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_munin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_munin_server_packets'($*)) dnl
	gen_require(`
		type munin_server_packet_t;
	')

	allow $1 munin_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_munin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive munin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_munin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_munin_server_packets'($*)) dnl
	gen_require(`
		type munin_server_packet_t;
	')

	dontaudit $1 munin_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_munin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive munin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_munin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_munin_server_packets'($*)) dnl
	corenet_send_munin_server_packets($1)
	corenet_receive_munin_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_munin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive munin_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_munin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_munin_server_packets'($*)) dnl
	corenet_dontaudit_send_munin_server_packets($1)
	corenet_dontaudit_receive_munin_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_munin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the munin_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_munin_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_munin_server_packets'($*)) dnl
	gen_require(`
		type munin_server_packet_t;
	')

	allow $1 munin_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_munin_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the mxi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_tcp_sendrecv_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mxi_port'($*)) dnl
	gen_require(`
		type mxi_port_t;
	')

	allow $1 mxi_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mxi_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the mxi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mxi_port'($*)) dnl
	gen_require(`
		type mxi_port_t;
	')

	allow $1 mxi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_mxi_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the mxi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mxi_port'($*)) dnl
	gen_require(`
		type mxi_port_t;
	')

	dontaudit $1 mxi_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mxi_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the mxi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mxi_port'($*)) dnl
	gen_require(`
		type mxi_port_t;
	')

	allow $1 mxi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mxi_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the mxi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mxi_port'($*)) dnl
	gen_require(`
		type mxi_port_t;
	')

	dontaudit $1 mxi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mxi_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the mxi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_udp_sendrecv_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mxi_port'($*)) dnl
	corenet_udp_send_mxi_port($1)
	corenet_udp_receive_mxi_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mxi_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the mxi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mxi_port'($*)) dnl
	corenet_dontaudit_udp_send_mxi_port($1)
	corenet_dontaudit_udp_receive_mxi_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mxi_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the mxi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mxi_port'($*)) dnl
	gen_require(`
		type mxi_port_t;
	')

	allow $1 mxi_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mxi_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the mxi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mxi_port'($*)) dnl
	gen_require(`
		type mxi_port_t;
	')

	allow $1 mxi_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mxi_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the mxi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mxi_port'($*)) dnl
	gen_require(`
		type mxi_port_t;
	')

	dontaudit $1 mxi_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mxi_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the mxi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mxi_port'($*)) dnl
	gen_require(`
		type mxi_port_t;
	')

	allow $1 mxi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mxi_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the mxi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_mxi_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mxi_port'($*)) dnl
	gen_require(`
		type mxi_port_t;
	')

	dontaudit $1 mxi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mxi_port'($*)) dnl
')

########################################
## <summary>
##	Send mxi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_mxi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mxi_client_packets'($*)) dnl
	gen_require(`
		type mxi_client_packet_t;
	')

	allow $1 mxi_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mxi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send mxi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_mxi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mxi_client_packets'($*)) dnl
	gen_require(`
		type mxi_client_packet_t;
	')

	dontaudit $1 mxi_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mxi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive mxi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_mxi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mxi_client_packets'($*)) dnl
	gen_require(`
		type mxi_client_packet_t;
	')

	allow $1 mxi_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mxi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive mxi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_mxi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mxi_client_packets'($*)) dnl
	gen_require(`
		type mxi_client_packet_t;
	')

	dontaudit $1 mxi_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mxi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive mxi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_mxi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mxi_client_packets'($*)) dnl
	corenet_send_mxi_client_packets($1)
	corenet_receive_mxi_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mxi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive mxi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## ## ## # define(`corenet_dontaudit_sendrecv_mxi_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mxi_client_packets'($*)) dnl corenet_dontaudit_send_mxi_client_packets($1) corenet_dontaudit_receive_mxi_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mxi_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to mxi_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_mxi_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mxi_client_packets'($*)) dnl gen_require(` type mxi_client_packet_t; ') allow $1 mxi_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_mxi_client_packets'($*)) dnl ') ######################################## ## ## Send mxi_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_mxi_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_mxi_server_packets'($*)) dnl gen_require(` type mxi_server_packet_t; ') allow $1 mxi_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_mxi_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send mxi_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_mxi_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mxi_server_packets'($*)) dnl gen_require(` type mxi_server_packet_t; ') dontaudit $1 mxi_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mxi_server_packets'($*)) dnl ') ######################################## ## ## Receive mxi_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_mxi_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_mxi_server_packets'($*)) dnl gen_require(` type mxi_server_packet_t; ') allow $1 mxi_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_mxi_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive mxi_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_mxi_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mxi_server_packets'($*)) dnl gen_require(` type mxi_server_packet_t; ') dontaudit $1 mxi_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mxi_server_packets'($*)) dnl ') ######################################## ## ## Send and receive mxi_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_mxi_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mxi_server_packets'($*)) dnl corenet_send_mxi_server_packets($1) corenet_receive_mxi_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mxi_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive mxi_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_mxi_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mxi_server_packets'($*)) dnl corenet_dontaudit_send_mxi_server_packets($1) corenet_dontaudit_receive_mxi_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mxi_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to mxi_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_mxi_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mxi_server_packets'($*)) dnl gen_require(` type mxi_server_packet_t; ') allow $1 mxi_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_mxi_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the mysqld port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_sendrecv_mysqld_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mysqld_port'($*)) dnl gen_require(` type mysqld_port_t; ') allow $1 mysqld_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mysqld_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the mysqld port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_mysqld_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mysqld_port'($*)) dnl gen_require(` type mysqld_port_t; ') allow $1 mysqld_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_mysqld_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the mysqld port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_mysqld_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mysqld_port'($*)) dnl gen_require(` type mysqld_port_t; ') dontaudit $1 mysqld_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mysqld_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the mysqld port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_receive_mysqld_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mysqld_port'($*)) dnl gen_require(` type mysqld_port_t; ') allow $1 mysqld_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mysqld_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the mysqld port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_mysqld_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mysqld_port'($*)) dnl gen_require(` type mysqld_port_t; ') dontaudit $1 mysqld_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mysqld_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the mysqld port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_mysqld_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mysqld_port'($*)) dnl corenet_udp_send_mysqld_port($1) corenet_udp_receive_mysqld_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mysqld_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the mysqld port. ## ## ## ## Domain to not audit. 
##
##
##
#
# corenet_dontaudit_udp_sendrecv_mysqld_port(domain)
#
# Suppress audit messages for UDP traffic in both directions on the mysqld
# port by calling the send and receive dontaudit interfaces for the caller.
# Only dontaudit rules are produced; no access is granted here.
#
define(`corenet_dontaudit_udp_sendrecv_mysqld_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mysqld_port'($*)) dnl
corenet_dontaudit_udp_send_mysqld_port($1)
corenet_dontaudit_udp_receive_mysqld_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mysqld_port'($*)) dnl
')

########################################
##
##	Bind TCP sockets to the mysqld port.
##
##
##
##	Domain allowed access.
##
##
##
#
# corenet_tcp_bind_mysqld_port(domain)
#
# Grants the caller name_bind on mysqld_port_t for TCP sockets.
# NOTE(review): the second rule additionally grants the self capability
# net_bind_service. That capability is not scoped to mysqld_port_t; it
# applies to every bind the domain performs, leaving only the per-port-type
# name_bind checks. Presumably present because mysqld_port_t covers a port
# below 1024 -- confirm against the port declaration before relying on it.
#
define(`corenet_tcp_bind_mysqld_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mysqld_port'($*)) dnl
gen_require(`
	type mysqld_port_t;
')
allow $1 mysqld_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mysqld_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the mysqld port.
##
##
##
##	Domain allowed access.
##
##
##
#
# corenet_udp_bind_mysqld_port(domain)
#
# Grants the caller name_bind on mysqld_port_t for UDP sockets, plus the same
# unscoped self net_bind_service capability as the TCP bind interface above
# (see the note there).
#
define(`corenet_udp_bind_mysqld_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mysqld_port'($*)) dnl
gen_require(`
	type mysqld_port_t;
')
allow $1 mysqld_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mysqld_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind to mysqld port.
##
##
##
##	Domain to not audit.
##
##
##
#
# corenet_dontaudit_udp_bind_mysqld_port(domain)
#
# NOTE(review): although this is a dontaudit interface, its second rule is an
# allow that grants the caller the self capability net_bind_service. A caller
# that only intends to silence UDP bind denials therefore receives a real
# permission. The mysqlmanagerd counterpart
# (corenet_dontaudit_udp_bind_mysqlmanagerd_port) carries only the dontaudit
# rule, so the allow here looks like a carry-over from the bind interfaces
# above and should be reviewed.
#
define(`corenet_dontaudit_udp_bind_mysqld_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mysqld_port'($*)) dnl
gen_require(`
	type mysqld_port_t;
')
dontaudit $1 mysqld_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mysqld_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the mysqld port.
##
##
##
##	Domain allowed access.
##
##
#
# corenet_tcp_connect_mysqld_port(domain)
#
# Grants the caller name_connect on mysqld_port_t for TCP sockets. No
# capability is involved; outbound connects are scoped to this port type.
#
define(`corenet_tcp_connect_mysqld_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mysqld_port'($*)) dnl
gen_require(`
	type mysqld_port_t;
')
allow $1 mysqld_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mysqld_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to mysqld port.
##
##
##
##	Domain to not audit.
##
##
#
# corenet_dontaudit_tcp_connect_mysqld_port(domain)
#
# Suppress audit messages for TCP name_connect on mysqld_port_t. Only a
# dontaudit rule is produced; no access is granted.
#
define(`corenet_dontaudit_tcp_connect_mysqld_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mysqld_port'($*)) dnl
gen_require(`
	type mysqld_port_t;
')
dontaudit $1 mysqld_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mysqld_port'($*)) dnl
')

########################################
##
##	Send mysqld_client packets.
##
##
##
##	Domain allowed access.
## ## ## # define(`corenet_send_mysqld_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_mysqld_client_packets'($*)) dnl gen_require(` type mysqld_client_packet_t; ') allow $1 mysqld_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_mysqld_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send mysqld_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_mysqld_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mysqld_client_packets'($*)) dnl gen_require(` type mysqld_client_packet_t; ') dontaudit $1 mysqld_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mysqld_client_packets'($*)) dnl ') ######################################## ## ## Receive mysqld_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_mysqld_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_mysqld_client_packets'($*)) dnl gen_require(` type mysqld_client_packet_t; ') allow $1 mysqld_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_mysqld_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive mysqld_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_mysqld_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mysqld_client_packets'($*)) dnl gen_require(` type mysqld_client_packet_t; ') dontaudit $1 mysqld_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mysqld_client_packets'($*)) dnl ') ######################################## ## ## Send and receive mysqld_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_mysqld_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mysqld_client_packets'($*)) dnl corenet_send_mysqld_client_packets($1) corenet_receive_mysqld_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mysqld_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive mysqld_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_mysqld_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mysqld_client_packets'($*)) dnl corenet_dontaudit_send_mysqld_client_packets($1) corenet_dontaudit_receive_mysqld_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mysqld_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to mysqld_client the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_mysqld_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mysqld_client_packets'($*)) dnl gen_require(` type mysqld_client_packet_t; ') allow $1 mysqld_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_mysqld_client_packets'($*)) dnl ') ######################################## ## ## Send mysqld_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_mysqld_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_mysqld_server_packets'($*)) dnl gen_require(` type mysqld_server_packet_t; ') allow $1 mysqld_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_mysqld_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send mysqld_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_mysqld_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mysqld_server_packets'($*)) dnl gen_require(` type mysqld_server_packet_t; ') dontaudit $1 mysqld_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mysqld_server_packets'($*)) dnl ') ######################################## ## ## Receive mysqld_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_mysqld_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_mysqld_server_packets'($*)) dnl gen_require(` type mysqld_server_packet_t; ') allow $1 mysqld_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_mysqld_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive mysqld_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_mysqld_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mysqld_server_packets'($*)) dnl gen_require(` type mysqld_server_packet_t; ') dontaudit $1 mysqld_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mysqld_server_packets'($*)) dnl ') ######################################## ## ## Send and receive mysqld_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_mysqld_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mysqld_server_packets'($*)) dnl corenet_send_mysqld_server_packets($1) corenet_receive_mysqld_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mysqld_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive mysqld_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_mysqld_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mysqld_server_packets'($*)) dnl corenet_dontaudit_send_mysqld_server_packets($1) corenet_dontaudit_receive_mysqld_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mysqld_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to mysqld_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_mysqld_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mysqld_server_packets'($*)) dnl gen_require(` type mysqld_server_packet_t; ') allow $1 mysqld_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_mysqld_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the mysqlmanagerd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_mysqlmanagerd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mysqlmanagerd_port'($*)) dnl gen_require(` type mysqlmanagerd_port_t; ') allow $1 mysqlmanagerd_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mysqlmanagerd_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the mysqlmanagerd port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_send_mysqlmanagerd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mysqlmanagerd_port'($*)) dnl gen_require(` type mysqlmanagerd_port_t; ') allow $1 mysqlmanagerd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_mysqlmanagerd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the mysqlmanagerd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_mysqlmanagerd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mysqlmanagerd_port'($*)) dnl gen_require(` type mysqlmanagerd_port_t; ') dontaudit $1 mysqlmanagerd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mysqlmanagerd_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the mysqlmanagerd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_mysqlmanagerd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mysqlmanagerd_port'($*)) dnl gen_require(` type mysqlmanagerd_port_t; ') allow $1 mysqlmanagerd_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mysqlmanagerd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the mysqlmanagerd port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_receive_mysqlmanagerd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mysqlmanagerd_port'($*)) dnl gen_require(` type mysqlmanagerd_port_t; ') dontaudit $1 mysqlmanagerd_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mysqlmanagerd_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the mysqlmanagerd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_mysqlmanagerd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mysqlmanagerd_port'($*)) dnl corenet_udp_send_mysqlmanagerd_port($1) corenet_udp_receive_mysqlmanagerd_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mysqlmanagerd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the mysqlmanagerd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_mysqlmanagerd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mysqlmanagerd_port'($*)) dnl corenet_dontaudit_udp_send_mysqlmanagerd_port($1) corenet_dontaudit_udp_receive_mysqlmanagerd_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mysqlmanagerd_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the mysqlmanagerd port. ## ## ## ## Domain allowed access. 
##
##
##
#
# corenet_tcp_bind_mysqlmanagerd_port(domain)
#
# Grants the caller name_bind on mysqlmanagerd_port_t for TCP sockets only.
# Unlike the mysqld bind interfaces, no net_bind_service capability is
# granted here, so the grant stays scoped to this port type.
#
define(`corenet_tcp_bind_mysqlmanagerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mysqlmanagerd_port'($*)) dnl
gen_require(`
	type mysqlmanagerd_port_t;
')
allow $1 mysqlmanagerd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mysqlmanagerd_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the mysqlmanagerd port.
##
##
##
##	Domain allowed access.
##
##
##
#
# corenet_udp_bind_mysqlmanagerd_port(domain)
#
# Grants the caller name_bind on mysqlmanagerd_port_t for UDP sockets only;
# no capability is granted.
#
define(`corenet_udp_bind_mysqlmanagerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mysqlmanagerd_port'($*)) dnl
gen_require(`
	type mysqlmanagerd_port_t;
')
allow $1 mysqlmanagerd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mysqlmanagerd_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind to mysqlmanagerd port.
##
##
##
##	Domain to not audit.
##
##
##
#
# corenet_dontaudit_udp_bind_mysqlmanagerd_port(domain)
#
# Suppress audit messages for UDP name_bind on mysqlmanagerd_port_t. This is
# a pure dontaudit interface: it grants no access, in contrast to
# corenet_dontaudit_udp_bind_mysqld_port, which also carries an allow rule.
#
define(`corenet_dontaudit_udp_bind_mysqlmanagerd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mysqlmanagerd_port'($*)) dnl
gen_require(`
	type mysqlmanagerd_port_t;
')
dontaudit $1 mysqlmanagerd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mysqlmanagerd_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the mysqlmanagerd port.
##
##
##
##	Domain allowed access.
## ## # define(`corenet_tcp_connect_mysqlmanagerd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mysqlmanagerd_port'($*)) dnl gen_require(` type mysqlmanagerd_port_t; ') allow $1 mysqlmanagerd_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mysqlmanagerd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to mysqlmanagerd port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_dontaudit_tcp_connect_mysqlmanagerd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mysqlmanagerd_port'($*)) dnl gen_require(` type mysqlmanagerd_port_t; ') dontaudit $1 mysqlmanagerd_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mysqlmanagerd_port'($*)) dnl ') ######################################## ## ## Send mysqlmanagerd_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_mysqlmanagerd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_mysqlmanagerd_client_packets'($*)) dnl gen_require(` type mysqlmanagerd_client_packet_t; ') allow $1 mysqlmanagerd_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_mysqlmanagerd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send mysqlmanagerd_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_mysqlmanagerd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mysqlmanagerd_client_packets'($*)) dnl gen_require(` type mysqlmanagerd_client_packet_t; ') dontaudit $1 mysqlmanagerd_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mysqlmanagerd_client_packets'($*)) dnl ') ######################################## ## ## Receive mysqlmanagerd_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_mysqlmanagerd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_mysqlmanagerd_client_packets'($*)) dnl gen_require(` type mysqlmanagerd_client_packet_t; ') allow $1 mysqlmanagerd_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_mysqlmanagerd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive mysqlmanagerd_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_mysqlmanagerd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mysqlmanagerd_client_packets'($*)) dnl gen_require(` type mysqlmanagerd_client_packet_t; ') dontaudit $1 mysqlmanagerd_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mysqlmanagerd_client_packets'($*)) dnl ') ######################################## ## ## Send and receive mysqlmanagerd_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_mysqlmanagerd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mysqlmanagerd_client_packets'($*)) dnl corenet_send_mysqlmanagerd_client_packets($1) corenet_receive_mysqlmanagerd_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mysqlmanagerd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive mysqlmanagerd_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_mysqlmanagerd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mysqlmanagerd_client_packets'($*)) dnl corenet_dontaudit_send_mysqlmanagerd_client_packets($1) corenet_dontaudit_receive_mysqlmanagerd_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mysqlmanagerd_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to mysqlmanagerd_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_mysqlmanagerd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mysqlmanagerd_client_packets'($*)) dnl gen_require(` type mysqlmanagerd_client_packet_t; ') allow $1 mysqlmanagerd_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_mysqlmanagerd_client_packets'($*)) dnl ') ######################################## ## ## Send mysqlmanagerd_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_mysqlmanagerd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_mysqlmanagerd_server_packets'($*)) dnl gen_require(` type mysqlmanagerd_server_packet_t; ') allow $1 mysqlmanagerd_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_mysqlmanagerd_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send mysqlmanagerd_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_mysqlmanagerd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mysqlmanagerd_server_packets'($*)) dnl gen_require(` type mysqlmanagerd_server_packet_t; ') dontaudit $1 mysqlmanagerd_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mysqlmanagerd_server_packets'($*)) dnl ') ######################################## ## ## Receive mysqlmanagerd_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_mysqlmanagerd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_mysqlmanagerd_server_packets'($*)) dnl gen_require(` type mysqlmanagerd_server_packet_t; ') allow $1 mysqlmanagerd_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_mysqlmanagerd_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive mysqlmanagerd_server packets. ## ## ## ## Domain allowed access. 
#
define(`corenet_dontaudit_receive_mysqlmanagerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mysqlmanagerd_server_packets'($*)) dnl
	gen_require(`
		type mysqlmanagerd_server_packet_t;
	')

	dontaudit $1 mysqlmanagerd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mysqlmanagerd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive mysqlmanagerd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_mysqlmanagerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mysqlmanagerd_server_packets'($*)) dnl
	# Composite of the two single-direction packet interfaces.
	corenet_send_mysqlmanagerd_server_packets($1)
	corenet_receive_mysqlmanagerd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mysqlmanagerd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	mysqlmanagerd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_mysqlmanagerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mysqlmanagerd_server_packets'($*)) dnl
	# Silences denials in both directions; grants nothing.
	corenet_dontaudit_send_mysqlmanagerd_server_packets($1)
	corenet_dontaudit_receive_mysqlmanagerd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mysqlmanagerd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the mysqlmanagerd_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_mysqlmanagerd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mysqlmanagerd_server_packets'($*)) dnl
	gen_require(`
		type mysqlmanagerd_server_packet_t;
	')

	allow $1 mysqlmanagerd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mysqlmanagerd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the mythtv port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_mythtv_port'($*)) dnl
	gen_require(`
		type mythtv_port_t;
	')

	allow $1 mythtv_port_t:tcp_socket { recv_msg send_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_mythtv_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the mythtv port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_mythtv_port'($*)) dnl
	gen_require(`
		type mythtv_port_t;
	')

	allow $1 mythtv_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_mythtv_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the mythtv port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_mythtv_port'($*)) dnl
	gen_require(`
		type mythtv_port_t;
	')

	dontaudit $1 mythtv_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_mythtv_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the mythtv port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_mythtv_port'($*)) dnl
	gen_require(`
		type mythtv_port_t;
	')

	allow $1 mythtv_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_mythtv_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the mythtv port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_mythtv_port'($*)) dnl
	gen_require(`
		type mythtv_port_t;
	')

	dontaudit $1 mythtv_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_mythtv_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the mythtv port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_mythtv_port'($*)) dnl
	# Composite of the two single-direction UDP interfaces.
	corenet_udp_send_mythtv_port($1)
	corenet_udp_receive_mythtv_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_mythtv_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the mythtv port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_mythtv_port'($*)) dnl
	# Silences denials in both directions; grants nothing.
	corenet_dontaudit_udp_send_mythtv_port($1)
	corenet_dontaudit_udp_receive_mythtv_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_mythtv_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the mythtv port.
##	Also grants the domain the net_bind_service capability.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_mythtv_port'($*)) dnl
	gen_require(`
		type mythtv_port_t;
	')

	allow $1 mythtv_port_t:tcp_socket name_bind;
	# NOTE(review): this interface also hands out CAP_NET_BIND_SERVICE,
	# which the nessus bind interfaces in this same file do not.
	# Presumably mythtv is assigned a reserved port in this policy;
	# confirm against the port declaration before relying on it.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_mythtv_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the mythtv port.
##	Also grants the domain the net_bind_service capability.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
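#
define(`corenet_udp_bind_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_mythtv_port'($*)) dnl
	gen_require(`
		type mythtv_port_t;
	')

	allow $1 mythtv_port_t:udp_socket name_bind;
	# NOTE(review): this interface also hands out CAP_NET_BIND_SERVICE,
	# which the nessus bind interfaces in this same file do not.
	# Presumably mythtv is assigned a reserved port in this policy;
	# confirm against the port declaration before relying on it.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_mythtv_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the mythtv port.
##	This interface grants no access; use corenet_udp_bind_mythtv_port
##	when the bind must actually succeed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_mythtv_port'($*)) dnl
	gen_require(`
		type mythtv_port_t;
	')

	# Only the name_bind denial is silenced. A dontaudit interface must
	# never carry an allow rule: callers pick it precisely because they do
	# not want to grant anything, so a hidden
	# "allow self:capability net_bind_service" here would silently give
	# the caller the ability to bind any reserved port under a benign name.
	dontaudit $1 mythtv_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_mythtv_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the mythtv port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_mythtv_port'($*)) dnl
	gen_require(`
		type mythtv_port_t;
	')

	allow $1 mythtv_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_mythtv_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the mythtv port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>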
#
define(`corenet_dontaudit_tcp_connect_mythtv_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_mythtv_port'($*)) dnl
	gen_require(`
		type mythtv_port_t;
	')

	dontaudit $1 mythtv_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_mythtv_port'($*)) dnl
')

########################################
## <summary>
##	Send mythtv_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_mythtv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mythtv_client_packets'($*)) dnl
	gen_require(`
		type mythtv_client_packet_t;
	')

	allow $1 mythtv_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mythtv_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send mythtv_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_mythtv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mythtv_client_packets'($*)) dnl
	gen_require(`
		type mythtv_client_packet_t;
	')

	dontaudit $1 mythtv_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mythtv_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive mythtv_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_mythtv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mythtv_client_packets'($*)) dnl
	gen_require(`
		type mythtv_client_packet_t;
	')

	allow $1 mythtv_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mythtv_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive mythtv_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_mythtv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mythtv_client_packets'($*)) dnl
	gen_require(`
		type mythtv_client_packet_t;
	')

	dontaudit $1 mythtv_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mythtv_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive mythtv_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_mythtv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mythtv_client_packets'($*)) dnl
	# Composite of the two single-direction packet interfaces.
	corenet_send_mythtv_client_packets($1)
	corenet_receive_mythtv_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mythtv_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive mythtv_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_mythtv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mythtv_client_packets'($*)) dnl
	# Silences denials in both directions; grants nothing.
	corenet_dontaudit_send_mythtv_client_packets($1)
	corenet_dontaudit_receive_mythtv_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mythtv_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the mythtv_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_mythtv_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mythtv_client_packets'($*)) dnl
	gen_require(`
		type mythtv_client_packet_t;
	')

	allow $1 mythtv_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mythtv_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send mythtv_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_mythtv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_mythtv_server_packets'($*)) dnl
	gen_require(`
		type mythtv_server_packet_t;
	')

	allow $1 mythtv_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_mythtv_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send mythtv_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_mythtv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_mythtv_server_packets'($*)) dnl
	gen_require(`
		type mythtv_server_packet_t;
	')

	dontaudit $1 mythtv_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_mythtv_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive mythtv_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_mythtv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_mythtv_server_packets'($*)) dnl
	gen_require(`
		type mythtv_server_packet_t;
	')

	allow $1 mythtv_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_mythtv_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive mythtv_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_mythtv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_mythtv_server_packets'($*)) dnl
	gen_require(`
		type mythtv_server_packet_t;
	')

	dontaudit $1 mythtv_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_mythtv_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive mythtv_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_mythtv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_mythtv_server_packets'($*)) dnl
	# Composite of the two single-direction packet interfaces.
	corenet_send_mythtv_server_packets($1)
	corenet_receive_mythtv_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_mythtv_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive mythtv_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_mythtv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_mythtv_server_packets'($*)) dnl
	# Silences denials in both directions; grants nothing.
	corenet_dontaudit_send_mythtv_server_packets($1)
	corenet_dontaudit_receive_mythtv_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_mythtv_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the mythtv_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_mythtv_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_mythtv_server_packets'($*)) dnl
	gen_require(`
		type mythtv_server_packet_t;
	')

	allow $1 mythtv_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_mythtv_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the nessus port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_nessus_port'($*)) dnl
	gen_require(`
		type nessus_port_t;
	')

	allow $1 nessus_port_t:tcp_socket { recv_msg send_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_nessus_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the nessus port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_nessus_port'($*)) dnl
	gen_require(`
		type nessus_port_t;
	')

	allow $1 nessus_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_nessus_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the nessus port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_nessus_port'($*)) dnl
	gen_require(`
		type nessus_port_t;
	')

	dontaudit $1 nessus_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_nessus_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the nessus port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_nessus_port'($*)) dnl
	gen_require(`
		type nessus_port_t;
	')

	allow $1 nessus_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_nessus_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the nessus port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_nessus_port'($*)) dnl
	gen_require(`
		type nessus_port_t;
	')

	dontaudit $1 nessus_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_nessus_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the nessus port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_nessus_port'($*)) dnl
	# Composite of the two single-direction UDP interfaces.
	corenet_udp_send_nessus_port($1)
	corenet_udp_receive_nessus_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_nessus_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the nessus port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_nessus_port'($*)) dnl
	# Silences denials in both directions; grants nothing.
	corenet_dontaudit_udp_send_nessus_port($1)
	corenet_dontaudit_udp_receive_nessus_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_nessus_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the nessus port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_nessus_port'($*)) dnl
	gen_require(`
		type nessus_port_t;
	')

	# No capability is granted here: binding is limited to name_bind on
	# the port type itself.
	allow $1 nessus_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_nessus_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the nessus port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_nessus_port'($*)) dnl
	gen_require(`
		type nessus_port_t;
	')

	allow $1 nessus_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_nessus_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the nessus port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_nessus_port'($*)) dnl
	gen_require(`
		type nessus_port_t;
	')

	# Only silences the denial; grants nothing.
	dontaudit $1 nessus_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_nessus_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the nessus port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_nessus_port'($*)) dnl
	gen_require(`
		type nessus_port_t;
	')

	allow $1 nessus_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_nessus_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the nessus port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_nessus_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_nessus_port'($*)) dnl
	gen_require(`
		type nessus_port_t;
	')

	dontaudit $1 nessus_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_nessus_port'($*)) dnl
')

########################################
## <summary>
##	Send nessus_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_nessus_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nessus_client_packets'($*)) dnl
	gen_require(`
		type nessus_client_packet_t;
	')

	allow $1 nessus_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nessus_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send nessus_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_nessus_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nessus_client_packets'($*)) dnl
	gen_require(`
		type nessus_client_packet_t;
	')

	dontaudit $1 nessus_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nessus_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive nessus_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_nessus_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nessus_client_packets'($*)) dnl
	gen_require(`
		type nessus_client_packet_t;
	')

	allow $1 nessus_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nessus_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive nessus_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_nessus_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nessus_client_packets'($*)) dnl
	gen_require(`
		type nessus_client_packet_t;
	')

	dontaudit $1 nessus_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nessus_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive nessus_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_nessus_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nessus_client_packets'($*)) dnl
	# Composite of the two single-direction packet interfaces.
	corenet_send_nessus_client_packets($1)
	corenet_receive_nessus_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nessus_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive nessus_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_nessus_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nessus_client_packets'($*)) dnl
	# Silences denials in both directions; grants nothing.
	corenet_dontaudit_send_nessus_client_packets($1)
	corenet_dontaudit_receive_nessus_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nessus_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the nessus_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_nessus_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nessus_client_packets'($*)) dnl
	gen_require(`
		type nessus_client_packet_t;
	')

	allow $1 nessus_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nessus_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send nessus_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_nessus_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nessus_server_packets'($*)) dnl
	gen_require(`
		type nessus_server_packet_t;
	')

	allow $1 nessus_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nessus_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send nessus_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_nessus_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nessus_server_packets'($*)) dnl
	gen_require(`
		type nessus_server_packet_t;
	')

	dontaudit $1 nessus_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nessus_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive nessus_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_nessus_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nessus_server_packets'($*)) dnl
	gen_require(`
		type nessus_server_packet_t;
	')

	allow $1 nessus_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nessus_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive nessus_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_nessus_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nessus_server_packets'($*)) dnl
	gen_require(`
		type nessus_server_packet_t;
	')

	dontaudit $1 nessus_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nessus_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive nessus_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_nessus_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nessus_server_packets'($*)) dnl
	# Composite of the two single-direction packet interfaces.
	corenet_send_nessus_server_packets($1)
	corenet_receive_nessus_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nessus_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive nessus_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_nessus_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nessus_server_packets'($*)) dnl
	# Silences denials in both directions; grants nothing.
	corenet_dontaudit_send_nessus_server_packets($1)
	corenet_dontaudit_receive_nessus_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nessus_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the nessus_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_nessus_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nessus_server_packets'($*)) dnl
	gen_require(`
		type nessus_server_packet_t;
	')

	allow $1 nessus_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nessus_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the netport port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_netport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_netport_port'($*)) dnl
	gen_require(`
		type netport_port_t;
	')

	allow $1 netport_port_t:tcp_socket { recv_msg send_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_netport_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the netport port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
##
##
#
define(`corenet_udp_send_netport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_netport_port'($*)) dnl
	gen_require(`
		type netport_port_t;
	')
	allow $1 netport_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_netport_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to send UDP traffic on the netport port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_netport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_netport_port'($*)) dnl
	gen_require(`
		type netport_port_t;
	')
	dontaudit $1 netport_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_netport_port'($*)) dnl
')
########################################
##
##	Receive UDP traffic on the netport port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_netport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_netport_port'($*)) dnl
	gen_require(`
		type netport_port_t;
	')
	allow $1 netport_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_netport_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to receive UDP traffic on the netport port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_netport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_netport_port'($*)) dnl
	gen_require(`
		type netport_port_t;
	')
	dontaudit $1 netport_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_netport_port'($*)) dnl
')
########################################
##
##	Send and receive UDP traffic on the netport port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_netport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_netport_port'($*)) dnl
	corenet_udp_send_netport_port($1)
	corenet_udp_receive_netport_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_netport_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the netport port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_netport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_netport_port'($*)) dnl
	corenet_dontaudit_udp_send_netport_port($1)
	corenet_dontaudit_udp_receive_netport_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_netport_port'($*)) dnl
')
########################################
##
##	Bind TCP sockets to the netport port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_netport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_netport_port'($*)) dnl
	gen_require(`
		type netport_port_t;
	')
	allow $1 netport_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_netport_port'($*)) dnl
')
########################################
##
##	Bind UDP sockets to the netport port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_netport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_netport_port'($*)) dnl
	gen_require(`
		type netport_port_t;
	')
	allow $1 netport_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_netport_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to bind UDP sockets to the netport port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_netport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_netport_port'($*)) dnl
	gen_require(`
		type netport_port_t;
	')
	dontaudit $1 netport_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_netport_port'($*)) dnl
')
########################################
##
##	Make a TCP connection to the netport port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_netport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_netport_port'($*)) dnl
	gen_require(`
		type netport_port_t;
	')
	allow $1 netport_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_netport_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to make a TCP connection to the netport port.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_netport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_netport_port'($*)) dnl
	gen_require(`
		type netport_port_t;
	')
	dontaudit $1 netport_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_netport_port'($*)) dnl
')
########################################
##
##	Send netport_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_netport_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_netport_client_packets'($*)) dnl
	gen_require(`
		type netport_client_packet_t;
	')
	allow $1 netport_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_netport_client_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to send netport_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_netport_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_netport_client_packets'($*)) dnl
	gen_require(`
		type netport_client_packet_t;
	')
	dontaudit $1 netport_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_netport_client_packets'($*)) dnl
')
########################################
##
##	Receive netport_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_netport_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_netport_client_packets'($*)) dnl
	gen_require(`
		type netport_client_packet_t;
	')
	allow $1 netport_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_netport_client_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to receive netport_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_netport_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_netport_client_packets'($*)) dnl
	gen_require(`
		type netport_client_packet_t;
	')
	dontaudit $1 netport_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_netport_client_packets'($*)) dnl
')
########################################
##
##	Send and receive netport_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_netport_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_netport_client_packets'($*)) dnl
	corenet_send_netport_client_packets($1)
	corenet_receive_netport_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_netport_client_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to send and receive netport_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_netport_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_netport_client_packets'($*)) dnl
	corenet_dontaudit_send_netport_client_packets($1)
	corenet_dontaudit_receive_netport_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_netport_client_packets'($*)) dnl
')
########################################
##
##	Relabel packets to the netport_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_netport_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_netport_client_packets'($*)) dnl
	gen_require(`
		type netport_client_packet_t;
	')
	allow $1 netport_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_netport_client_packets'($*)) dnl
')
########################################
##
##	Send netport_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_netport_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_netport_server_packets'($*)) dnl
	gen_require(`
		type netport_server_packet_t;
	')
	allow $1 netport_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_netport_server_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to send netport_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_netport_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_netport_server_packets'($*)) dnl
	gen_require(`
		type netport_server_packet_t;
	')
	dontaudit $1 netport_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_netport_server_packets'($*)) dnl
')
########################################
##
##	Receive netport_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_netport_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_netport_server_packets'($*)) dnl
	gen_require(`
		type netport_server_packet_t;
	')
	allow $1 netport_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_netport_server_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to receive netport_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_netport_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_netport_server_packets'($*)) dnl
	gen_require(`
		type netport_server_packet_t;
	')
	dontaudit $1 netport_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_netport_server_packets'($*)) dnl
')
########################################
##
##	Send and receive netport_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_netport_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_netport_server_packets'($*)) dnl
	corenet_send_netport_server_packets($1)
	corenet_receive_netport_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_netport_server_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to send and receive netport_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_netport_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_netport_server_packets'($*)) dnl
	corenet_dontaudit_send_netport_server_packets($1)
	corenet_dontaudit_receive_netport_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_netport_server_packets'($*)) dnl
')
########################################
##
##	Relabel packets to the netport_server packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_netport_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_netport_server_packets'($*)) dnl
	gen_require(`
		type netport_server_packet_t;
	')
	allow $1 netport_server_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_netport_server_packets'($*)) dnl
')
########################################
##
##	Send and receive TCP traffic on the netsupport port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_netsupport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_netsupport_port'($*)) dnl
	gen_require(`
		type netsupport_port_t;
	')
	allow $1 netsupport_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_netsupport_port'($*)) dnl
')
########################################
##
##	Send UDP traffic on the netsupport port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_send_netsupport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_netsupport_port'($*)) dnl
	gen_require(`
		type netsupport_port_t;
	')
	allow $1 netsupport_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_netsupport_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to send UDP traffic on the netsupport port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_netsupport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_netsupport_port'($*)) dnl
	gen_require(`
		type netsupport_port_t;
	')
	dontaudit $1 netsupport_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_netsupport_port'($*)) dnl
')
########################################
##
##	Receive UDP traffic on the netsupport port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_netsupport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_netsupport_port'($*)) dnl
	gen_require(`
		type netsupport_port_t;
	')
	allow $1 netsupport_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_netsupport_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to receive UDP traffic on the netsupport port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_netsupport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_netsupport_port'($*)) dnl
	gen_require(`
		type netsupport_port_t;
	')
	dontaudit $1 netsupport_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_netsupport_port'($*)) dnl
')
########################################
##
##	Send and receive UDP traffic on the netsupport port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_netsupport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_netsupport_port'($*)) dnl
	corenet_udp_send_netsupport_port($1)
	corenet_udp_receive_netsupport_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_netsupport_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the netsupport port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_netsupport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_netsupport_port'($*)) dnl
	corenet_dontaudit_udp_send_netsupport_port($1)
	corenet_dontaudit_udp_receive_netsupport_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_netsupport_port'($*)) dnl
')
########################################
##
##	Bind TCP sockets to the netsupport port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_netsupport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_netsupport_port'($*)) dnl
	gen_require(`
		type netsupport_port_t;
	')
	allow $1 netsupport_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_netsupport_port'($*)) dnl
')
########################################
##
##	Bind UDP sockets to the netsupport port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_netsupport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_netsupport_port'($*)) dnl
	gen_require(`
		type netsupport_port_t;
	')
	allow $1 netsupport_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_netsupport_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to bind UDP sockets to the netsupport port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_netsupport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_netsupport_port'($*)) dnl
	gen_require(`
		type netsupport_port_t;
	')
	dontaudit $1 netsupport_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_netsupport_port'($*)) dnl
')
########################################
##
##	Make a TCP connection to the netsupport port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_netsupport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_netsupport_port'($*)) dnl
	gen_require(`
		type netsupport_port_t;
	')
	allow $1 netsupport_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_netsupport_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to make a TCP connection to the netsupport port.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_netsupport_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_netsupport_port'($*)) dnl
	gen_require(`
		type netsupport_port_t;
	')
	dontaudit $1 netsupport_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_netsupport_port'($*)) dnl
')
########################################
##
##	Send netsupport_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_netsupport_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_netsupport_client_packets'($*)) dnl
	gen_require(`
		type netsupport_client_packet_t;
	')
	allow $1 netsupport_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_netsupport_client_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to send netsupport_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_netsupport_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_netsupport_client_packets'($*)) dnl
	gen_require(`
		type netsupport_client_packet_t;
	')
	dontaudit $1 netsupport_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_netsupport_client_packets'($*)) dnl
')
########################################
##
##	Receive netsupport_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_netsupport_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_netsupport_client_packets'($*)) dnl
	gen_require(`
		type netsupport_client_packet_t;
	')
	allow $1 netsupport_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_netsupport_client_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to receive netsupport_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_netsupport_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_netsupport_client_packets'($*)) dnl
	gen_require(`
		type netsupport_client_packet_t;
	')
	dontaudit $1 netsupport_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_netsupport_client_packets'($*)) dnl
')
########################################
##
##	Send and receive netsupport_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_netsupport_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_netsupport_client_packets'($*)) dnl
	corenet_send_netsupport_client_packets($1)
	corenet_receive_netsupport_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_netsupport_client_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to send and receive netsupport_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_netsupport_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_netsupport_client_packets'($*)) dnl
	corenet_dontaudit_send_netsupport_client_packets($1)
	corenet_dontaudit_receive_netsupport_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_netsupport_client_packets'($*)) dnl
')
########################################
##
##	Relabel packets to the netsupport_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_netsupport_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_netsupport_client_packets'($*)) dnl
	gen_require(`
		type netsupport_client_packet_t;
	')
	allow $1 netsupport_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_netsupport_client_packets'($*)) dnl
')
########################################
##
##	Send netsupport_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_netsupport_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_netsupport_server_packets'($*)) dnl
	gen_require(`
		type netsupport_server_packet_t;
	')
	allow $1 netsupport_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_netsupport_server_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to send netsupport_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_netsupport_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_netsupport_server_packets'($*)) dnl
	gen_require(`
		type netsupport_server_packet_t;
	')
	dontaudit $1 netsupport_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_netsupport_server_packets'($*)) dnl
')
########################################
##
##	Receive netsupport_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_netsupport_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_netsupport_server_packets'($*)) dnl
	gen_require(`
		type netsupport_server_packet_t;
	')
	allow $1 netsupport_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_netsupport_server_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to receive netsupport_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_netsupport_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_netsupport_server_packets'($*)) dnl
	gen_require(`
		type netsupport_server_packet_t;
	')
	dontaudit $1 netsupport_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_netsupport_server_packets'($*)) dnl
')
########################################
##
##	Send and receive netsupport_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_netsupport_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_netsupport_server_packets'($*)) dnl
	corenet_send_netsupport_server_packets($1)
	corenet_receive_netsupport_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_netsupport_server_packets'($*)) dnl
')
########################################
##
##	Do not audit attempts to send and receive netsupport_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_netsupport_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_netsupport_server_packets'($*)) dnl
	corenet_dontaudit_send_netsupport_server_packets($1)
	corenet_dontaudit_receive_netsupport_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_netsupport_server_packets'($*)) dnl
')
########################################
##
##	Relabel packets to the netsupport_server packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_netsupport_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_netsupport_server_packets'($*)) dnl
	gen_require(`
		type netsupport_server_packet_t;
	')
	allow $1 netsupport_server_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_netsupport_server_packets'($*)) dnl
')
########################################
##
##	Send and receive TCP traffic on the nfs port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_nfs_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_nfs_port'($*)) dnl
	gen_require(`
		type nfs_port_t;
	')
	allow $1 nfs_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_nfs_port'($*)) dnl
')
########################################
##
##	Send UDP traffic on the nfs port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_send_nfs_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_nfs_port'($*)) dnl
	gen_require(`
		type nfs_port_t;
	')
	allow $1 nfs_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_nfs_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to send UDP traffic on the nfs port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_nfs_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_nfs_port'($*)) dnl
	gen_require(`
		type nfs_port_t;
	')
	dontaudit $1 nfs_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_nfs_port'($*)) dnl
')
########################################
##
##	Receive UDP traffic on the nfs port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_nfs_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_nfs_port'($*)) dnl
	gen_require(`
		type nfs_port_t;
	')
	allow $1 nfs_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_nfs_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to receive UDP traffic on the nfs port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_nfs_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_nfs_port'($*)) dnl
	gen_require(`
		type nfs_port_t;
	')
	dontaudit $1 nfs_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_nfs_port'($*)) dnl
')
########################################
##
##	Send and receive UDP traffic on the nfs port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_nfs_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_nfs_port'($*)) dnl
	corenet_udp_send_nfs_port($1)
	corenet_udp_receive_nfs_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_nfs_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the nfs port.
##
##
##
##	Domain to not audit.
##
#
define(`corenet_dontaudit_udp_sendrecv_nfs_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_nfs_port'($*))dnl
	corenet_dontaudit_udp_send_nfs_port($1)
	corenet_dontaudit_udp_receive_nfs_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_nfs_port'($*))dnl
')

########################################
##
## Bind TCP sockets to the nfs port.
##
## Besides name_bind on nfs_port_t this also grants net_bind_service on
## self:capability. That capability is a process-wide privilege, not one
## tied to nfs_port_t: the domain can then pass the capability check for
## any other privileged port it also holds name_bind on. Give this only
## to domains that must actually listen on the nfs port.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_tcp_bind_nfs_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_nfs_port'($*))dnl
	gen_require(`
		type nfs_port_t;
	')

	allow $1 nfs_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_nfs_port'($*))dnl
')

########################################
##
## Bind UDP sockets to the nfs port.
##
## Same caveat as the TCP variant: the net_bind_service capability
## granted here is process-wide, not scoped to nfs_port_t.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_udp_bind_nfs_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_nfs_port'($*))dnl
	gen_require(`
		type nfs_port_t;
	')

	allow $1 nfs_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_nfs_port'($*))dnl
')

########################################
##
## Do not audit attempts to bind UDP sockets to the nfs port.
##
## Parameter 1 (domain): Domain to not audit.
##
## NOTE(review): unlike the other dontaudit interfaces in this file, this
## one also carries `allow $1 self:capability net_bind_service;`, so a
## caller that only wants bind denials silenced silently gains a
## capability. The nmea dontaudit bind interface below has no such rule,
## which suggests this is a template artifact for reserved ports. The
## rule is kept here so existing callers keep what they currently get;
## the fix belongs in whatever generates this file.
##
#
define(`corenet_dontaudit_udp_bind_nfs_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_nfs_port'($*))dnl
	gen_require(`
		type nfs_port_t;
	')

	dontaudit $1 nfs_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_nfs_port'($*))dnl
')

########################################
##
## Make a TCP connection to the nfs port.
##
## Grants name_connect only; sending and receiving on the connected
## socket is corenet_tcp_sendrecv_nfs_port.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_tcp_connect_nfs_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_nfs_port'($*))dnl
	gen_require(`
		type nfs_port_t;
	')

	allow $1 nfs_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_nfs_port'($*))dnl
')

########################################
##
## Do not audit attempts to make a TCP connection to the nfs port.
##
## Silences the denial only; no access is granted.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_tcp_connect_nfs_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_nfs_port'($*))dnl
	gen_require(`
		type nfs_port_t;
	')

	dontaudit $1 nfs_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_nfs_port'($*))dnl
')

########################################
##
## Send nfs_client packets.
##
## NOTE(review): packet-class rules only govern traffic that actually
## carries the nfs_client_packet_t label (normally applied by netfilter
## SECMARK rules); unlabeled traffic is not covered by this interface.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_send_nfs_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nfs_client_packets'($*))dnl
	gen_require(`
		type nfs_client_packet_t;
	')

	allow $1 nfs_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nfs_client_packets'($*))dnl
')

########################################
##
## Do not audit attempts to send nfs_client packets.
##
## Silences the denial only; no access is granted.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_send_nfs_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nfs_client_packets'($*))dnl
	gen_require(`
		type nfs_client_packet_t;
	')

	dontaudit $1 nfs_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nfs_client_packets'($*))dnl
')

########################################
##
## Receive nfs_client packets.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_receive_nfs_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nfs_client_packets'($*))dnl
	gen_require(`
		type nfs_client_packet_t;
	')

	allow $1 nfs_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nfs_client_packets'($*))dnl
')

########################################
##
## Do not audit attempts to receive nfs_client packets.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_receive_nfs_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nfs_client_packets'($*))dnl
	gen_require(`
		type nfs_client_packet_t;
	')

	dontaudit $1 nfs_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nfs_client_packets'($*))dnl
')

########################################
##
## Send and receive nfs_client packets.
##
## Convenience wrapper around the send and receive interfaces; the
## resulting rules are exactly their union.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_sendrecv_nfs_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nfs_client_packets'($*))dnl
	corenet_send_nfs_client_packets($1)
	corenet_receive_nfs_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nfs_client_packets'($*))dnl
')

########################################
##
## Do not audit attempts to send and receive nfs_client packets.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_nfs_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nfs_client_packets'($*))dnl
	corenet_dontaudit_send_nfs_client_packets($1)
	corenet_dontaudit_receive_nfs_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nfs_client_packets'($*))dnl
')

########################################
##
## Relabel packets to the nfs_client packet type.
##
## Lets the domain change a packet's label to nfs_client_packet_t.
## Typically only the domain that manages packet-labeling rules needs
## this; ordinary clients and servers should use the send/receive
## interfaces instead.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_relabelto_nfs_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nfs_client_packets'($*))dnl
	gen_require(`
		type nfs_client_packet_t;
	')

	allow $1 nfs_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nfs_client_packets'($*))dnl
')

########################################
##
## Send nfs_server packets.
##
## NOTE(review): packet-class rules only govern traffic that actually
## carries the nfs_server_packet_t label (normally applied by netfilter
## SECMARK rules); unlabeled traffic is not covered by this interface.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_send_nfs_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nfs_server_packets'($*))dnl
	gen_require(`
		type nfs_server_packet_t;
	')

	allow $1 nfs_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nfs_server_packets'($*))dnl
')

########################################
##
## Do not audit attempts to send nfs_server packets.
##
## Silences the denial only; no access is granted.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_send_nfs_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nfs_server_packets'($*))dnl
	gen_require(`
		type nfs_server_packet_t;
	')

	dontaudit $1 nfs_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nfs_server_packets'($*))dnl
')

########################################
##
## Receive nfs_server packets.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_receive_nfs_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nfs_server_packets'($*))dnl
	gen_require(`
		type nfs_server_packet_t;
	')

	allow $1 nfs_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nfs_server_packets'($*))dnl
')

########################################
##
## Do not audit attempts to receive nfs_server packets.
##
## Silences the denial only; no access is granted.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_receive_nfs_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nfs_server_packets'($*))dnl
	gen_require(`
		type nfs_server_packet_t;
	')

	dontaudit $1 nfs_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nfs_server_packets'($*))dnl
')

########################################
##
## Send and receive nfs_server packets.
##
## Convenience wrapper around the send and receive interfaces; the
## resulting rules are exactly their union.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_sendrecv_nfs_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nfs_server_packets'($*))dnl
	corenet_send_nfs_server_packets($1)
	corenet_receive_nfs_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nfs_server_packets'($*))dnl
')

########################################
##
## Do not audit attempts to send and receive nfs_server packets.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_nfs_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nfs_server_packets'($*))dnl
	corenet_dontaudit_send_nfs_server_packets($1)
	corenet_dontaudit_receive_nfs_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nfs_server_packets'($*))dnl
')

########################################
##
## Relabel packets to the nfs_server packet type.
##
## Lets the domain change a packet's label to nfs_server_packet_t.
## Typically only the domain that manages packet-labeling rules needs
## this; ordinary clients and servers should use the send/receive
## interfaces instead.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_relabelto_nfs_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nfs_server_packets'($*))dnl
	gen_require(`
		type nfs_server_packet_t;
	')

	allow $1 nfs_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nfs_server_packets'($*))dnl
')

########################################
##
## Send and receive TCP traffic on the nmbd port.
##
## Message traffic on an established socket only; binding (name_bind)
## and connecting (name_connect) are separate interfaces.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_tcp_sendrecv_nmbd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_nmbd_port'($*))dnl
	gen_require(`
		type nmbd_port_t;
	')

	allow $1 nmbd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_nmbd_port'($*))dnl
')

########################################
##
## Send UDP traffic on the nmbd port.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_udp_send_nmbd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_nmbd_port'($*))dnl
	gen_require(`
		type nmbd_port_t;
	')

	allow $1 nmbd_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_nmbd_port'($*))dnl
')

########################################
##
## Do not audit attempts to send UDP traffic on the nmbd port.
##
## Silences the denial only; no access is granted.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_udp_send_nmbd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_nmbd_port'($*))dnl
	gen_require(`
		type nmbd_port_t;
	')

	dontaudit $1 nmbd_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_nmbd_port'($*))dnl
')

########################################
##
## Receive UDP traffic on the nmbd port.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_udp_receive_nmbd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_nmbd_port'($*))dnl
	gen_require(`
		type nmbd_port_t;
	')

	allow $1 nmbd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_nmbd_port'($*))dnl
')

########################################
##
## Do not audit attempts to receive UDP traffic on the nmbd port.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_udp_receive_nmbd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_nmbd_port'($*))dnl
	gen_require(`
		type nmbd_port_t;
	')

	dontaudit $1 nmbd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_nmbd_port'($*))dnl
')

########################################
##
## Send and receive UDP traffic on the nmbd port.
##
## Convenience wrapper: expands to the send and receive interfaces
## for the same domain, so the resulting rules are exactly their union.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_udp_sendrecv_nmbd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_nmbd_port'($*))dnl
	corenet_udp_send_nmbd_port($1)
	corenet_udp_receive_nmbd_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_nmbd_port'($*))dnl
')

########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the nmbd port.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_udp_sendrecv_nmbd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_nmbd_port'($*))dnl
	corenet_dontaudit_udp_send_nmbd_port($1)
	corenet_dontaudit_udp_receive_nmbd_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_nmbd_port'($*))dnl
')

########################################
##
## Bind TCP sockets to the nmbd port.
##
## Besides name_bind on nmbd_port_t this also grants net_bind_service on
## self:capability. That capability is a process-wide privilege, not one
## tied to nmbd_port_t: the domain can then pass the capability check for
## any other privileged port it also holds name_bind on. Give this only
## to domains that must actually listen on the nmbd port.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_tcp_bind_nmbd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_nmbd_port'($*))dnl
	gen_require(`
		type nmbd_port_t;
	')

	allow $1 nmbd_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_nmbd_port'($*))dnl
')

########################################
##
## Bind UDP sockets to the nmbd port.
##
## Same caveat as the TCP variant: the net_bind_service capability
## granted here is process-wide, not scoped to nmbd_port_t.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_udp_bind_nmbd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_nmbd_port'($*))dnl
	gen_require(`
		type nmbd_port_t;
	')

	allow $1 nmbd_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_nmbd_port'($*))dnl
')

########################################
##
## Do not audit attempts to bind UDP sockets to the nmbd port.
##
## NOTE(review): this dontaudit interface also carries
## `allow $1 self:capability net_bind_service;`, so a caller that only
## wants bind denials silenced silently gains a capability. The nmea
## dontaudit bind interface below has no such rule, which suggests a
## template artifact for reserved ports. The rule is kept here so
## existing callers keep what they currently get; the fix belongs in
## whatever generates this file.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_udp_bind_nmbd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_nmbd_port'($*))dnl
	gen_require(`
		type nmbd_port_t;
	')

	dontaudit $1 nmbd_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_nmbd_port'($*))dnl
')

########################################
##
## Make a TCP connection to the nmbd port.
##
## Grants name_connect only; sending and receiving on the connected
## socket is corenet_tcp_sendrecv_nmbd_port.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_tcp_connect_nmbd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_nmbd_port'($*))dnl
	gen_require(`
		type nmbd_port_t;
	')

	allow $1 nmbd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_nmbd_port'($*))dnl
')

########################################
##
## Do not audit attempts to make a TCP connection to the nmbd port.
##
## Silences the denial only; no access is granted.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_tcp_connect_nmbd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_nmbd_port'($*))dnl
	gen_require(`
		type nmbd_port_t;
	')

	dontaudit $1 nmbd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_nmbd_port'($*))dnl
')

########################################
##
## Send nmbd_client packets.
##
## NOTE(review): packet-class rules only govern traffic that actually
## carries the nmbd_client_packet_t label (normally applied by netfilter
## SECMARK rules); unlabeled traffic is not covered by this interface.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_send_nmbd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nmbd_client_packets'($*))dnl
	gen_require(`
		type nmbd_client_packet_t;
	')

	allow $1 nmbd_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nmbd_client_packets'($*))dnl
')

########################################
##
## Do not audit attempts to send nmbd_client packets.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_send_nmbd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nmbd_client_packets'($*))dnl
	gen_require(`
		type nmbd_client_packet_t;
	')

	dontaudit $1 nmbd_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nmbd_client_packets'($*))dnl
')

########################################
##
## Receive nmbd_client packets.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_receive_nmbd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nmbd_client_packets'($*))dnl
	gen_require(`
		type nmbd_client_packet_t;
	')

	allow $1 nmbd_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nmbd_client_packets'($*))dnl
')

########################################
##
## Do not audit attempts to receive nmbd_client packets.
##
## Silences the denial only; no access is granted.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_receive_nmbd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nmbd_client_packets'($*))dnl
	gen_require(`
		type nmbd_client_packet_t;
	')

	dontaudit $1 nmbd_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nmbd_client_packets'($*))dnl
')

########################################
##
## Send and receive nmbd_client packets.
##
## Convenience wrapper around the send and receive interfaces; the
## resulting rules are exactly their union.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_sendrecv_nmbd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nmbd_client_packets'($*))dnl
	corenet_send_nmbd_client_packets($1)
	corenet_receive_nmbd_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nmbd_client_packets'($*))dnl
')

########################################
##
## Do not audit attempts to send and receive nmbd_client packets.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_nmbd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nmbd_client_packets'($*))dnl
	corenet_dontaudit_send_nmbd_client_packets($1)
	corenet_dontaudit_receive_nmbd_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nmbd_client_packets'($*))dnl
')

########################################
##
## Relabel packets to the nmbd_client packet type.
##
## Lets the domain change a packet's label to nmbd_client_packet_t.
## Typically only the domain that manages packet-labeling rules needs
## this; ordinary clients and servers should use the send/receive
## interfaces instead.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_relabelto_nmbd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nmbd_client_packets'($*))dnl
	gen_require(`
		type nmbd_client_packet_t;
	')

	allow $1 nmbd_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nmbd_client_packets'($*))dnl
')

########################################
##
## Send nmbd_server packets.
##
## NOTE(review): packet-class rules only govern traffic that actually
## carries the nmbd_server_packet_t label (normally applied by netfilter
## SECMARK rules); unlabeled traffic is not covered by this interface.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_send_nmbd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nmbd_server_packets'($*))dnl
	gen_require(`
		type nmbd_server_packet_t;
	')

	allow $1 nmbd_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nmbd_server_packets'($*))dnl
')

########################################
##
## Do not audit attempts to send nmbd_server packets.
##
## Silences the denial only; no access is granted.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_send_nmbd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nmbd_server_packets'($*))dnl
	gen_require(`
		type nmbd_server_packet_t;
	')

	dontaudit $1 nmbd_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nmbd_server_packets'($*))dnl
')

########################################
##
## Receive nmbd_server packets.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_receive_nmbd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nmbd_server_packets'($*))dnl
	gen_require(`
		type nmbd_server_packet_t;
	')

	allow $1 nmbd_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nmbd_server_packets'($*))dnl
')

########################################
##
## Do not audit attempts to receive nmbd_server packets.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_receive_nmbd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nmbd_server_packets'($*))dnl
	gen_require(`
		type nmbd_server_packet_t;
	')

	dontaudit $1 nmbd_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nmbd_server_packets'($*))dnl
')

########################################
##
## Send and receive nmbd_server packets.
##
## Convenience wrapper around the send and receive interfaces; the
## resulting rules are exactly their union.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_sendrecv_nmbd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nmbd_server_packets'($*))dnl
	corenet_send_nmbd_server_packets($1)
	corenet_receive_nmbd_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nmbd_server_packets'($*))dnl
')

########################################
##
## Do not audit attempts to send and receive nmbd_server packets.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_nmbd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nmbd_server_packets'($*))dnl
	corenet_dontaudit_send_nmbd_server_packets($1)
	corenet_dontaudit_receive_nmbd_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nmbd_server_packets'($*))dnl
')

########################################
##
## Relabel packets to the nmbd_server packet type.
##
## Lets the domain change a packet's label to nmbd_server_packet_t.
## Typically only the domain that manages packet-labeling rules needs
## this; ordinary clients and servers should use the send/receive
## interfaces instead.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_relabelto_nmbd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nmbd_server_packets'($*))dnl
	gen_require(`
		type nmbd_server_packet_t;
	')

	allow $1 nmbd_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nmbd_server_packets'($*))dnl
')

########################################
##
## Send and receive TCP traffic on the nmea port.
##
## Message traffic on an established socket only; binding (name_bind)
## and connecting (name_connect) are separate interfaces.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_tcp_sendrecv_nmea_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_nmea_port'($*))dnl
	gen_require(`
		type nmea_port_t;
	')

	allow $1 nmea_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_nmea_port'($*))dnl
')

########################################
##
## Send UDP traffic on the nmea port.
##
## Grants send_msg only. Receiving is corenet_udp_receive_nmea_port and
## both directions together is corenet_udp_sendrecv_nmea_port.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_udp_send_nmea_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_nmea_port'($*))dnl
	gen_require(`
		type nmea_port_t;
	')

	allow $1 nmea_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_nmea_port'($*))dnl
')

########################################
##
## Do not audit attempts to send UDP traffic on the nmea port.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_udp_send_nmea_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_nmea_port'($*))dnl
	gen_require(`
		type nmea_port_t;
	')

	dontaudit $1 nmea_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_nmea_port'($*))dnl
')

########################################
##
## Receive UDP traffic on the nmea port.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_udp_receive_nmea_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_nmea_port'($*))dnl
	gen_require(`
		type nmea_port_t;
	')

	allow $1 nmea_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_nmea_port'($*))dnl
')

########################################
##
## Do not audit attempts to receive UDP traffic on the nmea port.
##
## Silences the denial only; no access is granted.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_udp_receive_nmea_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_nmea_port'($*))dnl
	gen_require(`
		type nmea_port_t;
	')

	dontaudit $1 nmea_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_nmea_port'($*))dnl
')

########################################
##
## Send and receive UDP traffic on the nmea port.
##
## Convenience wrapper: expands to the send and receive interfaces
## for the same domain, so the resulting rules are exactly their union.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_udp_sendrecv_nmea_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_nmea_port'($*))dnl
	corenet_udp_send_nmea_port($1)
	corenet_udp_receive_nmea_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_nmea_port'($*))dnl
')

########################################
##
## Do not audit attempts to send and receive
## UDP traffic on the nmea port.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_udp_sendrecv_nmea_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_nmea_port'($*))dnl
	corenet_dontaudit_udp_send_nmea_port($1)
	corenet_dontaudit_udp_receive_nmea_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_nmea_port'($*))dnl
')

########################################
##
## Bind TCP sockets to the nmea port.
##
## Grants name_bind on nmea_port_t only. Unlike the nfs and nmbd bind
## interfaces in this file, no net_bind_service capability is granted
## here; a caller that needs it for a privileged port must obtain it
## elsewhere.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_tcp_bind_nmea_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_nmea_port'($*))dnl
	gen_require(`
		type nmea_port_t;
	')

	allow $1 nmea_port_t:tcp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_nmea_port'($*))dnl
')

########################################
##
## Bind UDP sockets to the nmea port.
##
## Grants name_bind on nmea_port_t only; no net_bind_service capability.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_udp_bind_nmea_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_nmea_port'($*))dnl
	gen_require(`
		type nmea_port_t;
	')

	allow $1 nmea_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_nmea_port'($*))dnl
')

########################################
##
## Do not audit attempts to bind UDP sockets to the nmea port.
##
## Silences the denial only; no access is granted (compare the nfs and
## nmbd dontaudit bind interfaces above, which also carry an allow rule).
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_udp_bind_nmea_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_nmea_port'($*))dnl
	gen_require(`
		type nmea_port_t;
	')

	dontaudit $1 nmea_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_nmea_port'($*))dnl
')

########################################
##
## Make a TCP connection to the nmea port.
##
## Grants name_connect only; sending and receiving on the connected
## socket is corenet_tcp_sendrecv_nmea_port.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_tcp_connect_nmea_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_nmea_port'($*))dnl
	gen_require(`
		type nmea_port_t;
	')

	allow $1 nmea_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_nmea_port'($*))dnl
')

########################################
##
## Do not audit attempts to make a TCP connection to the nmea port.
##
## Parameter 1 (domain): Domain to not audit.
##
## Silences the denial only; no access is granted.
##
#
define(`corenet_dontaudit_tcp_connect_nmea_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_nmea_port'($*))dnl
	gen_require(`
		type nmea_port_t;
	')

	dontaudit $1 nmea_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_nmea_port'($*))dnl
')

########################################
##
## Send nmea_client packets.
##
## NOTE(review): packet-class rules only govern traffic that actually
## carries the nmea_client_packet_t label (normally applied by netfilter
## SECMARK rules); unlabeled traffic is not covered by this interface.
##
## Parameter 1 (domain): Domain allowed access.
##
#
define(`corenet_send_nmea_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nmea_client_packets'($*))dnl
	gen_require(`
		type nmea_client_packet_t;
	')

	allow $1 nmea_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nmea_client_packets'($*))dnl
')

########################################
##
## Do not audit attempts to send nmea_client packets.
##
## Silences the denial only; no access is granted.
##
## Parameter 1 (domain): Domain to not audit.
##
#
define(`corenet_dontaudit_send_nmea_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nmea_client_packets'($*))dnl
	gen_require(`
		type nmea_client_packet_t;
	')

	dontaudit $1 nmea_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nmea_client_packets'($*))dnl
')

########################################
##
## Receive nmea_client packets.
##
## Parameter 1 (domain): Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_nmea_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nmea_client_packets'($*)) dnl
gen_require(`
	type nmea_client_packet_t;
')

allow $1 nmea_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nmea_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive nmea_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_nmea_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nmea_client_packets'($*)) dnl
gen_require(`
	type nmea_client_packet_t;
')

dontaudit $1 nmea_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nmea_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive nmea_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_nmea_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nmea_client_packets'($*)) dnl
# composed from the single-direction interfaces above
corenet_send_nmea_client_packets($1)
corenet_receive_nmea_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nmea_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive nmea_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_nmea_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nmea_client_packets'($*)) dnl
corenet_dontaudit_send_nmea_client_packets($1)
corenet_dontaudit_receive_nmea_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nmea_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the nmea_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_nmea_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nmea_client_packets'($*)) dnl
gen_require(`
	type nmea_client_packet_t;
')

allow $1 nmea_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nmea_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send nmea_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_nmea_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nmea_server_packets'($*)) dnl
gen_require(`
	type nmea_server_packet_t;
')

allow $1 nmea_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nmea_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send nmea_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_nmea_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nmea_server_packets'($*)) dnl
gen_require(`
	type nmea_server_packet_t;
')

dontaudit $1 nmea_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nmea_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive nmea_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_nmea_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nmea_server_packets'($*)) dnl
gen_require(`
	type nmea_server_packet_t;
')

allow $1 nmea_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nmea_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive nmea_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_nmea_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nmea_server_packets'($*)) dnl
gen_require(`
	type nmea_server_packet_t;
')

dontaudit $1 nmea_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nmea_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive nmea_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_nmea_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nmea_server_packets'($*)) dnl
corenet_send_nmea_server_packets($1)
corenet_receive_nmea_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nmea_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive nmea_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_nmea_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nmea_server_packets'($*)) dnl
corenet_dontaudit_send_nmea_server_packets($1)
corenet_dontaudit_receive_nmea_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nmea_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the nmea_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_nmea_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nmea_server_packets'($*)) dnl
gen_require(`
	type nmea_server_packet_t;
')

allow $1 nmea_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nmea_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the nodejs_debug port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_nodejs_debug_port'($*)) dnl
gen_require(`
	type nodejs_debug_port_t;
')

allow $1 nodejs_debug_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_nodejs_debug_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the nodejs_debug port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_nodejs_debug_port'($*)) dnl
gen_require(`
	type nodejs_debug_port_t;
')

allow $1 nodejs_debug_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_nodejs_debug_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the nodejs_debug port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_nodejs_debug_port'($*)) dnl
gen_require(`
	type nodejs_debug_port_t;
')

dontaudit $1 nodejs_debug_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_nodejs_debug_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the nodejs_debug port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_nodejs_debug_port'($*)) dnl
gen_require(`
	type nodejs_debug_port_t;
')

allow $1 nodejs_debug_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_nodejs_debug_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the nodejs_debug port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_nodejs_debug_port'($*)) dnl
gen_require(`
	type nodejs_debug_port_t;
')

dontaudit $1 nodejs_debug_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_nodejs_debug_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the nodejs_debug port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_nodejs_debug_port'($*)) dnl
corenet_udp_send_nodejs_debug_port($1)
corenet_udp_receive_nodejs_debug_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_nodejs_debug_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the nodejs_debug port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_nodejs_debug_port'($*)) dnl
corenet_dontaudit_udp_send_nodejs_debug_port($1)
corenet_dontaudit_udp_receive_nodejs_debug_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_nodejs_debug_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the nodejs_debug port.
## </summary>
## <desc>
##	<p>
##	NOTE(review): by its name this port type is a debugger
##	endpoint. A domain that listens here presumably exposes a
##	debug protocol to whoever can reach the port, so this should
##	only be granted to the domain that genuinely runs the
##	debuggee, and ideally paired with a loopback-only listener.
##	Confirm the port assignment in the corenetwork port
##	definitions before widening this.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_nodejs_debug_port'($*)) dnl
gen_require(`
	type nodejs_debug_port_t;
')

allow $1 nodejs_debug_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_nodejs_debug_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the nodejs_debug port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_nodejs_debug_port'($*)) dnl
gen_require(`
	type nodejs_debug_port_t;
')

allow $1 nodejs_debug_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_nodejs_debug_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the nodejs_debug port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_nodejs_debug_port'($*)) dnl
gen_require(`
	type nodejs_debug_port_t;
')

dontaudit $1 nodejs_debug_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_nodejs_debug_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the nodejs_debug port.
## </summary>
## <desc>
##	<p>
##	NOTE(review): name_connect to a debugger port is effectively
##	"may attach a debugger" if the listener speaks a debug
##	protocol, which presumably lets the caller drive the
##	debuggee. Treat this as a high-privilege grant and do not
##	hand it to general-purpose or network-facing domains;
##	confirm against the actual listener before use.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_nodejs_debug_port'($*)) dnl
gen_require(`
	type nodejs_debug_port_t;
')

allow $1 nodejs_debug_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_nodejs_debug_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the nodejs_debug port.
## </summary>
## <desc>
##	<p>
##	dontaudit grants nothing; it only drops the AVC denial
##	record. Denied connects to a debug port are exactly the
##	events an analyst would want to see, so prefer leaving
##	them audited unless a known-benign probe is flooding logs.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_nodejs_debug_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_nodejs_debug_port'($*)) dnl
gen_require(`
	type nodejs_debug_port_t;
')

dontaudit $1 nodejs_debug_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_nodejs_debug_port'($*)) dnl
')

########################################
## <summary>
##	Send nodejs_debug_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_nodejs_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nodejs_debug_client_packets'($*)) dnl
gen_require(`
	type nodejs_debug_client_packet_t;
')

allow $1 nodejs_debug_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nodejs_debug_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send nodejs_debug_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_nodejs_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nodejs_debug_client_packets'($*)) dnl
gen_require(`
	type nodejs_debug_client_packet_t;
')

dontaudit $1 nodejs_debug_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nodejs_debug_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive nodejs_debug_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_nodejs_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nodejs_debug_client_packets'($*)) dnl
gen_require(`
	type nodejs_debug_client_packet_t;
')

allow $1 nodejs_debug_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nodejs_debug_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive nodejs_debug_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_nodejs_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nodejs_debug_client_packets'($*)) dnl
gen_require(`
	type nodejs_debug_client_packet_t;
')

dontaudit $1 nodejs_debug_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nodejs_debug_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive nodejs_debug_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_nodejs_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nodejs_debug_client_packets'($*)) dnl
corenet_send_nodejs_debug_client_packets($1)
corenet_receive_nodejs_debug_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nodejs_debug_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive nodejs_debug_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_nodejs_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nodejs_debug_client_packets'($*)) dnl
corenet_dontaudit_send_nodejs_debug_client_packets($1)
corenet_dontaudit_receive_nodejs_debug_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nodejs_debug_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the nodejs_debug_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_nodejs_debug_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nodejs_debug_client_packets'($*)) dnl
gen_require(`
	type nodejs_debug_client_packet_t;
')

allow $1 nodejs_debug_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nodejs_debug_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send nodejs_debug_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_nodejs_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nodejs_debug_server_packets'($*)) dnl
gen_require(`
	type nodejs_debug_server_packet_t;
')

allow $1 nodejs_debug_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nodejs_debug_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send nodejs_debug_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_nodejs_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nodejs_debug_server_packets'($*)) dnl
gen_require(`
	type nodejs_debug_server_packet_t;
')

dontaudit $1 nodejs_debug_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nodejs_debug_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive nodejs_debug_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_nodejs_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nodejs_debug_server_packets'($*)) dnl
gen_require(`
	type nodejs_debug_server_packet_t;
')

allow $1 nodejs_debug_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nodejs_debug_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive nodejs_debug_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_nodejs_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nodejs_debug_server_packets'($*)) dnl
gen_require(`
	type nodejs_debug_server_packet_t;
')

dontaudit $1 nodejs_debug_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nodejs_debug_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive nodejs_debug_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_nodejs_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nodejs_debug_server_packets'($*)) dnl
corenet_send_nodejs_debug_server_packets($1)
corenet_receive_nodejs_debug_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nodejs_debug_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive nodejs_debug_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_nodejs_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nodejs_debug_server_packets'($*)) dnl
corenet_dontaudit_send_nodejs_debug_server_packets($1)
corenet_dontaudit_receive_nodejs_debug_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nodejs_debug_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the nodejs_debug_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_nodejs_debug_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nodejs_debug_server_packets'($*)) dnl
gen_require(`
	type nodejs_debug_server_packet_t;
')

allow $1 nodejs_debug_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nodejs_debug_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the nsca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_nsca_port'($*)) dnl
gen_require(`
	type nsca_port_t;
')

allow $1 nsca_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_nsca_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the nsca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_nsca_port'($*)) dnl
gen_require(`
	type nsca_port_t;
')

allow $1 nsca_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_nsca_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the nsca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_nsca_port'($*)) dnl
gen_require(`
	type nsca_port_t;
')

dontaudit $1 nsca_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_nsca_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the nsca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_nsca_port'($*)) dnl
gen_require(`
	type nsca_port_t;
')

allow $1 nsca_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_nsca_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the nsca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_nsca_port'($*)) dnl
gen_require(`
	type nsca_port_t;
')

dontaudit $1 nsca_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_nsca_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the nsca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_nsca_port'($*)) dnl
corenet_udp_send_nsca_port($1)
corenet_udp_receive_nsca_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_nsca_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the nsca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_nsca_port'($*)) dnl
corenet_dontaudit_udp_send_nsca_port($1)
corenet_dontaudit_udp_receive_nsca_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_nsca_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the nsca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_nsca_port'($*)) dnl
gen_require(`
	type nsca_port_t;
')

allow $1 nsca_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_nsca_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the nsca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_nsca_port'($*)) dnl
gen_require(`
	type nsca_port_t;
')

allow $1 nsca_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_nsca_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the nsca port.
## </summary>
## <desc>
##	<p>
##	Only the UDP name_bind denial is silenced; there is no
##	matching dontaudit for the TCP bind in this file.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_nsca_port'($*)) dnl
gen_require(`
	type nsca_port_t;
')

dontaudit $1 nsca_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_nsca_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the nsca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_nsca_port'($*)) dnl
gen_require(`
	type nsca_port_t;
')

allow $1 nsca_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_nsca_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the nsca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_nsca_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_nsca_port'($*)) dnl
gen_require(`
	type nsca_port_t;
')

dontaudit $1 nsca_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_nsca_port'($*)) dnl
')

########################################
## <summary>
##	Send nsca_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_nsca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nsca_client_packets'($*)) dnl
gen_require(`
	type nsca_client_packet_t;
')

allow $1 nsca_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nsca_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send nsca_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_nsca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nsca_client_packets'($*)) dnl
gen_require(`
	type nsca_client_packet_t;
')

dontaudit $1 nsca_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nsca_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive nsca_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_nsca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nsca_client_packets'($*)) dnl
gen_require(`
	type nsca_client_packet_t;
')

allow $1 nsca_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nsca_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive nsca_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_nsca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nsca_client_packets'($*)) dnl
gen_require(`
	type nsca_client_packet_t;
')

dontaudit $1 nsca_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nsca_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive nsca_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_nsca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nsca_client_packets'($*)) dnl
corenet_send_nsca_client_packets($1)
corenet_receive_nsca_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nsca_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive nsca_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_nsca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nsca_client_packets'($*)) dnl
corenet_dontaudit_send_nsca_client_packets($1)
corenet_dontaudit_receive_nsca_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nsca_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the nsca_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_nsca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nsca_client_packets'($*)) dnl
gen_require(`
	type nsca_client_packet_t;
')

allow $1 nsca_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nsca_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send nsca_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## ## # define(`corenet_send_nsca_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_nsca_server_packets'($*)) dnl gen_require(` type nsca_server_packet_t; ') allow $1 nsca_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_nsca_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send nsca_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_nsca_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nsca_server_packets'($*)) dnl gen_require(` type nsca_server_packet_t; ') dontaudit $1 nsca_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nsca_server_packets'($*)) dnl ') ######################################## ## ## Receive nsca_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_nsca_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_nsca_server_packets'($*)) dnl gen_require(` type nsca_server_packet_t; ') allow $1 nsca_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_nsca_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive nsca_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_nsca_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nsca_server_packets'($*)) dnl gen_require(` type nsca_server_packet_t; ') dontaudit $1 nsca_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nsca_server_packets'($*)) dnl ') ######################################## ## ## Send and receive nsca_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_nsca_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nsca_server_packets'($*)) dnl corenet_send_nsca_server_packets($1) corenet_receive_nsca_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nsca_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive nsca_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_nsca_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nsca_server_packets'($*)) dnl corenet_dontaudit_send_nsca_server_packets($1) corenet_dontaudit_receive_nsca_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nsca_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to nsca_server the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_nsca_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nsca_server_packets'($*)) dnl gen_require(` type nsca_server_packet_t; ') allow $1 nsca_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_nsca_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the ntop port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_ntop_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ntop_port'($*)) dnl gen_require(` type ntop_port_t; ') allow $1 ntop_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ntop_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the ntop port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_ntop_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ntop_port'($*)) dnl gen_require(` type ntop_port_t; ') allow $1 ntop_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_ntop_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the ntop port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_send_ntop_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ntop_port'($*)) dnl gen_require(` type ntop_port_t; ') dontaudit $1 ntop_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ntop_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the ntop port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_ntop_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ntop_port'($*)) dnl gen_require(` type ntop_port_t; ') allow $1 ntop_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ntop_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the ntop port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_ntop_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ntop_port'($*)) dnl gen_require(` type ntop_port_t; ') dontaudit $1 ntop_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ntop_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the ntop port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_sendrecv_ntop_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ntop_port'($*)) dnl corenet_udp_send_ntop_port($1) corenet_udp_receive_ntop_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ntop_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the ntop port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_ntop_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ntop_port'($*)) dnl corenet_dontaudit_udp_send_ntop_port($1) corenet_dontaudit_udp_receive_ntop_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ntop_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the ntop port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_ntop_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ntop_port'($*)) dnl gen_require(` type ntop_port_t; ') allow $1 ntop_port_t:tcp_socket name_bind; allow $1 self:capability net_bind_service; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ntop_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the ntop port. ## ## ## ## Domain allowed access. 
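##
##
##
#
define(`corenet_udp_bind_ntop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ntop_port'($*)) dnl
	gen_require(`
		type ntop_port_t;
	')

	# name_bind on the port type is the SELinux check for binding a socket.
	# net_bind_service is the capability the kernel additionally requires
	# for ports below 1024.  The generated bind interfaces pair the two for
	# every port type regardless of the port number, so where the port is
	# above 1023 the capability rule is surplus privilege for the caller.
	allow $1 ntop_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ntop_port'($*)) dnl
')

########################################
##
## Do not audit attempts to bind UDP sockets to the ntop port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_ntop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ntop_port'($*)) dnl
	gen_require(`
		type ntop_port_t;
	')

	# Mirror of corenet_udp_bind_ntop_port with dontaudit in place of allow.
	# The second rule used to be an allow of net_bind_service, so an
	# interface whose only contract is to silence denials also handed a
	# capability to every caller.  A dontaudit interface must grant nothing;
	# callers that really need to bind must use corenet_udp_bind_ntop_port.
	dontaudit $1 ntop_port_t:udp_socket name_bind;
	dontaudit $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ntop_port'($*)) dnl
')

########################################
##
## Make a TCP connection to the ntop port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ntop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ntop_port'($*)) dnl
	gen_require(`
		type ntop_port_t;
	')

	allow $1 ntop_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ntop_port'($*)) dnl
')

########################################
##
## Do not audit attempts to make a TCP connection to the ntop port.
##
##
##
## Domain to not audit.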
## ## # define(`corenet_dontaudit_tcp_connect_ntop_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ntop_port'($*)) dnl gen_require(` type ntop_port_t; ') dontaudit $1 ntop_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ntop_port'($*)) dnl ') ######################################## ## ## Send ntop_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_ntop_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ntop_client_packets'($*)) dnl gen_require(` type ntop_client_packet_t; ') allow $1 ntop_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ntop_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ntop_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_ntop_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ntop_client_packets'($*)) dnl gen_require(` type ntop_client_packet_t; ') dontaudit $1 ntop_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ntop_client_packets'($*)) dnl ') ######################################## ## ## Receive ntop_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_ntop_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ntop_client_packets'($*)) dnl gen_require(` type ntop_client_packet_t; ') allow $1 ntop_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ntop_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ntop_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_ntop_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ntop_client_packets'($*)) dnl gen_require(` type ntop_client_packet_t; ') dontaudit $1 ntop_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ntop_client_packets'($*)) dnl ') ######################################## ## ## Send and receive ntop_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_ntop_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ntop_client_packets'($*)) dnl corenet_send_ntop_client_packets($1) corenet_receive_ntop_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ntop_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ntop_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_ntop_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ntop_client_packets'($*)) dnl corenet_dontaudit_send_ntop_client_packets($1) corenet_dontaudit_receive_ntop_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ntop_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to ntop_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_ntop_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ntop_client_packets'($*)) dnl gen_require(` type ntop_client_packet_t; ') allow $1 ntop_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ntop_client_packets'($*)) dnl ') ######################################## ## ## Send ntop_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_ntop_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ntop_server_packets'($*)) dnl gen_require(` type ntop_server_packet_t; ') allow $1 ntop_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ntop_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ntop_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_ntop_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ntop_server_packets'($*)) dnl gen_require(` type ntop_server_packet_t; ') dontaudit $1 ntop_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ntop_server_packets'($*)) dnl ') ######################################## ## ## Receive ntop_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_ntop_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ntop_server_packets'($*)) dnl gen_require(` type ntop_server_packet_t; ') allow $1 ntop_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ntop_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ntop_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_ntop_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ntop_server_packets'($*)) dnl gen_require(` type ntop_server_packet_t; ') dontaudit $1 ntop_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ntop_server_packets'($*)) dnl ') ######################################## ## ## Send and receive ntop_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_ntop_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ntop_server_packets'($*)) dnl corenet_send_ntop_server_packets($1) corenet_receive_ntop_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ntop_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ntop_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_ntop_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ntop_server_packets'($*)) dnl corenet_dontaudit_send_ntop_server_packets($1) corenet_dontaudit_receive_ntop_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ntop_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to ntop_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_ntop_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ntop_server_packets'($*)) dnl gen_require(` type ntop_server_packet_t; ') allow $1 ntop_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ntop_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the ntp port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_sendrecv_ntp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ntp_port'($*)) dnl gen_require(` type ntp_port_t; ') allow $1 ntp_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ntp_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the ntp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_ntp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ntp_port'($*)) dnl gen_require(` type ntp_port_t; ') allow $1 ntp_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_ntp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the ntp port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_ntp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ntp_port'($*)) dnl gen_require(` type ntp_port_t; ') dontaudit $1 ntp_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ntp_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the ntp port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_receive_ntp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ntp_port'($*)) dnl gen_require(` type ntp_port_t; ') allow $1 ntp_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ntp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the ntp port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_ntp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ntp_port'($*)) dnl gen_require(` type ntp_port_t; ') dontaudit $1 ntp_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ntp_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the ntp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_ntp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ntp_port'($*)) dnl corenet_udp_send_ntp_port($1) corenet_udp_receive_ntp_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ntp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the ntp port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_sendrecv_ntp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ntp_port'($*)) dnl corenet_dontaudit_udp_send_ntp_port($1) corenet_dontaudit_udp_receive_ntp_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ntp_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the ntp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_ntp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ntp_port'($*)) dnl gen_require(` type ntp_port_t; ') allow $1 ntp_port_t:tcp_socket name_bind; allow $1 self:capability net_bind_service; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ntp_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the ntp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_ntp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ntp_port'($*)) dnl gen_require(` type ntp_port_t; ') allow $1 ntp_port_t:udp_socket name_bind; allow $1 self:capability net_bind_service; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ntp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to sbind to ntp port. ## ## ## ## Domain to not audit. 
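##
##
##
#
define(`corenet_dontaudit_udp_bind_ntp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ntp_port'($*)) dnl
	gen_require(`
		type ntp_port_t;
	')

	# Mirror of corenet_udp_bind_ntp_port with dontaudit in place of allow.
	# The second rule used to be an allow of net_bind_service, so an
	# interface whose only contract is to silence denials also handed a
	# capability to every caller.  A dontaudit interface must grant nothing;
	# callers that really need to bind must use corenet_udp_bind_ntp_port.
	dontaudit $1 ntp_port_t:udp_socket name_bind;
	dontaudit $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ntp_port'($*)) dnl
')

########################################
##
## Make a TCP connection to the ntp port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_ntp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ntp_port'($*)) dnl
	gen_require(`
		type ntp_port_t;
	')

	allow $1 ntp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ntp_port'($*)) dnl
')

########################################
##
## Do not audit attempts to make a TCP connection to the ntp port.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_ntp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ntp_port'($*)) dnl
	gen_require(`
		type ntp_port_t;
	')

	# Silences the name_connect denial only; no access is granted here.
	dontaudit $1 ntp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ntp_port'($*)) dnl
')

########################################
##
## Send ntp_client packets.
##
##
##
## Domain allowed access.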
## ## ## # define(`corenet_send_ntp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ntp_client_packets'($*)) dnl gen_require(` type ntp_client_packet_t; ') allow $1 ntp_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ntp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ntp_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_ntp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ntp_client_packets'($*)) dnl gen_require(` type ntp_client_packet_t; ') dontaudit $1 ntp_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ntp_client_packets'($*)) dnl ') ######################################## ## ## Receive ntp_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_ntp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ntp_client_packets'($*)) dnl gen_require(` type ntp_client_packet_t; ') allow $1 ntp_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ntp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ntp_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_ntp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ntp_client_packets'($*)) dnl gen_require(` type ntp_client_packet_t; ') dontaudit $1 ntp_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ntp_client_packets'($*)) dnl ') ######################################## ## ## Send and receive ntp_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_ntp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ntp_client_packets'($*)) dnl corenet_send_ntp_client_packets($1) corenet_receive_ntp_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ntp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ntp_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_ntp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ntp_client_packets'($*)) dnl corenet_dontaudit_send_ntp_client_packets($1) corenet_dontaudit_receive_ntp_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ntp_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to ntp_client the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_ntp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ntp_client_packets'($*)) dnl gen_require(` type ntp_client_packet_t; ') allow $1 ntp_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ntp_client_packets'($*)) dnl ') ######################################## ## ## Send ntp_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_ntp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ntp_server_packets'($*)) dnl gen_require(` type ntp_server_packet_t; ') allow $1 ntp_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ntp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ntp_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_ntp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ntp_server_packets'($*)) dnl gen_require(` type ntp_server_packet_t; ') dontaudit $1 ntp_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ntp_server_packets'($*)) dnl ') ######################################## ## ## Receive ntp_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_ntp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ntp_server_packets'($*)) dnl gen_require(` type ntp_server_packet_t; ') allow $1 ntp_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ntp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ntp_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_ntp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ntp_server_packets'($*)) dnl gen_require(` type ntp_server_packet_t; ') dontaudit $1 ntp_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ntp_server_packets'($*)) dnl ') ######################################## ## ## Send and receive ntp_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_ntp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ntp_server_packets'($*)) dnl corenet_send_ntp_server_packets($1) corenet_receive_ntp_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ntp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ntp_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_ntp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ntp_server_packets'($*)) dnl corenet_dontaudit_send_ntp_server_packets($1) corenet_dontaudit_receive_ntp_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ntp_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to ntp_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_ntp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ntp_server_packets'($*)) dnl gen_require(` type ntp_server_packet_t; ') allow $1 ntp_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ntp_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the ntske port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_ntske_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ntske_port'($*)) dnl gen_require(` type ntske_port_t; ') allow $1 ntske_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ntske_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the ntske port. ## ## ## ## Domain allowed access. 
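##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ntske_port'($*)) dnl
	gen_require(`
		type ntske_port_t;
	')

	allow $1 ntske_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ntske_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the ntske port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ntske_port'($*)) dnl
	gen_require(`
		type ntske_port_t;
	')

	# Silences the denial record only; the access remains denied.
	dontaudit $1 ntske_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ntske_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the ntske port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ntske_port'($*)) dnl
	gen_require(`
		type ntske_port_t;
	')

	allow $1 ntske_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ntske_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the ntske port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.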
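##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ntske_port'($*)) dnl
	gen_require(`
		type ntske_port_t;
	')

	# Silences the denial record only; the access remains denied.
	dontaudit $1 ntske_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ntske_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the ntske port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_udp_sendrecv_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ntske_port'($*)) dnl
	corenet_udp_send_ntske_port($1)
	corenet_udp_receive_ntske_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ntske_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the ntske port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ntske_port'($*)) dnl
	corenet_dontaudit_udp_send_ntske_port($1)
	corenet_dontaudit_udp_receive_ntske_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ntske_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the ntske port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.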
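##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ntske_port'($*)) dnl
	gen_require(`
		type ntske_port_t;
	')

	# Lets the domain listen on this port; grant only to the service that owns it.
	allow $1 ntske_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ntske_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the ntske port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ntske_port'($*)) dnl
	gen_require(`
		type ntske_port_t;
	')

	# Lets the domain receive on this port; grant only to the service that owns it.
	allow $1 ntske_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ntske_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the ntske port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ntske_port'($*)) dnl
	gen_require(`
		type ntske_port_t;
	')

	# Silences the denial record only; the bind is still refused.
	dontaudit $1 ntske_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ntske_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the ntske port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.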
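##	</summary>
## </param>
#
define(`corenet_tcp_connect_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ntske_port'($*)) dnl
	gen_require(`
		type ntske_port_t;
	')

	# name_connect on the port type is the outbound connection check for this port.
	allow $1 ntske_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ntske_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the ntske port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_ntske_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ntske_port'($*)) dnl
	gen_require(`
		type ntske_port_t;
	')

	# Silences the denial record only; the connection is still refused.
	dontaudit $1 ntske_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ntske_port'($*)) dnl
')

########################################
## <summary>
##	Send ntske_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_ntske_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ntske_client_packets'($*)) dnl
	gen_require(`
		type ntske_client_packet_t;
	')

	allow $1 ntske_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ntske_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send ntske_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.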
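##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_ntske_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ntske_client_packets'($*)) dnl
	gen_require(`
		type ntske_client_packet_t;
	')

	# Silences the denial record only; the access remains denied.
	dontaudit $1 ntske_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ntske_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive ntske_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_ntske_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ntske_client_packets'($*)) dnl
	gen_require(`
		type ntske_client_packet_t;
	')

	allow $1 ntske_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ntske_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive ntske_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_ntske_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ntske_client_packets'($*)) dnl
	gen_require(`
		type ntske_client_packet_t;
	')

	# Silences the denial record only; the access remains denied.
	dontaudit $1 ntske_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ntske_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive ntske_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.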
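##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_ntske_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ntske_client_packets'($*)) dnl
	corenet_send_ntske_client_packets($1)
	corenet_receive_ntske_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ntske_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive ntske_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_ntske_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ntske_client_packets'($*)) dnl
	corenet_dontaudit_send_ntske_client_packets($1)
	corenet_dontaudit_receive_ntske_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ntske_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the ntske_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_ntske_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ntske_client_packets'($*)) dnl
	gen_require(`
		type ntske_client_packet_t;
	')

	# Packet relabeling is a labeling-policy privilege; restrict it to the domain that manages packet labels.
	allow $1 ntske_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ntske_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send ntske_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.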
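##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_ntske_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ntske_server_packets'($*)) dnl
	gen_require(`
		type ntske_server_packet_t;
	')

	allow $1 ntske_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ntske_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send ntske_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_ntske_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ntske_server_packets'($*)) dnl
	gen_require(`
		type ntske_server_packet_t;
	')

	# Silences the denial record only; the access remains denied.
	dontaudit $1 ntske_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ntske_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive ntske_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_ntske_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ntske_server_packets'($*)) dnl
	gen_require(`
		type ntske_server_packet_t;
	')

	allow $1 ntske_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ntske_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive ntske_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.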
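##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_ntske_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ntske_server_packets'($*)) dnl
	gen_require(`
		type ntske_server_packet_t;
	')

	# Silences the denial record only; the access remains denied.
	dontaudit $1 ntske_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ntske_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive ntske_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_ntske_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ntske_server_packets'($*)) dnl
	corenet_send_ntske_server_packets($1)
	corenet_receive_ntske_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ntske_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive ntske_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_ntske_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ntske_server_packets'($*)) dnl
	corenet_dontaudit_send_ntske_server_packets($1)
	corenet_dontaudit_receive_ntske_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ntske_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the ntske_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.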
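##	</summary>
## </param>
#
define(`corenet_relabelto_ntske_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ntske_server_packets'($*)) dnl
	gen_require(`
		type ntske_server_packet_t;
	')

	# Packet relabeling is a labeling-policy privilege; restrict it to the domain that manages packet labels.
	allow $1 ntske_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ntske_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the oracle port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_tcp_sendrecv_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_oracle_port'($*)) dnl
	gen_require(`
		type oracle_port_t;
	')

	allow $1 oracle_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_oracle_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the oracle port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_oracle_port'($*)) dnl
	gen_require(`
		type oracle_port_t;
	')

	allow $1 oracle_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_oracle_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the oracle port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.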
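##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_oracle_port'($*)) dnl
	gen_require(`
		type oracle_port_t;
	')

	# Silences the denial record only; the access remains denied.
	dontaudit $1 oracle_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_oracle_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the oracle port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_oracle_port'($*)) dnl
	gen_require(`
		type oracle_port_t;
	')

	allow $1 oracle_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_oracle_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the oracle port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_oracle_port'($*)) dnl
	gen_require(`
		type oracle_port_t;
	')

	# Silences the denial record only; the access remains denied.
	dontaudit $1 oracle_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_oracle_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the oracle port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.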
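##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_udp_sendrecv_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_oracle_port'($*)) dnl
	corenet_udp_send_oracle_port($1)
	corenet_udp_receive_oracle_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_oracle_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the oracle port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_oracle_port'($*)) dnl
	corenet_dontaudit_udp_send_oracle_port($1)
	corenet_dontaudit_udp_receive_oracle_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_oracle_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the oracle port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_oracle_port'($*)) dnl
	gen_require(`
		type oracle_port_t;
	')

	# Lets the domain listen on this port; grant only to the service that owns it.
	allow $1 oracle_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_oracle_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the oracle port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.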
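##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_oracle_port'($*)) dnl
	gen_require(`
		type oracle_port_t;
	')

	# Lets the domain receive on this port; grant only to the service that owns it.
	allow $1 oracle_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_oracle_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the oracle port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_oracle_port'($*)) dnl
	gen_require(`
		type oracle_port_t;
	')

	# Silences the denial record only; the bind is still refused.
	dontaudit $1 oracle_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_oracle_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the oracle port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_oracle_port'($*)) dnl
	gen_require(`
		type oracle_port_t;
	')

	# name_connect on the port type is the outbound connection check for this port.
	allow $1 oracle_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_oracle_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the oracle port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.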
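##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_oracle_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_oracle_port'($*)) dnl
	gen_require(`
		type oracle_port_t;
	')

	# Silences the denial record only; the connection is still refused.
	dontaudit $1 oracle_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_oracle_port'($*)) dnl
')

########################################
## <summary>
##	Send oracle_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_oracle_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_oracle_client_packets'($*)) dnl
	gen_require(`
		type oracle_client_packet_t;
	')

	allow $1 oracle_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_oracle_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send oracle_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_oracle_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_oracle_client_packets'($*)) dnl
	gen_require(`
		type oracle_client_packet_t;
	')

	# Silences the denial record only; the access remains denied.
	dontaudit $1 oracle_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_oracle_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive oracle_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.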
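##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_oracle_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_oracle_client_packets'($*)) dnl
	gen_require(`
		type oracle_client_packet_t;
	')

	allow $1 oracle_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_oracle_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive oracle_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_oracle_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_oracle_client_packets'($*)) dnl
	gen_require(`
		type oracle_client_packet_t;
	')

	# Silences the denial record only; the access remains denied.
	dontaudit $1 oracle_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_oracle_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive oracle_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_oracle_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_oracle_client_packets'($*)) dnl
	corenet_send_oracle_client_packets($1)
	corenet_receive_oracle_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_oracle_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive oracle_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.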
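##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_oracle_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_oracle_client_packets'($*)) dnl
	corenet_dontaudit_send_oracle_client_packets($1)
	corenet_dontaudit_receive_oracle_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_oracle_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the oracle_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_oracle_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_oracle_client_packets'($*)) dnl
	gen_require(`
		type oracle_client_packet_t;
	')

	# Packet relabeling is a labeling-policy privilege; restrict it to the domain that manages packet labels.
	allow $1 oracle_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_oracle_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send oracle_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_oracle_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_oracle_server_packets'($*)) dnl
	gen_require(`
		type oracle_server_packet_t;
	')

	allow $1 oracle_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_oracle_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send oracle_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.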
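##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_oracle_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_oracle_server_packets'($*)) dnl
	gen_require(`
		type oracle_server_packet_t;
	')

	# Silences the denial record only; the access remains denied.
	dontaudit $1 oracle_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_oracle_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive oracle_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_oracle_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_oracle_server_packets'($*)) dnl
	gen_require(`
		type oracle_server_packet_t;
	')

	allow $1 oracle_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_oracle_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive oracle_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_oracle_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_oracle_server_packets'($*)) dnl
	gen_require(`
		type oracle_server_packet_t;
	')

	# Silences the denial record only; the access remains denied.
	dontaudit $1 oracle_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_oracle_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive oracle_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.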
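##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_oracle_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_oracle_server_packets'($*)) dnl
	corenet_send_oracle_server_packets($1)
	corenet_receive_oracle_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_oracle_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive oracle_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_oracle_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_oracle_server_packets'($*)) dnl
	corenet_dontaudit_send_oracle_server_packets($1)
	corenet_dontaudit_receive_oracle_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_oracle_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the oracle_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_oracle_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_oracle_server_packets'($*)) dnl
	gen_require(`
		type oracle_server_packet_t;
	')

	# Packet relabeling is a labeling-policy privilege; restrict it to the domain that manages packet labels.
	allow $1 oracle_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_oracle_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the oa_system port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.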
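##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_tcp_sendrecv_oa_system_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_oa_system_port'($*)) dnl
	gen_require(`
		type oa_system_port_t;
	')

	allow $1 oa_system_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_oa_system_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the oa_system port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_oa_system_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_oa_system_port'($*)) dnl
	gen_require(`
		type oa_system_port_t;
	')

	allow $1 oa_system_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_oa_system_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the oa_system port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_oa_system_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_oa_system_port'($*)) dnl
	gen_require(`
		type oa_system_port_t;
	')

	# Silences the denial record only; the access remains denied.
	dontaudit $1 oa_system_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_oa_system_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the oa_system port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.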
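##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_oa_system_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_oa_system_port'($*)) dnl
	gen_require(`
		type oa_system_port_t;
	')

	allow $1 oa_system_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_oa_system_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the oa_system port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_oa_system_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_oa_system_port'($*)) dnl
	gen_require(`
		type oa_system_port_t;
	')

	# Silences the denial record only; the access remains denied.
	dontaudit $1 oa_system_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_oa_system_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the oa_system port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_udp_sendrecv_oa_system_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_oa_system_port'($*)) dnl
	corenet_udp_send_oa_system_port($1)
	corenet_udp_receive_oa_system_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_oa_system_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the oa_system port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.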
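##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_oa_system_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_oa_system_port'($*)) dnl
	corenet_dontaudit_udp_send_oa_system_port($1)
	corenet_dontaudit_udp_receive_oa_system_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_oa_system_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the oa_system port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_oa_system_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_oa_system_port'($*)) dnl
	gen_require(`
		type oa_system_port_t;
	')

	# Lets the domain listen on this port; grant only to the service that owns it.
	allow $1 oa_system_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_oa_system_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the oa_system port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_oa_system_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_oa_system_port'($*)) dnl
	gen_require(`
		type oa_system_port_t;
	')

	# Lets the domain receive on this port; grant only to the service that owns it.
	allow $1 oa_system_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_oa_system_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the oa_system port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.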
## ## ## # define(`corenet_dontaudit_udp_bind_oa_system_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_oa_system_port'($*)) dnl gen_require(` type oa_system_port_t; ') dontaudit $1 oa_system_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_oa_system_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the oa_system port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_oa_system_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_oa_system_port'($*)) dnl gen_require(` type oa_system_port_t; ') allow $1 oa_system_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_oa_system_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the oa_system port. ## ## ## ## Domain to not audit. ## ## # define(`corenet_dontaudit_tcp_connect_oa_system_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_oa_system_port'($*)) dnl gen_require(` type oa_system_port_t; ') dontaudit $1 oa_system_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_oa_system_port'($*)) dnl ') ######################################## ## ## Send oa_system_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_oa_system_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_oa_system_client_packets'($*)) dnl gen_require(` type oa_system_client_packet_t; ') allow $1 oa_system_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_oa_system_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send oa_system_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_oa_system_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_oa_system_client_packets'($*)) dnl gen_require(` type oa_system_client_packet_t; ') dontaudit $1 oa_system_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_oa_system_client_packets'($*)) dnl ') ######################################## ## ## Receive oa_system_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_oa_system_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_oa_system_client_packets'($*)) dnl gen_require(` type oa_system_client_packet_t; ') allow $1 oa_system_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_oa_system_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive oa_system_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_receive_oa_system_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_oa_system_client_packets'($*)) dnl gen_require(` type oa_system_client_packet_t; ') dontaudit $1 oa_system_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_oa_system_client_packets'($*)) dnl ') ######################################## ## ## Send and receive oa_system_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_oa_system_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_oa_system_client_packets'($*)) dnl corenet_send_oa_system_client_packets($1) corenet_receive_oa_system_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_oa_system_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive oa_system_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_oa_system_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_oa_system_client_packets'($*)) dnl corenet_dontaudit_send_oa_system_client_packets($1) corenet_dontaudit_receive_oa_system_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_oa_system_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the oa_system_client packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_oa_system_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_oa_system_client_packets'($*)) dnl gen_require(` type oa_system_client_packet_t; ') allow $1 oa_system_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_oa_system_client_packets'($*)) dnl ') ######################################## ## ## Send oa_system_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_oa_system_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_oa_system_server_packets'($*)) dnl gen_require(` type oa_system_server_packet_t; ') allow $1 oa_system_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_oa_system_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send oa_system_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_oa_system_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_oa_system_server_packets'($*)) dnl gen_require(` type oa_system_server_packet_t; ') dontaudit $1 oa_system_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_oa_system_server_packets'($*)) dnl ') ######################################## ## ## Receive oa_system_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_oa_system_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_oa_system_server_packets'($*)) dnl gen_require(` type oa_system_server_packet_t; ') allow $1 oa_system_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_oa_system_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive oa_system_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_oa_system_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_oa_system_server_packets'($*)) dnl gen_require(` type oa_system_server_packet_t; ') dontaudit $1 oa_system_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_oa_system_server_packets'($*)) dnl ') ######################################## ## ## Send and receive oa_system_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_oa_system_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_oa_system_server_packets'($*)) dnl corenet_send_oa_system_server_packets($1) corenet_receive_oa_system_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_oa_system_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive oa_system_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_oa_system_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_oa_system_server_packets'($*)) dnl corenet_dontaudit_send_oa_system_server_packets($1) corenet_dontaudit_receive_oa_system_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_oa_system_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the oa_system_server packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_oa_system_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_oa_system_server_packets'($*)) dnl gen_require(` type oa_system_server_packet_t; ') allow $1 oa_system_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_oa_system_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the ocsp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_ocsp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ocsp_port'($*)) dnl gen_require(` type ocsp_port_t; ') allow $1 ocsp_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ocsp_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the ocsp port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_send_ocsp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ocsp_port'($*)) dnl gen_require(` type ocsp_port_t; ') allow $1 ocsp_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_ocsp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the ocsp port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_ocsp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ocsp_port'($*)) dnl gen_require(` type ocsp_port_t; ') dontaudit $1 ocsp_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ocsp_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the ocsp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_ocsp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ocsp_port'($*)) dnl gen_require(` type ocsp_port_t; ') allow $1 ocsp_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ocsp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the ocsp port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_receive_ocsp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ocsp_port'($*)) dnl gen_require(` type ocsp_port_t; ') dontaudit $1 ocsp_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ocsp_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the ocsp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_ocsp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ocsp_port'($*)) dnl corenet_udp_send_ocsp_port($1) corenet_udp_receive_ocsp_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ocsp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the ocsp port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_ocsp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ocsp_port'($*)) dnl corenet_dontaudit_udp_send_ocsp_port($1) corenet_dontaudit_udp_receive_ocsp_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ocsp_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the ocsp port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_bind_ocsp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ocsp_port'($*)) dnl gen_require(` type ocsp_port_t; ') allow $1 ocsp_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ocsp_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the ocsp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_ocsp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ocsp_port'($*)) dnl gen_require(` type ocsp_port_t; ') allow $1 ocsp_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ocsp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind UDP sockets to the ocsp port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_bind_ocsp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ocsp_port'($*)) dnl gen_require(` type ocsp_port_t; ') dontaudit $1 ocsp_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ocsp_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the ocsp port. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_tcp_connect_ocsp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ocsp_port'($*)) dnl gen_require(` type ocsp_port_t; ') allow $1 ocsp_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ocsp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the ocsp port. ## ## ## ## Domain to not audit. ## ## # define(`corenet_dontaudit_tcp_connect_ocsp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ocsp_port'($*)) dnl gen_require(` type ocsp_port_t; ') dontaudit $1 ocsp_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ocsp_port'($*)) dnl ') ######################################## ## ## Send ocsp_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_ocsp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ocsp_client_packets'($*)) dnl gen_require(` type ocsp_client_packet_t; ') allow $1 ocsp_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ocsp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ocsp_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_ocsp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ocsp_client_packets'($*)) dnl gen_require(` type ocsp_client_packet_t; ') dontaudit $1 ocsp_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ocsp_client_packets'($*)) dnl ') ######################################## ## ## Receive ocsp_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_ocsp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ocsp_client_packets'($*)) dnl gen_require(` type ocsp_client_packet_t; ') allow $1 ocsp_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ocsp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ocsp_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_ocsp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ocsp_client_packets'($*)) dnl gen_require(` type ocsp_client_packet_t; ') dontaudit $1 ocsp_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ocsp_client_packets'($*)) dnl ') ######################################## ## ## Send and receive ocsp_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_ocsp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ocsp_client_packets'($*)) dnl corenet_send_ocsp_client_packets($1) corenet_receive_ocsp_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ocsp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ocsp_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_ocsp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ocsp_client_packets'($*)) dnl corenet_dontaudit_send_ocsp_client_packets($1) corenet_dontaudit_receive_ocsp_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ocsp_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the ocsp_client packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_ocsp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ocsp_client_packets'($*)) dnl gen_require(` type ocsp_client_packet_t; ') allow $1 ocsp_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ocsp_client_packets'($*)) dnl ') ######################################## ## ## Send ocsp_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_ocsp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ocsp_server_packets'($*)) dnl gen_require(` type ocsp_server_packet_t; ') allow $1 ocsp_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ocsp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ocsp_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_ocsp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ocsp_server_packets'($*)) dnl gen_require(` type ocsp_server_packet_t; ') dontaudit $1 ocsp_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ocsp_server_packets'($*)) dnl ') ######################################## ## ## Receive ocsp_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_ocsp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ocsp_server_packets'($*)) dnl gen_require(` type ocsp_server_packet_t; ') allow $1 ocsp_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ocsp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ocsp_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_receive_ocsp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ocsp_server_packets'($*)) dnl gen_require(` type ocsp_server_packet_t; ') dontaudit $1 ocsp_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ocsp_server_packets'($*)) dnl ') ######################################## ## ## Send and receive ocsp_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_ocsp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ocsp_server_packets'($*)) dnl corenet_send_ocsp_server_packets($1) corenet_receive_ocsp_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ocsp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ocsp_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_ocsp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ocsp_server_packets'($*)) dnl corenet_dontaudit_send_ocsp_server_packets($1) corenet_dontaudit_receive_ocsp_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ocsp_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the ocsp_server packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_ocsp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ocsp_server_packets'($*)) dnl gen_require(` type ocsp_server_packet_t; ') allow $1 ocsp_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ocsp_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the openflow port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_openflow_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_openflow_port'($*)) dnl gen_require(` type openflow_port_t; ') allow $1 openflow_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_openflow_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the openflow port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_openflow_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_openflow_port'($*)) dnl gen_require(` type openflow_port_t; ') allow $1 openflow_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_openflow_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the openflow port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_send_openflow_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_openflow_port'($*)) dnl gen_require(` type openflow_port_t; ') dontaudit $1 openflow_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_openflow_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the openflow port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_openflow_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_openflow_port'($*)) dnl gen_require(` type openflow_port_t; ') allow $1 openflow_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_openflow_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the openflow port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_openflow_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_openflow_port'($*)) dnl gen_require(` type openflow_port_t; ') dontaudit $1 openflow_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_openflow_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the openflow port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_sendrecv_openflow_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_openflow_port'($*)) dnl corenet_udp_send_openflow_port($1) corenet_udp_receive_openflow_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_openflow_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the openflow port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_openflow_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_openflow_port'($*)) dnl corenet_dontaudit_udp_send_openflow_port($1) corenet_dontaudit_udp_receive_openflow_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_openflow_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the openflow port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_openflow_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_openflow_port'($*)) dnl gen_require(` type openflow_port_t; ') allow $1 openflow_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_openflow_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the openflow port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_bind_openflow_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_openflow_port'($*)) dnl gen_require(` type openflow_port_t; ') allow $1 openflow_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_openflow_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind UDP sockets to the openflow port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_bind_openflow_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_openflow_port'($*)) dnl gen_require(` type openflow_port_t; ') dontaudit $1 openflow_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_openflow_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the openflow port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_openflow_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_openflow_port'($*)) dnl gen_require(` type openflow_port_t; ') allow $1 openflow_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_openflow_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the openflow port. ## ## ## ## Domain to not audit. 
## ## # define(`corenet_dontaudit_tcp_connect_openflow_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_openflow_port'($*)) dnl gen_require(` type openflow_port_t; ') dontaudit $1 openflow_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_openflow_port'($*)) dnl ') ######################################## ## ## Send openflow_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_openflow_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_openflow_client_packets'($*)) dnl gen_require(` type openflow_client_packet_t; ') allow $1 openflow_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_openflow_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send openflow_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_openflow_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openflow_client_packets'($*)) dnl gen_require(` type openflow_client_packet_t; ') dontaudit $1 openflow_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openflow_client_packets'($*)) dnl ') ######################################## ## ## Receive openflow_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_openflow_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_openflow_client_packets'($*)) dnl gen_require(` type openflow_client_packet_t; ') allow $1 openflow_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_openflow_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive openflow_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_openflow_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openflow_client_packets'($*)) dnl gen_require(` type openflow_client_packet_t; ') dontaudit $1 openflow_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openflow_client_packets'($*)) dnl ') ######################################## ## ## Send and receive openflow_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_openflow_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openflow_client_packets'($*)) dnl corenet_send_openflow_client_packets($1) corenet_receive_openflow_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openflow_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive openflow_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_openflow_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openflow_client_packets'($*)) dnl corenet_dontaudit_send_openflow_client_packets($1) corenet_dontaudit_receive_openflow_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openflow_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the openflow_client packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_openflow_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openflow_client_packets'($*)) dnl gen_require(` type openflow_client_packet_t; ') allow $1 openflow_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_openflow_client_packets'($*)) dnl ') ######################################## ## ## Send openflow_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_openflow_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_openflow_server_packets'($*)) dnl gen_require(` type openflow_server_packet_t; ') allow $1 openflow_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_openflow_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send openflow_server packets. ## ## ## ## Domain to not audit.
## ## ## # define(`corenet_dontaudit_send_openflow_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openflow_server_packets'($*)) dnl gen_require(` type openflow_server_packet_t; ') dontaudit $1 openflow_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openflow_server_packets'($*)) dnl ') ######################################## ## ## Receive openflow_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_openflow_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_openflow_server_packets'($*)) dnl gen_require(` type openflow_server_packet_t; ') allow $1 openflow_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_openflow_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive openflow_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_openflow_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openflow_server_packets'($*)) dnl gen_require(` type openflow_server_packet_t; ') dontaudit $1 openflow_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openflow_server_packets'($*)) dnl ') ######################################## ## ## Send and receive openflow_server packets. ## ## ## ## Domain allowed access.
## ## ## # define(`corenet_sendrecv_openflow_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openflow_server_packets'($*)) dnl corenet_send_openflow_server_packets($1) corenet_receive_openflow_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openflow_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive openflow_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_openflow_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openflow_server_packets'($*)) dnl corenet_dontaudit_send_openflow_server_packets($1) corenet_dontaudit_receive_openflow_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openflow_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the openflow_server packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_openflow_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openflow_server_packets'($*)) dnl gen_require(` type openflow_server_packet_t; ') allow $1 openflow_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_openflow_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the openhpid port. ## ## ## ## Domain allowed access.
## ## ## # define(`corenet_tcp_sendrecv_openhpid_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_openhpid_port'($*)) dnl gen_require(` type openhpid_port_t; ') allow $1 openhpid_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_openhpid_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the openhpid port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_openhpid_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_openhpid_port'($*)) dnl gen_require(` type openhpid_port_t; ') allow $1 openhpid_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_openhpid_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the openhpid port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_openhpid_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_openhpid_port'($*)) dnl gen_require(` type openhpid_port_t; ') dontaudit $1 openhpid_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_openhpid_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the openhpid port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_receive_openhpid_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_openhpid_port'($*)) dnl gen_require(` type openhpid_port_t; ') allow $1 openhpid_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_openhpid_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the openhpid port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_openhpid_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_openhpid_port'($*)) dnl gen_require(` type openhpid_port_t; ') dontaudit $1 openhpid_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_openhpid_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the openhpid port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_openhpid_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_openhpid_port'($*)) dnl corenet_udp_send_openhpid_port($1) corenet_udp_receive_openhpid_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_openhpid_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the openhpid port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_sendrecv_openhpid_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_openhpid_port'($*)) dnl corenet_dontaudit_udp_send_openhpid_port($1) corenet_dontaudit_udp_receive_openhpid_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_openhpid_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the openhpid port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_openhpid_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_openhpid_port'($*)) dnl gen_require(` type openhpid_port_t; ') allow $1 openhpid_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_openhpid_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the openhpid port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_openhpid_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_openhpid_port'($*)) dnl gen_require(` type openhpid_port_t; ') allow $1 openhpid_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_openhpid_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind UDP sockets to the openhpid port. ## ## ## ## Domain to not audit.
## ## ## # define(`corenet_dontaudit_udp_bind_openhpid_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_openhpid_port'($*)) dnl gen_require(` type openhpid_port_t; ') dontaudit $1 openhpid_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_openhpid_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the openhpid port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_openhpid_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_openhpid_port'($*)) dnl gen_require(` type openhpid_port_t; ') allow $1 openhpid_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_openhpid_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the openhpid port. ## ## ## ## Domain to not audit. ## ## # define(`corenet_dontaudit_tcp_connect_openhpid_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_openhpid_port'($*)) dnl gen_require(` type openhpid_port_t; ') dontaudit $1 openhpid_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_openhpid_port'($*)) dnl ') ######################################## ## ## Send openhpid_client packets. ## ## ## ## Domain allowed access.
## ## ## # define(`corenet_send_openhpid_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_openhpid_client_packets'($*)) dnl gen_require(` type openhpid_client_packet_t; ') allow $1 openhpid_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_openhpid_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send openhpid_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_openhpid_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openhpid_client_packets'($*)) dnl gen_require(` type openhpid_client_packet_t; ') dontaudit $1 openhpid_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openhpid_client_packets'($*)) dnl ') ######################################## ## ## Receive openhpid_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_openhpid_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_openhpid_client_packets'($*)) dnl gen_require(` type openhpid_client_packet_t; ') allow $1 openhpid_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_openhpid_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive openhpid_client packets. ## ## ## ## Domain to not audit.
## ## ## # define(`corenet_dontaudit_receive_openhpid_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openhpid_client_packets'($*)) dnl gen_require(` type openhpid_client_packet_t; ') dontaudit $1 openhpid_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openhpid_client_packets'($*)) dnl ') ######################################## ## ## Send and receive openhpid_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_openhpid_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openhpid_client_packets'($*)) dnl corenet_send_openhpid_client_packets($1) corenet_receive_openhpid_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openhpid_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive openhpid_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_openhpid_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openhpid_client_packets'($*)) dnl corenet_dontaudit_send_openhpid_client_packets($1) corenet_dontaudit_receive_openhpid_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openhpid_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the openhpid_client packet type. ## ## ## ## Domain allowed access.
## ## # define(`corenet_relabelto_openhpid_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openhpid_client_packets'($*)) dnl gen_require(` type openhpid_client_packet_t; ') allow $1 openhpid_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_openhpid_client_packets'($*)) dnl ') ######################################## ## ## Send openhpid_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_openhpid_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_openhpid_server_packets'($*)) dnl gen_require(` type openhpid_server_packet_t; ') allow $1 openhpid_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_openhpid_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send openhpid_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_openhpid_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openhpid_server_packets'($*)) dnl gen_require(` type openhpid_server_packet_t; ') dontaudit $1 openhpid_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openhpid_server_packets'($*)) dnl ') ######################################## ## ## Receive openhpid_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_openhpid_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_openhpid_server_packets'($*)) dnl gen_require(` type openhpid_server_packet_t; ') allow $1 openhpid_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_openhpid_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive openhpid_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_openhpid_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openhpid_server_packets'($*)) dnl gen_require(` type openhpid_server_packet_t; ') dontaudit $1 openhpid_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openhpid_server_packets'($*)) dnl ') ######################################## ## ## Send and receive openhpid_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_openhpid_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openhpid_server_packets'($*)) dnl corenet_send_openhpid_server_packets($1) corenet_receive_openhpid_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openhpid_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive openhpid_server packets. ## ## ## ## Domain to not audit.
## ## ## # define(`corenet_dontaudit_sendrecv_openhpid_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openhpid_server_packets'($*)) dnl corenet_dontaudit_send_openhpid_server_packets($1) corenet_dontaudit_receive_openhpid_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openhpid_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the openhpid_server packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_openhpid_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openhpid_server_packets'($*)) dnl gen_require(` type openhpid_server_packet_t; ') allow $1 openhpid_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_openhpid_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the openvpn port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_openvpn_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_openvpn_port'($*)) dnl gen_require(` type openvpn_port_t; ') allow $1 openvpn_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_openvpn_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the openvpn port. ## ## ## ## Domain allowed access.
## ## ## # define(`corenet_udp_send_openvpn_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_openvpn_port'($*)) dnl gen_require(` type openvpn_port_t; ') allow $1 openvpn_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_openvpn_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the openvpn port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_openvpn_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_openvpn_port'($*)) dnl gen_require(` type openvpn_port_t; ') dontaudit $1 openvpn_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_openvpn_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the openvpn port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_openvpn_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_openvpn_port'($*)) dnl gen_require(` type openvpn_port_t; ') allow $1 openvpn_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_openvpn_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the openvpn port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_receive_openvpn_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_openvpn_port'($*)) dnl gen_require(` type openvpn_port_t; ') dontaudit $1 openvpn_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_openvpn_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the openvpn port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_openvpn_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_openvpn_port'($*)) dnl corenet_udp_send_openvpn_port($1) corenet_udp_receive_openvpn_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_openvpn_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the openvpn port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_openvpn_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_openvpn_port'($*)) dnl corenet_dontaudit_udp_send_openvpn_port($1) corenet_dontaudit_udp_receive_openvpn_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_openvpn_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the openvpn port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_bind_openvpn_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_openvpn_port'($*)) dnl gen_require(` type openvpn_port_t; ') allow $1 openvpn_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_openvpn_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the openvpn port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_openvpn_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_openvpn_port'($*)) dnl gen_require(` type openvpn_port_t; ') allow $1 openvpn_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_openvpn_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind UDP sockets to the openvpn port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_bind_openvpn_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_openvpn_port'($*)) dnl gen_require(` type openvpn_port_t; ') dontaudit $1 openvpn_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_openvpn_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the openvpn port. ## ## ## ## Domain allowed access.
## ## # define(`corenet_tcp_connect_openvpn_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_openvpn_port'($*)) dnl gen_require(` type openvpn_port_t; ') allow $1 openvpn_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_openvpn_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the openvpn port. ## ## ## ## Domain to not audit. ## ## # define(`corenet_dontaudit_tcp_connect_openvpn_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_openvpn_port'($*)) dnl gen_require(` type openvpn_port_t; ') dontaudit $1 openvpn_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_openvpn_port'($*)) dnl ') ######################################## ## ## Send openvpn_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_openvpn_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_openvpn_client_packets'($*)) dnl gen_require(` type openvpn_client_packet_t; ') allow $1 openvpn_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_openvpn_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send openvpn_client packets. ## ## ## ## Domain to not audit.
## ## ## # define(`corenet_dontaudit_send_openvpn_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openvpn_client_packets'($*)) dnl gen_require(` type openvpn_client_packet_t; ') dontaudit $1 openvpn_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openvpn_client_packets'($*)) dnl ') ######################################## ## ## Receive openvpn_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_openvpn_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_openvpn_client_packets'($*)) dnl gen_require(` type openvpn_client_packet_t; ') allow $1 openvpn_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_openvpn_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive openvpn_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_openvpn_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openvpn_client_packets'($*)) dnl gen_require(` type openvpn_client_packet_t; ') dontaudit $1 openvpn_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openvpn_client_packets'($*)) dnl ') ######################################## ## ## Send and receive openvpn_client packets. ## ## ## ## Domain allowed access.
## ## ## # define(`corenet_sendrecv_openvpn_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openvpn_client_packets'($*)) dnl corenet_send_openvpn_client_packets($1) corenet_receive_openvpn_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openvpn_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive openvpn_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_openvpn_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openvpn_client_packets'($*)) dnl corenet_dontaudit_send_openvpn_client_packets($1) corenet_dontaudit_receive_openvpn_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openvpn_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the openvpn_client packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_openvpn_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openvpn_client_packets'($*)) dnl gen_require(` type openvpn_client_packet_t; ') allow $1 openvpn_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_openvpn_client_packets'($*)) dnl ') ######################################## ## ## Send openvpn_server packets. ## ## ## ## Domain allowed access.
## ## ## # define(`corenet_send_openvpn_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_openvpn_server_packets'($*)) dnl gen_require(` type openvpn_server_packet_t; ') allow $1 openvpn_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_openvpn_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send openvpn_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_openvpn_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openvpn_server_packets'($*)) dnl gen_require(` type openvpn_server_packet_t; ') dontaudit $1 openvpn_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openvpn_server_packets'($*)) dnl ') ######################################## ## ## Receive openvpn_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_openvpn_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_openvpn_server_packets'($*)) dnl gen_require(` type openvpn_server_packet_t; ') allow $1 openvpn_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_openvpn_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive openvpn_server packets. ## ## ## ## Domain to not audit.
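##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_openvpn_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openvpn_server_packets'($*)) dnl
	gen_require(`
		type openvpn_server_packet_t;
	')

	dontaudit $1 openvpn_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openvpn_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive openvpn_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_openvpn_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openvpn_server_packets'($*)) dnl
	corenet_send_openvpn_server_packets($1)
	corenet_receive_openvpn_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openvpn_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive openvpn_server packets.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_openvpn_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openvpn_server_packets'($*)) dnl
	corenet_dontaudit_send_openvpn_server_packets($1)
	corenet_dontaudit_receive_openvpn_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openvpn_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the openvpn_server packet type.
## </summary>
## <desc>
##	<p>Lets the domain apply this label to packets (typically the
##	domain that loads SECMARK firewall rules). Packet labels gate
##	network access for every domain, so grant this only to trusted
##	packet-labeling domains.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.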
##	</summary>
## </param>
#
define(`corenet_relabelto_openvpn_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openvpn_server_packets'($*)) dnl
	gen_require(`
		type openvpn_server_packet_t;
	')

	allow $1 openvpn_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_openvpn_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the openvswitch port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_openvswitch_port'($*)) dnl
	gen_require(`
		type openvswitch_port_t;
	')

	allow $1 openvswitch_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_openvswitch_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the openvswitch port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_openvswitch_port'($*)) dnl
	gen_require(`
		type openvswitch_port_t;
	')

	allow $1 openvswitch_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_openvswitch_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the openvswitch port.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_openvswitch_port'($*)) dnl
	gen_require(`
		type openvswitch_port_t;
	')

	dontaudit $1 openvswitch_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_openvswitch_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the openvswitch port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_openvswitch_port'($*)) dnl
	gen_require(`
		type openvswitch_port_t;
	')

	allow $1 openvswitch_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_openvswitch_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the openvswitch port.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_openvswitch_port'($*)) dnl
	gen_require(`
		type openvswitch_port_t;
	')

	dontaudit $1 openvswitch_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_openvswitch_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the openvswitch port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_openvswitch_port'($*)) dnl
	corenet_udp_send_openvswitch_port($1)
	corenet_udp_receive_openvswitch_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_openvswitch_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the openvswitch port.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_openvswitch_port'($*)) dnl
	corenet_dontaudit_udp_send_openvswitch_port($1)
	corenet_dontaudit_udp_receive_openvswitch_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_openvswitch_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the openvswitch port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_openvswitch_port'($*)) dnl
	gen_require(`
		type openvswitch_port_t;
	')

	allow $1 openvswitch_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_openvswitch_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the openvswitch port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
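##	</summary>
## </param>
#
define(`corenet_udp_bind_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_openvswitch_port'($*)) dnl
	gen_require(`
		type openvswitch_port_t;
	')

	allow $1 openvswitch_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_openvswitch_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the openvswitch port.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_openvswitch_port'($*)) dnl
	gen_require(`
		type openvswitch_port_t;
	')

	dontaudit $1 openvswitch_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_openvswitch_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the openvswitch port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_openvswitch_port'($*)) dnl
	gen_require(`
		type openvswitch_port_t;
	')

	allow $1 openvswitch_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_openvswitch_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the openvswitch port.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.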
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_openvswitch_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_openvswitch_port'($*)) dnl
	gen_require(`
		type openvswitch_port_t;
	')

	dontaudit $1 openvswitch_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_openvswitch_port'($*)) dnl
')

########################################
## <summary>
##	Send openvswitch_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_openvswitch_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_openvswitch_client_packets'($*)) dnl
	gen_require(`
		type openvswitch_client_packet_t;
	')

	allow $1 openvswitch_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_openvswitch_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send openvswitch_client packets.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_openvswitch_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openvswitch_client_packets'($*)) dnl
	gen_require(`
		type openvswitch_client_packet_t;
	')

	dontaudit $1 openvswitch_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openvswitch_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive openvswitch_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
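##	</summary>
## </param>
#
define(`corenet_receive_openvswitch_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_openvswitch_client_packets'($*)) dnl
	gen_require(`
		type openvswitch_client_packet_t;
	')

	allow $1 openvswitch_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_openvswitch_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive openvswitch_client packets.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_openvswitch_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openvswitch_client_packets'($*)) dnl
	gen_require(`
		type openvswitch_client_packet_t;
	')

	dontaudit $1 openvswitch_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openvswitch_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive openvswitch_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_openvswitch_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openvswitch_client_packets'($*)) dnl
	corenet_send_openvswitch_client_packets($1)
	corenet_receive_openvswitch_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openvswitch_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive openvswitch_client packets.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.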
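##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_openvswitch_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openvswitch_client_packets'($*)) dnl
	corenet_dontaudit_send_openvswitch_client_packets($1)
	corenet_dontaudit_receive_openvswitch_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openvswitch_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the openvswitch_client packet type.
## </summary>
## <desc>
##	<p>Lets the domain apply this label to packets (typically the
##	domain that loads SECMARK firewall rules). Packet labels gate
##	network access for every domain, so grant this only to trusted
##	packet-labeling domains.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_openvswitch_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openvswitch_client_packets'($*)) dnl
	gen_require(`
		type openvswitch_client_packet_t;
	')

	allow $1 openvswitch_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_openvswitch_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send openvswitch_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_openvswitch_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_openvswitch_server_packets'($*)) dnl
	gen_require(`
		type openvswitch_server_packet_t;
	')

	allow $1 openvswitch_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_openvswitch_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send openvswitch_server packets.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.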
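##	</summary>
## </param>
#
define(`corenet_dontaudit_send_openvswitch_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openvswitch_server_packets'($*)) dnl
	gen_require(`
		type openvswitch_server_packet_t;
	')

	dontaudit $1 openvswitch_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openvswitch_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive openvswitch_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_openvswitch_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_openvswitch_server_packets'($*)) dnl
	gen_require(`
		type openvswitch_server_packet_t;
	')

	allow $1 openvswitch_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_openvswitch_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive openvswitch_server packets.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_openvswitch_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openvswitch_server_packets'($*)) dnl
	gen_require(`
		type openvswitch_server_packet_t;
	')

	dontaudit $1 openvswitch_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openvswitch_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive openvswitch_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.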
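##	</summary>
## </param>
#
define(`corenet_sendrecv_openvswitch_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openvswitch_server_packets'($*)) dnl
	corenet_send_openvswitch_server_packets($1)
	corenet_receive_openvswitch_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openvswitch_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive openvswitch_server packets.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_openvswitch_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openvswitch_server_packets'($*)) dnl
	corenet_dontaudit_send_openvswitch_server_packets($1)
	corenet_dontaudit_receive_openvswitch_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openvswitch_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the openvswitch_server packet type.
## </summary>
## <desc>
##	<p>Lets the domain apply this label to packets (typically the
##	domain that loads SECMARK firewall rules). Packet labels gate
##	network access for every domain, so grant this only to trusted
##	packet-labeling domains.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_openvswitch_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openvswitch_server_packets'($*)) dnl
	gen_require(`
		type openvswitch_server_packet_t;
	')

	allow $1 openvswitch_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_openvswitch_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the openqa port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.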
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_openqa_port'($*)) dnl
	gen_require(`
		type openqa_port_t;
	')

	allow $1 openqa_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_openqa_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the openqa port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_openqa_port'($*)) dnl
	gen_require(`
		type openqa_port_t;
	')

	allow $1 openqa_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_openqa_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the openqa port.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_openqa_port'($*)) dnl
	gen_require(`
		type openqa_port_t;
	')

	dontaudit $1 openqa_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_openqa_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the openqa port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_openqa_port'($*)) dnl
	gen_require(`
		type openqa_port_t;
	')

	allow $1 openqa_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_openqa_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the openqa port.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_openqa_port'($*)) dnl
	gen_require(`
		type openqa_port_t;
	')

	dontaudit $1 openqa_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_openqa_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the openqa port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_openqa_port'($*)) dnl
	corenet_udp_send_openqa_port($1)
	corenet_udp_receive_openqa_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_openqa_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the openqa port.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
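##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_openqa_port'($*)) dnl
	corenet_dontaudit_udp_send_openqa_port($1)
	corenet_dontaudit_udp_receive_openqa_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_openqa_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the openqa port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_openqa_port'($*)) dnl
	gen_require(`
		type openqa_port_t;
	')

	allow $1 openqa_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_openqa_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the openqa port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_openqa_port'($*)) dnl
	gen_require(`
		type openqa_port_t;
	')

	allow $1 openqa_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_openqa_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the openqa port.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.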
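##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_openqa_port'($*)) dnl
	gen_require(`
		type openqa_port_t;
	')

	dontaudit $1 openqa_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_openqa_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the openqa port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_openqa_port'($*)) dnl
	gen_require(`
		type openqa_port_t;
	')

	allow $1 openqa_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_openqa_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the openqa port.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_openqa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_openqa_port'($*)) dnl
	gen_require(`
		type openqa_port_t;
	')

	dontaudit $1 openqa_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_openqa_port'($*)) dnl
')

########################################
## <summary>
##	Send openqa_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.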
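##	</summary>
## </param>
#
define(`corenet_send_openqa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_openqa_client_packets'($*)) dnl
	gen_require(`
		type openqa_client_packet_t;
	')

	allow $1 openqa_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_openqa_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send openqa_client packets.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_openqa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openqa_client_packets'($*)) dnl
	gen_require(`
		type openqa_client_packet_t;
	')

	dontaudit $1 openqa_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openqa_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive openqa_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_openqa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_openqa_client_packets'($*)) dnl
	gen_require(`
		type openqa_client_packet_t;
	')

	allow $1 openqa_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_openqa_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive openqa_client packets.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.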
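##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_openqa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openqa_client_packets'($*)) dnl
	gen_require(`
		type openqa_client_packet_t;
	')

	dontaudit $1 openqa_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openqa_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive openqa_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_openqa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openqa_client_packets'($*)) dnl
	corenet_send_openqa_client_packets($1)
	corenet_receive_openqa_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openqa_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive openqa_client packets.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_openqa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openqa_client_packets'($*)) dnl
	corenet_dontaudit_send_openqa_client_packets($1)
	corenet_dontaudit_receive_openqa_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openqa_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the openqa_client packet type.
## </summary>
## <desc>
##	<p>Lets the domain apply this label to packets (typically the
##	domain that loads SECMARK firewall rules). Packet labels gate
##	network access for every domain, so grant this only to trusted
##	packet-labeling domains.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.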
##	</summary>
## </param>
#
define(`corenet_relabelto_openqa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openqa_client_packets'($*)) dnl
	gen_require(`
		type openqa_client_packet_t;
	')

	allow $1 openqa_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_openqa_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send openqa_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_openqa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_openqa_server_packets'($*)) dnl
	gen_require(`
		type openqa_server_packet_t;
	')

	allow $1 openqa_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_openqa_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send openqa_server packets.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_openqa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openqa_server_packets'($*)) dnl
	gen_require(`
		type openqa_server_packet_t;
	')

	dontaudit $1 openqa_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openqa_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive openqa_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
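##	</summary>
## </param>
#
define(`corenet_receive_openqa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_openqa_server_packets'($*)) dnl
	gen_require(`
		type openqa_server_packet_t;
	')

	allow $1 openqa_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_openqa_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive openqa_server packets.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_openqa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openqa_server_packets'($*)) dnl
	gen_require(`
		type openqa_server_packet_t;
	')

	dontaudit $1 openqa_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openqa_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive openqa_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_openqa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openqa_server_packets'($*)) dnl
	corenet_send_openqa_server_packets($1)
	corenet_receive_openqa_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openqa_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive openqa_server packets.
## </summary>
## <desc>
##	<p>Silences the denial record only; no access is granted. The
##	denial is hidden from the audit log (semodule -DB re-enables it).</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.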
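##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_openqa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openqa_server_packets'($*)) dnl
	corenet_dontaudit_send_openqa_server_packets($1)
	corenet_dontaudit_receive_openqa_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openqa_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the openqa_server packet type.
## </summary>
## <desc>
##	<p>Lets the domain apply this label to packets (typically the
##	domain that loads SECMARK firewall rules). Packet labels gate
##	network access for every domain, so grant this only to trusted
##	packet-labeling domains.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_openqa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openqa_server_packets'($*)) dnl
	gen_require(`
		type openqa_server_packet_t;
	')

	allow $1 openqa_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_openqa_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the openqa_websockets port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_openqa_websockets_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_openqa_websockets_port'($*)) dnl
	gen_require(`
		type openqa_websockets_port_t;
	')

	allow $1 openqa_websockets_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_openqa_websockets_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the openqa_websockets port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.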
## ## ## # define(`corenet_udp_send_openqa_websockets_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_openqa_websockets_port'($*)) dnl gen_require(` type openqa_websockets_port_t; ') allow $1 openqa_websockets_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_openqa_websockets_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the openqa_websockets port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_openqa_websockets_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_openqa_websockets_port'($*)) dnl gen_require(` type openqa_websockets_port_t; ') dontaudit $1 openqa_websockets_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_openqa_websockets_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the openqa_websockets port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_openqa_websockets_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_openqa_websockets_port'($*)) dnl gen_require(` type openqa_websockets_port_t; ') allow $1 openqa_websockets_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_openqa_websockets_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the openqa_websockets port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_receive_openqa_websockets_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_openqa_websockets_port'($*)) dnl gen_require(` type openqa_websockets_port_t; ') dontaudit $1 openqa_websockets_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_openqa_websockets_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the openqa_websockets port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_openqa_websockets_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_openqa_websockets_port'($*)) dnl corenet_udp_send_openqa_websockets_port($1) corenet_udp_receive_openqa_websockets_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_openqa_websockets_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the openqa_websockets port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_openqa_websockets_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_openqa_websockets_port'($*)) dnl corenet_dontaudit_udp_send_openqa_websockets_port($1) corenet_dontaudit_udp_receive_openqa_websockets_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_openqa_websockets_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the openqa_websockets port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_bind_openqa_websockets_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_openqa_websockets_port'($*)) dnl gen_require(` type openqa_websockets_port_t; ') allow $1 openqa_websockets_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_openqa_websockets_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the openqa_websockets port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_openqa_websockets_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_openqa_websockets_port'($*)) dnl gen_require(` type openqa_websockets_port_t; ') allow $1 openqa_websockets_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_openqa_websockets_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind UDP sockets to the openqa_websockets port. Only udp_socket name_bind is silenced; TCP bind denials remain audited. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_bind_openqa_websockets_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_openqa_websockets_port'($*)) dnl gen_require(` type openqa_websockets_port_t; ') dontaudit $1 openqa_websockets_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_openqa_websockets_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the openqa_websockets port. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_tcp_connect_openqa_websockets_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_openqa_websockets_port'($*)) dnl gen_require(` type openqa_websockets_port_t; ') allow $1 openqa_websockets_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_openqa_websockets_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the openqa_websockets port. ## ## ## ## Domain to not audit (no access is granted; only the AVC denial record is suppressed). ## ## # define(`corenet_dontaudit_tcp_connect_openqa_websockets_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_openqa_websockets_port'($*)) dnl gen_require(` type openqa_websockets_port_t; ') dontaudit $1 openqa_websockets_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_openqa_websockets_port'($*)) dnl ') ######################################## ## ## Send openqa_websockets_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_openqa_websockets_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_openqa_websockets_client_packets'($*)) dnl gen_require(` type openqa_websockets_client_packet_t; ') allow $1 openqa_websockets_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_openqa_websockets_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send openqa_websockets_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_openqa_websockets_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openqa_websockets_client_packets'($*)) dnl gen_require(` type openqa_websockets_client_packet_t; ') dontaudit $1 openqa_websockets_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openqa_websockets_client_packets'($*)) dnl ') ######################################## ## ## Receive openqa_websockets_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_openqa_websockets_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_openqa_websockets_client_packets'($*)) dnl gen_require(` type openqa_websockets_client_packet_t; ') allow $1 openqa_websockets_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_openqa_websockets_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive openqa_websockets_client packets. ## ## ## ## Domain to not audit (no access is granted; only the AVC denial record is suppressed). ## ## ## # define(`corenet_dontaudit_receive_openqa_websockets_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openqa_websockets_client_packets'($*)) dnl gen_require(` type openqa_websockets_client_packet_t; ') dontaudit $1 openqa_websockets_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openqa_websockets_client_packets'($*)) dnl ') ######################################## ## ## Send and receive openqa_websockets_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_openqa_websockets_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openqa_websockets_client_packets'($*)) dnl corenet_send_openqa_websockets_client_packets($1) corenet_receive_openqa_websockets_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openqa_websockets_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive openqa_websockets_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_openqa_websockets_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openqa_websockets_client_packets'($*)) dnl corenet_dontaudit_send_openqa_websockets_client_packets($1) corenet_dontaudit_receive_openqa_websockets_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openqa_websockets_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the openqa_websockets_client packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_openqa_websockets_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openqa_websockets_client_packets'($*)) dnl gen_require(` type openqa_websockets_client_packet_t; ') allow $1 openqa_websockets_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_openqa_websockets_client_packets'($*)) dnl ') ######################################## ## ## Send openqa_websockets_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_openqa_websockets_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_openqa_websockets_server_packets'($*)) dnl gen_require(` type openqa_websockets_server_packet_t; ') allow $1 openqa_websockets_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_openqa_websockets_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send openqa_websockets_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_openqa_websockets_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_openqa_websockets_server_packets'($*)) dnl gen_require(` type openqa_websockets_server_packet_t; ') dontaudit $1 openqa_websockets_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_openqa_websockets_server_packets'($*)) dnl ') ######################################## ## ## Receive openqa_websockets_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_openqa_websockets_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_openqa_websockets_server_packets'($*)) dnl gen_require(` type openqa_websockets_server_packet_t; ') allow $1 openqa_websockets_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_openqa_websockets_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive openqa_websockets_server packets. ## ## ## ## Domain to not audit (no access is granted; only the AVC denial record is suppressed). 
## ## ## # define(`corenet_dontaudit_receive_openqa_websockets_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_openqa_websockets_server_packets'($*)) dnl gen_require(` type openqa_websockets_server_packet_t; ') dontaudit $1 openqa_websockets_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_openqa_websockets_server_packets'($*)) dnl ') ######################################## ## ## Send and receive openqa_websockets_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_openqa_websockets_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_openqa_websockets_server_packets'($*)) dnl corenet_send_openqa_websockets_server_packets($1) corenet_receive_openqa_websockets_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_openqa_websockets_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive openqa_websockets_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_openqa_websockets_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_openqa_websockets_server_packets'($*)) dnl corenet_dontaudit_send_openqa_websockets_server_packets($1) corenet_dontaudit_receive_openqa_websockets_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_openqa_websockets_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the openqa_websockets_server packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_openqa_websockets_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_openqa_websockets_server_packets'($*)) dnl gen_require(` type openqa_websockets_server_packet_t; ') allow $1 openqa_websockets_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_openqa_websockets_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the osapi_compute port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_osapi_compute_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_osapi_compute_port'($*)) dnl gen_require(` type osapi_compute_port_t; ') allow $1 osapi_compute_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_osapi_compute_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the osapi_compute port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_osapi_compute_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_osapi_compute_port'($*)) dnl gen_require(` type osapi_compute_port_t; ') allow $1 osapi_compute_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_osapi_compute_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the osapi_compute port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_send_osapi_compute_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_osapi_compute_port'($*)) dnl gen_require(` type osapi_compute_port_t; ') dontaudit $1 osapi_compute_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_osapi_compute_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the osapi_compute port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_osapi_compute_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_osapi_compute_port'($*)) dnl gen_require(` type osapi_compute_port_t; ') allow $1 osapi_compute_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_osapi_compute_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the osapi_compute port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_osapi_compute_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_osapi_compute_port'($*)) dnl gen_require(` type osapi_compute_port_t; ') dontaudit $1 osapi_compute_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_osapi_compute_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the osapi_compute port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_sendrecv_osapi_compute_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_osapi_compute_port'($*)) dnl corenet_udp_send_osapi_compute_port($1) corenet_udp_receive_osapi_compute_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_osapi_compute_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the osapi_compute port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_osapi_compute_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_osapi_compute_port'($*)) dnl corenet_dontaudit_udp_send_osapi_compute_port($1) corenet_dontaudit_udp_receive_osapi_compute_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_osapi_compute_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the osapi_compute port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_osapi_compute_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_osapi_compute_port'($*)) dnl gen_require(` type osapi_compute_port_t; ') allow $1 osapi_compute_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_osapi_compute_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the osapi_compute port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_bind_osapi_compute_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_osapi_compute_port'($*)) dnl gen_require(` type osapi_compute_port_t; ') allow $1 osapi_compute_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_osapi_compute_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind UDP sockets to the osapi_compute port. Only udp_socket name_bind is silenced; TCP bind denials remain audited. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_bind_osapi_compute_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_osapi_compute_port'($*)) dnl gen_require(` type osapi_compute_port_t; ') dontaudit $1 osapi_compute_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_osapi_compute_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the osapi_compute port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_osapi_compute_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_osapi_compute_port'($*)) dnl gen_require(` type osapi_compute_port_t; ') allow $1 osapi_compute_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_osapi_compute_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the osapi_compute port. ## ## ## ## Domain to not audit (no access is granted; only the AVC denial record is suppressed). 
## ## # define(`corenet_dontaudit_tcp_connect_osapi_compute_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_osapi_compute_port'($*)) dnl gen_require(` type osapi_compute_port_t; ') dontaudit $1 osapi_compute_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_osapi_compute_port'($*)) dnl ') ######################################## ## ## Send osapi_compute_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_osapi_compute_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_osapi_compute_client_packets'($*)) dnl gen_require(` type osapi_compute_client_packet_t; ') allow $1 osapi_compute_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_osapi_compute_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send osapi_compute_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_osapi_compute_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_osapi_compute_client_packets'($*)) dnl gen_require(` type osapi_compute_client_packet_t; ') dontaudit $1 osapi_compute_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_osapi_compute_client_packets'($*)) dnl ') ######################################## ## ## Receive osapi_compute_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_osapi_compute_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_osapi_compute_client_packets'($*)) dnl gen_require(` type osapi_compute_client_packet_t; ') allow $1 osapi_compute_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_osapi_compute_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive osapi_compute_client packets. ## ## ## ## Domain to not audit (no access is granted; only the AVC denial record is suppressed). ## ## ## # define(`corenet_dontaudit_receive_osapi_compute_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_osapi_compute_client_packets'($*)) dnl gen_require(` type osapi_compute_client_packet_t; ') dontaudit $1 osapi_compute_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_osapi_compute_client_packets'($*)) dnl ') ######################################## ## ## Send and receive osapi_compute_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_osapi_compute_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_osapi_compute_client_packets'($*)) dnl corenet_send_osapi_compute_client_packets($1) corenet_receive_osapi_compute_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_osapi_compute_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive osapi_compute_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_osapi_compute_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_osapi_compute_client_packets'($*)) dnl corenet_dontaudit_send_osapi_compute_client_packets($1) corenet_dontaudit_receive_osapi_compute_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_osapi_compute_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the osapi_compute_client packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_osapi_compute_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_osapi_compute_client_packets'($*)) dnl gen_require(` type osapi_compute_client_packet_t; ') allow $1 osapi_compute_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_osapi_compute_client_packets'($*)) dnl ') ######################################## ## ## Send osapi_compute_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_osapi_compute_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_osapi_compute_server_packets'($*)) dnl gen_require(` type osapi_compute_server_packet_t; ') allow $1 osapi_compute_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_osapi_compute_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send osapi_compute_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_osapi_compute_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_osapi_compute_server_packets'($*)) dnl gen_require(` type osapi_compute_server_packet_t; ') dontaudit $1 osapi_compute_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_osapi_compute_server_packets'($*)) dnl ') ######################################## ## ## Receive osapi_compute_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_osapi_compute_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_osapi_compute_server_packets'($*)) dnl gen_require(` type osapi_compute_server_packet_t; ') allow $1 osapi_compute_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_osapi_compute_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive osapi_compute_server packets. ## ## ## ## Domain to not audit (no access is granted; only the AVC denial record is suppressed). ## ## ## # define(`corenet_dontaudit_receive_osapi_compute_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_osapi_compute_server_packets'($*)) dnl gen_require(` type osapi_compute_server_packet_t; ') dontaudit $1 osapi_compute_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_osapi_compute_server_packets'($*)) dnl ') ######################################## ## ## Send and receive osapi_compute_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_osapi_compute_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_osapi_compute_server_packets'($*)) dnl corenet_send_osapi_compute_server_packets($1) corenet_receive_osapi_compute_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_osapi_compute_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive osapi_compute_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_osapi_compute_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_osapi_compute_server_packets'($*)) dnl corenet_dontaudit_send_osapi_compute_server_packets($1) corenet_dontaudit_receive_osapi_compute_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_osapi_compute_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the osapi_compute_server packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_osapi_compute_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_osapi_compute_server_packets'($*)) dnl gen_require(` type osapi_compute_server_packet_t; ') allow $1 osapi_compute_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_osapi_compute_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the ovsdb port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_sendrecv_ovsdb_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ovsdb_port'($*)) dnl gen_require(` type ovsdb_port_t; ') allow $1 ovsdb_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ovsdb_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the ovsdb port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_ovsdb_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ovsdb_port'($*)) dnl gen_require(` type ovsdb_port_t; ') allow $1 ovsdb_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_ovsdb_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the ovsdb port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_ovsdb_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ovsdb_port'($*)) dnl gen_require(` type ovsdb_port_t; ') dontaudit $1 ovsdb_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ovsdb_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the ovsdb port. ## ## ## ## Domain allowed access. 
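##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_ovsdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ovsdb_port'($*)) dnl
	gen_require(`
		type ovsdb_port_t;
	')

	allow $1 ovsdb_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ovsdb_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the ovsdb port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_ovsdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ovsdb_port'($*)) dnl
	gen_require(`
		type ovsdb_port_t;
	')

	dontaudit $1 ovsdb_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ovsdb_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the ovsdb port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_udp_sendrecv_ovsdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ovsdb_port'($*)) dnl
	corenet_udp_send_ovsdb_port($1)
	corenet_udp_receive_ovsdb_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ovsdb_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the ovsdb port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.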
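##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_ovsdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ovsdb_port'($*)) dnl
	corenet_dontaudit_udp_send_ovsdb_port($1)
	corenet_dontaudit_udp_receive_ovsdb_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ovsdb_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the ovsdb port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_ovsdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ovsdb_port'($*)) dnl
	gen_require(`
		type ovsdb_port_t;
	')

	allow $1 ovsdb_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ovsdb_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the ovsdb port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_ovsdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ovsdb_port'($*)) dnl
	gen_require(`
		type ovsdb_port_t;
	')

	allow $1 ovsdb_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ovsdb_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the ovsdb port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.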
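##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_ovsdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ovsdb_port'($*)) dnl
	gen_require(`
		type ovsdb_port_t;
	')

	dontaudit $1 ovsdb_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ovsdb_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the ovsdb port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_ovsdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ovsdb_port'($*)) dnl
	gen_require(`
		type ovsdb_port_t;
	')

	allow $1 ovsdb_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ovsdb_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the ovsdb port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_ovsdb_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ovsdb_port'($*)) dnl
	gen_require(`
		type ovsdb_port_t;
	')

	dontaudit $1 ovsdb_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ovsdb_port'($*)) dnl
')

########################################
## <summary>
##	Send ovsdb_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.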
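##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_ovsdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ovsdb_client_packets'($*)) dnl
	gen_require(`
		type ovsdb_client_packet_t;
	')

	allow $1 ovsdb_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ovsdb_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send ovsdb_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_ovsdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ovsdb_client_packets'($*)) dnl
	gen_require(`
		type ovsdb_client_packet_t;
	')

	dontaudit $1 ovsdb_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ovsdb_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive ovsdb_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_ovsdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ovsdb_client_packets'($*)) dnl
	gen_require(`
		type ovsdb_client_packet_t;
	')

	allow $1 ovsdb_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ovsdb_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive ovsdb_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.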
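##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_ovsdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ovsdb_client_packets'($*)) dnl
	gen_require(`
		type ovsdb_client_packet_t;
	')

	dontaudit $1 ovsdb_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ovsdb_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive ovsdb_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_ovsdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ovsdb_client_packets'($*)) dnl
	corenet_send_ovsdb_client_packets($1)
	corenet_receive_ovsdb_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ovsdb_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive ovsdb_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_ovsdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ovsdb_client_packets'($*)) dnl
	corenet_dontaudit_send_ovsdb_client_packets($1)
	corenet_dontaudit_receive_ovsdb_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ovsdb_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the ovsdb_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.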
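##	</summary>
## </param>
#
define(`corenet_relabelto_ovsdb_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ovsdb_client_packets'($*)) dnl
	gen_require(`
		type ovsdb_client_packet_t;
	')

	allow $1 ovsdb_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ovsdb_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send ovsdb_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_ovsdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ovsdb_server_packets'($*)) dnl
	gen_require(`
		type ovsdb_server_packet_t;
	')

	allow $1 ovsdb_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ovsdb_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send ovsdb_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_ovsdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ovsdb_server_packets'($*)) dnl
	gen_require(`
		type ovsdb_server_packet_t;
	')

	dontaudit $1 ovsdb_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ovsdb_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive ovsdb_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.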
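##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_ovsdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ovsdb_server_packets'($*)) dnl
	gen_require(`
		type ovsdb_server_packet_t;
	')

	allow $1 ovsdb_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ovsdb_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive ovsdb_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_ovsdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ovsdb_server_packets'($*)) dnl
	gen_require(`
		type ovsdb_server_packet_t;
	')

	dontaudit $1 ovsdb_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ovsdb_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive ovsdb_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_ovsdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ovsdb_server_packets'($*)) dnl
	corenet_send_ovsdb_server_packets($1)
	corenet_receive_ovsdb_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ovsdb_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive ovsdb_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.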
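##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_ovsdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ovsdb_server_packets'($*)) dnl
	corenet_dontaudit_send_ovsdb_server_packets($1)
	corenet_dontaudit_receive_ovsdb_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ovsdb_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the ovsdb_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_ovsdb_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ovsdb_server_packets'($*)) dnl
	gen_require(`
		type ovsdb_server_packet_t;
	')

	allow $1 ovsdb_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ovsdb_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the pdps port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_tcp_sendrecv_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pdps_port'($*)) dnl
	gen_require(`
		type pdps_port_t;
	')

	allow $1 pdps_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pdps_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the pdps port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.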
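##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pdps_port'($*)) dnl
	gen_require(`
		type pdps_port_t;
	')

	allow $1 pdps_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pdps_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the pdps port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pdps_port'($*)) dnl
	gen_require(`
		type pdps_port_t;
	')

	dontaudit $1 pdps_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pdps_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the pdps port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pdps_port'($*)) dnl
	gen_require(`
		type pdps_port_t;
	')

	allow $1 pdps_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pdps_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the pdps port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.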
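##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pdps_port'($*)) dnl
	gen_require(`
		type pdps_port_t;
	')

	dontaudit $1 pdps_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pdps_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the pdps port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_udp_sendrecv_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pdps_port'($*)) dnl
	corenet_udp_send_pdps_port($1)
	corenet_udp_receive_pdps_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pdps_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the pdps port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pdps_port'($*)) dnl
	corenet_dontaudit_udp_send_pdps_port($1)
	corenet_dontaudit_udp_receive_pdps_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pdps_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the pdps port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.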
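##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pdps_port'($*)) dnl
	gen_require(`
		type pdps_port_t;
	')

	allow $1 pdps_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pdps_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the pdps port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pdps_port'($*)) dnl
	gen_require(`
		type pdps_port_t;
	')

	allow $1 pdps_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pdps_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the pdps port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pdps_port'($*)) dnl
	gen_require(`
		type pdps_port_t;
	')

	dontaudit $1 pdps_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pdps_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the pdps port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.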
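##	</summary>
## </param>
#
define(`corenet_tcp_connect_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pdps_port'($*)) dnl
	gen_require(`
		type pdps_port_t;
	')

	allow $1 pdps_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pdps_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the pdps port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_pdps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pdps_port'($*)) dnl
	gen_require(`
		type pdps_port_t;
	')

	dontaudit $1 pdps_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pdps_port'($*)) dnl
')

########################################
## <summary>
##	Send pdps_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_pdps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pdps_client_packets'($*)) dnl
	gen_require(`
		type pdps_client_packet_t;
	')

	allow $1 pdps_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pdps_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pdps_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.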
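##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_pdps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pdps_client_packets'($*)) dnl
	gen_require(`
		type pdps_client_packet_t;
	')

	dontaudit $1 pdps_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pdps_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pdps_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_pdps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pdps_client_packets'($*)) dnl
	gen_require(`
		type pdps_client_packet_t;
	')

	allow $1 pdps_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pdps_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pdps_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_pdps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pdps_client_packets'($*)) dnl
	gen_require(`
		type pdps_client_packet_t;
	')

	dontaudit $1 pdps_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pdps_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pdps_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.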
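##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_pdps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pdps_client_packets'($*)) dnl
	corenet_send_pdps_client_packets($1)
	corenet_receive_pdps_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pdps_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pdps_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_pdps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pdps_client_packets'($*)) dnl
	corenet_dontaudit_send_pdps_client_packets($1)
	corenet_dontaudit_receive_pdps_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pdps_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pdps_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pdps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pdps_client_packets'($*)) dnl
	gen_require(`
		type pdps_client_packet_t;
	')

	allow $1 pdps_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pdps_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send pdps_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.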
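##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_pdps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pdps_server_packets'($*)) dnl
	gen_require(`
		type pdps_server_packet_t;
	')

	allow $1 pdps_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pdps_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pdps_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_pdps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pdps_server_packets'($*)) dnl
	gen_require(`
		type pdps_server_packet_t;
	')

	dontaudit $1 pdps_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pdps_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pdps_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_pdps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pdps_server_packets'($*)) dnl
	gen_require(`
		type pdps_server_packet_t;
	')

	allow $1 pdps_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pdps_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pdps_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.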
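##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_pdps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pdps_server_packets'($*)) dnl
	gen_require(`
		type pdps_server_packet_t;
	')

	dontaudit $1 pdps_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pdps_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pdps_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_pdps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pdps_server_packets'($*)) dnl
	corenet_send_pdps_server_packets($1)
	corenet_receive_pdps_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pdps_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pdps_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_pdps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pdps_server_packets'($*)) dnl
	corenet_dontaudit_send_pdps_server_packets($1)
	corenet_dontaudit_receive_pdps_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pdps_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pdps_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.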
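##	</summary>
## </param>
#
define(`corenet_relabelto_pdps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pdps_server_packets'($*)) dnl
	gen_require(`
		type pdps_server_packet_t;
	')

	allow $1 pdps_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pdps_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the pegasus_http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_tcp_sendrecv_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pegasus_http_port'($*)) dnl
	gen_require(`
		type pegasus_http_port_t;
	')

	allow $1 pegasus_http_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pegasus_http_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the pegasus_http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pegasus_http_port'($*)) dnl
	gen_require(`
		type pegasus_http_port_t;
	')

	allow $1 pegasus_http_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pegasus_http_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the pegasus_http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.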
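##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pegasus_http_port'($*)) dnl
	gen_require(`
		type pegasus_http_port_t;
	')

	dontaudit $1 pegasus_http_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pegasus_http_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the pegasus_http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pegasus_http_port'($*)) dnl
	gen_require(`
		type pegasus_http_port_t;
	')

	allow $1 pegasus_http_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pegasus_http_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the pegasus_http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pegasus_http_port'($*)) dnl
	gen_require(`
		type pegasus_http_port_t;
	')

	dontaudit $1 pegasus_http_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pegasus_http_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the pegasus_http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.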
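##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_udp_sendrecv_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pegasus_http_port'($*)) dnl
	corenet_udp_send_pegasus_http_port($1)
	corenet_udp_receive_pegasus_http_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pegasus_http_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the pegasus_http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pegasus_http_port'($*)) dnl
	corenet_dontaudit_udp_send_pegasus_http_port($1)
	corenet_dontaudit_udp_receive_pegasus_http_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pegasus_http_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the pegasus_http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pegasus_http_port'($*)) dnl
	gen_require(`
		type pegasus_http_port_t;
	')

	allow $1 pegasus_http_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pegasus_http_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the pegasus_http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.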
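##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pegasus_http_port'($*)) dnl
	gen_require(`
		type pegasus_http_port_t;
	')

	allow $1 pegasus_http_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pegasus_http_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the pegasus_http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pegasus_http_port'($*)) dnl
	gen_require(`
		type pegasus_http_port_t;
	')

	dontaudit $1 pegasus_http_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pegasus_http_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the pegasus_http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pegasus_http_port'($*)) dnl
	gen_require(`
		type pegasus_http_port_t;
	')

	allow $1 pegasus_http_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pegasus_http_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the pegasus_http port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.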
##	</summary>
## </param>
#
dnl The interfaces below share one skeleton: pushdef/popdef of policy_call_depth
dnl and a begin/end policy_m4_comment marker bracket the body, so only the
dnl allow/dontaudit rule in between is policy.
define(`corenet_dontaudit_tcp_connect_pegasus_http_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pegasus_http_port'($*)) dnl
	gen_require(`
		type pegasus_http_port_t;
	')

	dontaudit $1 pegasus_http_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pegasus_http_port'($*)) dnl
')

########################################
## <summary>
##	Send pegasus_http_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_pegasus_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pegasus_http_client_packets'($*)) dnl
	gen_require(`
		type pegasus_http_client_packet_t;
	')

	allow $1 pegasus_http_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pegasus_http_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pegasus_http_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pegasus_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pegasus_http_client_packets'($*)) dnl
	gen_require(`
		type pegasus_http_client_packet_t;
	')

	dontaudit $1 pegasus_http_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pegasus_http_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pegasus_http_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
dnl The interfaces below share one skeleton: pushdef/popdef of policy_call_depth
dnl and a begin/end policy_m4_comment marker bracket the body, so only the
dnl allow/dontaudit rule (or the pair of delegated calls) in between is policy.
define(`corenet_receive_pegasus_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pegasus_http_client_packets'($*)) dnl
	gen_require(`
		type pegasus_http_client_packet_t;
	')

	allow $1 pegasus_http_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pegasus_http_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pegasus_http_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pegasus_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pegasus_http_client_packets'($*)) dnl
	gen_require(`
		type pegasus_http_client_packet_t;
	')

	dontaudit $1 pegasus_http_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pegasus_http_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pegasus_http_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_pegasus_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pegasus_http_client_packets'($*)) dnl
	corenet_send_pegasus_http_client_packets($1)
	corenet_receive_pegasus_http_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pegasus_http_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pegasus_http_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
dnl The interfaces below share one skeleton: pushdef/popdef of policy_call_depth
dnl and a begin/end policy_m4_comment marker bracket the body, so only the
dnl allow/dontaudit rule (or the pair of delegated calls) in between is policy.
define(`corenet_dontaudit_sendrecv_pegasus_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pegasus_http_client_packets'($*)) dnl
	corenet_dontaudit_send_pegasus_http_client_packets($1)
	corenet_dontaudit_receive_pegasus_http_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pegasus_http_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pegasus_http_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pegasus_http_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pegasus_http_client_packets'($*)) dnl
	gen_require(`
		type pegasus_http_client_packet_t;
	')

	allow $1 pegasus_http_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pegasus_http_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send pegasus_http_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_pegasus_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pegasus_http_server_packets'($*)) dnl
	gen_require(`
		type pegasus_http_server_packet_t;
	')

	allow $1 pegasus_http_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pegasus_http_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pegasus_http_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
dnl The interfaces below share one skeleton: pushdef/popdef of policy_call_depth
dnl and a begin/end policy_m4_comment marker bracket the body, so only the
dnl allow/dontaudit rule in between is policy.
define(`corenet_dontaudit_send_pegasus_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pegasus_http_server_packets'($*)) dnl
	gen_require(`
		type pegasus_http_server_packet_t;
	')

	dontaudit $1 pegasus_http_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pegasus_http_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pegasus_http_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_pegasus_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pegasus_http_server_packets'($*)) dnl
	gen_require(`
		type pegasus_http_server_packet_t;
	')

	allow $1 pegasus_http_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pegasus_http_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pegasus_http_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pegasus_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pegasus_http_server_packets'($*)) dnl
	gen_require(`
		type pegasus_http_server_packet_t;
	')

	dontaudit $1 pegasus_http_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pegasus_http_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pegasus_http_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
dnl The interfaces below share one skeleton: pushdef/popdef of policy_call_depth
dnl and a begin/end policy_m4_comment marker bracket the body, so only the
dnl allow/dontaudit rule (or the pair of delegated calls) in between is policy.
define(`corenet_sendrecv_pegasus_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pegasus_http_server_packets'($*)) dnl
	corenet_send_pegasus_http_server_packets($1)
	corenet_receive_pegasus_http_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pegasus_http_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pegasus_http_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_pegasus_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pegasus_http_server_packets'($*)) dnl
	corenet_dontaudit_send_pegasus_http_server_packets($1)
	corenet_dontaudit_receive_pegasus_http_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pegasus_http_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pegasus_http_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pegasus_http_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pegasus_http_server_packets'($*)) dnl
	gen_require(`
		type pegasus_http_server_packet_t;
	')

	allow $1 pegasus_http_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pegasus_http_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the pegasus_https port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
dnl The interfaces below share one skeleton: pushdef/popdef of policy_call_depth
dnl and a begin/end policy_m4_comment marker bracket the body, so only the
dnl allow/dontaudit rule in between is policy.
define(`corenet_tcp_sendrecv_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pegasus_https_port'($*)) dnl
	gen_require(`
		type pegasus_https_port_t;
	')

	allow $1 pegasus_https_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pegasus_https_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the pegasus_https port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pegasus_https_port'($*)) dnl
	gen_require(`
		type pegasus_https_port_t;
	')

	allow $1 pegasus_https_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pegasus_https_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the pegasus_https port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pegasus_https_port'($*)) dnl
	gen_require(`
		type pegasus_https_port_t;
	')

	dontaudit $1 pegasus_https_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pegasus_https_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the pegasus_https port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
dnl The interfaces below share one skeleton: pushdef/popdef of policy_call_depth
dnl and a begin/end policy_m4_comment marker bracket the body, so only the
dnl allow/dontaudit rule (or the pair of delegated calls) in between is policy.
define(`corenet_udp_receive_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pegasus_https_port'($*)) dnl
	gen_require(`
		type pegasus_https_port_t;
	')

	allow $1 pegasus_https_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pegasus_https_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the pegasus_https port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pegasus_https_port'($*)) dnl
	gen_require(`
		type pegasus_https_port_t;
	')

	dontaudit $1 pegasus_https_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pegasus_https_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the pegasus_https port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pegasus_https_port'($*)) dnl
	corenet_udp_send_pegasus_https_port($1)
	corenet_udp_receive_pegasus_https_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pegasus_https_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive UDP traffic on the pegasus_https port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
dnl The interfaces below share one skeleton: pushdef/popdef of policy_call_depth
dnl and a begin/end policy_m4_comment marker bracket the body, so only the
dnl allow/dontaudit rule (or the pair of delegated calls) in between is policy.
define(`corenet_dontaudit_udp_sendrecv_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pegasus_https_port'($*)) dnl
	corenet_dontaudit_udp_send_pegasus_https_port($1)
	corenet_dontaudit_udp_receive_pegasus_https_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pegasus_https_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the pegasus_https port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pegasus_https_port'($*)) dnl
	gen_require(`
		type pegasus_https_port_t;
	')

	allow $1 pegasus_https_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pegasus_https_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the pegasus_https port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pegasus_https_port'($*)) dnl
	gen_require(`
		type pegasus_https_port_t;
	')

	allow $1 pegasus_https_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pegasus_https_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the pegasus_https port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
dnl The interfaces below share one skeleton: pushdef/popdef of policy_call_depth
dnl and a begin/end policy_m4_comment marker bracket the body, so only the
dnl allow/dontaudit rule in between is policy.
define(`corenet_dontaudit_udp_bind_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pegasus_https_port'($*)) dnl
	gen_require(`
		type pegasus_https_port_t;
	')

	dontaudit $1 pegasus_https_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pegasus_https_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the pegasus_https port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pegasus_https_port'($*)) dnl
	gen_require(`
		type pegasus_https_port_t;
	')

	allow $1 pegasus_https_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pegasus_https_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the pegasus_https port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_pegasus_https_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pegasus_https_port'($*)) dnl
	gen_require(`
		type pegasus_https_port_t;
	')

	dontaudit $1 pegasus_https_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pegasus_https_port'($*)) dnl
')

########################################
## <summary>
##	Send pegasus_https_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
dnl The interfaces below share one skeleton: pushdef/popdef of policy_call_depth
dnl and a begin/end policy_m4_comment marker bracket the body, so only the
dnl allow/dontaudit rule in between is policy.
define(`corenet_send_pegasus_https_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pegasus_https_client_packets'($*)) dnl
	gen_require(`
		type pegasus_https_client_packet_t;
	')

	allow $1 pegasus_https_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pegasus_https_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pegasus_https_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pegasus_https_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pegasus_https_client_packets'($*)) dnl
	gen_require(`
		type pegasus_https_client_packet_t;
	')

	dontaudit $1 pegasus_https_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pegasus_https_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pegasus_https_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_pegasus_https_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pegasus_https_client_packets'($*)) dnl
	gen_require(`
		type pegasus_https_client_packet_t;
	')

	allow $1 pegasus_https_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pegasus_https_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pegasus_https_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
dnl The interfaces below share one skeleton: pushdef/popdef of policy_call_depth
dnl and a begin/end policy_m4_comment marker bracket the body, so only the
dnl allow/dontaudit rule (or the pair of delegated calls) in between is policy.
define(`corenet_dontaudit_receive_pegasus_https_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pegasus_https_client_packets'($*)) dnl
	gen_require(`
		type pegasus_https_client_packet_t;
	')

	dontaudit $1 pegasus_https_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pegasus_https_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pegasus_https_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_pegasus_https_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pegasus_https_client_packets'($*)) dnl
	corenet_send_pegasus_https_client_packets($1)
	corenet_receive_pegasus_https_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pegasus_https_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pegasus_https_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_pegasus_https_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pegasus_https_client_packets'($*)) dnl
	corenet_dontaudit_send_pegasus_https_client_packets($1)
	corenet_dontaudit_receive_pegasus_https_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pegasus_https_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pegasus_https_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
dnl The interfaces below share one skeleton: pushdef/popdef of policy_call_depth
dnl and a begin/end policy_m4_comment marker bracket the body, so only the
dnl allow/dontaudit rule in between is policy.
define(`corenet_relabelto_pegasus_https_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pegasus_https_client_packets'($*)) dnl
	gen_require(`
		type pegasus_https_client_packet_t;
	')

	allow $1 pegasus_https_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pegasus_https_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send pegasus_https_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_pegasus_https_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pegasus_https_server_packets'($*)) dnl
	gen_require(`
		type pegasus_https_server_packet_t;
	')

	allow $1 pegasus_https_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pegasus_https_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pegasus_https_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pegasus_https_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pegasus_https_server_packets'($*)) dnl
	gen_require(`
		type pegasus_https_server_packet_t;
	')

	dontaudit $1 pegasus_https_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pegasus_https_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pegasus_https_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
dnl The interfaces below share one skeleton: pushdef/popdef of policy_call_depth
dnl and a begin/end policy_m4_comment marker bracket the body, so only the
dnl allow/dontaudit rule (or the pair of delegated calls) in between is policy.
define(`corenet_receive_pegasus_https_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pegasus_https_server_packets'($*)) dnl
	gen_require(`
		type pegasus_https_server_packet_t;
	')

	allow $1 pegasus_https_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pegasus_https_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pegasus_https_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pegasus_https_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pegasus_https_server_packets'($*)) dnl
	gen_require(`
		type pegasus_https_server_packet_t;
	')

	dontaudit $1 pegasus_https_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pegasus_https_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pegasus_https_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_pegasus_https_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pegasus_https_server_packets'($*)) dnl
	corenet_send_pegasus_https_server_packets($1)
	corenet_receive_pegasus_https_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pegasus_https_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pegasus_https_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
dnl The interfaces below share one skeleton: pushdef/popdef of policy_call_depth
dnl and a begin/end policy_m4_comment marker bracket the body, so only the
dnl allow/dontaudit rule (or the pair of delegated calls) in between is policy.
define(`corenet_dontaudit_sendrecv_pegasus_https_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pegasus_https_server_packets'($*)) dnl
	corenet_dontaudit_send_pegasus_https_server_packets($1)
	corenet_dontaudit_receive_pegasus_https_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pegasus_https_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pegasus_https_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pegasus_https_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pegasus_https_server_packets'($*)) dnl
	gen_require(`
		type pegasus_https_server_packet_t;
	')

	allow $1 pegasus_https_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pegasus_https_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the pgpkeyserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pgpkeyserver_port'($*)) dnl
	gen_require(`
		type pgpkeyserver_port_t;
	')

	allow $1 pgpkeyserver_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pgpkeyserver_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the pgpkeyserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
dnl The interfaces below share one skeleton: pushdef/popdef of policy_call_depth
dnl and a begin/end policy_m4_comment marker bracket the body, so only the
dnl allow/dontaudit rule in between is policy.
define(`corenet_udp_send_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pgpkeyserver_port'($*)) dnl
	gen_require(`
		type pgpkeyserver_port_t;
	')

	allow $1 pgpkeyserver_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pgpkeyserver_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the pgpkeyserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pgpkeyserver_port'($*)) dnl
	gen_require(`
		type pgpkeyserver_port_t;
	')

	dontaudit $1 pgpkeyserver_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pgpkeyserver_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the pgpkeyserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pgpkeyserver_port'($*)) dnl
	gen_require(`
		type pgpkeyserver_port_t;
	')

	allow $1 pgpkeyserver_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pgpkeyserver_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the pgpkeyserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
dnl The interfaces below share one skeleton: pushdef/popdef of policy_call_depth
dnl and a begin/end policy_m4_comment marker bracket the body, so only the
dnl allow/dontaudit rule (or the pair of delegated calls) in between is policy.
define(`corenet_dontaudit_udp_receive_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pgpkeyserver_port'($*)) dnl
	gen_require(`
		type pgpkeyserver_port_t;
	')

	dontaudit $1 pgpkeyserver_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pgpkeyserver_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the pgpkeyserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pgpkeyserver_port'($*)) dnl
	corenet_udp_send_pgpkeyserver_port($1)
	corenet_udp_receive_pgpkeyserver_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pgpkeyserver_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive UDP traffic on the pgpkeyserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pgpkeyserver_port'($*)) dnl
	corenet_dontaudit_udp_send_pgpkeyserver_port($1)
	corenet_dontaudit_udp_receive_pgpkeyserver_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pgpkeyserver_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the pgpkeyserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
dnl The interfaces below share one skeleton: pushdef/popdef of policy_call_depth
dnl and a begin/end policy_m4_comment marker bracket the body, so only the
dnl allow/dontaudit rule in between is policy.
define(`corenet_tcp_bind_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pgpkeyserver_port'($*)) dnl
	gen_require(`
		type pgpkeyserver_port_t;
	')

	allow $1 pgpkeyserver_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pgpkeyserver_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the pgpkeyserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pgpkeyserver_port'($*)) dnl
	gen_require(`
		type pgpkeyserver_port_t;
	')

	allow $1 pgpkeyserver_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pgpkeyserver_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the pgpkeyserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pgpkeyserver_port'($*)) dnl
	gen_require(`
		type pgpkeyserver_port_t;
	')

	dontaudit $1 pgpkeyserver_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pgpkeyserver_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the pgpkeyserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
dnl The interfaces below share one skeleton: pushdef/popdef of policy_call_depth
dnl and a begin/end policy_m4_comment marker bracket the body, so only the
dnl allow/dontaudit rule in between is policy.
define(`corenet_tcp_connect_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pgpkeyserver_port'($*)) dnl
	gen_require(`
		type pgpkeyserver_port_t;
	')

	allow $1 pgpkeyserver_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pgpkeyserver_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the pgpkeyserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_pgpkeyserver_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pgpkeyserver_port'($*)) dnl
	gen_require(`
		type pgpkeyserver_port_t;
	')

	dontaudit $1 pgpkeyserver_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pgpkeyserver_port'($*)) dnl
')

########################################
## <summary>
##	Send pgpkeyserver_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_pgpkeyserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pgpkeyserver_client_packets'($*)) dnl
	gen_require(`
		type pgpkeyserver_client_packet_t;
	')

	allow $1 pgpkeyserver_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pgpkeyserver_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pgpkeyserver_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pgpkeyserver_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pgpkeyserver_client_packets'($*))dnl
	gen_require(`
		type pgpkeyserver_client_packet_t;
	')

	dontaudit $1 pgpkeyserver_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pgpkeyserver_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive pgpkeyserver_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_pgpkeyserver_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pgpkeyserver_client_packets'($*))dnl
	gen_require(`
		type pgpkeyserver_client_packet_t;
	')

	allow $1 pgpkeyserver_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pgpkeyserver_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pgpkeyserver_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pgpkeyserver_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pgpkeyserver_client_packets'($*))dnl
	gen_require(`
		type pgpkeyserver_client_packet_t;
	')

	dontaudit $1 pgpkeyserver_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pgpkeyserver_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive pgpkeyserver_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_pgpkeyserver_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pgpkeyserver_client_packets'($*))dnl
	corenet_send_pgpkeyserver_client_packets($1)
	corenet_receive_pgpkeyserver_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pgpkeyserver_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pgpkeyserver_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_pgpkeyserver_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pgpkeyserver_client_packets'($*))dnl
	corenet_dontaudit_send_pgpkeyserver_client_packets($1)
	corenet_dontaudit_receive_pgpkeyserver_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pgpkeyserver_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the pgpkeyserver_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pgpkeyserver_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pgpkeyserver_client_packets'($*))dnl
	gen_require(`
		type pgpkeyserver_client_packet_t;
	')

	allow $1 pgpkeyserver_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pgpkeyserver_client_packets'($*))dnl
')

########################################
## <summary>
##	Send pgpkeyserver_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_pgpkeyserver_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pgpkeyserver_server_packets'($*))dnl
	gen_require(`
		type pgpkeyserver_server_packet_t;
	')

	allow $1 pgpkeyserver_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pgpkeyserver_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send pgpkeyserver_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pgpkeyserver_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pgpkeyserver_server_packets'($*))dnl
	gen_require(`
		type pgpkeyserver_server_packet_t;
	')

	dontaudit $1 pgpkeyserver_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pgpkeyserver_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive pgpkeyserver_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_pgpkeyserver_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pgpkeyserver_server_packets'($*))dnl
	gen_require(`
		type pgpkeyserver_server_packet_t;
	')

	allow $1 pgpkeyserver_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pgpkeyserver_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pgpkeyserver_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pgpkeyserver_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pgpkeyserver_server_packets'($*))dnl
	gen_require(`
		type pgpkeyserver_server_packet_t;
	')

	dontaudit $1 pgpkeyserver_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pgpkeyserver_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive pgpkeyserver_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_pgpkeyserver_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pgpkeyserver_server_packets'($*))dnl
	corenet_send_pgpkeyserver_server_packets($1)
	corenet_receive_pgpkeyserver_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pgpkeyserver_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pgpkeyserver_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_pgpkeyserver_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pgpkeyserver_server_packets'($*))dnl
	corenet_dontaudit_send_pgpkeyserver_server_packets($1)
	corenet_dontaudit_receive_pgpkeyserver_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pgpkeyserver_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the pgpkeyserver_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pgpkeyserver_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pgpkeyserver_server_packets'($*))dnl
	gen_require(`
		type pgpkeyserver_server_packet_t;
	')

	allow $1 pgpkeyserver_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pgpkeyserver_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the pingd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_pingd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pingd_port'($*))dnl
	gen_require(`
		type pingd_port_t;
	')

	allow $1 pingd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pingd_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the pingd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_pingd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pingd_port'($*))dnl
	gen_require(`
		type pingd_port_t;
	')

	allow $1 pingd_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pingd_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the pingd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_pingd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pingd_port'($*))dnl
	gen_require(`
		type pingd_port_t;
	')

	dontaudit $1 pingd_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pingd_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the pingd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_pingd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pingd_port'($*))dnl
	gen_require(`
		type pingd_port_t;
	')

	allow $1 pingd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pingd_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the pingd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_pingd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pingd_port'($*))dnl
	gen_require(`
		type pingd_port_t;
	')

	dontaudit $1 pingd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pingd_port'($*))dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the pingd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_pingd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pingd_port'($*))dnl
	corenet_udp_send_pingd_port($1)
	corenet_udp_receive_pingd_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pingd_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the pingd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_pingd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pingd_port'($*))dnl
	corenet_dontaudit_udp_send_pingd_port($1)
	corenet_dontaudit_udp_receive_pingd_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pingd_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the pingd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_pingd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pingd_port'($*))dnl
	gen_require(`
		type pingd_port_t;
	')

	allow $1 pingd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pingd_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the pingd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_pingd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pingd_port'($*))dnl
	gen_require(`
		type pingd_port_t;
	')

	allow $1 pingd_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pingd_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the pingd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_pingd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pingd_port'($*))dnl
	gen_require(`
		type pingd_port_t;
	')

	dontaudit $1 pingd_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pingd_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the pingd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_pingd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pingd_port'($*))dnl
	gen_require(`
		type pingd_port_t;
	')

	allow $1 pingd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pingd_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the pingd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_pingd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pingd_port'($*))dnl
	gen_require(`
		type pingd_port_t;
	')

	dontaudit $1 pingd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pingd_port'($*))dnl
')

########################################
## <summary>
##	Send pingd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_pingd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pingd_client_packets'($*))dnl
	gen_require(`
		type pingd_client_packet_t;
	')

	allow $1 pingd_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pingd_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send pingd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pingd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pingd_client_packets'($*))dnl
	gen_require(`
		type pingd_client_packet_t;
	')

	dontaudit $1 pingd_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pingd_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive pingd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_pingd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pingd_client_packets'($*))dnl
	gen_require(`
		type pingd_client_packet_t;
	')

	allow $1 pingd_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pingd_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pingd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pingd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pingd_client_packets'($*))dnl
	gen_require(`
		type pingd_client_packet_t;
	')

	dontaudit $1 pingd_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pingd_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive pingd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_pingd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pingd_client_packets'($*))dnl
	corenet_send_pingd_client_packets($1)
	corenet_receive_pingd_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pingd_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pingd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_pingd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pingd_client_packets'($*))dnl
	corenet_dontaudit_send_pingd_client_packets($1)
	corenet_dontaudit_receive_pingd_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pingd_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the pingd_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pingd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pingd_client_packets'($*))dnl
	gen_require(`
		type pingd_client_packet_t;
	')

	allow $1 pingd_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pingd_client_packets'($*))dnl
')

########################################
## <summary>
##	Send pingd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_pingd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pingd_server_packets'($*))dnl
	gen_require(`
		type pingd_server_packet_t;
	')

	allow $1 pingd_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pingd_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send pingd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pingd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pingd_server_packets'($*))dnl
	gen_require(`
		type pingd_server_packet_t;
	')

	dontaudit $1 pingd_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pingd_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive pingd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_pingd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pingd_server_packets'($*))dnl
	gen_require(`
		type pingd_server_packet_t;
	')

	allow $1 pingd_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pingd_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pingd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pingd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pingd_server_packets'($*))dnl
	gen_require(`
		type pingd_server_packet_t;
	')

	dontaudit $1 pingd_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pingd_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive pingd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_pingd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pingd_server_packets'($*))dnl
	corenet_send_pingd_server_packets($1)
	corenet_receive_pingd_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pingd_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pingd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_pingd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pingd_server_packets'($*))dnl
	corenet_dontaudit_send_pingd_server_packets($1)
	corenet_dontaudit_receive_pingd_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pingd_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the pingd_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pingd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pingd_server_packets'($*))dnl
	gen_require(`
		type pingd_server_packet_t;
	')

	allow $1 pingd_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pingd_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the pki_ca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_pki_ca_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pki_ca_port'($*))dnl
	gen_require(`
		type pki_ca_port_t;
	')

	allow $1 pki_ca_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pki_ca_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the pki_ca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_pki_ca_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pki_ca_port'($*))dnl
	gen_require(`
		type pki_ca_port_t;
	')

	allow $1 pki_ca_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pki_ca_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the pki_ca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_pki_ca_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pki_ca_port'($*))dnl
	gen_require(`
		type pki_ca_port_t;
	')

	dontaudit $1 pki_ca_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pki_ca_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the pki_ca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_pki_ca_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pki_ca_port'($*))dnl
	gen_require(`
		type pki_ca_port_t;
	')

	allow $1 pki_ca_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pki_ca_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the pki_ca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_pki_ca_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pki_ca_port'($*))dnl
	gen_require(`
		type pki_ca_port_t;
	')

	dontaudit $1 pki_ca_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pki_ca_port'($*))dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the pki_ca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_pki_ca_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pki_ca_port'($*))dnl
	corenet_udp_send_pki_ca_port($1)
	corenet_udp_receive_pki_ca_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pki_ca_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the pki_ca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_pki_ca_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pki_ca_port'($*))dnl
	corenet_dontaudit_udp_send_pki_ca_port($1)
	corenet_dontaudit_udp_receive_pki_ca_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pki_ca_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the pki_ca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Unlike the pgpkeyserver and pingd bind interfaces above, the pki_ca
# bind interfaces also grant net_bind_service; presumably pki_ca is a
# reserved port below 1024, which the kernel only lets a process with
# that capability bind. Confirm against the port declaration.
#
define(`corenet_tcp_bind_pki_ca_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pki_ca_port'($*))dnl
	gen_require(`
		type pki_ca_port_t;
	')

	allow $1 pki_ca_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pki_ca_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the pki_ca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# See corenet_tcp_bind_pki_ca_port for why net_bind_service is granted here.
#
define(`corenet_udp_bind_pki_ca_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pki_ca_port'($*))dnl
	gen_require(`
		type pki_ca_port_t;
	')

	allow $1 pki_ca_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pki_ca_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the pki_ca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
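##	</summary>
## </param>
#
# A dontaudit interface must only suppress audit messages; it must never
# grant access. The generated body previously also contained
# "allow $1 self:capability net_bind_service;" (copied from the
# corenet_*_bind_pki_ca_port interfaces), which silently gave every
# caller that merely wanted to quiet a denial the capability to bind any
# reserved port. That allow rule is removed here; callers that really
# bind the port use corenet_udp_bind_pki_ca_port instead.
#
define(`corenet_dontaudit_udp_bind_pki_ca_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pki_ca_port'($*))dnl
	gen_require(`
		type pki_ca_port_t;
	')

	dontaudit $1 pki_ca_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pki_ca_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the pki_ca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_pki_ca_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pki_ca_port'($*))dnl
	gen_require(`
		type pki_ca_port_t;
	')

	allow $1 pki_ca_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pki_ca_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the pki_ca port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_pki_ca_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pki_ca_port'($*))dnl
	gen_require(`
		type pki_ca_port_t;
	')

	dontaudit $1 pki_ca_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pki_ca_port'($*))dnl
')

########################################
## <summary>
##	Send pki_ca_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.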
##	</summary>
## </param>
#
define(`corenet_send_pki_ca_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_ca_client_packets'($*))dnl
	gen_require(`
		type pki_ca_client_packet_t;
	')

	allow $1 pki_ca_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_ca_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send pki_ca_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pki_ca_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_ca_client_packets'($*))dnl
	gen_require(`
		type pki_ca_client_packet_t;
	')

	dontaudit $1 pki_ca_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_ca_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive pki_ca_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_pki_ca_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_ca_client_packets'($*))dnl
	gen_require(`
		type pki_ca_client_packet_t;
	')

	allow $1 pki_ca_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_ca_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pki_ca_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pki_ca_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_ca_client_packets'($*))dnl
	gen_require(`
		type pki_ca_client_packet_t;
	')

	dontaudit $1 pki_ca_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_ca_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive pki_ca_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_pki_ca_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_ca_client_packets'($*))dnl
	corenet_send_pki_ca_client_packets($1)
	corenet_receive_pki_ca_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_ca_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pki_ca_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_pki_ca_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_ca_client_packets'($*))dnl
	corenet_dontaudit_send_pki_ca_client_packets($1)
	corenet_dontaudit_receive_pki_ca_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_ca_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the pki_ca_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pki_ca_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_ca_client_packets'($*)) dnl
	gen_require(`
		type pki_ca_client_packet_t;
	')

	allow $1 pki_ca_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_ca_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send pki_ca_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_pki_ca_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_ca_server_packets'($*)) dnl
	gen_require(`
		type pki_ca_server_packet_t;
	')

	allow $1 pki_ca_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_ca_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pki_ca_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pki_ca_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_ca_server_packets'($*)) dnl
	gen_require(`
		type pki_ca_server_packet_t;
	')

	dontaudit $1 pki_ca_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_ca_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pki_ca_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_pki_ca_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_ca_server_packets'($*)) dnl
	gen_require(`
		type pki_ca_server_packet_t;
	')

	allow $1 pki_ca_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_ca_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pki_ca_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pki_ca_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_ca_server_packets'($*)) dnl
	gen_require(`
		type pki_ca_server_packet_t;
	')

	dontaudit $1 pki_ca_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_ca_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pki_ca_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_pki_ca_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_ca_server_packets'($*)) dnl
	corenet_send_pki_ca_server_packets($1)
	corenet_receive_pki_ca_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_ca_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pki_ca_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_pki_ca_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_ca_server_packets'($*)) dnl
	corenet_dontaudit_send_pki_ca_server_packets($1)
	corenet_dontaudit_receive_pki_ca_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_ca_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pki_ca_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pki_ca_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_ca_server_packets'($*)) dnl
	gen_require(`
		type pki_ca_server_packet_t;
	')

	allow $1 pki_ca_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_ca_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the pki_kra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pki_kra_port'($*)) dnl
	gen_require(`
		type pki_kra_port_t;
	')

	allow $1 pki_kra_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pki_kra_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the pki_kra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pki_kra_port'($*)) dnl
	gen_require(`
		type pki_kra_port_t;
	')

	allow $1 pki_kra_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pki_kra_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the pki_kra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pki_kra_port'($*)) dnl
	gen_require(`
		type pki_kra_port_t;
	')

	dontaudit $1 pki_kra_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pki_kra_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the pki_kra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pki_kra_port'($*)) dnl
	gen_require(`
		type pki_kra_port_t;
	')

	allow $1 pki_kra_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pki_kra_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the pki_kra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pki_kra_port'($*)) dnl
	gen_require(`
		type pki_kra_port_t;
	')

	dontaudit $1 pki_kra_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pki_kra_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the pki_kra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pki_kra_port'($*)) dnl
	corenet_udp_send_pki_kra_port($1)
	corenet_udp_receive_pki_kra_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pki_kra_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the pki_kra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pki_kra_port'($*)) dnl
	corenet_dontaudit_udp_send_pki_kra_port($1)
	corenet_dontaudit_udp_receive_pki_kra_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pki_kra_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the pki_kra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
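##	</summary>
## </param>
#
define(`corenet_tcp_bind_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pki_kra_port'($*)) dnl
	gen_require(`
		type pki_kra_port_t;
	')

	allow $1 pki_kra_port_t:tcp_socket name_bind;
	# NOTE(review): CAP_NET_BIND_SERVICE is granted unconditionally here. It is
	# only required if pki_kra_port_t covers a privileged port (below 1024);
	# the port number is not visible in this file. The capability is not
	# scoped to this port, so the caller may bind any privileged port.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pki_kra_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the pki_kra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pki_kra_port'($*)) dnl
	gen_require(`
		type pki_kra_port_t;
	')

	allow $1 pki_kra_port_t:udp_socket name_bind;
	# NOTE(review): same unconditional CAP_NET_BIND_SERVICE grant as in the
	# TCP bind interface; see the comment there.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pki_kra_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the pki_kra port.
##	This interface only suppresses AVC denial messages; it grants
##	no access.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pki_kra_port'($*)) dnl
	gen_require(`
		type pki_kra_port_t;
	')

	# A dontaudit interface must not contain allow rules. The original
	# version also granted self:capability net_bind_service, so a caller
	# that only wanted to silence a denial silently received the capability
	# to bind any privileged port. That allow rule has been removed.
	dontaudit $1 pki_kra_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pki_kra_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the pki_kra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.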
##	</summary>
## </param>
#
define(`corenet_tcp_connect_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pki_kra_port'($*)) dnl
	gen_require(`
		type pki_kra_port_t;
	')

	allow $1 pki_kra_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pki_kra_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the pki_kra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_pki_kra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pki_kra_port'($*)) dnl
	gen_require(`
		type pki_kra_port_t;
	')

	dontaudit $1 pki_kra_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pki_kra_port'($*)) dnl
')

########################################
## <summary>
##	Send pki_kra_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_pki_kra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_kra_client_packets'($*)) dnl
	gen_require(`
		type pki_kra_client_packet_t;
	')

	allow $1 pki_kra_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_kra_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pki_kra_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pki_kra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_kra_client_packets'($*)) dnl
	gen_require(`
		type pki_kra_client_packet_t;
	')

	dontaudit $1 pki_kra_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_kra_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pki_kra_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_pki_kra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_kra_client_packets'($*)) dnl
	gen_require(`
		type pki_kra_client_packet_t;
	')

	allow $1 pki_kra_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_kra_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pki_kra_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pki_kra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_kra_client_packets'($*)) dnl
	gen_require(`
		type pki_kra_client_packet_t;
	')

	dontaudit $1 pki_kra_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_kra_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pki_kra_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_pki_kra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_kra_client_packets'($*)) dnl
	corenet_send_pki_kra_client_packets($1)
	corenet_receive_pki_kra_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_kra_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pki_kra_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_pki_kra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_kra_client_packets'($*)) dnl
	corenet_dontaudit_send_pki_kra_client_packets($1)
	corenet_dontaudit_receive_pki_kra_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_kra_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pki_kra_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pki_kra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_kra_client_packets'($*)) dnl
	gen_require(`
		type pki_kra_client_packet_t;
	')

	allow $1 pki_kra_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_kra_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send pki_kra_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_pki_kra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_kra_server_packets'($*)) dnl
	gen_require(`
		type pki_kra_server_packet_t;
	')

	allow $1 pki_kra_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_kra_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pki_kra_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pki_kra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_kra_server_packets'($*)) dnl
	gen_require(`
		type pki_kra_server_packet_t;
	')

	dontaudit $1 pki_kra_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_kra_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pki_kra_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_pki_kra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_kra_server_packets'($*)) dnl
	gen_require(`
		type pki_kra_server_packet_t;
	')

	allow $1 pki_kra_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_kra_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pki_kra_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pki_kra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_kra_server_packets'($*)) dnl
	gen_require(`
		type pki_kra_server_packet_t;
	')

	dontaudit $1 pki_kra_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_kra_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pki_kra_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_pki_kra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_kra_server_packets'($*)) dnl
	corenet_send_pki_kra_server_packets($1)
	corenet_receive_pki_kra_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_kra_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pki_kra_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_pki_kra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_kra_server_packets'($*)) dnl
	corenet_dontaudit_send_pki_kra_server_packets($1)
	corenet_dontaudit_receive_pki_kra_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_kra_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pki_kra_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pki_kra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_kra_server_packets'($*)) dnl
	gen_require(`
		type pki_kra_server_packet_t;
	')

	allow $1 pki_kra_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_kra_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the pki_ocsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pki_ocsp_port'($*)) dnl
	gen_require(`
		type pki_ocsp_port_t;
	')

	allow $1 pki_ocsp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pki_ocsp_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the pki_ocsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pki_ocsp_port'($*)) dnl
	gen_require(`
		type pki_ocsp_port_t;
	')

	allow $1 pki_ocsp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pki_ocsp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the pki_ocsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pki_ocsp_port'($*)) dnl
	gen_require(`
		type pki_ocsp_port_t;
	')

	dontaudit $1 pki_ocsp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pki_ocsp_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the pki_ocsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pki_ocsp_port'($*)) dnl
	gen_require(`
		type pki_ocsp_port_t;
	')

	allow $1 pki_ocsp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pki_ocsp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the pki_ocsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pki_ocsp_port'($*)) dnl
	gen_require(`
		type pki_ocsp_port_t;
	')

	dontaudit $1 pki_ocsp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pki_ocsp_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the pki_ocsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pki_ocsp_port'($*)) dnl
	corenet_udp_send_pki_ocsp_port($1)
	corenet_udp_receive_pki_ocsp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pki_ocsp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the pki_ocsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pki_ocsp_port'($*)) dnl
	corenet_dontaudit_udp_send_pki_ocsp_port($1)
	corenet_dontaudit_udp_receive_pki_ocsp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pki_ocsp_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the pki_ocsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pki_ocsp_port'($*)) dnl
	gen_require(`
		type pki_ocsp_port_t;
	')

	allow $1 pki_ocsp_port_t:tcp_socket name_bind;
	# NOTE(review): CAP_NET_BIND_SERVICE is granted unconditionally here. It is
	# only required if pki_ocsp_port_t covers a privileged port (below 1024);
	# the port number is not visible in this file. The capability is not
	# scoped to this port, so the caller may bind any privileged port.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pki_ocsp_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the pki_ocsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
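##	</summary>
## </param>
#
define(`corenet_udp_bind_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pki_ocsp_port'($*)) dnl
	gen_require(`
		type pki_ocsp_port_t;
	')

	allow $1 pki_ocsp_port_t:udp_socket name_bind;
	# NOTE(review): CAP_NET_BIND_SERVICE is granted unconditionally here. It is
	# only required if pki_ocsp_port_t covers a privileged port (below 1024);
	# the port number is not visible in this file. The capability is not
	# scoped to this port, so the caller may bind any privileged port.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pki_ocsp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the pki_ocsp port.
##	This interface only suppresses AVC denial messages; it grants
##	no access.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pki_ocsp_port'($*)) dnl
	gen_require(`
		type pki_ocsp_port_t;
	')

	# A dontaudit interface must not contain allow rules. The original
	# version also granted self:capability net_bind_service, so a caller
	# that only wanted to silence a denial silently received the capability
	# to bind any privileged port. That allow rule has been removed.
	dontaudit $1 pki_ocsp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pki_ocsp_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the pki_ocsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pki_ocsp_port'($*)) dnl
	gen_require(`
		type pki_ocsp_port_t;
	')

	allow $1 pki_ocsp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pki_ocsp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the pki_ocsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.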
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_pki_ocsp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pki_ocsp_port'($*)) dnl
	gen_require(`
		type pki_ocsp_port_t;
	')

	dontaudit $1 pki_ocsp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pki_ocsp_port'($*)) dnl
')

########################################
## <summary>
##	Send pki_ocsp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_pki_ocsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_ocsp_client_packets'($*)) dnl
	gen_require(`
		type pki_ocsp_client_packet_t;
	')

	allow $1 pki_ocsp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_ocsp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pki_ocsp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pki_ocsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_ocsp_client_packets'($*)) dnl
	gen_require(`
		type pki_ocsp_client_packet_t;
	')

	dontaudit $1 pki_ocsp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_ocsp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pki_ocsp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_pki_ocsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_ocsp_client_packets'($*)) dnl
	gen_require(`
		type pki_ocsp_client_packet_t;
	')

	allow $1 pki_ocsp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_ocsp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pki_ocsp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pki_ocsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_ocsp_client_packets'($*)) dnl
	gen_require(`
		type pki_ocsp_client_packet_t;
	')

	dontaudit $1 pki_ocsp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_ocsp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pki_ocsp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_pki_ocsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_ocsp_client_packets'($*)) dnl
	corenet_send_pki_ocsp_client_packets($1)
	corenet_receive_pki_ocsp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_ocsp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pki_ocsp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_pki_ocsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_ocsp_client_packets'($*)) dnl
	corenet_dontaudit_send_pki_ocsp_client_packets($1)
	corenet_dontaudit_receive_pki_ocsp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_ocsp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pki_ocsp_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pki_ocsp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_ocsp_client_packets'($*)) dnl
	gen_require(`
		type pki_ocsp_client_packet_t;
	')

	allow $1 pki_ocsp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_ocsp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send pki_ocsp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_pki_ocsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_ocsp_server_packets'($*)) dnl
	gen_require(`
		type pki_ocsp_server_packet_t;
	')

	allow $1 pki_ocsp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_ocsp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pki_ocsp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pki_ocsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_ocsp_server_packets'($*)) dnl
	gen_require(`
		type pki_ocsp_server_packet_t;
	')

	dontaudit $1 pki_ocsp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_ocsp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pki_ocsp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_pki_ocsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_ocsp_server_packets'($*)) dnl
	gen_require(`
		type pki_ocsp_server_packet_t;
	')

	allow $1 pki_ocsp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_ocsp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pki_ocsp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pki_ocsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_ocsp_server_packets'($*)) dnl
	gen_require(`
		type pki_ocsp_server_packet_t;
	')

	dontaudit $1 pki_ocsp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_ocsp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pki_ocsp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="both" weight="10" />
#
define(`corenet_sendrecv_pki_ocsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_ocsp_server_packets'($*)) dnl
	corenet_send_pki_ocsp_server_packets($1)
	corenet_receive_pki_ocsp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_ocsp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pki_ocsp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_pki_ocsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_ocsp_server_packets'($*)) dnl
	corenet_dontaudit_send_pki_ocsp_server_packets($1)
	corenet_dontaudit_receive_pki_ocsp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_ocsp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pki_ocsp_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pki_ocsp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_ocsp_server_packets'($*)) dnl
	gen_require(`
		type pki_ocsp_server_packet_t;
	')

	allow $1 pki_ocsp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_ocsp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the pki_tks port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="both" weight="10" />
#
define(`corenet_tcp_sendrecv_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pki_tks_port'($*)) dnl
	gen_require(`
		type pki_tks_port_t;
	')

	allow $1 pki_tks_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pki_tks_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the pki_tks port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10" />
#
define(`corenet_udp_send_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pki_tks_port'($*)) dnl
	gen_require(`
		type pki_tks_port_t;
	')

	allow $1 pki_tks_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pki_tks_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the pki_tks port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pki_tks_port'($*)) dnl
	gen_require(`
		type pki_tks_port_t;
	')

	dontaudit $1 pki_tks_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pki_tks_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the pki_tks port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="read" weight="10" />
#
define(`corenet_udp_receive_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pki_tks_port'($*)) dnl
	gen_require(`
		type pki_tks_port_t;
	')

	allow $1 pki_tks_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pki_tks_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the pki_tks port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pki_tks_port'($*)) dnl
	gen_require(`
		type pki_tks_port_t;
	')

	dontaudit $1 pki_tks_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pki_tks_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the pki_tks port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10" />
#
define(`corenet_udp_sendrecv_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pki_tks_port'($*)) dnl
	corenet_udp_send_pki_tks_port($1)
	corenet_udp_receive_pki_tks_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pki_tks_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the pki_tks port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pki_tks_port'($*)) dnl
	corenet_dontaudit_udp_send_pki_tks_port($1)
	corenet_dontaudit_udp_receive_pki_tks_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pki_tks_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the pki_tks port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pki_tks_port'($*)) dnl
	gen_require(`
		type pki_tks_port_t;
	')

	allow $1 pki_tks_port_t:tcp_socket name_bind;
	# NOTE(review): net_bind_service is granted unconditionally here. The
	# kernel only requires it for port numbers below 1024, and the pki_tks
	# port number is not declared in this interface, so callers binding a
	# high-numbered port receive a capability they do not need.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pki_tks_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the pki_tks port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pki_tks_port'($*)) dnl
	gen_require(`
		type pki_tks_port_t;
	')

	allow $1 pki_tks_port_t:udp_socket name_bind;
	# NOTE(review): same unconditional net_bind_service grant as the TCP
	# bind interface above; only needed for port numbers below 1024.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pki_tks_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the pki_tks port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
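## </summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pki_tks_port'($*)) dnl
	gen_require(`
		type pki_tks_port_t;
	')

	# A dontaudit interface must only suppress denial messages. The
	# allow rule for self:capability net_bind_service that used to sit
	# here turned a silencing interface into a privilege grant; a domain
	# that really binds this port must use corenet_udp_bind_pki_tks_port.
	dontaudit $1 pki_tks_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pki_tks_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the pki_tks port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pki_tks_port'($*)) dnl
	gen_require(`
		type pki_tks_port_t;
	')

	allow $1 pki_tks_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pki_tks_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the pki_tks port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_pki_tks_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pki_tks_port'($*)) dnl
	gen_require(`
		type pki_tks_port_t;
	')

	dontaudit $1 pki_tks_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pki_tks_port'($*)) dnl
')

########################################
## <summary>
##	Send pki_tks_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.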
## </summary>
## </param>
## <infoflow type="write" weight="10" />
#
define(`corenet_send_pki_tks_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_tks_client_packets'($*)) dnl
	gen_require(`
		type pki_tks_client_packet_t;
	')

	allow $1 pki_tks_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_tks_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pki_tks_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_pki_tks_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_tks_client_packets'($*)) dnl
	gen_require(`
		type pki_tks_client_packet_t;
	')

	dontaudit $1 pki_tks_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_tks_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pki_tks_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10" />
#
define(`corenet_receive_pki_tks_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_tks_client_packets'($*)) dnl
	gen_require(`
		type pki_tks_client_packet_t;
	')

	allow $1 pki_tks_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_tks_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pki_tks_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_pki_tks_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_tks_client_packets'($*)) dnl
	gen_require(`
		type pki_tks_client_packet_t;
	')

	dontaudit $1 pki_tks_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_tks_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pki_tks_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10" />
#
define(`corenet_sendrecv_pki_tks_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_tks_client_packets'($*)) dnl
	corenet_send_pki_tks_client_packets($1)
	corenet_receive_pki_tks_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_tks_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pki_tks_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_pki_tks_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_tks_client_packets'($*)) dnl
	corenet_dontaudit_send_pki_tks_client_packets($1)
	corenet_dontaudit_receive_pki_tks_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_tks_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pki_tks_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`corenet_relabelto_pki_tks_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_tks_client_packets'($*)) dnl
	gen_require(`
		type pki_tks_client_packet_t;
	')

	allow $1 pki_tks_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_tks_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send pki_tks_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10" />
#
define(`corenet_send_pki_tks_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_tks_server_packets'($*)) dnl
	gen_require(`
		type pki_tks_server_packet_t;
	')

	allow $1 pki_tks_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_tks_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pki_tks_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_pki_tks_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_tks_server_packets'($*)) dnl
	gen_require(`
		type pki_tks_server_packet_t;
	')

	dontaudit $1 pki_tks_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_tks_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pki_tks_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="read" weight="10" />
#
define(`corenet_receive_pki_tks_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_tks_server_packets'($*)) dnl
	gen_require(`
		type pki_tks_server_packet_t;
	')

	allow $1 pki_tks_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_tks_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pki_tks_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_pki_tks_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_tks_server_packets'($*)) dnl
	gen_require(`
		type pki_tks_server_packet_t;
	')

	dontaudit $1 pki_tks_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_tks_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pki_tks_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10" />
#
define(`corenet_sendrecv_pki_tks_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_tks_server_packets'($*)) dnl
	corenet_send_pki_tks_server_packets($1)
	corenet_receive_pki_tks_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_tks_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pki_tks_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_pki_tks_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_tks_server_packets'($*)) dnl
	corenet_dontaudit_send_pki_tks_server_packets($1)
	corenet_dontaudit_receive_pki_tks_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_tks_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pki_tks_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pki_tks_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_tks_server_packets'($*)) dnl
	gen_require(`
		type pki_tks_server_packet_t;
	')

	allow $1 pki_tks_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_tks_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the pki_ra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10" />
#
define(`corenet_tcp_sendrecv_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pki_ra_port'($*)) dnl
	gen_require(`
		type pki_ra_port_t;
	')

	allow $1 pki_ra_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pki_ra_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the pki_ra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="write" weight="10" />
#
define(`corenet_udp_send_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pki_ra_port'($*)) dnl
	gen_require(`
		type pki_ra_port_t;
	')

	allow $1 pki_ra_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pki_ra_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the pki_ra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pki_ra_port'($*)) dnl
	gen_require(`
		type pki_ra_port_t;
	')

	dontaudit $1 pki_ra_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pki_ra_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the pki_ra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10" />
#
define(`corenet_udp_receive_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pki_ra_port'($*)) dnl
	gen_require(`
		type pki_ra_port_t;
	')

	allow $1 pki_ra_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pki_ra_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the pki_ra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pki_ra_port'($*)) dnl
	gen_require(`
		type pki_ra_port_t;
	')

	dontaudit $1 pki_ra_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pki_ra_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the pki_ra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10" />
#
define(`corenet_udp_sendrecv_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pki_ra_port'($*)) dnl
	corenet_udp_send_pki_ra_port($1)
	corenet_udp_receive_pki_ra_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pki_ra_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the pki_ra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pki_ra_port'($*)) dnl
	corenet_dontaudit_udp_send_pki_ra_port($1)
	corenet_dontaudit_udp_receive_pki_ra_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pki_ra_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the pki_ra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
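## </summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pki_ra_port'($*)) dnl
	gen_require(`
		type pki_ra_port_t;
	')

	allow $1 pki_ra_port_t:tcp_socket name_bind;
	# NOTE(review): net_bind_service is granted unconditionally here. The
	# kernel only requires it for port numbers below 1024, and the pki_ra
	# port number is not declared in this interface, so callers binding a
	# high-numbered port receive a capability they do not need.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pki_ra_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the pki_ra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pki_ra_port'($*)) dnl
	gen_require(`
		type pki_ra_port_t;
	')

	allow $1 pki_ra_port_t:udp_socket name_bind;
	# NOTE(review): same unconditional net_bind_service grant as the TCP
	# bind interface above; only needed for port numbers below 1024.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pki_ra_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the pki_ra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pki_ra_port'($*)) dnl
	gen_require(`
		type pki_ra_port_t;
	')

	# A dontaudit interface must only suppress denial messages. The
	# allow rule for self:capability net_bind_service that used to sit
	# here turned a silencing interface into a privilege grant; a domain
	# that really binds this port must use corenet_udp_bind_pki_ra_port.
	dontaudit $1 pki_ra_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pki_ra_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the pki_ra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.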
## </summary>
## </param>
#
define(`corenet_tcp_connect_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pki_ra_port'($*)) dnl
	gen_require(`
		type pki_ra_port_t;
	')

	allow $1 pki_ra_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pki_ra_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the pki_ra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_pki_ra_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pki_ra_port'($*)) dnl
	gen_require(`
		type pki_ra_port_t;
	')

	dontaudit $1 pki_ra_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pki_ra_port'($*)) dnl
')

########################################
## <summary>
##	Send pki_ra_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10" />
#
define(`corenet_send_pki_ra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_ra_client_packets'($*)) dnl
	gen_require(`
		type pki_ra_client_packet_t;
	')

	allow $1 pki_ra_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_ra_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pki_ra_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_pki_ra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_ra_client_packets'($*)) dnl
	gen_require(`
		type pki_ra_client_packet_t;
	')

	dontaudit $1 pki_ra_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_ra_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pki_ra_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10" />
#
define(`corenet_receive_pki_ra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_ra_client_packets'($*)) dnl
	gen_require(`
		type pki_ra_client_packet_t;
	')

	allow $1 pki_ra_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_ra_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pki_ra_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_pki_ra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_ra_client_packets'($*)) dnl
	gen_require(`
		type pki_ra_client_packet_t;
	')

	dontaudit $1 pki_ra_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_ra_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pki_ra_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="both" weight="10" />
#
define(`corenet_sendrecv_pki_ra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_ra_client_packets'($*)) dnl
	corenet_send_pki_ra_client_packets($1)
	corenet_receive_pki_ra_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_ra_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pki_ra_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_pki_ra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_ra_client_packets'($*)) dnl
	corenet_dontaudit_send_pki_ra_client_packets($1)
	corenet_dontaudit_receive_pki_ra_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_ra_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pki_ra_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pki_ra_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_ra_client_packets'($*)) dnl
	gen_require(`
		type pki_ra_client_packet_t;
	')

	allow $1 pki_ra_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_ra_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send pki_ra_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="write" weight="10" />
#
define(`corenet_send_pki_ra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_ra_server_packets'($*)) dnl
	gen_require(`
		type pki_ra_server_packet_t;
	')

	allow $1 pki_ra_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_ra_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pki_ra_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_pki_ra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_ra_server_packets'($*)) dnl
	gen_require(`
		type pki_ra_server_packet_t;
	')

	dontaudit $1 pki_ra_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_ra_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pki_ra_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10" />
#
define(`corenet_receive_pki_ra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_ra_server_packets'($*)) dnl
	gen_require(`
		type pki_ra_server_packet_t;
	')

	allow $1 pki_ra_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_ra_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pki_ra_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_pki_ra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_ra_server_packets'($*)) dnl
	gen_require(`
		type pki_ra_server_packet_t;
	')

	dontaudit $1 pki_ra_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_ra_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pki_ra_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10" />
#
define(`corenet_sendrecv_pki_ra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_ra_server_packets'($*)) dnl
	corenet_send_pki_ra_server_packets($1)
	corenet_receive_pki_ra_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_ra_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pki_ra_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_pki_ra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_ra_server_packets'($*)) dnl
	corenet_dontaudit_send_pki_ra_server_packets($1)
	corenet_dontaudit_receive_pki_ra_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_ra_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pki_ra_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`corenet_relabelto_pki_ra_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_ra_server_packets'($*)) dnl
	gen_require(`
		type pki_ra_server_packet_t;
	')

	allow $1 pki_ra_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_ra_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the pki_tps port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10" />
#
define(`corenet_tcp_sendrecv_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pki_tps_port'($*)) dnl
	gen_require(`
		type pki_tps_port_t;
	')

	allow $1 pki_tps_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pki_tps_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the pki_tps port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10" />
#
define(`corenet_udp_send_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pki_tps_port'($*)) dnl
	gen_require(`
		type pki_tps_port_t;
	')

	allow $1 pki_tps_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pki_tps_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the pki_tps port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pki_tps_port'($*)) dnl
	gen_require(`
		type pki_tps_port_t;
	')

	dontaudit $1 pki_tps_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pki_tps_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the pki_tps port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pki_tps_port'($*)) dnl
	gen_require(`
		type pki_tps_port_t;
	')

	allow $1 pki_tps_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pki_tps_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the pki_tps port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pki_tps_port'($*)) dnl
	gen_require(`
		type pki_tps_port_t;
	')

	dontaudit $1 pki_tps_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pki_tps_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the pki_tps port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pki_tps_port'($*)) dnl
	corenet_udp_send_pki_tps_port($1)
	corenet_udp_receive_pki_tps_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pki_tps_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the pki_tps port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pki_tps_port'($*)) dnl
	corenet_dontaudit_udp_send_pki_tps_port($1)
	corenet_dontaudit_udp_receive_pki_tps_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pki_tps_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the pki_tps port.
##	Also grants CAP_NET_BIND_SERVICE to the domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pki_tps_port'($*)) dnl
	gen_require(`
		type pki_tps_port_t;
	')

	allow $1 pki_tps_port_t:tcp_socket name_bind;
	# the port is treated as a privileged (reserved) port, so binding
	# needs the capability as well; verify this against the port declaration
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pki_tps_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the pki_tps port.
##	Also grants CAP_NET_BIND_SERVICE to the domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
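##	</summary>
## </param>
#
define(`corenet_udp_bind_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pki_tps_port'($*)) dnl
	gen_require(`
		type pki_tps_port_t;
	')

	allow $1 pki_tps_port_t:udp_socket name_bind;
	# the port is treated as a privileged (reserved) port, so binding
	# needs the capability as well; verify this against the port declaration
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pki_tps_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the pki_tps port.
##	This interface grants nothing; in particular it does not
##	grant CAP_NET_BIND_SERVICE.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pki_tps_port'($*)) dnl
	gen_require(`
		type pki_tps_port_t;
	')

	dontaudit $1 pki_tps_port_t:udp_socket name_bind;
	# Deliberately no "allow $1 self:capability net_bind_service" here:
	# a dontaudit interface must only suppress denials, never widen
	# access. A domain that actually binds this port must use
	# corenet_udp_bind_pki_tps_port, which grants the capability.
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pki_tps_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the pki_tps port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pki_tps_port'($*)) dnl
	gen_require(`
		type pki_tps_port_t;
	')

	allow $1 pki_tps_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pki_tps_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the pki_tps port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.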
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_pki_tps_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pki_tps_port'($*)) dnl
	gen_require(`
		type pki_tps_port_t;
	')

	dontaudit $1 pki_tps_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pki_tps_port'($*)) dnl
')

########################################
## <summary>
##	Send pki_tps_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_pki_tps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_tps_client_packets'($*)) dnl
	gen_require(`
		type pki_tps_client_packet_t;
	')

	allow $1 pki_tps_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_tps_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pki_tps_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pki_tps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_tps_client_packets'($*)) dnl
	gen_require(`
		type pki_tps_client_packet_t;
	')

	dontaudit $1 pki_tps_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_tps_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pki_tps_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_pki_tps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_tps_client_packets'($*)) dnl
	gen_require(`
		type pki_tps_client_packet_t;
	')

	allow $1 pki_tps_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_tps_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pki_tps_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pki_tps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_tps_client_packets'($*)) dnl
	gen_require(`
		type pki_tps_client_packet_t;
	')

	dontaudit $1 pki_tps_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_tps_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pki_tps_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_pki_tps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_tps_client_packets'($*)) dnl
	corenet_send_pki_tps_client_packets($1)
	corenet_receive_pki_tps_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_tps_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pki_tps_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_pki_tps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_tps_client_packets'($*)) dnl
	corenet_dontaudit_send_pki_tps_client_packets($1)
	corenet_dontaudit_receive_pki_tps_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_tps_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pki_tps_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pki_tps_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_tps_client_packets'($*)) dnl
	gen_require(`
		type pki_tps_client_packet_t;
	')

	allow $1 pki_tps_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_tps_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send pki_tps_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_pki_tps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pki_tps_server_packets'($*)) dnl
	gen_require(`
		type pki_tps_server_packet_t;
	')

	allow $1 pki_tps_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pki_tps_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pki_tps_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pki_tps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pki_tps_server_packets'($*)) dnl
	gen_require(`
		type pki_tps_server_packet_t;
	')

	dontaudit $1 pki_tps_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pki_tps_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pki_tps_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_pki_tps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pki_tps_server_packets'($*)) dnl
	gen_require(`
		type pki_tps_server_packet_t;
	')

	allow $1 pki_tps_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pki_tps_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pki_tps_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pki_tps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pki_tps_server_packets'($*)) dnl
	gen_require(`
		type pki_tps_server_packet_t;
	')

	dontaudit $1 pki_tps_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pki_tps_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pki_tps_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_pki_tps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pki_tps_server_packets'($*)) dnl
	corenet_send_pki_tps_server_packets($1)
	corenet_receive_pki_tps_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pki_tps_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pki_tps_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_pki_tps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pki_tps_server_packets'($*)) dnl
	corenet_dontaudit_send_pki_tps_server_packets($1)
	corenet_dontaudit_receive_pki_tps_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pki_tps_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pki_tps_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pki_tps_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pki_tps_server_packets'($*)) dnl
	gen_require(`
		type pki_tps_server_packet_t;
	')

	allow $1 pki_tps_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pki_tps_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the pktcable_cops port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pktcable_cops_port'($*)) dnl
	gen_require(`
		type pktcable_cops_port_t;
	')

	allow $1 pktcable_cops_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pktcable_cops_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the pktcable_cops port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pktcable_cops_port'($*)) dnl
	gen_require(`
		type pktcable_cops_port_t;
	')

	allow $1 pktcable_cops_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pktcable_cops_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the pktcable_cops port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pktcable_cops_port'($*)) dnl
	gen_require(`
		type pktcable_cops_port_t;
	')

	dontaudit $1 pktcable_cops_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pktcable_cops_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the pktcable_cops port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pktcable_cops_port'($*)) dnl
	gen_require(`
		type pktcable_cops_port_t;
	')

	allow $1 pktcable_cops_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pktcable_cops_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the pktcable_cops port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pktcable_cops_port'($*)) dnl
	gen_require(`
		type pktcable_cops_port_t;
	')

	dontaudit $1 pktcable_cops_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pktcable_cops_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the pktcable_cops port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pktcable_cops_port'($*)) dnl
	corenet_udp_send_pktcable_cops_port($1)
	corenet_udp_receive_pktcable_cops_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pktcable_cops_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the pktcable_cops port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pktcable_cops_port'($*)) dnl
	corenet_dontaudit_udp_send_pktcable_cops_port($1)
	corenet_dontaudit_udp_receive_pktcable_cops_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pktcable_cops_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the pktcable_cops port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pktcable_cops_port'($*)) dnl
	gen_require(`
		type pktcable_cops_port_t;
	')

	# no net_bind_service grant: this port is treated as unprivileged
	allow $1 pktcable_cops_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pktcable_cops_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the pktcable_cops port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pktcable_cops_port'($*)) dnl
	gen_require(`
		type pktcable_cops_port_t;
	')

	# no net_bind_service grant: this port is treated as unprivileged
	allow $1 pktcable_cops_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pktcable_cops_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the pktcable_cops port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pktcable_cops_port'($*)) dnl
	gen_require(`
		type pktcable_cops_port_t;
	')

	dontaudit $1 pktcable_cops_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pktcable_cops_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the pktcable_cops port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pktcable_cops_port'($*)) dnl
	gen_require(`
		type pktcable_cops_port_t;
	')

	allow $1 pktcable_cops_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pktcable_cops_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the pktcable_cops port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_pktcable_cops_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pktcable_cops_port'($*)) dnl
	gen_require(`
		type pktcable_cops_port_t;
	')

	dontaudit $1 pktcable_cops_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pktcable_cops_port'($*)) dnl
')

########################################
## <summary>
##	Send pktcable_cops_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_pktcable_cops_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pktcable_cops_client_packets'($*)) dnl
	gen_require(`
		type pktcable_cops_client_packet_t;
	')

	allow $1 pktcable_cops_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pktcable_cops_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pktcable_cops_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pktcable_cops_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pktcable_cops_client_packets'($*)) dnl
	gen_require(`
		type pktcable_cops_client_packet_t;
	')

	dontaudit $1 pktcable_cops_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pktcable_cops_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pktcable_cops_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_pktcable_cops_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pktcable_cops_client_packets'($*)) dnl
	gen_require(`
		type pktcable_cops_client_packet_t;
	')

	allow $1 pktcable_cops_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pktcable_cops_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pktcable_cops_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pktcable_cops_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pktcable_cops_client_packets'($*)) dnl
	gen_require(`
		type pktcable_cops_client_packet_t;
	')

	dontaudit $1 pktcable_cops_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pktcable_cops_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pktcable_cops_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_pktcable_cops_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pktcable_cops_client_packets'($*)) dnl
	corenet_send_pktcable_cops_client_packets($1)
	corenet_receive_pktcable_cops_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pktcable_cops_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pktcable_cops_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_pktcable_cops_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pktcable_cops_client_packets'($*)) dnl
	corenet_dontaudit_send_pktcable_cops_client_packets($1)
	corenet_dontaudit_receive_pktcable_cops_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pktcable_cops_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pktcable_cops_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pktcable_cops_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pktcable_cops_client_packets'($*)) dnl
	gen_require(`
		type pktcable_cops_client_packet_t;
	')

	allow $1 pktcable_cops_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pktcable_cops_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send pktcable_cops_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_pktcable_cops_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pktcable_cops_server_packets'($*)) dnl
	gen_require(`
		type pktcable_cops_server_packet_t;
	')

	allow $1 pktcable_cops_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pktcable_cops_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pktcable_cops_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pktcable_cops_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pktcable_cops_server_packets'($*)) dnl
	gen_require(`
		type pktcable_cops_server_packet_t;
	')

	dontaudit $1 pktcable_cops_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pktcable_cops_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pktcable_cops_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_pktcable_cops_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pktcable_cops_server_packets'($*)) dnl
	gen_require(`
		type pktcable_cops_server_packet_t;
	')

	allow $1 pktcable_cops_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pktcable_cops_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pktcable_cops_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pktcable_cops_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pktcable_cops_server_packets'($*)) dnl
	gen_require(`
		type pktcable_cops_server_packet_t;
	')

	dontaudit $1 pktcable_cops_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pktcable_cops_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pktcable_cops_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_pktcable_cops_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pktcable_cops_server_packets'($*)) dnl
	corenet_send_pktcable_cops_server_packets($1)
	corenet_receive_pktcable_cops_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pktcable_cops_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pktcable_cops_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_pktcable_cops_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pktcable_cops_server_packets'($*)) dnl
	corenet_dontaudit_send_pktcable_cops_server_packets($1)
	corenet_dontaudit_receive_pktcable_cops_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pktcable_cops_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pktcable_cops_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pktcable_cops_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pktcable_cops_server_packets'($*)) dnl
	gen_require(`
		type pktcable_cops_server_packet_t;
	')

	allow $1 pktcable_cops_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pktcable_cops_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the pop port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_pop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pop_port'($*)) dnl
	gen_require(`
		type pop_port_t;
	')

	allow $1 pop_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pop_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the pop port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_pop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pop_port'($*)) dnl
	gen_require(`
		type pop_port_t;
	')

	allow $1 pop_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pop_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the pop port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_pop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pop_port'($*)) dnl
	gen_require(`
		type pop_port_t;
	')

	dontaudit $1 pop_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pop_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the pop port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_pop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pop_port'($*)) dnl
	gen_require(`
		type pop_port_t;
	')

	allow $1 pop_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pop_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the pop port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_pop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pop_port'($*)) dnl
	gen_require(`
		type pop_port_t;
	')

	dontaudit $1 pop_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pop_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the pop port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_pop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pop_port'($*)) dnl
	corenet_udp_send_pop_port($1)
	corenet_udp_receive_pop_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pop_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the pop port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_pop_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pop_port'($*)) dnl
	corenet_dontaudit_udp_send_pop_port($1)
	corenet_dontaudit_udp_receive_pop_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pop_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the pop port.
##	Also grants CAP_NET_BIND_SERVICE to the domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
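##	</summary>
## </param>
#
define(`corenet_tcp_bind_pop_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pop_port'($*)) dnl
	gen_require(`
		type pop_port_t;
	')

	allow $1 pop_port_t:tcp_socket name_bind;
	# the pop port is treated as a privileged port here: name_bind alone is
	# not sufficient, the caller also needs CAP_NET_BIND_SERVICE
	allow $1 self:capability net_bind_service;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pop_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the pop port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_pop_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pop_port'($*)) dnl
	gen_require(`
		type pop_port_t;
	')

	allow $1 pop_port_t:udp_socket name_bind;
	# privileged port: binding also needs CAP_NET_BIND_SERVICE
	allow $1 self:capability net_bind_service;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pop_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the pop port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_pop_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pop_port'($*)) dnl
	gen_require(`
		type pop_port_t;
	')

	# A dontaudit interface only silences the denial; it must never carry an
	# allow rule. The net_bind_service capability grant that used to sit here
	# handed CAP_NET_BIND_SERVICE to every caller of a "do not audit"
	# interface. Callers that really need to bind must use
	# corenet_udp_bind_pop_port instead.
	dontaudit $1 pop_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pop_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the pop port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.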
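##	</summary>
## </param>
#
define(`corenet_tcp_connect_pop_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pop_port'($*)) dnl
	gen_require(`
		type pop_port_t;
	')

	allow $1 pop_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pop_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the pop port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_pop_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pop_port'($*)) dnl
	gen_require(`
		type pop_port_t;
	')

	# silence only; no access is granted by this interface
	dontaudit $1 pop_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pop_port'($*)) dnl
')

########################################
## <summary>
##	Send pop_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_pop_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_pop_client_packets'($*)) dnl
	gen_require(`
		type pop_client_packet_t;
	')

	allow $1 pop_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_pop_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pop_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.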
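##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pop_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pop_client_packets'($*)) dnl
	gen_require(`
		type pop_client_packet_t;
	')

	dontaudit $1 pop_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pop_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pop_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_pop_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_pop_client_packets'($*)) dnl
	gen_require(`
		type pop_client_packet_t;
	')

	allow $1 pop_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_pop_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pop_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pop_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pop_client_packets'($*)) dnl
	gen_require(`
		type pop_client_packet_t;
	')

	dontaudit $1 pop_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pop_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pop_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.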
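##	</summary>
## </param>
#
define(`corenet_sendrecv_pop_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pop_client_packets'($*)) dnl
	corenet_send_pop_client_packets($1)
	corenet_receive_pop_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pop_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pop_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_pop_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pop_client_packets'($*)) dnl
	corenet_dontaudit_send_pop_client_packets($1)
	corenet_dontaudit_receive_pop_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pop_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pop_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pop_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pop_client_packets'($*)) dnl
	gen_require(`
		type pop_client_packet_t;
	')

	# relabelto lets the domain assign this packet label (e.g. via SECMARK
	# rules); only packet-labeling infrastructure should be given this
	allow $1 pop_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_pop_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send pop_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.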
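##	</summary>
## </param>
#
define(`corenet_send_pop_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_pop_server_packets'($*)) dnl
	gen_require(`
		type pop_server_packet_t;
	')

	allow $1 pop_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_pop_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pop_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pop_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pop_server_packets'($*)) dnl
	gen_require(`
		type pop_server_packet_t;
	')

	dontaudit $1 pop_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pop_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pop_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_pop_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_pop_server_packets'($*)) dnl
	gen_require(`
		type pop_server_packet_t;
	')

	allow $1 pop_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_pop_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pop_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.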
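##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pop_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pop_server_packets'($*)) dnl
	gen_require(`
		type pop_server_packet_t;
	')

	dontaudit $1 pop_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pop_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pop_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_pop_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pop_server_packets'($*)) dnl
	corenet_send_pop_server_packets($1)
	corenet_receive_pop_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pop_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pop_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_pop_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pop_server_packets'($*)) dnl
	corenet_dontaudit_send_pop_server_packets($1)
	corenet_dontaudit_receive_pop_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pop_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pop_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.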
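##	</summary>
## </param>
#
define(`corenet_relabelto_pop_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pop_server_packets'($*)) dnl
	gen_require(`
		type pop_server_packet_t;
	')

	# relabelto is a labeling privilege, not a send/receive one; keep it
	# confined to the packet-labeling infrastructure
	allow $1 pop_server_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_pop_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the portmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_portmap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_portmap_port'($*)) dnl
	gen_require(`
		type portmap_port_t;
	')

	allow $1 portmap_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_portmap_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the portmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_portmap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_portmap_port'($*)) dnl
	gen_require(`
		type portmap_port_t;
	')

	allow $1 portmap_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_portmap_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the portmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.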
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_portmap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_portmap_port'($*)) dnl
	gen_require(`
		type portmap_port_t;
	')

	dontaudit $1 portmap_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_portmap_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the portmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_portmap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_portmap_port'($*)) dnl
	gen_require(`
		type portmap_port_t;
	')

	allow $1 portmap_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_portmap_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the portmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_portmap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_portmap_port'($*)) dnl
	gen_require(`
		type portmap_port_t;
	')

	dontaudit $1 portmap_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_portmap_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the portmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_portmap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_portmap_port'($*)) dnl
	corenet_udp_send_portmap_port($1)
	corenet_udp_receive_portmap_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_portmap_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the portmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_portmap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_portmap_port'($*)) dnl
	corenet_dontaudit_udp_send_portmap_port($1)
	corenet_dontaudit_udp_receive_portmap_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_portmap_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the portmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_portmap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_portmap_port'($*)) dnl
	gen_require(`
		type portmap_port_t;
	')

	allow $1 portmap_port_t:tcp_socket name_bind;
	# privileged port: the bind also needs CAP_NET_BIND_SERVICE
	allow $1 self:capability net_bind_service;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_portmap_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the portmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
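##	</summary>
## </param>
#
define(`corenet_udp_bind_portmap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_portmap_port'($*)) dnl
	gen_require(`
		type portmap_port_t;
	')

	allow $1 portmap_port_t:udp_socket name_bind;
	# privileged port: the bind also needs CAP_NET_BIND_SERVICE
	allow $1 self:capability net_bind_service;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_portmap_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the portmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_portmap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_portmap_port'($*)) dnl
	gen_require(`
		type portmap_port_t;
	')

	# A dontaudit interface only silences the denial; it must never carry an
	# allow rule. The net_bind_service capability grant that used to sit here
	# handed CAP_NET_BIND_SERVICE to every caller of a "do not audit"
	# interface. Callers that really need to bind must use
	# corenet_udp_bind_portmap_port instead.
	dontaudit $1 portmap_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_portmap_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the portmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_portmap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_portmap_port'($*)) dnl
	gen_require(`
		type portmap_port_t;
	')

	allow $1 portmap_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_portmap_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the portmap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.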
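##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_portmap_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_portmap_port'($*)) dnl
	gen_require(`
		type portmap_port_t;
	')

	# silence only; no access is granted by this interface
	dontaudit $1 portmap_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_portmap_port'($*)) dnl
')

########################################
## <summary>
##	Send portmap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_portmap_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_portmap_client_packets'($*)) dnl
	gen_require(`
		type portmap_client_packet_t;
	')

	allow $1 portmap_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_portmap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send portmap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_portmap_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_portmap_client_packets'($*)) dnl
	gen_require(`
		type portmap_client_packet_t;
	')

	dontaudit $1 portmap_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_portmap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive portmap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.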
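##	</summary>
## </param>
#
define(`corenet_receive_portmap_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_portmap_client_packets'($*)) dnl
	gen_require(`
		type portmap_client_packet_t;
	')

	allow $1 portmap_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_portmap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive portmap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_portmap_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_portmap_client_packets'($*)) dnl
	gen_require(`
		type portmap_client_packet_t;
	')

	dontaudit $1 portmap_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_portmap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive portmap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_portmap_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_portmap_client_packets'($*)) dnl
	corenet_send_portmap_client_packets($1)
	corenet_receive_portmap_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_portmap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive portmap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.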
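##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_portmap_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_portmap_client_packets'($*)) dnl
	corenet_dontaudit_send_portmap_client_packets($1)
	corenet_dontaudit_receive_portmap_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_portmap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the portmap_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_portmap_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_portmap_client_packets'($*)) dnl
	gen_require(`
		type portmap_client_packet_t;
	')

	# relabelto is a labeling privilege, not a send/receive one; keep it
	# confined to the packet-labeling infrastructure
	allow $1 portmap_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_portmap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send portmap_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_portmap_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_portmap_server_packets'($*)) dnl
	gen_require(`
		type portmap_server_packet_t;
	')

	allow $1 portmap_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_portmap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send portmap_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.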
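##	</summary>
## </param>
#
define(`corenet_dontaudit_send_portmap_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_portmap_server_packets'($*)) dnl
	gen_require(`
		type portmap_server_packet_t;
	')

	dontaudit $1 portmap_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_portmap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive portmap_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_portmap_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_portmap_server_packets'($*)) dnl
	gen_require(`
		type portmap_server_packet_t;
	')

	allow $1 portmap_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_portmap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive portmap_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_portmap_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_portmap_server_packets'($*)) dnl
	gen_require(`
		type portmap_server_packet_t;
	')

	dontaudit $1 portmap_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_portmap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive portmap_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.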
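##	</summary>
## </param>
#
define(`corenet_sendrecv_portmap_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_portmap_server_packets'($*)) dnl
	corenet_send_portmap_server_packets($1)
	corenet_receive_portmap_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_portmap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive portmap_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_portmap_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_portmap_server_packets'($*)) dnl
	corenet_dontaudit_send_portmap_server_packets($1)
	corenet_dontaudit_receive_portmap_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_portmap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the portmap_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_portmap_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_portmap_server_packets'($*)) dnl
	gen_require(`
		type portmap_server_packet_t;
	')

	# relabelto is a labeling privilege, not a send/receive one; keep it
	# confined to the packet-labeling infrastructure
	allow $1 portmap_server_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_portmap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the postfix_policyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.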
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_postfix_policyd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_postfix_policyd_port'($*)) dnl
	gen_require(`
		type postfix_policyd_port_t;
	')

	allow $1 postfix_policyd_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_postfix_policyd_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the postfix_policyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_postfix_policyd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_postfix_policyd_port'($*)) dnl
	gen_require(`
		type postfix_policyd_port_t;
	')

	allow $1 postfix_policyd_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_postfix_policyd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the postfix_policyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_postfix_policyd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_postfix_policyd_port'($*)) dnl
	gen_require(`
		type postfix_policyd_port_t;
	')

	dontaudit $1 postfix_policyd_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_postfix_policyd_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the postfix_policyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_postfix_policyd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_postfix_policyd_port'($*)) dnl
	gen_require(`
		type postfix_policyd_port_t;
	')

	allow $1 postfix_policyd_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_postfix_policyd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the postfix_policyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_postfix_policyd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_postfix_policyd_port'($*)) dnl
	gen_require(`
		type postfix_policyd_port_t;
	')

	dontaudit $1 postfix_policyd_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_postfix_policyd_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the postfix_policyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_postfix_policyd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_postfix_policyd_port'($*)) dnl
	corenet_udp_send_postfix_policyd_port($1)
	corenet_udp_receive_postfix_policyd_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_postfix_policyd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the postfix_policyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
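##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_postfix_policyd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_postfix_policyd_port'($*)) dnl
	corenet_dontaudit_udp_send_postfix_policyd_port($1)
	corenet_dontaudit_udp_receive_postfix_policyd_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_postfix_policyd_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the postfix_policyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_postfix_policyd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_postfix_policyd_port'($*)) dnl
	gen_require(`
		type postfix_policyd_port_t;
	')

	# unprivileged port: no CAP_NET_BIND_SERVICE grant, unlike the pop and
	# portmap bind interfaces
	allow $1 postfix_policyd_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_postfix_policyd_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the postfix_policyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_postfix_policyd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_postfix_policyd_port'($*)) dnl
	gen_require(`
		type postfix_policyd_port_t;
	')

	# unprivileged port: name_bind is sufficient
	allow $1 postfix_policyd_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_postfix_policyd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the postfix_policyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.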
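##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_postfix_policyd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_postfix_policyd_port'($*)) dnl
	gen_require(`
		type postfix_policyd_port_t;
	')

	# silence only; no access is granted by this interface
	dontaudit $1 postfix_policyd_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_postfix_policyd_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the postfix_policyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_postfix_policyd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_postfix_policyd_port'($*)) dnl
	gen_require(`
		type postfix_policyd_port_t;
	')

	allow $1 postfix_policyd_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_postfix_policyd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the postfix_policyd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_postfix_policyd_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_postfix_policyd_port'($*)) dnl
	gen_require(`
		type postfix_policyd_port_t;
	')

	# silence only; no access is granted by this interface
	dontaudit $1 postfix_policyd_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_postfix_policyd_port'($*)) dnl
')

########################################
## <summary>
##	Send postfix_policyd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.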
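##	</summary>
## </param>
#
define(`corenet_send_postfix_policyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_postfix_policyd_client_packets'($*)) dnl
	gen_require(`
		type postfix_policyd_client_packet_t;
	')

	allow $1 postfix_policyd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_postfix_policyd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send postfix_policyd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_postfix_policyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postfix_policyd_client_packets'($*)) dnl
	gen_require(`
		type postfix_policyd_client_packet_t;
	')

	dontaudit $1 postfix_policyd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postfix_policyd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive postfix_policyd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_postfix_policyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_postfix_policyd_client_packets'($*)) dnl
	gen_require(`
		type postfix_policyd_client_packet_t;
	')

	allow $1 postfix_policyd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_postfix_policyd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive postfix_policyd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.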
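##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_postfix_policyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postfix_policyd_client_packets'($*)) dnl
	gen_require(`
		type postfix_policyd_client_packet_t;
	')

	dontaudit $1 postfix_policyd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postfix_policyd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive postfix_policyd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_postfix_policyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postfix_policyd_client_packets'($*)) dnl
	corenet_send_postfix_policyd_client_packets($1)
	corenet_receive_postfix_policyd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postfix_policyd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive postfix_policyd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_postfix_policyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postfix_policyd_client_packets'($*)) dnl
	corenet_dontaudit_send_postfix_policyd_client_packets($1)
	corenet_dontaudit_receive_postfix_policyd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postfix_policyd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the postfix_policyd_client packet type.
## </summary>
## <desc>
##	<p>
##	relabelto on a packet type is the permission that lets a domain
##	apply this label to network traffic (SECMARK). Grant it only to the
##	domain that manages packet labeling rules, not to ordinary clients
##	or servers of the service.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.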
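##	</summary>
## </param>
#
define(`corenet_relabelto_postfix_policyd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postfix_policyd_client_packets'($*)) dnl
	gen_require(`
		type postfix_policyd_client_packet_t;
	')

	allow $1 postfix_policyd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_postfix_policyd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send postfix_policyd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_postfix_policyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_postfix_policyd_server_packets'($*)) dnl
	gen_require(`
		type postfix_policyd_server_packet_t;
	')

	allow $1 postfix_policyd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_postfix_policyd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send postfix_policyd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_postfix_policyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postfix_policyd_server_packets'($*)) dnl
	gen_require(`
		type postfix_policyd_server_packet_t;
	')

	dontaudit $1 postfix_policyd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postfix_policyd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive postfix_policyd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.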
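##	</summary>
## </param>
#
define(`corenet_receive_postfix_policyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_postfix_policyd_server_packets'($*)) dnl
	gen_require(`
		type postfix_policyd_server_packet_t;
	')

	allow $1 postfix_policyd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_postfix_policyd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive postfix_policyd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_postfix_policyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postfix_policyd_server_packets'($*)) dnl
	gen_require(`
		type postfix_policyd_server_packet_t;
	')

	dontaudit $1 postfix_policyd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postfix_policyd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive postfix_policyd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_postfix_policyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postfix_policyd_server_packets'($*)) dnl
	corenet_send_postfix_policyd_server_packets($1)
	corenet_receive_postfix_policyd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postfix_policyd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive postfix_policyd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.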
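##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_postfix_policyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postfix_policyd_server_packets'($*)) dnl
	corenet_dontaudit_send_postfix_policyd_server_packets($1)
	corenet_dontaudit_receive_postfix_policyd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postfix_policyd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the postfix_policyd_server packet type.
## </summary>
## <desc>
##	<p>
##	relabelto on a packet type is the permission that lets a domain
##	apply this label to network traffic (SECMARK). Grant it only to the
##	domain that manages packet labeling rules, not to ordinary clients
##	or servers of the service.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_postfix_policyd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postfix_policyd_server_packets'($*)) dnl
	gen_require(`
		type postfix_policyd_server_packet_t;
	')

	allow $1 postfix_policyd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_postfix_policyd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the postgresql port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_postgresql_port'($*)) dnl
	gen_require(`
		type postgresql_port_t;
	')

	allow $1 postgresql_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_postgresql_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the postgresql port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.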
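##	</summary>
## </param>
#
define(`corenet_udp_send_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_postgresql_port'($*)) dnl
	gen_require(`
		type postgresql_port_t;
	')

	allow $1 postgresql_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_postgresql_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the postgresql port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_postgresql_port'($*)) dnl
	gen_require(`
		type postgresql_port_t;
	')

	dontaudit $1 postgresql_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_postgresql_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the postgresql port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_postgresql_port'($*)) dnl
	gen_require(`
		type postgresql_port_t;
	')

	allow $1 postgresql_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_postgresql_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the postgresql port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.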
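##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_postgresql_port'($*)) dnl
	gen_require(`
		type postgresql_port_t;
	')

	dontaudit $1 postgresql_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_postgresql_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the postgresql port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_postgresql_port'($*)) dnl
	corenet_udp_send_postgresql_port($1)
	corenet_udp_receive_postgresql_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_postgresql_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the postgresql port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_postgresql_port'($*)) dnl
	corenet_dontaudit_udp_send_postgresql_port($1)
	corenet_dontaudit_udp_receive_postgresql_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_postgresql_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the postgresql port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.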
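##	</summary>
## </param>
#
define(`corenet_tcp_bind_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_postgresql_port'($*)) dnl
	gen_require(`
		type postgresql_port_t;
	')

	allow $1 postgresql_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_postgresql_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the postgresql port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_postgresql_port'($*)) dnl
	gen_require(`
		type postgresql_port_t;
	')

	allow $1 postgresql_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_postgresql_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the postgresql port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_postgresql_port'($*)) dnl
	gen_require(`
		type postgresql_port_t;
	')

	dontaudit $1 postgresql_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_postgresql_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the postgresql port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.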
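##	</summary>
## </param>
#
define(`corenet_tcp_connect_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_postgresql_port'($*)) dnl
	gen_require(`
		type postgresql_port_t;
	')

	allow $1 postgresql_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_postgresql_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the postgresql port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_postgresql_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_postgresql_port'($*)) dnl
	gen_require(`
		type postgresql_port_t;
	')

	dontaudit $1 postgresql_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_postgresql_port'($*)) dnl
')

########################################
## <summary>
##	Send postgresql_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_postgresql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_postgresql_client_packets'($*)) dnl
	gen_require(`
		type postgresql_client_packet_t;
	')

	allow $1 postgresql_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_postgresql_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send postgresql_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.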
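##	</summary>
## </param>
#
define(`corenet_dontaudit_send_postgresql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postgresql_client_packets'($*)) dnl
	gen_require(`
		type postgresql_client_packet_t;
	')

	dontaudit $1 postgresql_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postgresql_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive postgresql_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_postgresql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_postgresql_client_packets'($*)) dnl
	gen_require(`
		type postgresql_client_packet_t;
	')

	allow $1 postgresql_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_postgresql_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive postgresql_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_postgresql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postgresql_client_packets'($*)) dnl
	gen_require(`
		type postgresql_client_packet_t;
	')

	dontaudit $1 postgresql_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postgresql_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive postgresql_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.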
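##	</summary>
## </param>
#
define(`corenet_sendrecv_postgresql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postgresql_client_packets'($*)) dnl
	corenet_send_postgresql_client_packets($1)
	corenet_receive_postgresql_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postgresql_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive postgresql_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_postgresql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postgresql_client_packets'($*)) dnl
	corenet_dontaudit_send_postgresql_client_packets($1)
	corenet_dontaudit_receive_postgresql_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postgresql_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the postgresql_client packet type.
## </summary>
## <desc>
##	<p>
##	relabelto on a packet type is the permission that lets a domain
##	apply this label to network traffic (SECMARK). Grant it only to the
##	domain that manages packet labeling rules, not to ordinary clients
##	or servers of the service.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_postgresql_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postgresql_client_packets'($*)) dnl
	gen_require(`
		type postgresql_client_packet_t;
	')

	allow $1 postgresql_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_postgresql_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send postgresql_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.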
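##	</summary>
## </param>
#
define(`corenet_send_postgresql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_postgresql_server_packets'($*)) dnl
	gen_require(`
		type postgresql_server_packet_t;
	')

	allow $1 postgresql_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_postgresql_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send postgresql_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_postgresql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postgresql_server_packets'($*)) dnl
	gen_require(`
		type postgresql_server_packet_t;
	')

	dontaudit $1 postgresql_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postgresql_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive postgresql_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_postgresql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_postgresql_server_packets'($*)) dnl
	gen_require(`
		type postgresql_server_packet_t;
	')

	allow $1 postgresql_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_postgresql_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive postgresql_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.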
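##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_postgresql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postgresql_server_packets'($*)) dnl
	gen_require(`
		type postgresql_server_packet_t;
	')

	dontaudit $1 postgresql_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postgresql_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive postgresql_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_postgresql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postgresql_server_packets'($*)) dnl
	corenet_send_postgresql_server_packets($1)
	corenet_receive_postgresql_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postgresql_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive postgresql_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_postgresql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postgresql_server_packets'($*)) dnl
	corenet_dontaudit_send_postgresql_server_packets($1)
	corenet_dontaudit_receive_postgresql_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postgresql_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the postgresql_server packet type.
## </summary>
## <desc>
##	<p>
##	relabelto on a packet type is the permission that lets a domain
##	apply this label to network traffic (SECMARK). Grant it only to the
##	domain that manages packet labeling rules, not to ordinary clients
##	or servers of the service.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.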
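##	</summary>
## </param>
#
define(`corenet_relabelto_postgresql_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postgresql_server_packets'($*)) dnl
	gen_require(`
		type postgresql_server_packet_t;
	')

	allow $1 postgresql_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_postgresql_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the postgrey port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_postgrey_port'($*)) dnl
	gen_require(`
		type postgrey_port_t;
	')

	allow $1 postgrey_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_postgrey_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the postgrey port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_postgrey_port'($*)) dnl
	gen_require(`
		type postgrey_port_t;
	')

	allow $1 postgrey_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_postgrey_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the postgrey port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.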
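##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_postgrey_port'($*)) dnl
	gen_require(`
		type postgrey_port_t;
	')

	dontaudit $1 postgrey_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_postgrey_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the postgrey port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_postgrey_port'($*)) dnl
	gen_require(`
		type postgrey_port_t;
	')

	allow $1 postgrey_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_postgrey_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the postgrey port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_postgrey_port'($*)) dnl
	gen_require(`
		type postgrey_port_t;
	')

	dontaudit $1 postgrey_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_postgrey_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the postgrey port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.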
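##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_postgrey_port'($*)) dnl
	corenet_udp_send_postgrey_port($1)
	corenet_udp_receive_postgrey_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_postgrey_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the postgrey port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_postgrey_port'($*)) dnl
	corenet_dontaudit_udp_send_postgrey_port($1)
	corenet_dontaudit_udp_receive_postgrey_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_postgrey_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the postgrey port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_postgrey_port'($*)) dnl
	gen_require(`
		type postgrey_port_t;
	')

	allow $1 postgrey_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_postgrey_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the postgrey port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.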
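##	</summary>
## </param>
#
define(`corenet_udp_bind_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_postgrey_port'($*)) dnl
	gen_require(`
		type postgrey_port_t;
	')

	allow $1 postgrey_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_postgrey_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the postgrey port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_postgrey_port'($*)) dnl
	gen_require(`
		type postgrey_port_t;
	')

	dontaudit $1 postgrey_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_postgrey_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the postgrey port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_postgrey_port'($*)) dnl
	gen_require(`
		type postgrey_port_t;
	')

	allow $1 postgrey_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_postgrey_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the postgrey port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.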
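##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_postgrey_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_postgrey_port'($*)) dnl
	gen_require(`
		type postgrey_port_t;
	')

	dontaudit $1 postgrey_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_postgrey_port'($*)) dnl
')

########################################
## <summary>
##	Send postgrey_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_postgrey_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_postgrey_client_packets'($*)) dnl
	gen_require(`
		type postgrey_client_packet_t;
	')

	allow $1 postgrey_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_postgrey_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send postgrey_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_postgrey_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postgrey_client_packets'($*)) dnl
	gen_require(`
		type postgrey_client_packet_t;
	')

	dontaudit $1 postgrey_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postgrey_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive postgrey_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.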
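##	</summary>
## </param>
#
define(`corenet_receive_postgrey_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_postgrey_client_packets'($*)) dnl
	gen_require(`
		type postgrey_client_packet_t;
	')

	allow $1 postgrey_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_postgrey_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive postgrey_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_postgrey_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postgrey_client_packets'($*)) dnl
	gen_require(`
		type postgrey_client_packet_t;
	')

	dontaudit $1 postgrey_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postgrey_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive postgrey_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_postgrey_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postgrey_client_packets'($*)) dnl
	corenet_send_postgrey_client_packets($1)
	corenet_receive_postgrey_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postgrey_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive postgrey_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.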
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_sendrecv_postgrey_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postgrey_client_packets'($*)) dnl
	# built from the send and receive dontaudit interfaces; grants no access.
	corenet_dontaudit_send_postgrey_client_packets($1)
	corenet_dontaudit_receive_postgrey_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postgrey_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the postgrey_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_postgrey_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postgrey_client_packets'($*)) dnl
	gen_require(`
		type postgrey_client_packet_t;
	')

	# packet relabelto: the domain may change packet labels to this type.
	allow $1 postgrey_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_postgrey_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send postgrey_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_send_postgrey_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_postgrey_server_packets'($*)) dnl
	gen_require(`
		type postgrey_server_packet_t;
	')

	allow $1 postgrey_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_postgrey_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send postgrey_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_send_postgrey_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_postgrey_server_packets'($*)) dnl
	gen_require(`
		type postgrey_server_packet_t;
	')

	# dontaudit suppresses the audit record for this denial; it grants no access.
	dontaudit $1 postgrey_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_postgrey_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive postgrey_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_receive_postgrey_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_postgrey_server_packets'($*)) dnl
	gen_require(`
		type postgrey_server_packet_t;
	')

	allow $1 postgrey_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_postgrey_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive postgrey_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_receive_postgrey_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_postgrey_server_packets'($*)) dnl
	gen_require(`
		type postgrey_server_packet_t;
	')

	# dontaudit suppresses the audit record for this denial; it grants no access.
	dontaudit $1 postgrey_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_postgrey_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive postgrey_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_sendrecv_postgrey_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_postgrey_server_packets'($*)) dnl
	# built from the send and receive interfaces so the two rules stay in sync.
	corenet_send_postgrey_server_packets($1)
	corenet_receive_postgrey_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_postgrey_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive postgrey_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_sendrecv_postgrey_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_postgrey_server_packets'($*)) dnl
	# built from the send and receive dontaudit interfaces; grants no access.
	corenet_dontaudit_send_postgrey_server_packets($1)
	corenet_dontaudit_receive_postgrey_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_postgrey_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the postgrey_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_postgrey_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_postgrey_server_packets'($*)) dnl
	gen_require(`
		type postgrey_server_packet_t;
	')

	# packet relabelto: the domain may change packet labels to this type.
	allow $1 postgrey_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_postgrey_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the pptp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_tcp_sendrecv_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pptp_port'($*)) dnl
	gen_require(`
		type pptp_port_t;
	')

	# send_msg/recv_msg only; connect and bind are separate interfaces.
	allow $1 pptp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pptp_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the pptp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_udp_send_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pptp_port'($*)) dnl
	gen_require(`
		type pptp_port_t;
	')

	allow $1 pptp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pptp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the pptp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_udp_send_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pptp_port'($*)) dnl
	gen_require(`
		type pptp_port_t;
	')

	# dontaudit suppresses the audit record for this denial; it grants no access.
	dontaudit $1 pptp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pptp_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the pptp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_udp_receive_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pptp_port'($*)) dnl
	gen_require(`
		type pptp_port_t;
	')

	allow $1 pptp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pptp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the pptp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_udp_receive_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pptp_port'($*)) dnl
	gen_require(`
		type pptp_port_t;
	')

	# dontaudit suppresses the audit record for this denial; it grants no access.
	dontaudit $1 pptp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pptp_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the pptp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_udp_sendrecv_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pptp_port'($*)) dnl
	# built from the send and receive interfaces so the two rules stay in sync.
	corenet_udp_send_pptp_port($1)
	corenet_udp_receive_pptp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pptp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the pptp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_udp_sendrecv_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pptp_port'($*)) dnl
	# built from the send and receive dontaudit interfaces; grants no access.
	corenet_dontaudit_udp_send_pptp_port($1)
	corenet_dontaudit_udp_receive_pptp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pptp_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the pptp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_tcp_bind_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pptp_port'($*)) dnl
	gen_require(`
		type pptp_port_t;
	')

	# only name_bind to this port; no connect permission is granted here.
	allow $1 pptp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pptp_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the pptp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_udp_bind_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pptp_port'($*)) dnl
	gen_require(`
		type pptp_port_t;
	')

	# only name_bind to this port; send/receive are separate interfaces.
	allow $1 pptp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pptp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the pptp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_udp_bind_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pptp_port'($*)) dnl
	gen_require(`
		type pptp_port_t;
	')

	# dontaudit suppresses the audit record for this denial; it grants no access.
	dontaudit $1 pptp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pptp_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the pptp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pptp_port'($*)) dnl
	gen_require(`
		type pptp_port_t;
	')

	# only name_connect to this port; no socket create or bind permission is granted here.
	allow $1 pptp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pptp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the pptp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_pptp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pptp_port'($*)) dnl
	gen_require(`
		type pptp_port_t;
	')

	# dontaudit suppresses the audit record for this denial; it grants no access.
	dontaudit $1 pptp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pptp_port'($*)) dnl
')

########################################
## <summary>
##	Send pptp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_send_pptp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pptp_client_packets'($*)) dnl
	gen_require(`
		type pptp_client_packet_t;
	')

	allow $1 pptp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pptp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pptp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_send_pptp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pptp_client_packets'($*)) dnl
	gen_require(`
		type pptp_client_packet_t;
	')

	# dontaudit suppresses the audit record for this denial; it grants no access.
	dontaudit $1 pptp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pptp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pptp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_receive_pptp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pptp_client_packets'($*)) dnl
	gen_require(`
		type pptp_client_packet_t;
	')

	allow $1 pptp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pptp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pptp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_receive_pptp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pptp_client_packets'($*)) dnl
	gen_require(`
		type pptp_client_packet_t;
	')

	# dontaudit suppresses the audit record for this denial; it grants no access.
	dontaudit $1 pptp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pptp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pptp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_sendrecv_pptp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pptp_client_packets'($*)) dnl
	# built from the send and receive interfaces so the two rules stay in sync.
	corenet_send_pptp_client_packets($1)
	corenet_receive_pptp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pptp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pptp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_sendrecv_pptp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pptp_client_packets'($*)) dnl
	# built from the send and receive dontaudit interfaces; grants no access.
	corenet_dontaudit_send_pptp_client_packets($1)
	corenet_dontaudit_receive_pptp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pptp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pptp_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pptp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pptp_client_packets'($*)) dnl
	gen_require(`
		type pptp_client_packet_t;
	')

	# packet relabelto: the domain may change packet labels to this type.
	allow $1 pptp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pptp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send pptp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_send_pptp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pptp_server_packets'($*)) dnl
	gen_require(`
		type pptp_server_packet_t;
	')

	allow $1 pptp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pptp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pptp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_send_pptp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pptp_server_packets'($*)) dnl
	gen_require(`
		type pptp_server_packet_t;
	')

	# dontaudit suppresses the audit record for this denial; it grants no access.
	dontaudit $1 pptp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pptp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pptp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_receive_pptp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pptp_server_packets'($*)) dnl
	gen_require(`
		type pptp_server_packet_t;
	')

	allow $1 pptp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pptp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pptp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_receive_pptp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pptp_server_packets'($*)) dnl
	gen_require(`
		type pptp_server_packet_t;
	')

	# dontaudit suppresses the audit record for this denial; it grants no access.
	dontaudit $1 pptp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pptp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pptp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_sendrecv_pptp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pptp_server_packets'($*)) dnl
	# built from the send and receive interfaces so the two rules stay in sync.
	corenet_send_pptp_server_packets($1)
	corenet_receive_pptp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pptp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pptp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_sendrecv_pptp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pptp_server_packets'($*)) dnl
	# built from the send and receive dontaudit interfaces; grants no access.
	corenet_dontaudit_send_pptp_server_packets($1)
	corenet_dontaudit_receive_pptp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pptp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pptp_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pptp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pptp_server_packets'($*)) dnl
	gen_require(`
		type pptp_server_packet_t;
	')

	# packet relabelto: the domain may change packet labels to this type.
	allow $1 pptp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pptp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the prelude port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_tcp_sendrecv_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_prelude_port'($*)) dnl
	gen_require(`
		type prelude_port_t;
	')

	# send_msg/recv_msg only; connect and bind are separate interfaces.
	allow $1 prelude_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_prelude_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the prelude port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_udp_send_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_prelude_port'($*)) dnl
	gen_require(`
		type prelude_port_t;
	')

	allow $1 prelude_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_prelude_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the prelude port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_udp_send_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_prelude_port'($*)) dnl
	gen_require(`
		type prelude_port_t;
	')

	# dontaudit suppresses the audit record for this denial; it grants no access.
	dontaudit $1 prelude_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_prelude_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the prelude port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_udp_receive_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_prelude_port'($*)) dnl
	gen_require(`
		type prelude_port_t;
	')

	allow $1 prelude_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_prelude_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the prelude port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_udp_receive_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_prelude_port'($*)) dnl
	gen_require(`
		type prelude_port_t;
	')

	# dontaudit suppresses the audit record for this denial; it grants no access.
	dontaudit $1 prelude_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_prelude_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the prelude port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_udp_sendrecv_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_prelude_port'($*)) dnl
	# built from the send and receive interfaces so the two rules stay in sync.
	corenet_udp_send_prelude_port($1)
	corenet_udp_receive_prelude_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_prelude_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the prelude port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_udp_sendrecv_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_prelude_port'($*)) dnl
	# built from the send and receive dontaudit interfaces; grants no access.
	corenet_dontaudit_udp_send_prelude_port($1)
	corenet_dontaudit_udp_receive_prelude_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_prelude_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the prelude port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_tcp_bind_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_prelude_port'($*)) dnl
	gen_require(`
		type prelude_port_t;
	')

	# only name_bind to this port; no connect permission is granted here.
	allow $1 prelude_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_prelude_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the prelude port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_udp_bind_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_prelude_port'($*)) dnl
	gen_require(`
		type prelude_port_t;
	')

	# only name_bind to this port; send/receive are separate interfaces.
	allow $1 prelude_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_prelude_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the prelude port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_udp_bind_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_prelude_port'($*)) dnl
	gen_require(`
		type prelude_port_t;
	')

	# dontaudit suppresses the audit record for this denial; it grants no access.
	dontaudit $1 prelude_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_prelude_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the prelude port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_prelude_port'($*)) dnl
	gen_require(`
		type prelude_port_t;
	')

	# only name_connect to this port; no socket create or bind permission is granted here.
	allow $1 prelude_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_prelude_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the prelude port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_prelude_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_prelude_port'($*)) dnl
	gen_require(`
		type prelude_port_t;
	')

	# dontaudit suppresses the audit record for this denial; it grants no access.
	dontaudit $1 prelude_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_prelude_port'($*)) dnl
')

########################################
## <summary>
##	Send prelude_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_send_prelude_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_prelude_client_packets'($*)) dnl
	gen_require(`
		type prelude_client_packet_t;
	')

	allow $1 prelude_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_prelude_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send prelude_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_send_prelude_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_prelude_client_packets'($*)) dnl
	gen_require(`
		type prelude_client_packet_t;
	')

	# dontaudit suppresses the audit record for this denial; it grants no access.
	dontaudit $1 prelude_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_prelude_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive prelude_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_receive_prelude_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_prelude_client_packets'($*)) dnl
	gen_require(`
		type prelude_client_packet_t;
	')

	allow $1 prelude_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_prelude_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive prelude_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_receive_prelude_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_prelude_client_packets'($*)) dnl
	gen_require(`
		type prelude_client_packet_t;
	')

	# dontaudit suppresses the audit record for this denial; it grants no access.
	dontaudit $1 prelude_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_prelude_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive prelude_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_sendrecv_prelude_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_prelude_client_packets'($*)) dnl
	# built from the send and receive interfaces so the two rules stay in sync.
	corenet_send_prelude_client_packets($1)
	corenet_receive_prelude_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_prelude_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive prelude_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_sendrecv_prelude_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_prelude_client_packets'($*)) dnl
	# built from the send and receive dontaudit interfaces; grants no access.
	corenet_dontaudit_send_prelude_client_packets($1)
	corenet_dontaudit_receive_prelude_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_prelude_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the prelude_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_prelude_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_prelude_client_packets'($*)) dnl
	gen_require(`
		type prelude_client_packet_t;
	')

	# packet relabelto: the domain may change packet labels to this type.
	allow $1 prelude_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_prelude_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send prelude_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_send_prelude_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_prelude_server_packets'($*)) dnl
	gen_require(`
		type prelude_server_packet_t;
	')

	allow $1 prelude_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_prelude_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send prelude_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_send_prelude_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_prelude_server_packets'($*)) dnl
	gen_require(`
		type prelude_server_packet_t;
	')

	# dontaudit suppresses the audit record for this denial; it grants no access.
	dontaudit $1 prelude_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_prelude_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive prelude_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_receive_prelude_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_prelude_server_packets'($*)) dnl
	gen_require(`
		type prelude_server_packet_t;
	')

	allow $1 prelude_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_prelude_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive prelude_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_receive_prelude_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_prelude_server_packets'($*)) dnl
	gen_require(`
		type prelude_server_packet_t;
	')

	# dontaudit suppresses the audit record for this denial; it grants no access.
	dontaudit $1 prelude_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_prelude_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive prelude_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_sendrecv_prelude_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_prelude_server_packets'($*)) dnl
	# built from the send and receive interfaces so the two rules stay in sync.
	corenet_send_prelude_server_packets($1)
	corenet_receive_prelude_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_prelude_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive prelude_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <!-- review: the doc line after </param> was lost in extraction (probably an infoflow element); restore from upstream -->
#
define(`corenet_dontaudit_sendrecv_prelude_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_prelude_server_packets'($*)) dnl
	# built from the send and receive dontaudit interfaces; grants no access.
	corenet_dontaudit_send_prelude_server_packets($1)
	corenet_dontaudit_receive_prelude_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_prelude_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the prelude_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_prelude_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_prelude_server_packets'($*)) dnl
	gen_require(`
		type prelude_server_packet_t;
	')

	allow $1 prelude_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_prelude_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the presence port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_presence_port'($*)) dnl
	gen_require(`
		type presence_port_t;
	')

	allow $1 presence_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_presence_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the presence port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_presence_port'($*)) dnl
	gen_require(`
		type presence_port_t;
	')

	allow $1 presence_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_presence_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the presence port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_presence_port'($*)) dnl
	gen_require(`
		type presence_port_t;
	')

	dontaudit $1 presence_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_presence_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the presence port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_presence_port'($*)) dnl
	gen_require(`
		type presence_port_t;
	')

	allow $1 presence_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_presence_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the presence port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_presence_port'($*)) dnl
	gen_require(`
		type presence_port_t;
	')

	dontaudit $1 presence_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_presence_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the presence port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_presence_port'($*)) dnl
	corenet_udp_send_presence_port($1)
	corenet_udp_receive_presence_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_presence_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the presence port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_presence_port'($*)) dnl
	corenet_dontaudit_udp_send_presence_port($1)
	corenet_dontaudit_udp_receive_presence_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_presence_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the presence port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_presence_port'($*)) dnl
	gen_require(`
		type presence_port_t;
	')

	allow $1 presence_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_presence_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the presence port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
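##	</summary>
## </param>
#
define(`corenet_udp_bind_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_presence_port'($*)) dnl
	gen_require(`
		type presence_port_t;
	')

	allow $1 presence_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_presence_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the presence port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_presence_port'($*)) dnl
	gen_require(`
		type presence_port_t;
	')

	dontaudit $1 presence_port_t:udp_socket name_bind;
	# A dontaudit interface must only silence denials, never grant
	# access: the capability denial is suppressed here, not allowed.
	dontaudit $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_presence_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the presence port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_presence_port'($*)) dnl
	gen_require(`
		type presence_port_t;
	')

	allow $1 presence_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_presence_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the presence port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.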
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_presence_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_presence_port'($*)) dnl
	gen_require(`
		type presence_port_t;
	')

	dontaudit $1 presence_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_presence_port'($*)) dnl
')

########################################
## <summary>
##	Send presence_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_presence_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_presence_client_packets'($*)) dnl
	gen_require(`
		type presence_client_packet_t;
	')

	allow $1 presence_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_presence_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send presence_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_presence_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_presence_client_packets'($*)) dnl
	gen_require(`
		type presence_client_packet_t;
	')

	dontaudit $1 presence_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_presence_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive presence_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
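##	</summary>
## </param>
#
define(`corenet_receive_presence_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_presence_client_packets'($*)) dnl
	gen_require(`
		type presence_client_packet_t;
	')

	allow $1 presence_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_presence_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive presence_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_presence_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_presence_client_packets'($*)) dnl
	gen_require(`
		type presence_client_packet_t;
	')

	dontaudit $1 presence_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_presence_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive presence_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_presence_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_presence_client_packets'($*)) dnl
	corenet_send_presence_client_packets($1)
	corenet_receive_presence_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_presence_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive presence_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.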
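##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_presence_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_presence_client_packets'($*)) dnl
	corenet_dontaudit_send_presence_client_packets($1)
	corenet_dontaudit_receive_presence_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_presence_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the presence_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_presence_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_presence_client_packets'($*)) dnl
	gen_require(`
		type presence_client_packet_t;
	')

	allow $1 presence_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_presence_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send presence_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_presence_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_presence_server_packets'($*)) dnl
	gen_require(`
		type presence_server_packet_t;
	')

	allow $1 presence_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_presence_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send presence_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.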
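##	</summary>
## </param>
#
define(`corenet_dontaudit_send_presence_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_presence_server_packets'($*)) dnl
	gen_require(`
		type presence_server_packet_t;
	')

	dontaudit $1 presence_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_presence_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive presence_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_presence_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_presence_server_packets'($*)) dnl
	gen_require(`
		type presence_server_packet_t;
	')

	allow $1 presence_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_presence_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive presence_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_presence_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_presence_server_packets'($*)) dnl
	gen_require(`
		type presence_server_packet_t;
	')

	dontaudit $1 presence_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_presence_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive presence_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.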
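##	</summary>
## </param>
#
define(`corenet_sendrecv_presence_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_presence_server_packets'($*)) dnl
	corenet_send_presence_server_packets($1)
	corenet_receive_presence_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_presence_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive presence_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_presence_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_presence_server_packets'($*)) dnl
	corenet_dontaudit_send_presence_server_packets($1)
	corenet_dontaudit_receive_presence_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_presence_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the presence_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_presence_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_presence_server_packets'($*)) dnl
	gen_require(`
		type presence_server_packet_t;
	')

	allow $1 presence_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_presence_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the preupgrade port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.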
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_preupgrade_port'($*)) dnl
	gen_require(`
		type preupgrade_port_t;
	')

	allow $1 preupgrade_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_preupgrade_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the preupgrade port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_preupgrade_port'($*)) dnl
	gen_require(`
		type preupgrade_port_t;
	')

	allow $1 preupgrade_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_preupgrade_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the preupgrade port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_preupgrade_port'($*)) dnl
	gen_require(`
		type preupgrade_port_t;
	')

	dontaudit $1 preupgrade_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_preupgrade_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the preupgrade port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_preupgrade_port'($*)) dnl
	gen_require(`
		type preupgrade_port_t;
	')

	allow $1 preupgrade_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_preupgrade_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the preupgrade port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_preupgrade_port'($*)) dnl
	gen_require(`
		type preupgrade_port_t;
	')

	dontaudit $1 preupgrade_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_preupgrade_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the preupgrade port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_preupgrade_port'($*)) dnl
	corenet_udp_send_preupgrade_port($1)
	corenet_udp_receive_preupgrade_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_preupgrade_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the preupgrade port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
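##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_preupgrade_port'($*)) dnl
	corenet_dontaudit_udp_send_preupgrade_port($1)
	corenet_dontaudit_udp_receive_preupgrade_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_preupgrade_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the preupgrade port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_preupgrade_port'($*)) dnl
	gen_require(`
		type preupgrade_port_t;
	')

	allow $1 preupgrade_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_preupgrade_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the preupgrade port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_preupgrade_port'($*)) dnl
	gen_require(`
		type preupgrade_port_t;
	')

	allow $1 preupgrade_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_preupgrade_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the preupgrade port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.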
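##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_preupgrade_port'($*)) dnl
	gen_require(`
		type preupgrade_port_t;
	')

	dontaudit $1 preupgrade_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_preupgrade_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the preupgrade port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_preupgrade_port'($*)) dnl
	gen_require(`
		type preupgrade_port_t;
	')

	allow $1 preupgrade_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_preupgrade_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the preupgrade port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_preupgrade_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_preupgrade_port'($*)) dnl
	gen_require(`
		type preupgrade_port_t;
	')

	dontaudit $1 preupgrade_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_preupgrade_port'($*)) dnl
')

########################################
## <summary>
##	Send preupgrade_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.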
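##	</summary>
## </param>
#
define(`corenet_send_preupgrade_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_preupgrade_client_packets'($*)) dnl
	gen_require(`
		type preupgrade_client_packet_t;
	')

	allow $1 preupgrade_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_preupgrade_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send preupgrade_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_preupgrade_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_preupgrade_client_packets'($*)) dnl
	gen_require(`
		type preupgrade_client_packet_t;
	')

	dontaudit $1 preupgrade_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_preupgrade_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive preupgrade_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_preupgrade_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_preupgrade_client_packets'($*)) dnl
	gen_require(`
		type preupgrade_client_packet_t;
	')

	allow $1 preupgrade_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_preupgrade_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive preupgrade_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.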
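##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_preupgrade_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_preupgrade_client_packets'($*)) dnl
	gen_require(`
		type preupgrade_client_packet_t;
	')

	dontaudit $1 preupgrade_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_preupgrade_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive preupgrade_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_preupgrade_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_preupgrade_client_packets'($*)) dnl
	corenet_send_preupgrade_client_packets($1)
	corenet_receive_preupgrade_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_preupgrade_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive preupgrade_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_preupgrade_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_preupgrade_client_packets'($*)) dnl
	corenet_dontaudit_send_preupgrade_client_packets($1)
	corenet_dontaudit_receive_preupgrade_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_preupgrade_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the preupgrade_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.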
##	</summary>
## </param>
#
define(`corenet_relabelto_preupgrade_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_preupgrade_client_packets'($*)) dnl
	gen_require(`
		type preupgrade_client_packet_t;
	')

	allow $1 preupgrade_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_preupgrade_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send preupgrade_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_preupgrade_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_preupgrade_server_packets'($*)) dnl
	gen_require(`
		type preupgrade_server_packet_t;
	')

	allow $1 preupgrade_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_preupgrade_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send preupgrade_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_preupgrade_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_preupgrade_server_packets'($*)) dnl
	gen_require(`
		type preupgrade_server_packet_t;
	')

	dontaudit $1 preupgrade_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_preupgrade_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive preupgrade_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
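##	</summary>
## </param>
#
define(`corenet_receive_preupgrade_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_preupgrade_server_packets'($*)) dnl
	gen_require(`
		type preupgrade_server_packet_t;
	')

	allow $1 preupgrade_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_preupgrade_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive preupgrade_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_preupgrade_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_preupgrade_server_packets'($*)) dnl
	gen_require(`
		type preupgrade_server_packet_t;
	')

	dontaudit $1 preupgrade_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_preupgrade_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive preupgrade_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_preupgrade_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_preupgrade_server_packets'($*)) dnl
	corenet_send_preupgrade_server_packets($1)
	corenet_receive_preupgrade_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_preupgrade_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive preupgrade_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.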
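##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_preupgrade_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_preupgrade_server_packets'($*)) dnl
	corenet_dontaudit_send_preupgrade_server_packets($1)
	corenet_dontaudit_receive_preupgrade_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_preupgrade_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the preupgrade_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_preupgrade_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_preupgrade_server_packets'($*)) dnl
	gen_require(`
		type preupgrade_server_packet_t;
	')

	allow $1 preupgrade_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_preupgrade_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the printer port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_printer_port'($*)) dnl
	gen_require(`
		type printer_port_t;
	')

	allow $1 printer_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_printer_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the printer port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.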
##	</summary>
## </param>
#
define(`corenet_udp_send_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_printer_port'($*)) dnl
	gen_require(`
		type printer_port_t;
	')

	allow $1 printer_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_printer_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the printer port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_printer_port'($*)) dnl
	gen_require(`
		type printer_port_t;
	')

	dontaudit $1 printer_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_printer_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the printer port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_printer_port'($*)) dnl
	gen_require(`
		type printer_port_t;
	')

	allow $1 printer_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_printer_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the printer port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </param>
#
define(`corenet_dontaudit_udp_receive_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_printer_port'($*)) dnl
	gen_require(`
		type printer_port_t;
	')

	dontaudit $1 printer_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_printer_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the printer port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_printer_port'($*)) dnl
	# convenience wrapper: both directions of UDP traffic on the printer port
	corenet_udp_send_printer_port($1)
	corenet_udp_receive_printer_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_printer_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the printer port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_printer_port'($*)) dnl
	# convenience wrapper: silence both directions of UDP traffic on the printer port
	corenet_dontaudit_udp_send_printer_port($1)
	corenet_dontaudit_udp_receive_printer_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_printer_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the printer port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_printer_port'($*)) dnl
	gen_require(`
		type printer_port_t;
	')

	allow $1 printer_port_t:tcp_socket name_bind;
	# the bind is paired with CAP_NET_BIND_SERVICE, presumably because the
	# printer port is a privileged port; confirm against the port definition
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_printer_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the printer port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_printer_port'($*)) dnl
	gen_require(`
		type printer_port_t;
	')

	allow $1 printer_port_t:udp_socket name_bind;
	# the bind is paired with CAP_NET_BIND_SERVICE, presumably because the
	# printer port is a privileged port; confirm against the port definition
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_printer_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the printer port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_printer_port'($*)) dnl
	gen_require(`
		type printer_port_t;
	')

	dontaudit $1 printer_port_t:udp_socket name_bind;
	# NOTE(review): this is a dontaudit interface, yet the next rule is an
	# allow: callers that only wanted to silence a denial also receive
	# CAP_NET_BIND_SERVICE. The bind itself stays denied, so the capability
	# grant is a silent widening of the caller; confirm callers expect it.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_printer_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the printer port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_printer_port'($*)) dnl
	gen_require(`
		type printer_port_t;
	')

	allow $1 printer_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_printer_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the printer port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_printer_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_printer_port'($*)) dnl
	gen_require(`
		type printer_port_t;
	')

	dontaudit $1 printer_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_printer_port'($*)) dnl
')

########################################
## <summary>
##	Send printer_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_printer_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_printer_client_packets'($*)) dnl
	gen_require(`
		type printer_client_packet_t;
	')

	allow $1 printer_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_printer_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send printer_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_printer_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_printer_client_packets'($*)) dnl
	gen_require(`
		type printer_client_packet_t;
	')

	dontaudit $1 printer_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_printer_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive printer_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_printer_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_printer_client_packets'($*)) dnl
	gen_require(`
		type printer_client_packet_t;
	')

	allow $1 printer_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_printer_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive printer_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_printer_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_printer_client_packets'($*)) dnl
	gen_require(`
		type printer_client_packet_t;
	')

	dontaudit $1 printer_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_printer_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive printer_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_printer_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_printer_client_packets'($*)) dnl
	# convenience wrapper: both directions of the printer_client packet type
	corenet_send_printer_client_packets($1)
	corenet_receive_printer_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_printer_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive printer_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_printer_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_printer_client_packets'($*)) dnl
	# convenience wrapper: silence both directions of the printer_client packet type
	corenet_dontaudit_send_printer_client_packets($1)
	corenet_dontaudit_receive_printer_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_printer_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the printer_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_printer_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_printer_client_packets'($*)) dnl
	gen_require(`
		type printer_client_packet_t;
	')

	allow $1 printer_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_printer_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send printer_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_printer_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_printer_server_packets'($*)) dnl
	gen_require(`
		type printer_server_packet_t;
	')

	allow $1 printer_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_printer_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send printer_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_printer_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_printer_server_packets'($*)) dnl
	gen_require(`
		type printer_server_packet_t;
	')

	dontaudit $1 printer_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_printer_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive printer_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_printer_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_printer_server_packets'($*)) dnl
	gen_require(`
		type printer_server_packet_t;
	')

	allow $1 printer_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_printer_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive printer_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_printer_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_printer_server_packets'($*)) dnl
	gen_require(`
		type printer_server_packet_t;
	')

	dontaudit $1 printer_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_printer_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive printer_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_printer_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_printer_server_packets'($*)) dnl
	# convenience wrapper: both directions of the printer_server packet type
	corenet_send_printer_server_packets($1)
	corenet_receive_printer_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_printer_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive printer_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_printer_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_printer_server_packets'($*)) dnl
	# convenience wrapper: silence both directions of the printer_server packet type
	corenet_dontaudit_send_printer_server_packets($1)
	corenet_dontaudit_receive_printer_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_printer_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the printer_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_printer_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_printer_server_packets'($*)) dnl
	gen_require(`
		type printer_server_packet_t;
	')

	allow $1 printer_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_printer_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the priority_e_com port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_priority_e_com_port'($*)) dnl
	gen_require(`
		type priority_e_com_port_t;
	')

	allow $1 priority_e_com_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_priority_e_com_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the priority_e_com port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_priority_e_com_port'($*)) dnl
	gen_require(`
		type priority_e_com_port_t;
	')

	allow $1 priority_e_com_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_priority_e_com_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the priority_e_com port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_priority_e_com_port'($*)) dnl
	gen_require(`
		type priority_e_com_port_t;
	')

	dontaudit $1 priority_e_com_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_priority_e_com_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the priority_e_com port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_priority_e_com_port'($*)) dnl
	gen_require(`
		type priority_e_com_port_t;
	')

	allow $1 priority_e_com_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_priority_e_com_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the priority_e_com port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_priority_e_com_port'($*)) dnl
	gen_require(`
		type priority_e_com_port_t;
	')

	dontaudit $1 priority_e_com_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_priority_e_com_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the priority_e_com port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_priority_e_com_port'($*)) dnl
	# convenience wrapper: both directions of UDP traffic on the priority_e_com port
	corenet_udp_send_priority_e_com_port($1)
	corenet_udp_receive_priority_e_com_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_priority_e_com_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the priority_e_com port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_priority_e_com_port'($*)) dnl
	# convenience wrapper: silence both directions of UDP traffic on the priority_e_com port
	corenet_dontaudit_udp_send_priority_e_com_port($1)
	corenet_dontaudit_udp_receive_priority_e_com_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_priority_e_com_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the priority_e_com port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_priority_e_com_port'($*)) dnl
	gen_require(`
		type priority_e_com_port_t;
	')

	# no CAP_NET_BIND_SERVICE here, unlike the printer port bind interfaces;
	# presumably this port is not privileged - confirm against the port definition
	allow $1 priority_e_com_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_priority_e_com_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the priority_e_com port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_priority_e_com_port'($*)) dnl
	gen_require(`
		type priority_e_com_port_t;
	')

	allow $1 priority_e_com_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_priority_e_com_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the priority_e_com port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_priority_e_com_port'($*)) dnl
	gen_require(`
		type priority_e_com_port_t;
	')

	# pure dontaudit: no allow rule rides along, unlike the printer port variant
	dontaudit $1 priority_e_com_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_priority_e_com_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the priority_e_com port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_priority_e_com_port'($*)) dnl
	gen_require(`
		type priority_e_com_port_t;
	')

	allow $1 priority_e_com_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_priority_e_com_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the priority_e_com port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_priority_e_com_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_priority_e_com_port'($*)) dnl
	gen_require(`
		type priority_e_com_port_t;
	')

	dontaudit $1 priority_e_com_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_priority_e_com_port'($*)) dnl
')

########################################
## <summary>
##	Send priority_e_com_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_priority_e_com_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_priority_e_com_client_packets'($*)) dnl
	gen_require(`
		type priority_e_com_client_packet_t;
	')

	allow $1 priority_e_com_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_priority_e_com_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send priority_e_com_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_priority_e_com_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_priority_e_com_client_packets'($*)) dnl
	gen_require(`
		type priority_e_com_client_packet_t;
	')

	dontaudit $1 priority_e_com_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_priority_e_com_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive priority_e_com_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_priority_e_com_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_priority_e_com_client_packets'($*)) dnl
	gen_require(`
		type priority_e_com_client_packet_t;
	')

	allow $1 priority_e_com_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_priority_e_com_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive priority_e_com_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_priority_e_com_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_priority_e_com_client_packets'($*)) dnl
	gen_require(`
		type priority_e_com_client_packet_t;
	')

	dontaudit $1 priority_e_com_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_priority_e_com_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive priority_e_com_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_priority_e_com_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_priority_e_com_client_packets'($*)) dnl
	# convenience wrapper: both directions of the priority_e_com_client packet type
	corenet_send_priority_e_com_client_packets($1)
	corenet_receive_priority_e_com_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_priority_e_com_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive priority_e_com_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_priority_e_com_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_priority_e_com_client_packets'($*)) dnl
	# convenience wrapper: silence both directions of the priority_e_com_client packet type
	corenet_dontaudit_send_priority_e_com_client_packets($1)
	corenet_dontaudit_receive_priority_e_com_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_priority_e_com_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the priority_e_com_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_priority_e_com_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_priority_e_com_client_packets'($*)) dnl
	gen_require(`
		type priority_e_com_client_packet_t;
	')

	allow $1 priority_e_com_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_priority_e_com_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send priority_e_com_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_priority_e_com_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_priority_e_com_server_packets'($*)) dnl
	gen_require(`
		type priority_e_com_server_packet_t;
	')

	allow $1 priority_e_com_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_priority_e_com_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send priority_e_com_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_priority_e_com_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_priority_e_com_server_packets'($*)) dnl
	gen_require(`
		type priority_e_com_server_packet_t;
	')

	dontaudit $1 priority_e_com_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_priority_e_com_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive priority_e_com_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_priority_e_com_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_priority_e_com_server_packets'($*)) dnl
	gen_require(`
		type priority_e_com_server_packet_t;
	')

	allow $1 priority_e_com_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_priority_e_com_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive priority_e_com_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_priority_e_com_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_priority_e_com_server_packets'($*)) dnl
	gen_require(`
		type priority_e_com_server_packet_t;
	')

	dontaudit $1 priority_e_com_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_priority_e_com_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive priority_e_com_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_priority_e_com_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_priority_e_com_server_packets'($*)) dnl
	# convenience wrapper: both directions of the priority_e_com_server packet type
	corenet_send_priority_e_com_server_packets($1)
	corenet_receive_priority_e_com_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_priority_e_com_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive priority_e_com_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_priority_e_com_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_priority_e_com_server_packets'($*)) dnl
	# convenience wrapper: silence both directions of the priority_e_com_server packet type
	corenet_dontaudit_send_priority_e_com_server_packets($1)
	corenet_dontaudit_receive_priority_e_com_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_priority_e_com_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the priority_e_com_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_priority_e_com_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_priority_e_com_server_packets'($*)) dnl
	gen_require(`
		type priority_e_com_server_packet_t;
	')

	allow $1 priority_e_com_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_priority_e_com_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the prosody port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_prosody_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_prosody_port'($*)) dnl
	gen_require(`
		type prosody_port_t;
	')

	allow $1 prosody_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_prosody_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the prosody port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_prosody_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_prosody_port'($*)) dnl
	gen_require(`
		type prosody_port_t;
	')

	allow $1 prosody_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_prosody_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the prosody port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_prosody_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_prosody_port'($*)) dnl
	gen_require(`
		type prosody_port_t;
	')

	dontaudit $1 prosody_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_prosody_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the prosody port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_prosody_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_prosody_port'($*)) dnl
	gen_require(`
		type prosody_port_t;
	')

	allow $1 prosody_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_prosody_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the prosody port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_prosody_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_prosody_port'($*)) dnl
	gen_require(`
		type prosody_port_t;
	')

	dontaudit $1 prosody_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_prosody_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the prosody port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_prosody_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_prosody_port'($*)) dnl
	# convenience wrapper: both directions of UDP traffic on the prosody port
	corenet_udp_send_prosody_port($1)
	corenet_udp_receive_prosody_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_prosody_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the prosody port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_prosody_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_prosody_port'($*)) dnl
	# convenience wrapper: silence both directions of UDP traffic on the prosody port
	corenet_dontaudit_udp_send_prosody_port($1)
	corenet_dontaudit_udp_receive_prosody_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_prosody_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the prosody port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_prosody_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_prosody_port'($*)) dnl
	gen_require(`
		type prosody_port_t;
	')

	allow $1 prosody_port_t:tcp_socket name_bind;
	# the bind is paired with CAP_NET_BIND_SERVICE, presumably because the
	# prosody port is a privileged port; confirm against the port definition
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_prosody_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the prosody port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_prosody_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_prosody_port'($*)) dnl
	gen_require(`
		type prosody_port_t;
	')

	allow $1 prosody_port_t:udp_socket name_bind;
	# the bind is paired with CAP_NET_BIND_SERVICE, presumably because the
	# prosody port is a privileged port; confirm against the port definition
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_prosody_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the prosody port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
##	</summary>
## </param>
##
# NOTE(review): this is a dontaudit interface, yet it also carries an
# allow rule (self:capability net_bind_service). A caller that only wants
# to silence name_bind denials therefore receives a real capability grant;
# confirm that is intended, since a dontaudit interface is normally
# expected to add no permissions.
#
define(`corenet_dontaudit_udp_bind_prosody_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_prosody_port'($*))dnl
	gen_require(`
		type prosody_port_t;
	')

	dontaudit $1 prosody_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_prosody_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the prosody port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_connect_prosody_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_prosody_port'($*))dnl
	gen_require(`
		type prosody_port_t;
	')

	allow $1 prosody_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_prosody_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the prosody port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_tcp_connect_prosody_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_prosody_port'($*))dnl
	gen_require(`
		type prosody_port_t;
	')

	dontaudit $1 prosody_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_prosody_port'($*))dnl
')

########################################
## <summary>
##	Send prosody_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_prosody_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_prosody_client_packets'($*))dnl
	gen_require(`
		type prosody_client_packet_t;
	')

	allow $1 prosody_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_prosody_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send prosody_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_prosody_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_prosody_client_packets'($*))dnl
	gen_require(`
		type prosody_client_packet_t;
	')

	dontaudit $1 prosody_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_prosody_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive prosody_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_prosody_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_prosody_client_packets'($*))dnl
	gen_require(`
		type prosody_client_packet_t;
	')

	allow $1 prosody_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_prosody_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive prosody_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_prosody_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_prosody_client_packets'($*))dnl
	gen_require(`
		type prosody_client_packet_t;
	')

	dontaudit $1 prosody_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_prosody_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive prosody_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_prosody_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_prosody_client_packets'($*))dnl
	# Composed from the single-direction interfaces above.
	corenet_send_prosody_client_packets($1)
	corenet_receive_prosody_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_prosody_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive prosody_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_prosody_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_prosody_client_packets'($*))dnl
	# Composed from the single-direction dontaudit interfaces above.
	corenet_dontaudit_send_prosody_client_packets($1)
	corenet_dontaudit_receive_prosody_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_prosody_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the prosody_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_relabelto_prosody_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_prosody_client_packets'($*))dnl
	gen_require(`
		type prosody_client_packet_t;
	')

	allow $1 prosody_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_prosody_client_packets'($*))dnl
')

########################################
## <summary>
##	Send prosody_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_prosody_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_prosody_server_packets'($*))dnl
	gen_require(`
		type prosody_server_packet_t;
	')

	allow $1 prosody_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_prosody_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send prosody_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_prosody_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_prosody_server_packets'($*))dnl
	gen_require(`
		type prosody_server_packet_t;
	')

	dontaudit $1 prosody_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_prosody_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive prosody_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_prosody_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_prosody_server_packets'($*))dnl
	gen_require(`
		type prosody_server_packet_t;
	')

	allow $1 prosody_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_prosody_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive prosody_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_prosody_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_prosody_server_packets'($*))dnl
	gen_require(`
		type prosody_server_packet_t;
	')

	dontaudit $1 prosody_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_prosody_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive prosody_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_prosody_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_prosody_server_packets'($*))dnl
	# Composed from the single-direction interfaces above.
	corenet_send_prosody_server_packets($1)
	corenet_receive_prosody_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_prosody_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive prosody_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_prosody_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_prosody_server_packets'($*))dnl
	# Composed from the single-direction dontaudit interfaces.
	corenet_dontaudit_send_prosody_server_packets($1)
	corenet_dontaudit_receive_prosody_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_prosody_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the prosody_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_relabelto_prosody_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_prosody_server_packets'($*))dnl
	gen_require(`
		type prosody_server_packet_t;
	')

	allow $1 prosody_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_prosody_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the ptal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_ptal_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ptal_port'($*))dnl
	gen_require(`
		type ptal_port_t;
	')

	allow $1 ptal_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ptal_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the ptal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_ptal_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ptal_port'($*))dnl
	gen_require(`
		type ptal_port_t;
	')

	allow $1 ptal_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ptal_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the ptal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_send_ptal_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ptal_port'($*))dnl
	gen_require(`
		type ptal_port_t;
	')

	dontaudit $1 ptal_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ptal_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the ptal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_ptal_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ptal_port'($*))dnl
	gen_require(`
		type ptal_port_t;
	')

	allow $1 ptal_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ptal_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the ptal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_receive_ptal_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ptal_port'($*))dnl
	gen_require(`
		type ptal_port_t;
	')

	dontaudit $1 ptal_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ptal_port'($*))dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the ptal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_sendrecv_ptal_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ptal_port'($*))dnl
	# Composed from the single-direction interfaces above.
	corenet_udp_send_ptal_port($1)
	corenet_udp_receive_ptal_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ptal_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the ptal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_sendrecv_ptal_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ptal_port'($*))dnl
	# Composed from the single-direction dontaudit interfaces above.
	corenet_dontaudit_udp_send_ptal_port($1)
	corenet_dontaudit_udp_receive_ptal_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ptal_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the ptal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_ptal_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ptal_port'($*))dnl
	gen_require(`
		type ptal_port_t;
	')

	# name_bind only; no capability is granted by this interface.
	allow $1 ptal_port_t:tcp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ptal_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the ptal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_bind_ptal_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ptal_port'($*))dnl
	gen_require(`
		type ptal_port_t;
	')

	allow $1 ptal_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ptal_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the ptal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_bind_ptal_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ptal_port'($*))dnl
	gen_require(`
		type ptal_port_t;
	')

	dontaudit $1 ptal_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ptal_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the ptal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_connect_ptal_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ptal_port'($*))dnl
	gen_require(`
		type ptal_port_t;
	')

	allow $1 ptal_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ptal_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the ptal port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_tcp_connect_ptal_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ptal_port'($*))dnl
	gen_require(`
		type ptal_port_t;
	')

	dontaudit $1 ptal_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ptal_port'($*))dnl
')

########################################
## <summary>
##	Send ptal_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_ptal_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ptal_client_packets'($*))dnl
	gen_require(`
		type ptal_client_packet_t;
	')

	allow $1 ptal_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ptal_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send ptal_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_ptal_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ptal_client_packets'($*))dnl
	gen_require(`
		type ptal_client_packet_t;
	')

	dontaudit $1 ptal_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ptal_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive ptal_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_ptal_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ptal_client_packets'($*))dnl
	gen_require(`
		type ptal_client_packet_t;
	')

	allow $1 ptal_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ptal_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive ptal_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_ptal_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ptal_client_packets'($*))dnl
	gen_require(`
		type ptal_client_packet_t;
	')

	dontaudit $1 ptal_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ptal_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive ptal_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_ptal_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ptal_client_packets'($*))dnl
	# Composed from the single-direction interfaces.
	corenet_send_ptal_client_packets($1)
	corenet_receive_ptal_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ptal_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive ptal_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_ptal_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ptal_client_packets'($*))dnl
	# Composed from the single-direction dontaudit interfaces.
	corenet_dontaudit_send_ptal_client_packets($1)
	corenet_dontaudit_receive_ptal_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ptal_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the ptal_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_relabelto_ptal_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ptal_client_packets'($*))dnl
	gen_require(`
		type ptal_client_packet_t;
	')

	allow $1 ptal_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ptal_client_packets'($*))dnl
')

########################################
## <summary>
##	Send ptal_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_ptal_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ptal_server_packets'($*))dnl
	gen_require(`
		type ptal_server_packet_t;
	')

	allow $1 ptal_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ptal_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send ptal_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_ptal_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ptal_server_packets'($*))dnl
	gen_require(`
		type ptal_server_packet_t;
	')

	dontaudit $1 ptal_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ptal_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive ptal_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_ptal_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ptal_server_packets'($*))dnl
	gen_require(`
		type ptal_server_packet_t;
	')

	allow $1 ptal_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ptal_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive ptal_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_ptal_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ptal_server_packets'($*))dnl
	gen_require(`
		type ptal_server_packet_t;
	')

	dontaudit $1 ptal_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ptal_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive ptal_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_ptal_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ptal_server_packets'($*))dnl
	# Composed from the single-direction interfaces.
	corenet_send_ptal_server_packets($1)
	corenet_receive_ptal_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ptal_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive ptal_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_ptal_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ptal_server_packets'($*))dnl
	# Composed from the single-direction dontaudit interfaces.
	corenet_dontaudit_send_ptal_server_packets($1)
	corenet_dontaudit_receive_ptal_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ptal_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the ptal_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_relabelto_ptal_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ptal_server_packets'($*))dnl
	gen_require(`
		type ptal_server_packet_t;
	')

	allow $1 ptal_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ptal_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the pulseaudio port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_pulseaudio_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pulseaudio_port'($*))dnl
	gen_require(`
		type pulseaudio_port_t;
	')

	allow $1 pulseaudio_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pulseaudio_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the pulseaudio port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_pulseaudio_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pulseaudio_port'($*))dnl
	gen_require(`
		type pulseaudio_port_t;
	')

	allow $1 pulseaudio_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pulseaudio_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the pulseaudio port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_send_pulseaudio_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pulseaudio_port'($*))dnl
	gen_require(`
		type pulseaudio_port_t;
	')

	dontaudit $1 pulseaudio_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pulseaudio_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the pulseaudio port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_pulseaudio_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pulseaudio_port'($*))dnl
	gen_require(`
		type pulseaudio_port_t;
	')

	allow $1 pulseaudio_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pulseaudio_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the pulseaudio port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_receive_pulseaudio_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pulseaudio_port'($*))dnl
	gen_require(`
		type pulseaudio_port_t;
	')

	dontaudit $1 pulseaudio_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pulseaudio_port'($*))dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the pulseaudio port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_sendrecv_pulseaudio_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pulseaudio_port'($*))dnl
	# Composed from the single-direction interfaces.
	corenet_udp_send_pulseaudio_port($1)
	corenet_udp_receive_pulseaudio_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pulseaudio_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the pulseaudio port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_sendrecv_pulseaudio_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pulseaudio_port'($*))dnl
	# Composed from the single-direction dontaudit interfaces.
	corenet_dontaudit_udp_send_pulseaudio_port($1)
	corenet_dontaudit_udp_receive_pulseaudio_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pulseaudio_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the pulseaudio port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_pulseaudio_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pulseaudio_port'($*))dnl
	gen_require(`
		type pulseaudio_port_t;
	')

	# name_bind only; no capability is granted by this interface.
	allow $1 pulseaudio_port_t:tcp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pulseaudio_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the pulseaudio port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_bind_pulseaudio_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pulseaudio_port'($*))dnl
	gen_require(`
		type pulseaudio_port_t;
	')

	allow $1 pulseaudio_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pulseaudio_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the pulseaudio port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_bind_pulseaudio_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pulseaudio_port'($*))dnl
	gen_require(`
		type pulseaudio_port_t;
	')

	dontaudit $1 pulseaudio_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pulseaudio_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the pulseaudio port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_connect_pulseaudio_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pulseaudio_port'($*))dnl
	gen_require(`
		type pulseaudio_port_t;
	')

	allow $1 pulseaudio_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pulseaudio_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the pulseaudio port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_tcp_connect_pulseaudio_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pulseaudio_port'($*))dnl
	gen_require(`
		type pulseaudio_port_t;
	')

	dontaudit $1 pulseaudio_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pulseaudio_port'($*))dnl
')

########################################
## <summary>
##	Send pulseaudio_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_pulseaudio_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pulseaudio_client_packets'($*))dnl
	gen_require(`
		type pulseaudio_client_packet_t;
	')

	allow $1 pulseaudio_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pulseaudio_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send pulseaudio_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_pulseaudio_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pulseaudio_client_packets'($*))dnl
	gen_require(`
		type pulseaudio_client_packet_t;
	')

	dontaudit $1 pulseaudio_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pulseaudio_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive pulseaudio_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_pulseaudio_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pulseaudio_client_packets'($*))dnl
	gen_require(`
		type pulseaudio_client_packet_t;
	')

	allow $1 pulseaudio_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pulseaudio_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pulseaudio_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_pulseaudio_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pulseaudio_client_packets'($*))dnl
	gen_require(`
		type pulseaudio_client_packet_t;
	')

	dontaudit $1 pulseaudio_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pulseaudio_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive pulseaudio_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_pulseaudio_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pulseaudio_client_packets'($*))dnl
	# Composed from the single-direction interfaces above.
	corenet_send_pulseaudio_client_packets($1)
	corenet_receive_pulseaudio_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pulseaudio_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pulseaudio_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
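##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_pulseaudio_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pulseaudio_client_packets'($*))dnl
	corenet_dontaudit_send_pulseaudio_client_packets($1)
	corenet_dontaudit_receive_pulseaudio_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pulseaudio_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the pulseaudio_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pulseaudio_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pulseaudio_client_packets'($*))dnl
	gen_require(`
		type pulseaudio_client_packet_t;
	')

	# Packet relabeling is a labeling privilege, not a send/receive permission.
	allow $1 pulseaudio_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pulseaudio_client_packets'($*))dnl
')

########################################
## <summary>
##	Send pulseaudio_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_pulseaudio_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pulseaudio_server_packets'($*))dnl
	gen_require(`
		type pulseaudio_server_packet_t;
	')

	allow $1 pulseaudio_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pulseaudio_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send pulseaudio_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.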
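##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pulseaudio_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pulseaudio_server_packets'($*))dnl
	gen_require(`
		type pulseaudio_server_packet_t;
	')

	# dontaudit only silences the denial record; the access stays denied.
	dontaudit $1 pulseaudio_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pulseaudio_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive pulseaudio_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_pulseaudio_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pulseaudio_server_packets'($*))dnl
	gen_require(`
		type pulseaudio_server_packet_t;
	')

	allow $1 pulseaudio_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pulseaudio_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pulseaudio_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pulseaudio_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pulseaudio_server_packets'($*))dnl
	gen_require(`
		type pulseaudio_server_packet_t;
	')

	# dontaudit only silences the denial record; the access stays denied.
	dontaudit $1 pulseaudio_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pulseaudio_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive pulseaudio_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.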
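##	</summary>
## </param>
#
define(`corenet_sendrecv_pulseaudio_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pulseaudio_server_packets'($*))dnl
	corenet_send_pulseaudio_server_packets($1)
	corenet_receive_pulseaudio_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pulseaudio_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pulseaudio_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_pulseaudio_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pulseaudio_server_packets'($*))dnl
	corenet_dontaudit_send_pulseaudio_server_packets($1)
	corenet_dontaudit_receive_pulseaudio_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pulseaudio_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the pulseaudio_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pulseaudio_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pulseaudio_server_packets'($*))dnl
	gen_require(`
		type pulseaudio_server_packet_t;
	')

	# Packet relabeling is a labeling privilege, not a send/receive permission.
	allow $1 pulseaudio_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pulseaudio_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the pulp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.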
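##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_pulp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pulp_port'($*))dnl
	gen_require(`
		type pulp_port_t;
	')

	allow $1 pulp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pulp_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the pulp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_pulp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pulp_port'($*))dnl
	gen_require(`
		type pulp_port_t;
	')

	allow $1 pulp_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pulp_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the pulp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_pulp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pulp_port'($*))dnl
	gen_require(`
		type pulp_port_t;
	')

	# dontaudit only silences the denial record; the access stays denied.
	dontaudit $1 pulp_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pulp_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the pulp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.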
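##	</summary>
## </param>
#
define(`corenet_udp_receive_pulp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pulp_port'($*))dnl
	gen_require(`
		type pulp_port_t;
	')

	allow $1 pulp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pulp_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the pulp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_pulp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pulp_port'($*))dnl
	gen_require(`
		type pulp_port_t;
	')

	# dontaudit only silences the denial record; the access stays denied.
	dontaudit $1 pulp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pulp_port'($*))dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the pulp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_pulp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pulp_port'($*))dnl
	corenet_udp_send_pulp_port($1)
	corenet_udp_receive_pulp_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pulp_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the pulp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.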
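##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_pulp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pulp_port'($*))dnl
	corenet_dontaudit_udp_send_pulp_port($1)
	corenet_dontaudit_udp_receive_pulp_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pulp_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the pulp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_pulp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pulp_port'($*))dnl
	gen_require(`
		type pulp_port_t;
	')

	allow $1 pulp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pulp_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the pulp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_pulp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pulp_port'($*))dnl
	gen_require(`
		type pulp_port_t;
	')

	allow $1 pulp_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pulp_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the pulp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.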
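##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_pulp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pulp_port'($*))dnl
	gen_require(`
		type pulp_port_t;
	')

	# dontaudit only silences the denial record; the access stays denied.
	dontaudit $1 pulp_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pulp_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the pulp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_pulp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pulp_port'($*))dnl
	gen_require(`
		type pulp_port_t;
	')

	allow $1 pulp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pulp_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the pulp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_pulp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pulp_port'($*))dnl
	gen_require(`
		type pulp_port_t;
	')

	# dontaudit only silences the denial record; the access stays denied.
	dontaudit $1 pulp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pulp_port'($*))dnl
')

########################################
## <summary>
##	Send pulp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.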
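##	</summary>
## </param>
#
define(`corenet_send_pulp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pulp_client_packets'($*))dnl
	gen_require(`
		type pulp_client_packet_t;
	')

	allow $1 pulp_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pulp_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send pulp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pulp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pulp_client_packets'($*))dnl
	gen_require(`
		type pulp_client_packet_t;
	')

	# dontaudit only silences the denial record; the access stays denied.
	dontaudit $1 pulp_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pulp_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive pulp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_pulp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pulp_client_packets'($*))dnl
	gen_require(`
		type pulp_client_packet_t;
	')

	allow $1 pulp_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pulp_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pulp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.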
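##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pulp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pulp_client_packets'($*))dnl
	gen_require(`
		type pulp_client_packet_t;
	')

	# dontaudit only silences the denial record; the access stays denied.
	dontaudit $1 pulp_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pulp_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive pulp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_pulp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pulp_client_packets'($*))dnl
	corenet_send_pulp_client_packets($1)
	corenet_receive_pulp_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pulp_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pulp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_pulp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pulp_client_packets'($*))dnl
	corenet_dontaudit_send_pulp_client_packets($1)
	corenet_dontaudit_receive_pulp_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pulp_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the pulp_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.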
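##	</summary>
## </param>
#
define(`corenet_relabelto_pulp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pulp_client_packets'($*))dnl
	gen_require(`
		type pulp_client_packet_t;
	')

	# Packet relabeling is a labeling privilege, not a send/receive permission.
	allow $1 pulp_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pulp_client_packets'($*))dnl
')

########################################
## <summary>
##	Send pulp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_pulp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pulp_server_packets'($*))dnl
	gen_require(`
		type pulp_server_packet_t;
	')

	allow $1 pulp_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pulp_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send pulp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_pulp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pulp_server_packets'($*))dnl
	gen_require(`
		type pulp_server_packet_t;
	')

	# dontaudit only silences the denial record; the access stays denied.
	dontaudit $1 pulp_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pulp_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive pulp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.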
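##	</summary>
## </param>
#
define(`corenet_receive_pulp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pulp_server_packets'($*))dnl
	gen_require(`
		type pulp_server_packet_t;
	')

	allow $1 pulp_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pulp_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pulp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_pulp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pulp_server_packets'($*))dnl
	gen_require(`
		type pulp_server_packet_t;
	')

	# dontaudit only silences the denial record; the access stays denied.
	dontaudit $1 pulp_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pulp_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive pulp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_pulp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pulp_server_packets'($*))dnl
	corenet_send_pulp_server_packets($1)
	corenet_receive_pulp_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pulp_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pulp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.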
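##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_pulp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pulp_server_packets'($*))dnl
	corenet_dontaudit_send_pulp_server_packets($1)
	corenet_dontaudit_receive_pulp_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pulp_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the pulp_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_pulp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pulp_server_packets'($*))dnl
	gen_require(`
		type pulp_server_packet_t;
	')

	# Packet relabeling is a labeling privilege, not a send/receive permission.
	allow $1 pulp_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pulp_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the puppet port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_puppet_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_puppet_port'($*))dnl
	gen_require(`
		type puppet_port_t;
	')

	allow $1 puppet_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_puppet_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the puppet port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.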
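##	</summary>
## </param>
#
define(`corenet_udp_send_puppet_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_puppet_port'($*))dnl
	gen_require(`
		type puppet_port_t;
	')

	allow $1 puppet_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_puppet_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the puppet port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_puppet_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_puppet_port'($*))dnl
	gen_require(`
		type puppet_port_t;
	')

	# dontaudit only silences the denial record; the access stays denied.
	dontaudit $1 puppet_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_puppet_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the puppet port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_puppet_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_puppet_port'($*))dnl
	gen_require(`
		type puppet_port_t;
	')

	allow $1 puppet_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_puppet_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the puppet port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.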
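##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_puppet_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_puppet_port'($*))dnl
	gen_require(`
		type puppet_port_t;
	')

	# dontaudit only silences the denial record; the access stays denied.
	dontaudit $1 puppet_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_puppet_port'($*))dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the puppet port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_puppet_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_puppet_port'($*))dnl
	corenet_udp_send_puppet_port($1)
	corenet_udp_receive_puppet_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_puppet_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the puppet port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_puppet_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_puppet_port'($*))dnl
	corenet_dontaudit_udp_send_puppet_port($1)
	corenet_dontaudit_udp_receive_puppet_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_puppet_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the puppet port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.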
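##	</summary>
## </param>
#
define(`corenet_tcp_bind_puppet_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_puppet_port'($*))dnl
	gen_require(`
		type puppet_port_t;
	')

	allow $1 puppet_port_t:tcp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_puppet_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the puppet port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_puppet_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_puppet_port'($*))dnl
	gen_require(`
		type puppet_port_t;
	')

	allow $1 puppet_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_puppet_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the puppet port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_puppet_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_puppet_port'($*))dnl
	gen_require(`
		type puppet_port_t;
	')

	# dontaudit only silences the denial record; the access stays denied.
	dontaudit $1 puppet_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_puppet_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the puppet port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.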
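##	</summary>
## </param>
#
define(`corenet_tcp_connect_puppet_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_puppet_port'($*))dnl
	gen_require(`
		type puppet_port_t;
	')

	allow $1 puppet_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_puppet_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the puppet port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_puppet_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_puppet_port'($*))dnl
	gen_require(`
		type puppet_port_t;
	')

	# dontaudit only silences the denial record; the access stays denied.
	dontaudit $1 puppet_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_puppet_port'($*))dnl
')

########################################
## <summary>
##	Send puppet_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_puppet_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_puppet_client_packets'($*))dnl
	gen_require(`
		type puppet_client_packet_t;
	')

	allow $1 puppet_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_puppet_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send puppet_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.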
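##	</summary>
## </param>
#
define(`corenet_dontaudit_send_puppet_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_puppet_client_packets'($*))dnl
	gen_require(`
		type puppet_client_packet_t;
	')

	# dontaudit only silences the denial record; the access stays denied.
	dontaudit $1 puppet_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_puppet_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive puppet_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_puppet_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_puppet_client_packets'($*))dnl
	gen_require(`
		type puppet_client_packet_t;
	')

	allow $1 puppet_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_puppet_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive puppet_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_puppet_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_puppet_client_packets'($*))dnl
	gen_require(`
		type puppet_client_packet_t;
	')

	# dontaudit only silences the denial record; the access stays denied.
	dontaudit $1 puppet_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_puppet_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive puppet_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.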
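##	</summary>
## </param>
#
define(`corenet_sendrecv_puppet_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_puppet_client_packets'($*))dnl
	corenet_send_puppet_client_packets($1)
	corenet_receive_puppet_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_puppet_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive puppet_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_puppet_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_puppet_client_packets'($*))dnl
	corenet_dontaudit_send_puppet_client_packets($1)
	corenet_dontaudit_receive_puppet_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_puppet_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the puppet_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_puppet_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_puppet_client_packets'($*))dnl
	gen_require(`
		type puppet_client_packet_t;
	')

	# Packet relabeling is a labeling privilege, not a send/receive permission.
	allow $1 puppet_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_puppet_client_packets'($*))dnl
')

########################################
## <summary>
##	Send puppet_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.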
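##	</summary>
## </param>
#
define(`corenet_send_puppet_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_puppet_server_packets'($*))dnl
	gen_require(`
		type puppet_server_packet_t;
	')

	allow $1 puppet_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_puppet_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send puppet_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_puppet_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_puppet_server_packets'($*))dnl
	gen_require(`
		type puppet_server_packet_t;
	')

	# dontaudit only silences the denial record; the access stays denied.
	dontaudit $1 puppet_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_puppet_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive puppet_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_puppet_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_puppet_server_packets'($*))dnl
	gen_require(`
		type puppet_server_packet_t;
	')

	allow $1 puppet_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_puppet_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive puppet_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.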
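##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_puppet_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_puppet_server_packets'($*))dnl
	gen_require(`
		type puppet_server_packet_t;
	')

	# dontaudit only silences the denial record; the access stays denied.
	dontaudit $1 puppet_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_puppet_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive puppet_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_puppet_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_puppet_server_packets'($*))dnl
	corenet_send_puppet_server_packets($1)
	corenet_receive_puppet_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_puppet_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive puppet_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_puppet_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_puppet_server_packets'($*))dnl
	corenet_dontaudit_send_puppet_server_packets($1)
	corenet_dontaudit_receive_puppet_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_puppet_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the puppet_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.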
##	</summary>
## </param>
#
# NOTE(review): relabelto is the packet labeler's privilege (whatever loads the
# SECMARK rules); ordinary clients/servers need sendrecv, not this -- confirm caller.
define(`corenet_relabelto_puppet_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_puppet_server_packets'($*)) dnl
	gen_require(`
		type puppet_server_packet_t;
	')

	allow $1 puppet_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_puppet_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the pxe port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): tcp_socket send_msg/recv_msg port checks are legacy; with the
# network_peer_controls policy capability the effective port controls are
# name_bind/name_connect -- confirm for the target kernel.
define(`corenet_tcp_sendrecv_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pxe_port'($*)) dnl
	gen_require(`
		type pxe_port_t;
	')

	allow $1 pxe_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pxe_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the pxe port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# udp_socket send_msg against the pxe port type; datagrams only.
define(`corenet_udp_send_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pxe_port'($*)) dnl
	gen_require(`
		type pxe_port_t;
	')

	allow $1 pxe_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pxe_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the pxe port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Suppresses the AVC denial only; grants nothing.
define(`corenet_dontaudit_udp_send_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pxe_port'($*)) dnl
	gen_require(`
		type pxe_port_t;
	')

	dontaudit $1 pxe_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pxe_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the pxe port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# udp_socket recv_msg against the pxe port type; datagrams only.
define(`corenet_udp_receive_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pxe_port'($*)) dnl
	gen_require(`
		type pxe_port_t;
	')

	allow $1 pxe_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pxe_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the pxe port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Suppresses the AVC denial only; grants nothing.
define(`corenet_dontaudit_udp_receive_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pxe_port'($*)) dnl
	gen_require(`
		type pxe_port_t;
	')

	dontaudit $1 pxe_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pxe_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the pxe port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Wrapper: both halves emit their own gen_require, so none is needed here.
define(`corenet_udp_sendrecv_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pxe_port'($*)) dnl
	corenet_udp_send_pxe_port($1)
	corenet_udp_receive_pxe_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pxe_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the pxe port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Wrapper over the two dontaudit halves; grants nothing.
define(`corenet_dontaudit_udp_sendrecv_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pxe_port'($*)) dnl
	corenet_dontaudit_udp_send_pxe_port($1)
	corenet_dontaudit_udp_receive_pxe_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pxe_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the pxe port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Server side: name_bind lets $1 listen on the pxe port type.
define(`corenet_tcp_bind_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pxe_port'($*)) dnl
	gen_require(`
		type pxe_port_t;
	')

	allow $1 pxe_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pxe_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the pxe port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
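##	</summary>
## </param>
#
# Server side: name_bind lets $1 bind a UDP socket to the pxe port type.
define(`corenet_udp_bind_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pxe_port'($*)) dnl
	gen_require(`
		type pxe_port_t;
	')

	allow $1 pxe_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pxe_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the pxe port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Suppresses the AVC denial only; grants nothing.
define(`corenet_dontaudit_udp_bind_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pxe_port'($*)) dnl
	gen_require(`
		type pxe_port_t;
	')

	dontaudit $1 pxe_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pxe_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the pxe port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Client side: name_connect lets $1 open outbound TCP connections to the pxe port type.
define(`corenet_tcp_connect_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pxe_port'($*)) dnl
	gen_require(`
		type pxe_port_t;
	')

	allow $1 pxe_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pxe_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the pxe port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.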
##	</summary>
## </param>
#
# Suppresses the AVC denial only; grants nothing.
define(`corenet_dontaudit_tcp_connect_pxe_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pxe_port'($*)) dnl
	gen_require(`
		type pxe_port_t;
	')

	dontaudit $1 pxe_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pxe_port'($*)) dnl
')

########################################
## <summary>
##	Send pxe_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# packet-class send on pxe_client_packet_t. NOTE(review): packet rules only
# bite when traffic is actually labeled this type (SECMARK) -- confirm rules exist.
define(`corenet_send_pxe_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pxe_client_packets'($*)) dnl
	gen_require(`
		type pxe_client_packet_t;
	')

	allow $1 pxe_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pxe_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pxe_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Suppresses the AVC denial only; grants nothing.
define(`corenet_dontaudit_send_pxe_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pxe_client_packets'($*)) dnl
	gen_require(`
		type pxe_client_packet_t;
	')

	dontaudit $1 pxe_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pxe_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pxe_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
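##	</summary>
## </param>
#
# packet-class recv on pxe_client_packet_t (inbound counterpart of the send interface).
define(`corenet_receive_pxe_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pxe_client_packets'($*)) dnl
	gen_require(`
		type pxe_client_packet_t;
	')

	allow $1 pxe_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pxe_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pxe_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Suppresses the AVC denial only; grants nothing.
define(`corenet_dontaudit_receive_pxe_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pxe_client_packets'($*)) dnl
	gen_require(`
		type pxe_client_packet_t;
	')

	dontaudit $1 pxe_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pxe_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pxe_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Wrapper: both halves emit their own gen_require, so none is needed here.
define(`corenet_sendrecv_pxe_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pxe_client_packets'($*)) dnl
	corenet_send_pxe_client_packets($1)
	corenet_receive_pxe_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pxe_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pxe_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.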
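##	</summary>
## </param>
#
# Wrapper over the two dontaudit halves; grants nothing.
define(`corenet_dontaudit_sendrecv_pxe_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pxe_client_packets'($*)) dnl
	corenet_dontaudit_send_pxe_client_packets($1)
	corenet_dontaudit_receive_pxe_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pxe_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pxe_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): relabelto is the packet labeler's privilege (whatever loads the
# SECMARK rules); ordinary clients/servers need sendrecv, not this -- confirm caller.
define(`corenet_relabelto_pxe_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pxe_client_packets'($*)) dnl
	gen_require(`
		type pxe_client_packet_t;
	')

	allow $1 pxe_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pxe_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send pxe_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# packet-class send on pxe_server_packet_t. NOTE(review): packet rules only
# bite when traffic is actually labeled this type (SECMARK) -- confirm rules exist.
define(`corenet_send_pxe_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pxe_server_packets'($*)) dnl
	gen_require(`
		type pxe_server_packet_t;
	')

	allow $1 pxe_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pxe_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pxe_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.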
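##	</summary>
## </param>
#
# Suppresses the AVC denial only; grants nothing.
define(`corenet_dontaudit_send_pxe_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pxe_server_packets'($*)) dnl
	gen_require(`
		type pxe_server_packet_t;
	')

	dontaudit $1 pxe_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pxe_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pxe_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# packet-class recv on pxe_server_packet_t (inbound counterpart of the send interface).
define(`corenet_receive_pxe_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pxe_server_packets'($*)) dnl
	gen_require(`
		type pxe_server_packet_t;
	')

	allow $1 pxe_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pxe_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pxe_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Suppresses the AVC denial only; grants nothing.
define(`corenet_dontaudit_receive_pxe_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pxe_server_packets'($*)) dnl
	gen_require(`
		type pxe_server_packet_t;
	')

	dontaudit $1 pxe_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pxe_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pxe_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.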
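##	</summary>
## </param>
#
# Wrapper: both halves emit their own gen_require, so none is needed here.
define(`corenet_sendrecv_pxe_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pxe_server_packets'($*)) dnl
	corenet_send_pxe_server_packets($1)
	corenet_receive_pxe_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pxe_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pxe_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Wrapper over the two dontaudit halves; grants nothing.
define(`corenet_dontaudit_sendrecv_pxe_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pxe_server_packets'($*)) dnl
	corenet_dontaudit_send_pxe_server_packets($1)
	corenet_dontaudit_receive_pxe_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pxe_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pxe_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): relabelto is the packet labeler's privilege (whatever loads the
# SECMARK rules); ordinary clients/servers need sendrecv, not this -- confirm caller.
define(`corenet_relabelto_pxe_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pxe_server_packets'($*)) dnl
	gen_require(`
		type pxe_server_packet_t;
	')

	allow $1 pxe_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pxe_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the pyzor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.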
##	</summary>
## </param>
#
# NOTE(review): tcp_socket send_msg/recv_msg port checks are legacy; with the
# network_peer_controls policy capability the effective port controls are
# name_bind/name_connect -- confirm for the target kernel.
define(`corenet_tcp_sendrecv_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_pyzor_port'($*)) dnl
	gen_require(`
		type pyzor_port_t;
	')

	allow $1 pyzor_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_pyzor_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the pyzor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# udp_socket send_msg against the pyzor port type; datagrams only.
define(`corenet_udp_send_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_pyzor_port'($*)) dnl
	gen_require(`
		type pyzor_port_t;
	')

	allow $1 pyzor_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_pyzor_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the pyzor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Suppresses the AVC denial only; grants nothing.
define(`corenet_dontaudit_udp_send_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_pyzor_port'($*)) dnl
	gen_require(`
		type pyzor_port_t;
	')

	dontaudit $1 pyzor_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_pyzor_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the pyzor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# udp_socket recv_msg against the pyzor port type; datagrams only.
define(`corenet_udp_receive_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_pyzor_port'($*)) dnl
	gen_require(`
		type pyzor_port_t;
	')

	allow $1 pyzor_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_pyzor_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the pyzor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Suppresses the AVC denial only; grants nothing.
define(`corenet_dontaudit_udp_receive_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_pyzor_port'($*)) dnl
	gen_require(`
		type pyzor_port_t;
	')

	dontaudit $1 pyzor_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_pyzor_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the pyzor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Wrapper: both halves emit their own gen_require, so none is needed here.
define(`corenet_udp_sendrecv_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_pyzor_port'($*)) dnl
	corenet_udp_send_pyzor_port($1)
	corenet_udp_receive_pyzor_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_pyzor_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the pyzor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
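##	</summary>
## </param>
#
# Wrapper over the two dontaudit halves; grants nothing.
define(`corenet_dontaudit_udp_sendrecv_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_pyzor_port'($*)) dnl
	corenet_dontaudit_udp_send_pyzor_port($1)
	corenet_dontaudit_udp_receive_pyzor_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_pyzor_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the pyzor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Server side: name_bind lets $1 listen on the pyzor port type.
define(`corenet_tcp_bind_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_pyzor_port'($*)) dnl
	gen_require(`
		type pyzor_port_t;
	')

	allow $1 pyzor_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_pyzor_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the pyzor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Server side: name_bind lets $1 bind a UDP socket to the pyzor port type.
define(`corenet_udp_bind_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_pyzor_port'($*)) dnl
	gen_require(`
		type pyzor_port_t;
	')

	allow $1 pyzor_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_pyzor_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the pyzor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.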
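##	</summary>
## </param>
#
# Suppresses the AVC denial only; grants nothing.
define(`corenet_dontaudit_udp_bind_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_pyzor_port'($*)) dnl
	gen_require(`
		type pyzor_port_t;
	')

	dontaudit $1 pyzor_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_pyzor_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the pyzor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Client side: name_connect lets $1 open outbound TCP connections to the pyzor port type.
define(`corenet_tcp_connect_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_pyzor_port'($*)) dnl
	gen_require(`
		type pyzor_port_t;
	')

	allow $1 pyzor_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_pyzor_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the pyzor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Suppresses the AVC denial only; grants nothing.
define(`corenet_dontaudit_tcp_connect_pyzor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_pyzor_port'($*)) dnl
	gen_require(`
		type pyzor_port_t;
	')

	dontaudit $1 pyzor_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_pyzor_port'($*)) dnl
')

########################################
## <summary>
##	Send pyzor_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.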
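##	</summary>
## </param>
#
# packet-class send on pyzor_client_packet_t. NOTE(review): packet rules only
# bite when traffic is actually labeled this type (SECMARK) -- confirm rules exist.
define(`corenet_send_pyzor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pyzor_client_packets'($*)) dnl
	gen_require(`
		type pyzor_client_packet_t;
	')

	allow $1 pyzor_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pyzor_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pyzor_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Suppresses the AVC denial only; grants nothing.
define(`corenet_dontaudit_send_pyzor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pyzor_client_packets'($*)) dnl
	gen_require(`
		type pyzor_client_packet_t;
	')

	dontaudit $1 pyzor_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pyzor_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pyzor_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# packet-class recv on pyzor_client_packet_t (inbound counterpart of the send interface).
define(`corenet_receive_pyzor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pyzor_client_packets'($*)) dnl
	gen_require(`
		type pyzor_client_packet_t;
	')

	allow $1 pyzor_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pyzor_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pyzor_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.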
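##	</summary>
## </param>
#
# Suppresses the AVC denial only; grants nothing.
define(`corenet_dontaudit_receive_pyzor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pyzor_client_packets'($*)) dnl
	gen_require(`
		type pyzor_client_packet_t;
	')

	dontaudit $1 pyzor_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pyzor_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pyzor_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Wrapper: both halves emit their own gen_require, so none is needed here.
define(`corenet_sendrecv_pyzor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pyzor_client_packets'($*)) dnl
	corenet_send_pyzor_client_packets($1)
	corenet_receive_pyzor_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pyzor_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pyzor_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Wrapper over the two dontaudit halves; grants nothing.
define(`corenet_dontaudit_sendrecv_pyzor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pyzor_client_packets'($*)) dnl
	corenet_dontaudit_send_pyzor_client_packets($1)
	corenet_dontaudit_receive_pyzor_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pyzor_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pyzor_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.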
##	</summary>
## </param>
#
# NOTE(review): relabelto is the packet labeler's privilege (whatever loads the
# SECMARK rules); ordinary clients/servers need sendrecv, not this -- confirm caller.
define(`corenet_relabelto_pyzor_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pyzor_client_packets'($*)) dnl
	gen_require(`
		type pyzor_client_packet_t;
	')

	allow $1 pyzor_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pyzor_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send pyzor_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# packet-class send on pyzor_server_packet_t. NOTE(review): packet rules only
# bite when traffic is actually labeled this type (SECMARK) -- confirm rules exist.
define(`corenet_send_pyzor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_pyzor_server_packets'($*)) dnl
	gen_require(`
		type pyzor_server_packet_t;
	')

	allow $1 pyzor_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_pyzor_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send pyzor_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Suppresses the AVC denial only; grants nothing.
define(`corenet_dontaudit_send_pyzor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_pyzor_server_packets'($*)) dnl
	gen_require(`
		type pyzor_server_packet_t;
	')

	dontaudit $1 pyzor_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_pyzor_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive pyzor_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
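##	</summary>
## </param>
#
# packet-class recv on pyzor_server_packet_t (inbound counterpart of the send interface).
define(`corenet_receive_pyzor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_pyzor_server_packets'($*)) dnl
	gen_require(`
		type pyzor_server_packet_t;
	')

	allow $1 pyzor_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_pyzor_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive pyzor_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Suppresses the AVC denial only; grants nothing.
define(`corenet_dontaudit_receive_pyzor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_pyzor_server_packets'($*)) dnl
	gen_require(`
		type pyzor_server_packet_t;
	')

	dontaudit $1 pyzor_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_pyzor_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive pyzor_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Wrapper: both halves emit their own gen_require, so none is needed here.
define(`corenet_sendrecv_pyzor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_pyzor_server_packets'($*)) dnl
	corenet_send_pyzor_server_packets($1)
	corenet_receive_pyzor_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_pyzor_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive pyzor_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.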
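##	</summary>
## </param>
#
# Wrapper over the two dontaudit halves; grants nothing.
define(`corenet_dontaudit_sendrecv_pyzor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_pyzor_server_packets'($*)) dnl
	corenet_dontaudit_send_pyzor_server_packets($1)
	corenet_dontaudit_receive_pyzor_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_pyzor_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the pyzor_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): relabelto is the packet labeler's privilege (whatever loads the
# SECMARK rules); ordinary clients/servers need sendrecv, not this -- confirm caller.
define(`corenet_relabelto_pyzor_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_pyzor_server_packets'($*)) dnl
	gen_require(`
		type pyzor_server_packet_t;
	')

	allow $1 pyzor_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_pyzor_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the neutron port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): tcp_socket send_msg/recv_msg port checks are legacy; with the
# network_peer_controls policy capability the effective port controls are
# name_bind/name_connect -- confirm for the target kernel.
define(`corenet_tcp_sendrecv_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_neutron_port'($*)) dnl
	gen_require(`
		type neutron_port_t;
	')

	allow $1 neutron_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_neutron_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the neutron port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.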
##	</summary>
## </param>
#
# udp_socket send_msg against the neutron port type; datagrams only.
define(`corenet_udp_send_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_neutron_port'($*)) dnl
	gen_require(`
		type neutron_port_t;
	')

	allow $1 neutron_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_neutron_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the neutron port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Suppresses the AVC denial only; grants nothing.
define(`corenet_dontaudit_udp_send_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_neutron_port'($*)) dnl
	gen_require(`
		type neutron_port_t;
	')

	dontaudit $1 neutron_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_neutron_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the neutron port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# udp_socket recv_msg against the neutron port type; datagrams only.
define(`corenet_udp_receive_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_neutron_port'($*)) dnl
	gen_require(`
		type neutron_port_t;
	')

	allow $1 neutron_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_neutron_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the neutron port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Suppresses the AVC denial only; grants nothing.
define(`corenet_dontaudit_udp_receive_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_neutron_port'($*)) dnl
	gen_require(`
		type neutron_port_t;
	')

	dontaudit $1 neutron_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_neutron_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the neutron port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Wrapper: both halves emit their own gen_require, so none is needed here.
define(`corenet_udp_sendrecv_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_neutron_port'($*)) dnl
	corenet_udp_send_neutron_port($1)
	corenet_udp_receive_neutron_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_neutron_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the neutron port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Wrapper over the two dontaudit halves; grants nothing.
define(`corenet_dontaudit_udp_sendrecv_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_neutron_port'($*)) dnl
	corenet_dontaudit_udp_send_neutron_port($1)
	corenet_dontaudit_udp_receive_neutron_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_neutron_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the neutron port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_neutron_port'($*)) dnl
gen_require(`
	type neutron_port_t;
')

allow $1 neutron_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_neutron_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the neutron port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_bind_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_neutron_port'($*)) dnl
gen_require(`
	type neutron_port_t;
')

allow $1 neutron_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_neutron_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the neutron port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_bind_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_neutron_port'($*)) dnl
gen_require(`
	type neutron_port_t;
')

dontaudit $1 neutron_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_neutron_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the neutron port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_neutron_port'($*)) dnl
gen_require(`
	type neutron_port_t;
')

allow $1 neutron_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_neutron_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the neutron port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_neutron_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_neutron_port'($*)) dnl
gen_require(`
	type neutron_port_t;
')

dontaudit $1 neutron_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_neutron_port'($*)) dnl
')

########################################
## <summary>
##	Send neutron_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_neutron_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_neutron_client_packets'($*)) dnl
gen_require(`
	type neutron_client_packet_t;
')

allow $1 neutron_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_neutron_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send neutron_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_neutron_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_neutron_client_packets'($*)) dnl
gen_require(`
	type neutron_client_packet_t;
')

dontaudit $1 neutron_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_neutron_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive neutron_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_neutron_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_neutron_client_packets'($*)) dnl
gen_require(`
	type neutron_client_packet_t;
')

allow $1 neutron_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_neutron_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive neutron_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_neutron_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_neutron_client_packets'($*)) dnl
gen_require(`
	type neutron_client_packet_t;
')

dontaudit $1 neutron_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_neutron_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive neutron_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_neutron_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_neutron_client_packets'($*)) dnl
corenet_send_neutron_client_packets($1)
corenet_receive_neutron_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_neutron_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive neutron_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_neutron_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_neutron_client_packets'($*)) dnl
corenet_dontaudit_send_neutron_client_packets($1)
corenet_dontaudit_receive_neutron_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_neutron_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the neutron_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_neutron_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_neutron_client_packets'($*)) dnl
gen_require(`
	type neutron_client_packet_t;
')

allow $1 neutron_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_neutron_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send neutron_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_neutron_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_neutron_server_packets'($*)) dnl
gen_require(`
	type neutron_server_packet_t;
')

allow $1 neutron_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_neutron_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send neutron_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_neutron_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_neutron_server_packets'($*)) dnl
gen_require(`
	type neutron_server_packet_t;
')

dontaudit $1 neutron_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_neutron_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive neutron_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_neutron_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_neutron_server_packets'($*)) dnl
gen_require(`
	type neutron_server_packet_t;
')

allow $1 neutron_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_neutron_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive neutron_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_neutron_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_neutron_server_packets'($*)) dnl
gen_require(`
	type neutron_server_packet_t;
')

dontaudit $1 neutron_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_neutron_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive neutron_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_neutron_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_neutron_server_packets'($*)) dnl
corenet_send_neutron_server_packets($1)
corenet_receive_neutron_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_neutron_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive neutron_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_neutron_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_neutron_server_packets'($*)) dnl
corenet_dontaudit_send_neutron_server_packets($1)
corenet_dontaudit_receive_neutron_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_neutron_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the neutron_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_neutron_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_neutron_server_packets'($*)) dnl
gen_require(`
	type neutron_server_packet_t;
')

allow $1 neutron_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_neutron_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the nsd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_nsd_control_port'($*)) dnl
gen_require(`
	type nsd_control_port_t;
')

allow $1 nsd_control_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_nsd_control_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the nsd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_nsd_control_port'($*)) dnl
gen_require(`
	type nsd_control_port_t;
')

allow $1 nsd_control_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_nsd_control_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the nsd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_send_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_nsd_control_port'($*)) dnl
gen_require(`
	type nsd_control_port_t;
')

dontaudit $1 nsd_control_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_nsd_control_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the nsd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_nsd_control_port'($*)) dnl
gen_require(`
	type nsd_control_port_t;
')

allow $1 nsd_control_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_nsd_control_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the nsd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_receive_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_nsd_control_port'($*)) dnl
gen_require(`
	type nsd_control_port_t;
')

dontaudit $1 nsd_control_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_nsd_control_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the nsd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_sendrecv_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_nsd_control_port'($*)) dnl
corenet_udp_send_nsd_control_port($1)
corenet_udp_receive_nsd_control_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_nsd_control_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the nsd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_sendrecv_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_nsd_control_port'($*)) dnl
corenet_dontaudit_udp_send_nsd_control_port($1)
corenet_dontaudit_udp_receive_nsd_control_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_nsd_control_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the nsd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_nsd_control_port'($*)) dnl
gen_require(`
	type nsd_control_port_t;
')

allow $1 nsd_control_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_nsd_control_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the nsd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_bind_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_nsd_control_port'($*)) dnl
gen_require(`
	type nsd_control_port_t;
')

allow $1 nsd_control_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_nsd_control_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the nsd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_bind_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_nsd_control_port'($*)) dnl
gen_require(`
	type nsd_control_port_t;
')

dontaudit $1 nsd_control_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_nsd_control_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the nsd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_nsd_control_port'($*)) dnl
gen_require(`
	type nsd_control_port_t;
')

allow $1 nsd_control_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_nsd_control_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the nsd_control port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_nsd_control_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_nsd_control_port'($*)) dnl
gen_require(`
	type nsd_control_port_t;
')

dontaudit $1 nsd_control_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_nsd_control_port'($*)) dnl
')

########################################
## <summary>
##	Send nsd_control_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_nsd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nsd_control_client_packets'($*)) dnl
gen_require(`
	type nsd_control_client_packet_t;
')

allow $1 nsd_control_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nsd_control_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send nsd_control_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_nsd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nsd_control_client_packets'($*)) dnl
gen_require(`
	type nsd_control_client_packet_t;
')

dontaudit $1 nsd_control_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nsd_control_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive nsd_control_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_nsd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nsd_control_client_packets'($*)) dnl
gen_require(`
	type nsd_control_client_packet_t;
')

allow $1 nsd_control_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nsd_control_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive nsd_control_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_nsd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nsd_control_client_packets'($*)) dnl
gen_require(`
	type nsd_control_client_packet_t;
')

dontaudit $1 nsd_control_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nsd_control_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive nsd_control_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_nsd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nsd_control_client_packets'($*)) dnl
corenet_send_nsd_control_client_packets($1)
corenet_receive_nsd_control_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nsd_control_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive nsd_control_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_nsd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nsd_control_client_packets'($*)) dnl
corenet_dontaudit_send_nsd_control_client_packets($1)
corenet_dontaudit_receive_nsd_control_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nsd_control_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the nsd_control_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_nsd_control_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nsd_control_client_packets'($*)) dnl
gen_require(`
	type nsd_control_client_packet_t;
')

allow $1 nsd_control_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nsd_control_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send nsd_control_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_nsd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_nsd_control_server_packets'($*)) dnl
gen_require(`
	type nsd_control_server_packet_t;
')

allow $1 nsd_control_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_nsd_control_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send nsd_control_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_nsd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_nsd_control_server_packets'($*)) dnl
gen_require(`
	type nsd_control_server_packet_t;
')

dontaudit $1 nsd_control_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_nsd_control_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive nsd_control_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_nsd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_nsd_control_server_packets'($*)) dnl
gen_require(`
	type nsd_control_server_packet_t;
')

allow $1 nsd_control_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_nsd_control_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive nsd_control_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_nsd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_nsd_control_server_packets'($*)) dnl
gen_require(`
	type nsd_control_server_packet_t;
')

dontaudit $1 nsd_control_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_nsd_control_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive nsd_control_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_nsd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_nsd_control_server_packets'($*)) dnl
corenet_send_nsd_control_server_packets($1)
corenet_receive_nsd_control_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_nsd_control_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive nsd_control_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_nsd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_nsd_control_server_packets'($*)) dnl
corenet_dontaudit_send_nsd_control_server_packets($1)
corenet_dontaudit_receive_nsd_control_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_nsd_control_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the nsd_control_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_nsd_control_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_nsd_control_server_packets'($*)) dnl
gen_require(`
	type nsd_control_server_packet_t;
')

allow $1 nsd_control_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_nsd_control_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the radacct port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_radacct_port'($*)) dnl
gen_require(`
	type radacct_port_t;
')

allow $1 radacct_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_radacct_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the radacct port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_radacct_port'($*)) dnl
gen_require(`
	type radacct_port_t;
')

allow $1 radacct_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_radacct_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the radacct port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_send_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_radacct_port'($*)) dnl
gen_require(`
	type radacct_port_t;
')

dontaudit $1 radacct_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_radacct_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the radacct port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_radacct_port'($*)) dnl
gen_require(`
	type radacct_port_t;
')

allow $1 radacct_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_radacct_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the radacct port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_receive_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_radacct_port'($*)) dnl
gen_require(`
	type radacct_port_t;
')

dontaudit $1 radacct_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_radacct_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the radacct port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_sendrecv_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_radacct_port'($*)) dnl
corenet_udp_send_radacct_port($1)
corenet_udp_receive_radacct_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_radacct_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the radacct port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_sendrecv_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_radacct_port'($*)) dnl
corenet_dontaudit_udp_send_radacct_port($1)
corenet_dontaudit_udp_receive_radacct_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_radacct_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the radacct port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_radacct_port'($*)) dnl
gen_require(`
	type radacct_port_t;
')

allow $1 radacct_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_radacct_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the radacct port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_bind_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_radacct_port'($*)) dnl
gen_require(`
	type radacct_port_t;
')

allow $1 radacct_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_radacct_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the radacct port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_bind_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_radacct_port'($*)) dnl
gen_require(`
	type radacct_port_t;
')

dontaudit $1 radacct_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_radacct_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the radacct port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_radacct_port'($*)) dnl
gen_require(`
	type radacct_port_t;
')

allow $1 radacct_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_radacct_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the radacct port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_radacct_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_radacct_port'($*)) dnl
gen_require(`
	type radacct_port_t;
')

dontaudit $1 radacct_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_radacct_port'($*)) dnl
')

########################################
## <summary>
##	Send radacct_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## ## # define(`corenet_send_radacct_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_radacct_client_packets'($*)) dnl gen_require(` type radacct_client_packet_t; ') allow $1 radacct_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_radacct_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send radacct_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_radacct_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radacct_client_packets'($*)) dnl gen_require(` type radacct_client_packet_t; ') dontaudit $1 radacct_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radacct_client_packets'($*)) dnl ') ######################################## ## ## Receive radacct_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_radacct_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_radacct_client_packets'($*)) dnl gen_require(` type radacct_client_packet_t; ') allow $1 radacct_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_radacct_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive radacct_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_radacct_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radacct_client_packets'($*)) dnl gen_require(` type radacct_client_packet_t; ') dontaudit $1 radacct_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radacct_client_packets'($*)) dnl ') ######################################## ## ## Send and receive radacct_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_radacct_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radacct_client_packets'($*)) dnl corenet_send_radacct_client_packets($1) corenet_receive_radacct_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radacct_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive radacct_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_radacct_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radacct_client_packets'($*)) dnl corenet_dontaudit_send_radacct_client_packets($1) corenet_dontaudit_receive_radacct_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radacct_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to radacct_client the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_radacct_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radacct_client_packets'($*)) dnl gen_require(` type radacct_client_packet_t; ') allow $1 radacct_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_radacct_client_packets'($*)) dnl ') ######################################## ## ## Send radacct_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_radacct_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_radacct_server_packets'($*)) dnl gen_require(` type radacct_server_packet_t; ') allow $1 radacct_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_radacct_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send radacct_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_radacct_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radacct_server_packets'($*)) dnl gen_require(` type radacct_server_packet_t; ') dontaudit $1 radacct_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radacct_server_packets'($*)) dnl ') ######################################## ## ## Receive radacct_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_radacct_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_radacct_server_packets'($*)) dnl gen_require(` type radacct_server_packet_t; ') allow $1 radacct_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_radacct_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive radacct_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_radacct_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radacct_server_packets'($*)) dnl gen_require(` type radacct_server_packet_t; ') dontaudit $1 radacct_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radacct_server_packets'($*)) dnl ') ######################################## ## ## Send and receive radacct_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_radacct_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radacct_server_packets'($*)) dnl corenet_send_radacct_server_packets($1) corenet_receive_radacct_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radacct_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive radacct_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_radacct_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radacct_server_packets'($*)) dnl corenet_dontaudit_send_radacct_server_packets($1) corenet_dontaudit_receive_radacct_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radacct_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to radacct_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_radacct_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radacct_server_packets'($*)) dnl gen_require(` type radacct_server_packet_t; ') allow $1 radacct_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_radacct_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the radius port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_radius_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_radius_port'($*)) dnl gen_require(` type radius_port_t; ') allow $1 radius_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_radius_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the radius port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_send_radius_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_radius_port'($*)) dnl gen_require(` type radius_port_t; ') allow $1 radius_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_radius_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the radius port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_radius_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_radius_port'($*)) dnl gen_require(` type radius_port_t; ') dontaudit $1 radius_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_radius_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the radius port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_radius_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_radius_port'($*)) dnl gen_require(` type radius_port_t; ') allow $1 radius_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_radius_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the radius port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_receive_radius_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_radius_port'($*)) dnl gen_require(` type radius_port_t; ') dontaudit $1 radius_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_radius_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the radius port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_radius_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_radius_port'($*)) dnl corenet_udp_send_radius_port($1) corenet_udp_receive_radius_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_radius_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the radius port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_radius_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_radius_port'($*)) dnl corenet_dontaudit_udp_send_radius_port($1) corenet_dontaudit_udp_receive_radius_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_radius_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the radius port. ## ## ## ## Domain allowed access. 
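##
##
##
#
define(`corenet_tcp_bind_radius_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_radius_port'($*)) dnl
	gen_require(`
		type radius_port_t;
	')

	allow $1 radius_port_t:tcp_socket name_bind;
	# NOTE(review): the radacct and radsec bind interfaces in this file grant
	# name_bind only; radius additionally hands out CAP_NET_BIND_SERVICE,
	# presumably because its port set contains a port below 1024 -- confirm
	# against the port declaration. The capability is not scoped to radius:
	# it lets the caller bind any privileged port number.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_radius_port'($*)) dnl
')

########################################
##
## Bind UDP sockets to the radius port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_radius_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_radius_port'($*)) dnl
	gen_require(`
		type radius_port_t;
	')

	allow $1 radius_port_t:udp_socket name_bind;
	# Same CAP_NET_BIND_SERVICE grant as the tcp bind interface above;
	# see the note there.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_radius_port'($*)) dnl
')

########################################
##
## Do not audit attempts to bind to the radius port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_radius_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_radius_port'($*)) dnl
	gen_require(`
		type radius_port_t;
	')

	# Audit suppression only. The previous version of this interface also
	# carried an allow rule for self:capability net_bind_service, which
	# silently granted CAP_NET_BIND_SERVICE (bind to any privileged port) to
	# every domain that merely wanted the bind denial hidden. A dontaudit
	# interface must never widen access; domains that really bind must use
	# the udp bind interface for this port instead.
	dontaudit $1 radius_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_radius_port'($*)) dnl
')

########################################
##
## Make a TCP connection to the radius port.
##
##
##
## Domain allowed access.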
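##
##
#
define(`corenet_tcp_connect_radius_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_radius_port'($*)) dnl
	gen_require(`
		type radius_port_t;
	')

	# Outbound connect only; send_msg/recv_msg on the port are separate
	# interfaces and are not implied by this one.
	allow $1 radius_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_radius_port'($*)) dnl
')

########################################
##
## Do not audit attempts to make a TCP connection to the radius port.
##
##
##
## Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_radius_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_radius_port'($*)) dnl
	gen_require(`
		type radius_port_t;
	')

	# Audit suppression only: the connect denial is hidden, nothing is allowed.
	dontaudit $1 radius_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_radius_port'($*)) dnl
')

########################################
##
## Send radius_client packets.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_send_radius_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_radius_client_packets'($*)) dnl
	gen_require(`
		type radius_client_packet_t;
	')

	# packet send on the SECMARK label; only meaningful when the netfilter
	# rules actually label radius client traffic with this type.
	allow $1 radius_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_radius_client_packets'($*)) dnl
')

########################################
##
## Do not audit attempts to send radius_client packets.
##
##
##
## Domain to not audit.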
## ## ## # define(`corenet_dontaudit_send_radius_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radius_client_packets'($*)) dnl gen_require(` type radius_client_packet_t; ') dontaudit $1 radius_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radius_client_packets'($*)) dnl ') ######################################## ## ## Receive radius_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_radius_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_radius_client_packets'($*)) dnl gen_require(` type radius_client_packet_t; ') allow $1 radius_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_radius_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive radius_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_radius_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radius_client_packets'($*)) dnl gen_require(` type radius_client_packet_t; ') dontaudit $1 radius_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radius_client_packets'($*)) dnl ') ######################################## ## ## Send and receive radius_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_radius_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radius_client_packets'($*)) dnl corenet_send_radius_client_packets($1) corenet_receive_radius_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radius_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive radius_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_radius_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radius_client_packets'($*)) dnl corenet_dontaudit_send_radius_client_packets($1) corenet_dontaudit_receive_radius_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radius_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to radius_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_radius_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radius_client_packets'($*)) dnl gen_require(` type radius_client_packet_t; ') allow $1 radius_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_radius_client_packets'($*)) dnl ') ######################################## ## ## Send radius_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_radius_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_radius_server_packets'($*)) dnl gen_require(` type radius_server_packet_t; ') allow $1 radius_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_radius_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send radius_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_radius_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radius_server_packets'($*)) dnl gen_require(` type radius_server_packet_t; ') dontaudit $1 radius_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radius_server_packets'($*)) dnl ') ######################################## ## ## Receive radius_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_radius_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_radius_server_packets'($*)) dnl gen_require(` type radius_server_packet_t; ') allow $1 radius_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_radius_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive radius_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_radius_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radius_server_packets'($*)) dnl gen_require(` type radius_server_packet_t; ') dontaudit $1 radius_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radius_server_packets'($*)) dnl ') ######################################## ## ## Send and receive radius_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_radius_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radius_server_packets'($*)) dnl corenet_send_radius_server_packets($1) corenet_receive_radius_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radius_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive radius_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_radius_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radius_server_packets'($*)) dnl corenet_dontaudit_send_radius_server_packets($1) corenet_dontaudit_receive_radius_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radius_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to radius_server the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_radius_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radius_server_packets'($*)) dnl gen_require(` type radius_server_packet_t; ') allow $1 radius_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_radius_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the radsec port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_radsec_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_radsec_port'($*)) dnl gen_require(` type radsec_port_t; ') allow $1 radsec_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_radsec_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the radsec port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_radsec_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_radsec_port'($*)) dnl gen_require(` type radsec_port_t; ') allow $1 radsec_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_radsec_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the radsec port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_send_radsec_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_radsec_port'($*)) dnl gen_require(` type radsec_port_t; ') dontaudit $1 radsec_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_radsec_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the radsec port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_radsec_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_radsec_port'($*)) dnl gen_require(` type radsec_port_t; ') allow $1 radsec_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_radsec_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the radsec port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_radsec_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_radsec_port'($*)) dnl gen_require(` type radsec_port_t; ') dontaudit $1 radsec_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_radsec_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the radsec port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_sendrecv_radsec_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_radsec_port'($*)) dnl corenet_udp_send_radsec_port($1) corenet_udp_receive_radsec_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_radsec_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the radsec port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_radsec_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_radsec_port'($*)) dnl corenet_dontaudit_udp_send_radsec_port($1) corenet_dontaudit_udp_receive_radsec_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_radsec_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the radsec port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_radsec_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_radsec_port'($*)) dnl gen_require(` type radsec_port_t; ') allow $1 radsec_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_radsec_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the radsec port. ## ## ## ## Domain allowed access. 
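##
##
##
#
define(`corenet_udp_bind_radsec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_radsec_port'($*)) dnl
	gen_require(`
		type radsec_port_t;
	')

	# name_bind on the port type only; unlike the radius bind interfaces
	# in this file, no net_bind_service capability is granted here.
	allow $1 radsec_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_radsec_port'($*)) dnl
')

########################################
##
## Do not audit attempts to bind to the radsec port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_radsec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_radsec_port'($*)) dnl
	gen_require(`
		type radsec_port_t;
	')

	# Audit suppression only: the bind denial is hidden, nothing is allowed.
	dontaudit $1 radsec_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_radsec_port'($*)) dnl
')

########################################
##
## Make a TCP connection to the radsec port.
##
##
##
## Domain allowed access.
##
##
#
define(`corenet_tcp_connect_radsec_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_radsec_port'($*)) dnl
	gen_require(`
		type radsec_port_t;
	')

	# Outbound connect only; send_msg/recv_msg on the port are separate
	# interfaces and are not implied by this one.
	allow $1 radsec_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_radsec_port'($*)) dnl
')

########################################
##
## Do not audit attempts to make a TCP connection to the radsec port.
##
##
##
## Domain to not audit.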
## ## # define(`corenet_dontaudit_tcp_connect_radsec_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_radsec_port'($*)) dnl gen_require(` type radsec_port_t; ') dontaudit $1 radsec_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_radsec_port'($*)) dnl ') ######################################## ## ## Send radsec_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_radsec_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_radsec_client_packets'($*)) dnl gen_require(` type radsec_client_packet_t; ') allow $1 radsec_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_radsec_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send radsec_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_radsec_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radsec_client_packets'($*)) dnl gen_require(` type radsec_client_packet_t; ') dontaudit $1 radsec_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radsec_client_packets'($*)) dnl ') ######################################## ## ## Receive radsec_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_radsec_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_radsec_client_packets'($*)) dnl gen_require(` type radsec_client_packet_t; ') allow $1 radsec_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_radsec_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive radsec_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_radsec_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radsec_client_packets'($*)) dnl gen_require(` type radsec_client_packet_t; ') dontaudit $1 radsec_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radsec_client_packets'($*)) dnl ') ######################################## ## ## Send and receive radsec_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_radsec_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radsec_client_packets'($*)) dnl corenet_send_radsec_client_packets($1) corenet_receive_radsec_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radsec_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive radsec_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_radsec_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radsec_client_packets'($*)) dnl corenet_dontaudit_send_radsec_client_packets($1) corenet_dontaudit_receive_radsec_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radsec_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to radsec_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_radsec_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radsec_client_packets'($*)) dnl gen_require(` type radsec_client_packet_t; ') allow $1 radsec_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_radsec_client_packets'($*)) dnl ') ######################################## ## ## Send radsec_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_radsec_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_radsec_server_packets'($*)) dnl gen_require(` type radsec_server_packet_t; ') allow $1 radsec_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_radsec_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send radsec_server packets. ## ## ## ## Domain to not audit. 
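##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_radsec_server_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_radsec_server_packets'($*)) dnl
	gen_require(`
		type radsec_server_packet_t;
	')

	dontaudit $1 radsec_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_radsec_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive radsec_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_radsec_server_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_radsec_server_packets'($*)) dnl
	gen_require(`
		type radsec_server_packet_t;
	')

	allow $1 radsec_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_radsec_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive radsec_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_radsec_server_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_radsec_server_packets'($*)) dnl
	gen_require(`
		type radsec_server_packet_t;
	')

	# silences the denial only; no access is granted
	dontaudit $1 radsec_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_radsec_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive radsec_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.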
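##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_radsec_server_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_radsec_server_packets'($*)) dnl
	corenet_send_radsec_server_packets($1)
	corenet_receive_radsec_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_radsec_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive radsec_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_radsec_server_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_radsec_server_packets'($*)) dnl
	corenet_dontaudit_send_radsec_server_packets($1)
	corenet_dontaudit_receive_radsec_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_radsec_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the radsec_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_radsec_server_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_radsec_server_packets'($*)) dnl
	gen_require(`
		type radsec_server_packet_t;
	')

	allow $1 radsec_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_radsec_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the razor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.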
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_tcp_sendrecv_razor_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_razor_port'($*)) dnl
	gen_require(`
		type razor_port_t;
	')

	allow $1 razor_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_razor_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the razor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_razor_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_razor_port'($*)) dnl
	gen_require(`
		type razor_port_t;
	')

	allow $1 razor_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_razor_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the razor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_razor_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_razor_port'($*)) dnl
	gen_require(`
		type razor_port_t;
	')

	dontaudit $1 razor_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_razor_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the razor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_razor_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_razor_port'($*)) dnl
	gen_require(`
		type razor_port_t;
	')

	allow $1 razor_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_razor_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the razor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_razor_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_razor_port'($*)) dnl
	gen_require(`
		type razor_port_t;
	')

	dontaudit $1 razor_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_razor_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the razor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_udp_sendrecv_razor_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_razor_port'($*)) dnl
	corenet_udp_send_razor_port($1)
	corenet_udp_receive_razor_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_razor_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the razor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
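##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_razor_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_razor_port'($*)) dnl
	corenet_dontaudit_udp_send_razor_port($1)
	corenet_dontaudit_udp_receive_razor_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_razor_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the razor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_razor_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_razor_port'($*)) dnl
	gen_require(`
		type razor_port_t;
	')

	# no net_bind_service capability is granted here; the razor port
	# is not treated as a reserved port by this interface
	allow $1 razor_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_razor_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the razor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_razor_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_razor_port'($*)) dnl
	gen_require(`
		type razor_port_t;
	')

	allow $1 razor_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_razor_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the razor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.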
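##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_razor_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_razor_port'($*)) dnl
	gen_require(`
		type razor_port_t;
	')

	# silences the denial only; no access is granted
	dontaudit $1 razor_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_razor_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the razor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_razor_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_razor_port'($*)) dnl
	gen_require(`
		type razor_port_t;
	')

	allow $1 razor_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_razor_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the razor port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_razor_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_razor_port'($*)) dnl
	gen_require(`
		type razor_port_t;
	')

	# silences the denial only; no access is granted
	dontaudit $1 razor_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_razor_port'($*)) dnl
')

########################################
## <summary>
##	Send razor_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.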
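##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_razor_client_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_razor_client_packets'($*)) dnl
	gen_require(`
		type razor_client_packet_t;
	')

	allow $1 razor_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_razor_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send razor_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_razor_client_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_razor_client_packets'($*)) dnl
	gen_require(`
		type razor_client_packet_t;
	')

	dontaudit $1 razor_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_razor_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive razor_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_razor_client_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_razor_client_packets'($*)) dnl
	gen_require(`
		type razor_client_packet_t;
	')

	allow $1 razor_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_razor_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive razor_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.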
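##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_razor_client_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_razor_client_packets'($*)) dnl
	gen_require(`
		type razor_client_packet_t;
	')

	# silences the denial only; no access is granted
	dontaudit $1 razor_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_razor_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive razor_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_razor_client_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_razor_client_packets'($*)) dnl
	corenet_send_razor_client_packets($1)
	corenet_receive_razor_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_razor_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive razor_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_razor_client_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_razor_client_packets'($*)) dnl
	corenet_dontaudit_send_razor_client_packets($1)
	corenet_dontaudit_receive_razor_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_razor_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the razor_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.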
##	</summary>
## </param>
#
define(`corenet_relabelto_razor_client_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_razor_client_packets'($*)) dnl
	gen_require(`
		type razor_client_packet_t;
	')

	allow $1 razor_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_razor_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send razor_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_razor_server_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_razor_server_packets'($*)) dnl
	gen_require(`
		type razor_server_packet_t;
	')

	allow $1 razor_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_razor_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send razor_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_razor_server_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_razor_server_packets'($*)) dnl
	gen_require(`
		type razor_server_packet_t;
	')

	dontaudit $1 razor_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_razor_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive razor_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
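##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_razor_server_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_razor_server_packets'($*)) dnl
	gen_require(`
		type razor_server_packet_t;
	')

	allow $1 razor_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_razor_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive razor_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_razor_server_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_razor_server_packets'($*)) dnl
	gen_require(`
		type razor_server_packet_t;
	')

	# silences the denial only; no access is granted
	dontaudit $1 razor_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_razor_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive razor_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_razor_server_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_razor_server_packets'($*)) dnl
	corenet_send_razor_server_packets($1)
	corenet_receive_razor_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_razor_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive razor_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.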
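##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_razor_server_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_razor_server_packets'($*)) dnl
	corenet_dontaudit_send_razor_server_packets($1)
	corenet_dontaudit_receive_razor_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_razor_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the razor_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_razor_server_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_razor_server_packets'($*)) dnl
	gen_require(`
		type razor_server_packet_t;
	')

	allow $1 razor_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_razor_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the time port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_tcp_sendrecv_time_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_time_port'($*)) dnl
	gen_require(`
		type time_port_t;
	')

	allow $1 time_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_time_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the time port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.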
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_time_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_time_port'($*)) dnl
	gen_require(`
		type time_port_t;
	')

	allow $1 time_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_time_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the time port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_time_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_time_port'($*)) dnl
	gen_require(`
		type time_port_t;
	')

	dontaudit $1 time_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_time_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the time port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_time_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_time_port'($*)) dnl
	gen_require(`
		type time_port_t;
	')

	allow $1 time_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_time_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the time port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_time_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_time_port'($*)) dnl
	gen_require(`
		type time_port_t;
	')

	dontaudit $1 time_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_time_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the time port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_udp_sendrecv_time_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_time_port'($*)) dnl
	corenet_udp_send_time_port($1)
	corenet_udp_receive_time_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_time_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the time port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_time_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_time_port'($*)) dnl
	corenet_dontaudit_udp_send_time_port($1)
	corenet_dontaudit_udp_receive_time_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_time_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the time port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
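##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_time_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_time_port'($*)) dnl
	gen_require(`
		type time_port_t;
	')

	allow $1 time_port_t:tcp_socket name_bind;
	# the time port is treated as a reserved port here: binding it
	# also needs CAP_NET_BIND_SERVICE, which the razor and redis bind
	# interfaces in this file do not grant
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_time_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the time port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_time_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_time_port'($*)) dnl
	gen_require(`
		type time_port_t;
	')

	allow $1 time_port_t:udp_socket name_bind;
	# reserved port: binding also needs CAP_NET_BIND_SERVICE
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_time_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the time port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_time_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_time_port'($*)) dnl
	gen_require(`
		type time_port_t;
	')

	# A dontaudit interface must only silence denials. The
	# "allow $1 self:capability net_bind_service;" rule that used to
	# sit here granted a real privilege (binding any reserved port) to
	# every caller that merely wanted the name_bind denial quieted,
	# so it has been dropped; callers that genuinely bind the port
	# must use corenet_udp_bind_time_port instead.
	dontaudit $1 time_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_time_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the time port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.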
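##	</summary>
## </param>
#
define(`corenet_tcp_connect_time_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_time_port'($*)) dnl
	gen_require(`
		type time_port_t;
	')

	allow $1 time_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_time_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the time port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_time_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_time_port'($*)) dnl
	gen_require(`
		type time_port_t;
	')

	# silences the denial only; no access is granted
	dontaudit $1 time_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_time_port'($*)) dnl
')

########################################
## <summary>
##	Send time_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_time_client_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_time_client_packets'($*)) dnl
	gen_require(`
		type time_client_packet_t;
	')

	allow $1 time_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_time_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send time_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.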
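##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_time_client_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_time_client_packets'($*)) dnl
	gen_require(`
		type time_client_packet_t;
	')

	dontaudit $1 time_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_time_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive time_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_time_client_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_time_client_packets'($*)) dnl
	gen_require(`
		type time_client_packet_t;
	')

	allow $1 time_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_time_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive time_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_time_client_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_time_client_packets'($*)) dnl
	gen_require(`
		type time_client_packet_t;
	')

	# silences the denial only; no access is granted
	dontaudit $1 time_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_time_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive time_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.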
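##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_time_client_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_time_client_packets'($*)) dnl
	corenet_send_time_client_packets($1)
	corenet_receive_time_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_time_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive time_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_time_client_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_time_client_packets'($*)) dnl
	corenet_dontaudit_send_time_client_packets($1)
	corenet_dontaudit_receive_time_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_time_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the time_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_time_client_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_time_client_packets'($*)) dnl
	gen_require(`
		type time_client_packet_t;
	')

	allow $1 time_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_time_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send time_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.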
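##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_time_server_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_time_server_packets'($*)) dnl
	gen_require(`
		type time_server_packet_t;
	')

	allow $1 time_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_time_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send time_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_time_server_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_time_server_packets'($*)) dnl
	gen_require(`
		type time_server_packet_t;
	')

	dontaudit $1 time_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_time_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive time_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_time_server_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_time_server_packets'($*)) dnl
	gen_require(`
		type time_server_packet_t;
	')

	allow $1 time_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_time_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive time_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.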
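##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_time_server_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_time_server_packets'($*)) dnl
	gen_require(`
		type time_server_packet_t;
	')

	# silences the denial only; no access is granted
	dontaudit $1 time_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_time_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive time_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_time_server_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_time_server_packets'($*)) dnl
	corenet_send_time_server_packets($1)
	corenet_receive_time_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_time_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive time_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_time_server_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_time_server_packets'($*)) dnl
	corenet_dontaudit_send_time_server_packets($1)
	corenet_dontaudit_receive_time_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_time_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the time_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.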
##	</summary>
## </param>
#
define(`corenet_relabelto_time_server_packets',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_time_server_packets'($*)) dnl
	gen_require(`
		type time_server_packet_t;
	')

	allow $1 time_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_time_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the redis port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_tcp_sendrecv_redis_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_redis_port'($*)) dnl
	gen_require(`
		type redis_port_t;
	')

	allow $1 redis_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_redis_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the redis port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_redis_port',`
dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_redis_port'($*)) dnl
	gen_require(`
		type redis_port_t;
	')

	allow $1 redis_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_redis_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the redis port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##
##
##
#
# dontaudit suppresses the AVC denial record only; the access remains denied.
define(`corenet_dontaudit_udp_send_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_redis_port'($*)) dnl
	gen_require(`
		type redis_port_t;
	')

	dontaudit $1 redis_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_redis_port'($*)) dnl
')

########################################
##
##	Receive UDP traffic on the redis port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_redis_port'($*)) dnl
	gen_require(`
		type redis_port_t;
	')

	allow $1 redis_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_redis_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive UDP traffic on the redis port.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit suppresses the AVC denial record only; the access remains denied.
define(`corenet_dontaudit_udp_receive_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_redis_port'($*)) dnl
	gen_require(`
		type redis_port_t;
	')

	dontaudit $1 redis_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_redis_port'($*)) dnl
')

########################################
##
##	Send and receive UDP traffic on the redis port.
##
##
##
##	Domain allowed access.
##
##
##
#
# Wrapper: expands to the UDP send and receive interfaces for this port type.
define(`corenet_udp_sendrecv_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_redis_port'($*)) dnl
	corenet_udp_send_redis_port($1)
	corenet_udp_receive_redis_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_redis_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the redis port.
##
##
##
##	Domain to not audit.
##
##
##
#
# Wrapper: expands to the dontaudit UDP send and receive interfaces for this port type.
define(`corenet_dontaudit_udp_sendrecv_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_redis_port'($*)) dnl
	corenet_dontaudit_udp_send_redis_port($1)
	corenet_dontaudit_udp_receive_redis_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_redis_port'($*)) dnl
')

########################################
##
##	Bind TCP sockets to the redis port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_redis_port'($*)) dnl
	gen_require(`
		type redis_port_t;
	')

	allow $1 redis_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_redis_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the redis port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_redis_port'($*)) dnl
	gen_require(`
		type redis_port_t;
	')

	allow $1 redis_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_redis_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind UDP sockets to the redis port.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit suppresses the AVC denial record only; the access remains denied.
define(`corenet_dontaudit_udp_bind_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_redis_port'($*)) dnl
	gen_require(`
		type redis_port_t;
	')

	dontaudit $1 redis_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_redis_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the redis port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_redis_port'($*)) dnl
	gen_require(`
		type redis_port_t;
	')

	allow $1 redis_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_redis_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the redis port.
##
##
##
##	Domain to not audit.
##
##
#
# dontaudit suppresses the AVC denial record only; the access remains denied.
define(`corenet_dontaudit_tcp_connect_redis_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_redis_port'($*)) dnl
	gen_require(`
		type redis_port_t;
	')

	dontaudit $1 redis_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_redis_port'($*)) dnl
')

########################################
##
##	Send redis_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# packet class permissions are only checked for traffic that carries a SECMARK label.
define(`corenet_send_redis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_redis_client_packets'($*)) dnl
	gen_require(`
		type redis_client_packet_t;
	')

	allow $1 redis_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_redis_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send redis_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit suppresses the AVC denial record only; the access remains denied.
define(`corenet_dontaudit_send_redis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_redis_client_packets'($*)) dnl
	gen_require(`
		type redis_client_packet_t;
	')

	dontaudit $1 redis_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_redis_client_packets'($*)) dnl
')

########################################
##
##	Receive redis_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# packet class permissions are only checked for traffic that carries a SECMARK label.
define(`corenet_receive_redis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_redis_client_packets'($*)) dnl
	gen_require(`
		type redis_client_packet_t;
	')

	allow $1 redis_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_redis_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive redis_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit suppresses the AVC denial record only; the access remains denied.
define(`corenet_dontaudit_receive_redis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_redis_client_packets'($*)) dnl
	gen_require(`
		type redis_client_packet_t;
	')

	dontaudit $1 redis_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_redis_client_packets'($*)) dnl
')

########################################
##
##	Send and receive redis_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# Wrapper: expands to the send and receive interfaces for this packet type.
define(`corenet_sendrecv_redis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_redis_client_packets'($*)) dnl
	corenet_send_redis_client_packets($1)
	corenet_receive_redis_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_redis_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive redis_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# Wrapper: expands to the dontaudit send and receive interfaces for this packet type.
define(`corenet_dontaudit_sendrecv_redis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_redis_client_packets'($*)) dnl
	corenet_dontaudit_send_redis_client_packets($1)
	corenet_dontaudit_receive_redis_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_redis_client_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the redis_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
# packet class permissions are only checked for traffic that carries a SECMARK label.
define(`corenet_relabelto_redis_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_redis_client_packets'($*)) dnl
	gen_require(`
		type redis_client_packet_t;
	')

	allow $1 redis_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_redis_client_packets'($*)) dnl
')

########################################
##
##	Send redis_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# packet class permissions are only checked for traffic that carries a SECMARK label.
define(`corenet_send_redis_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_redis_server_packets'($*)) dnl
	gen_require(`
		type redis_server_packet_t;
	')

	allow $1 redis_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_redis_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send redis_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit suppresses the AVC denial record only; the access remains denied.
define(`corenet_dontaudit_send_redis_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_redis_server_packets'($*)) dnl
	gen_require(`
		type redis_server_packet_t;
	')

	dontaudit $1 redis_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_redis_server_packets'($*)) dnl
')

########################################
##
##	Receive redis_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# packet class permissions are only checked for traffic that carries a SECMARK label.
define(`corenet_receive_redis_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_redis_server_packets'($*)) dnl
	gen_require(`
		type redis_server_packet_t;
	')

	allow $1 redis_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_redis_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive redis_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit suppresses the AVC denial record only; the access remains denied.
define(`corenet_dontaudit_receive_redis_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_redis_server_packets'($*)) dnl
	gen_require(`
		type redis_server_packet_t;
	')

	dontaudit $1 redis_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_redis_server_packets'($*)) dnl
')

########################################
##
##	Send and receive redis_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# Wrapper: expands to the send and receive interfaces for this packet type.
define(`corenet_sendrecv_redis_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_redis_server_packets'($*)) dnl
	corenet_send_redis_server_packets($1)
	corenet_receive_redis_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_redis_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive redis_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# Wrapper: expands to the dontaudit send and receive interfaces for this packet type.
define(`corenet_dontaudit_sendrecv_redis_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_redis_server_packets'($*)) dnl
	corenet_dontaudit_send_redis_server_packets($1)
	corenet_dontaudit_receive_redis_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_redis_server_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the redis_server packet type.
##
##
##
##	Domain allowed access.
##
##
#
# packet class permissions are only checked for traffic that carries a SECMARK label.
define(`corenet_relabelto_redis_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_redis_server_packets'($*)) dnl
	gen_require(`
		type redis_server_packet_t;
	')

	allow $1 redis_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_redis_server_packets'($*)) dnl
')

########################################
##
##	Send and receive TCP traffic on the repository port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_repository_port'($*)) dnl
	gen_require(`
		type repository_port_t;
	')

	allow $1 repository_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_repository_port'($*)) dnl
')

########################################
##
##	Send UDP traffic on the repository port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_send_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_repository_port'($*)) dnl
	gen_require(`
		type repository_port_t;
	')

	allow $1 repository_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_repository_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send UDP traffic on the repository port.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit suppresses the AVC denial record only; the access remains denied.
define(`corenet_dontaudit_udp_send_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_repository_port'($*)) dnl
	gen_require(`
		type repository_port_t;
	')

	dontaudit $1 repository_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_repository_port'($*)) dnl
')

########################################
##
##	Receive UDP traffic on the repository port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_repository_port'($*)) dnl
	gen_require(`
		type repository_port_t;
	')

	allow $1 repository_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_repository_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive UDP traffic on the repository port.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit suppresses the AVC denial record only; the access remains denied.
define(`corenet_dontaudit_udp_receive_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_repository_port'($*)) dnl
	gen_require(`
		type repository_port_t;
	')

	dontaudit $1 repository_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_repository_port'($*)) dnl
')

########################################
##
##	Send and receive UDP traffic on the repository port.
##
##
##
##	Domain allowed access.
##
##
##
#
# Wrapper: expands to the UDP send and receive interfaces for this port type.
define(`corenet_udp_sendrecv_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_repository_port'($*)) dnl
	corenet_udp_send_repository_port($1)
	corenet_udp_receive_repository_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_repository_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the repository port.
##
##
##
##	Domain to not audit.
##
##
##
#
# Wrapper: expands to the dontaudit UDP send and receive interfaces for this port type.
define(`corenet_dontaudit_udp_sendrecv_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_repository_port'($*)) dnl
	corenet_dontaudit_udp_send_repository_port($1)
	corenet_dontaudit_udp_receive_repository_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_repository_port'($*)) dnl
')

########################################
##
##	Bind TCP sockets to the repository port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_repository_port'($*)) dnl
	gen_require(`
		type repository_port_t;
	')

	allow $1 repository_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_repository_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the repository port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_repository_port'($*)) dnl
	gen_require(`
		type repository_port_t;
	')

	allow $1 repository_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_repository_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind UDP sockets to the repository port.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit suppresses the AVC denial record only; the access remains denied.
define(`corenet_dontaudit_udp_bind_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_repository_port'($*)) dnl
	gen_require(`
		type repository_port_t;
	')

	dontaudit $1 repository_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_repository_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the repository port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_repository_port'($*)) dnl
	gen_require(`
		type repository_port_t;
	')

	allow $1 repository_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_repository_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the repository port.
##
##
##
##	Domain to not audit.
##
##
#
# dontaudit suppresses the AVC denial record only; the access remains denied.
define(`corenet_dontaudit_tcp_connect_repository_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_repository_port'($*)) dnl
	gen_require(`
		type repository_port_t;
	')

	dontaudit $1 repository_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_repository_port'($*)) dnl
')

########################################
##
##	Send repository_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# packet class permissions are only checked for traffic that carries a SECMARK label.
define(`corenet_send_repository_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_repository_client_packets'($*)) dnl
	gen_require(`
		type repository_client_packet_t;
	')

	allow $1 repository_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_repository_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send repository_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit suppresses the AVC denial record only; the access remains denied.
define(`corenet_dontaudit_send_repository_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_repository_client_packets'($*)) dnl
	gen_require(`
		type repository_client_packet_t;
	')

	dontaudit $1 repository_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_repository_client_packets'($*)) dnl
')

########################################
##
##	Receive repository_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# packet class permissions are only checked for traffic that carries a SECMARK label.
define(`corenet_receive_repository_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_repository_client_packets'($*)) dnl
	gen_require(`
		type repository_client_packet_t;
	')

	allow $1 repository_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_repository_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive repository_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit suppresses the AVC denial record only; the access remains denied.
define(`corenet_dontaudit_receive_repository_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_repository_client_packets'($*)) dnl
	gen_require(`
		type repository_client_packet_t;
	')

	dontaudit $1 repository_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_repository_client_packets'($*)) dnl
')

########################################
##
##	Send and receive repository_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# Wrapper: expands to the send and receive interfaces for this packet type.
define(`corenet_sendrecv_repository_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_repository_client_packets'($*)) dnl
	corenet_send_repository_client_packets($1)
	corenet_receive_repository_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_repository_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive repository_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# Wrapper: expands to the dontaudit send and receive interfaces for this packet type.
define(`corenet_dontaudit_sendrecv_repository_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_repository_client_packets'($*)) dnl
	corenet_dontaudit_send_repository_client_packets($1)
	corenet_dontaudit_receive_repository_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_repository_client_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the repository_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
# packet class permissions are only checked for traffic that carries a SECMARK label.
define(`corenet_relabelto_repository_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_repository_client_packets'($*)) dnl
	gen_require(`
		type repository_client_packet_t;
	')

	allow $1 repository_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_repository_client_packets'($*)) dnl
')

########################################
##
##	Send repository_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# packet class permissions are only checked for traffic that carries a SECMARK label.
define(`corenet_send_repository_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_repository_server_packets'($*)) dnl
	gen_require(`
		type repository_server_packet_t;
	')

	allow $1 repository_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_repository_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send repository_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit suppresses the AVC denial record only; the access remains denied.
define(`corenet_dontaudit_send_repository_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_repository_server_packets'($*)) dnl
	gen_require(`
		type repository_server_packet_t;
	')

	dontaudit $1 repository_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_repository_server_packets'($*)) dnl
')

########################################
##
##	Receive repository_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# packet class permissions are only checked for traffic that carries a SECMARK label.
define(`corenet_receive_repository_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_repository_server_packets'($*)) dnl
	gen_require(`
		type repository_server_packet_t;
	')

	allow $1 repository_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_repository_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive repository_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit suppresses the AVC denial record only; the access remains denied.
define(`corenet_dontaudit_receive_repository_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_repository_server_packets'($*)) dnl
	gen_require(`
		type repository_server_packet_t;
	')

	dontaudit $1 repository_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_repository_server_packets'($*)) dnl
')

########################################
##
##	Send and receive repository_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# Wrapper: expands to the send and receive interfaces for this packet type.
define(`corenet_sendrecv_repository_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_repository_server_packets'($*)) dnl
	corenet_send_repository_server_packets($1)
	corenet_receive_repository_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_repository_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive repository_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# Wrapper: expands to the dontaudit send and receive interfaces for this packet type.
define(`corenet_dontaudit_sendrecv_repository_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_repository_server_packets'($*)) dnl
	corenet_dontaudit_send_repository_server_packets($1)
	corenet_dontaudit_receive_repository_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_repository_server_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the repository_server packet type.
##
##
##
##	Domain allowed access.
##
##
#
# packet class permissions are only checked for traffic that carries a SECMARK label.
define(`corenet_relabelto_repository_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_repository_server_packets'($*)) dnl
	gen_require(`
		type repository_server_packet_t;
	')

	allow $1 repository_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_repository_server_packets'($*)) dnl
')

########################################
##
##	Send and receive TCP traffic on the ricci port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_ricci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ricci_port'($*)) dnl
	gen_require(`
		type ricci_port_t;
	')

	allow $1 ricci_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ricci_port'($*)) dnl
')

########################################
##
##	Send UDP traffic on the ricci port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_send_ricci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ricci_port'($*)) dnl
	gen_require(`
		type ricci_port_t;
	')

	allow $1 ricci_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ricci_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send UDP traffic on the ricci port.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit suppresses the AVC denial record only; the access remains denied.
define(`corenet_dontaudit_udp_send_ricci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ricci_port'($*)) dnl
	gen_require(`
		type ricci_port_t;
	')

	dontaudit $1 ricci_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ricci_port'($*)) dnl
')

########################################
##
##	Receive UDP traffic on the ricci port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_ricci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ricci_port'($*)) dnl
	gen_require(`
		type ricci_port_t;
	')

	allow $1 ricci_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ricci_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive UDP traffic on the ricci port.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit suppresses the AVC denial record only; the access remains denied.
define(`corenet_dontaudit_udp_receive_ricci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ricci_port'($*)) dnl
	gen_require(`
		type ricci_port_t;
	')

	dontaudit $1 ricci_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ricci_port'($*)) dnl
')

########################################
##
##	Send and receive UDP traffic on the ricci port.
##
##
##
##	Domain allowed access.
##
##
##
#
# Wrapper: expands to the UDP send and receive interfaces for this port type.
define(`corenet_udp_sendrecv_ricci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ricci_port'($*)) dnl
	corenet_udp_send_ricci_port($1)
	corenet_udp_receive_ricci_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ricci_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the ricci port.
##
##
##
##	Domain to not audit.
##
##
##
#
# Wrapper: expands to the dontaudit UDP send and receive interfaces for this port type.
define(`corenet_dontaudit_udp_sendrecv_ricci_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ricci_port'($*)) dnl
	corenet_dontaudit_udp_send_ricci_port($1)
	corenet_dontaudit_udp_receive_ricci_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ricci_port'($*)) dnl
')

########################################
##
##	Bind TCP sockets to the ricci port.
##
##
##
##	Domain allowed access.
## ## ## # define(`corenet_tcp_bind_ricci_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ricci_port'($*)) dnl gen_require(` type ricci_port_t; ') allow $1 ricci_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ricci_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the ricci port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_ricci_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ricci_port'($*)) dnl gen_require(` type ricci_port_t; ') allow $1 ricci_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ricci_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind to the ricci port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_bind_ricci_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ricci_port'($*)) dnl gen_require(` type ricci_port_t; ') dontaudit $1 ricci_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ricci_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the ricci port. ## ## ## ## Domain allowed access.
## ## # define(`corenet_tcp_connect_ricci_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ricci_port'($*)) dnl gen_require(` type ricci_port_t; ') allow $1 ricci_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ricci_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the ricci port. ## ## ## ## Domain to not audit. ## ## # define(`corenet_dontaudit_tcp_connect_ricci_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ricci_port'($*)) dnl gen_require(` type ricci_port_t; ') dontaudit $1 ricci_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ricci_port'($*)) dnl ') ######################################## ## ## Send ricci_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_ricci_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ricci_client_packets'($*)) dnl gen_require(` type ricci_client_packet_t; ') allow $1 ricci_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ricci_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ricci_client packets. ## ## ## ## Domain to not audit.
## ## ## # define(`corenet_dontaudit_send_ricci_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ricci_client_packets'($*)) dnl gen_require(` type ricci_client_packet_t; ') dontaudit $1 ricci_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ricci_client_packets'($*)) dnl ') ######################################## ## ## Receive ricci_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_ricci_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ricci_client_packets'($*)) dnl gen_require(` type ricci_client_packet_t; ') allow $1 ricci_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ricci_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ricci_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_ricci_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ricci_client_packets'($*)) dnl gen_require(` type ricci_client_packet_t; ') dontaudit $1 ricci_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ricci_client_packets'($*)) dnl ') ######################################## ## ## Send and receive ricci_client packets. ## ## ## ## Domain allowed access.
## ## ## # define(`corenet_sendrecv_ricci_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ricci_client_packets'($*)) dnl corenet_send_ricci_client_packets($1) corenet_receive_ricci_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ricci_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ricci_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_ricci_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ricci_client_packets'($*)) dnl corenet_dontaudit_send_ricci_client_packets($1) corenet_dontaudit_receive_ricci_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ricci_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the ricci_client packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_ricci_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ricci_client_packets'($*)) dnl gen_require(` type ricci_client_packet_t; ') allow $1 ricci_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ricci_client_packets'($*)) dnl ') ######################################## ## ## Send ricci_server packets. ## ## ## ## Domain allowed access.
## ## ## # define(`corenet_send_ricci_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ricci_server_packets'($*)) dnl gen_require(` type ricci_server_packet_t; ') allow $1 ricci_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ricci_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ricci_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_ricci_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ricci_server_packets'($*)) dnl gen_require(` type ricci_server_packet_t; ') dontaudit $1 ricci_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ricci_server_packets'($*)) dnl ') ######################################## ## ## Receive ricci_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_ricci_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ricci_server_packets'($*)) dnl gen_require(` type ricci_server_packet_t; ') allow $1 ricci_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ricci_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ricci_server packets. ## ## ## ## Domain to not audit.
## ## ## # define(`corenet_dontaudit_receive_ricci_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ricci_server_packets'($*)) dnl gen_require(` type ricci_server_packet_t; ') dontaudit $1 ricci_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ricci_server_packets'($*)) dnl ') ######################################## ## ## Send and receive ricci_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_ricci_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ricci_server_packets'($*)) dnl corenet_send_ricci_server_packets($1) corenet_receive_ricci_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ricci_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ricci_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_ricci_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ricci_server_packets'($*)) dnl corenet_dontaudit_send_ricci_server_packets($1) corenet_dontaudit_receive_ricci_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ricci_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the ricci_server packet type. ## ## ## ## Domain allowed access.
## ## # define(`corenet_relabelto_ricci_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ricci_server_packets'($*)) dnl gen_require(` type ricci_server_packet_t; ') allow $1 ricci_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ricci_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the ricci_modcluster port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_ricci_modcluster_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ricci_modcluster_port'($*)) dnl gen_require(` type ricci_modcluster_port_t; ') allow $1 ricci_modcluster_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ricci_modcluster_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the ricci_modcluster port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_ricci_modcluster_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ricci_modcluster_port'($*)) dnl gen_require(` type ricci_modcluster_port_t; ') allow $1 ricci_modcluster_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_ricci_modcluster_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the ricci_modcluster port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_send_ricci_modcluster_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ricci_modcluster_port'($*)) dnl gen_require(` type ricci_modcluster_port_t; ') dontaudit $1 ricci_modcluster_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ricci_modcluster_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the ricci_modcluster port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_ricci_modcluster_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ricci_modcluster_port'($*)) dnl gen_require(` type ricci_modcluster_port_t; ') allow $1 ricci_modcluster_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ricci_modcluster_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the ricci_modcluster port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_ricci_modcluster_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ricci_modcluster_port'($*)) dnl gen_require(` type ricci_modcluster_port_t; ') dontaudit $1 ricci_modcluster_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ricci_modcluster_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the ricci_modcluster port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_sendrecv_ricci_modcluster_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ricci_modcluster_port'($*)) dnl corenet_udp_send_ricci_modcluster_port($1) corenet_udp_receive_ricci_modcluster_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ricci_modcluster_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the ricci_modcluster port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_ricci_modcluster_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ricci_modcluster_port'($*)) dnl corenet_dontaudit_udp_send_ricci_modcluster_port($1) corenet_dontaudit_udp_receive_ricci_modcluster_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ricci_modcluster_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the ricci_modcluster port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_ricci_modcluster_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ricci_modcluster_port'($*)) dnl gen_require(` type ricci_modcluster_port_t; ') allow $1 ricci_modcluster_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ricci_modcluster_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the ricci_modcluster port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_bind_ricci_modcluster_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ricci_modcluster_port'($*)) dnl gen_require(` type ricci_modcluster_port_t; ') allow $1 ricci_modcluster_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ricci_modcluster_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind to the ricci_modcluster port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_bind_ricci_modcluster_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ricci_modcluster_port'($*)) dnl gen_require(` type ricci_modcluster_port_t; ') dontaudit $1 ricci_modcluster_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ricci_modcluster_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the ricci_modcluster port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_ricci_modcluster_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ricci_modcluster_port'($*)) dnl gen_require(` type ricci_modcluster_port_t; ') allow $1 ricci_modcluster_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ricci_modcluster_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the ricci_modcluster port. ## ## ## ## Domain to not audit.
## ## # define(`corenet_dontaudit_tcp_connect_ricci_modcluster_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ricci_modcluster_port'($*)) dnl gen_require(` type ricci_modcluster_port_t; ') dontaudit $1 ricci_modcluster_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ricci_modcluster_port'($*)) dnl ') ######################################## ## ## Send ricci_modcluster_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_ricci_modcluster_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ricci_modcluster_client_packets'($*)) dnl gen_require(` type ricci_modcluster_client_packet_t; ') allow $1 ricci_modcluster_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ricci_modcluster_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ricci_modcluster_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_ricci_modcluster_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ricci_modcluster_client_packets'($*)) dnl gen_require(` type ricci_modcluster_client_packet_t; ') dontaudit $1 ricci_modcluster_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ricci_modcluster_client_packets'($*)) dnl ') ######################################## ## ## Receive ricci_modcluster_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_ricci_modcluster_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ricci_modcluster_client_packets'($*)) dnl gen_require(` type ricci_modcluster_client_packet_t; ') allow $1 ricci_modcluster_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ricci_modcluster_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ricci_modcluster_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_ricci_modcluster_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ricci_modcluster_client_packets'($*)) dnl gen_require(` type ricci_modcluster_client_packet_t; ') dontaudit $1 ricci_modcluster_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ricci_modcluster_client_packets'($*)) dnl ') ######################################## ## ## Send and receive ricci_modcluster_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_ricci_modcluster_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ricci_modcluster_client_packets'($*)) dnl corenet_send_ricci_modcluster_client_packets($1) corenet_receive_ricci_modcluster_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ricci_modcluster_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ricci_modcluster_client packets. ## ## ## ## Domain to not audit.
## ## ## # define(`corenet_dontaudit_sendrecv_ricci_modcluster_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ricci_modcluster_client_packets'($*)) dnl corenet_dontaudit_send_ricci_modcluster_client_packets($1) corenet_dontaudit_receive_ricci_modcluster_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ricci_modcluster_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the ricci_modcluster_client packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_ricci_modcluster_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ricci_modcluster_client_packets'($*)) dnl gen_require(` type ricci_modcluster_client_packet_t; ') allow $1 ricci_modcluster_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ricci_modcluster_client_packets'($*)) dnl ') ######################################## ## ## Send ricci_modcluster_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_ricci_modcluster_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ricci_modcluster_server_packets'($*)) dnl gen_require(` type ricci_modcluster_server_packet_t; ') allow $1 ricci_modcluster_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ricci_modcluster_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ricci_modcluster_server packets. ## ## ## ## Domain to not audit.
## ## ## # define(`corenet_dontaudit_send_ricci_modcluster_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ricci_modcluster_server_packets'($*)) dnl gen_require(` type ricci_modcluster_server_packet_t; ') dontaudit $1 ricci_modcluster_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ricci_modcluster_server_packets'($*)) dnl ') ######################################## ## ## Receive ricci_modcluster_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_ricci_modcluster_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ricci_modcluster_server_packets'($*)) dnl gen_require(` type ricci_modcluster_server_packet_t; ') allow $1 ricci_modcluster_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ricci_modcluster_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ricci_modcluster_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_ricci_modcluster_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ricci_modcluster_server_packets'($*)) dnl gen_require(` type ricci_modcluster_server_packet_t; ') dontaudit $1 ricci_modcluster_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ricci_modcluster_server_packets'($*)) dnl ') ######################################## ## ## Send and receive ricci_modcluster_server packets. ## ## ## ## Domain allowed access.
## ## ## # define(`corenet_sendrecv_ricci_modcluster_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ricci_modcluster_server_packets'($*)) dnl corenet_send_ricci_modcluster_server_packets($1) corenet_receive_ricci_modcluster_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ricci_modcluster_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ricci_modcluster_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_ricci_modcluster_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ricci_modcluster_server_packets'($*)) dnl corenet_dontaudit_send_ricci_modcluster_server_packets($1) corenet_dontaudit_receive_ricci_modcluster_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ricci_modcluster_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the ricci_modcluster_server packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_ricci_modcluster_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ricci_modcluster_server_packets'($*)) dnl gen_require(` type ricci_modcluster_server_packet_t; ') allow $1 ricci_modcluster_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ricci_modcluster_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the rlogind port. ## ## ## ## Domain allowed access.
## ## ## # define(`corenet_tcp_sendrecv_rlogind_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rlogind_port'($*)) dnl gen_require(` type rlogind_port_t; ') allow $1 rlogind_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rlogind_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the rlogind port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_rlogind_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rlogind_port'($*)) dnl gen_require(` type rlogind_port_t; ') allow $1 rlogind_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_rlogind_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the rlogind port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_rlogind_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rlogind_port'($*)) dnl gen_require(` type rlogind_port_t; ') dontaudit $1 rlogind_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rlogind_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the rlogind port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_receive_rlogind_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rlogind_port'($*)) dnl gen_require(` type rlogind_port_t; ') allow $1 rlogind_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rlogind_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the rlogind port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_rlogind_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rlogind_port'($*)) dnl gen_require(` type rlogind_port_t; ') dontaudit $1 rlogind_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rlogind_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the rlogind port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_rlogind_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rlogind_port'($*)) dnl corenet_udp_send_rlogind_port($1) corenet_udp_receive_rlogind_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rlogind_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the rlogind port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_sendrecv_rlogind_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rlogind_port'($*)) dnl corenet_dontaudit_udp_send_rlogind_port($1) corenet_dontaudit_udp_receive_rlogind_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rlogind_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the rlogind port. This interface also grants the caller the net_bind_service capability. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_rlogind_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rlogind_port'($*)) dnl gen_require(` type rlogind_port_t; ') allow $1 rlogind_port_t:tcp_socket name_bind; allow $1 self:capability net_bind_service; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rlogind_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the rlogind port. This interface also grants the caller the net_bind_service capability. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_rlogind_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rlogind_port'($*)) dnl gen_require(` type rlogind_port_t; ') allow $1 rlogind_port_t:udp_socket name_bind; allow $1 self:capability net_bind_service; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rlogind_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind to the rlogind port. ## ## ## ## Domain to not audit.
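##
##
##
#
define(`corenet_dontaudit_udp_bind_rlogind_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rlogind_port'($*)) dnl
	gen_require(`
		type rlogind_port_t;
	')

	dnl A dontaudit interface must only suppress denial records; it must not
	dnl hand out access. This interface previously also emitted
	dnl allow $1 self:capability net_bind_service; which granted the caller a
	dnl real capability under a do-not-audit contract. That allow rule is
	dnl deliberately omitted: a domain that genuinely needs to bind the port
	dnl calls the allow-form interface, corenet_udp_bind_rlogind_port, instead.
	dontaudit $1 rlogind_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rlogind_port'($*)) dnl
')
########################################
##
##	Make a TCP connection to the rlogind port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_rlogind_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rlogind_port'($*)) dnl
	gen_require(`
		type rlogind_port_t;
	')

	allow $1 rlogind_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rlogind_port'($*)) dnl
')
########################################
##
##	Do not audit attempts to make a TCP connection to the rlogind port.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_rlogind_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rlogind_port'($*)) dnl
	gen_require(`
		type rlogind_port_t;
	')

	dontaudit $1 rlogind_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rlogind_port'($*)) dnl
')
########################################
##
##	Send rlogind_client packets.
##
##
##
##	Domain allowed access.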
##	</summary>
## </param>
#
define(`corenet_send_rlogind_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rlogind_client_packets'($*)) dnl
	gen_require(`
		type rlogind_client_packet_t;
	')

	allow $1 rlogind_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rlogind_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send rlogind_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_rlogind_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rlogind_client_packets'($*)) dnl
	gen_require(`
		type rlogind_client_packet_t;
	')

	dontaudit $1 rlogind_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rlogind_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive rlogind_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_rlogind_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rlogind_client_packets'($*)) dnl
	gen_require(`
		type rlogind_client_packet_t;
	')

	allow $1 rlogind_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rlogind_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive rlogind_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_rlogind_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rlogind_client_packets'($*)) dnl
	gen_require(`
		type rlogind_client_packet_t;
	')

	dontaudit $1 rlogind_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rlogind_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive rlogind_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_rlogind_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rlogind_client_packets'($*)) dnl
	corenet_send_rlogind_client_packets($1)
	corenet_receive_rlogind_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rlogind_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive rlogind_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_rlogind_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rlogind_client_packets'($*)) dnl
	corenet_dontaudit_send_rlogind_client_packets($1)
	corenet_dontaudit_receive_rlogind_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rlogind_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the rlogind_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_rlogind_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rlogind_client_packets'($*)) dnl
	gen_require(`
		type rlogind_client_packet_t;
	')

	allow $1 rlogind_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rlogind_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send rlogind_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_rlogind_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rlogind_server_packets'($*)) dnl
	gen_require(`
		type rlogind_server_packet_t;
	')

	allow $1 rlogind_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rlogind_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send rlogind_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_rlogind_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rlogind_server_packets'($*)) dnl
	gen_require(`
		type rlogind_server_packet_t;
	')

	dontaudit $1 rlogind_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rlogind_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive rlogind_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_rlogind_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rlogind_server_packets'($*)) dnl
	gen_require(`
		type rlogind_server_packet_t;
	')

	allow $1 rlogind_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rlogind_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive rlogind_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_rlogind_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rlogind_server_packets'($*)) dnl
	gen_require(`
		type rlogind_server_packet_t;
	')

	dontaudit $1 rlogind_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rlogind_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive rlogind_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_rlogind_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rlogind_server_packets'($*)) dnl
	corenet_send_rlogind_server_packets($1)
	corenet_receive_rlogind_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rlogind_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive rlogind_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_rlogind_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rlogind_server_packets'($*)) dnl
	corenet_dontaudit_send_rlogind_server_packets($1)
	corenet_dontaudit_receive_rlogind_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rlogind_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the rlogind_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_rlogind_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rlogind_server_packets'($*)) dnl
	gen_require(`
		type rlogind_server_packet_t;
	')

	allow $1 rlogind_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rlogind_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the rndc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rndc_port'($*)) dnl
	gen_require(`
		type rndc_port_t;
	')

	allow $1 rndc_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rndc_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the rndc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rndc_port'($*)) dnl
	gen_require(`
		type rndc_port_t;
	')

	allow $1 rndc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rndc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the rndc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rndc_port'($*)) dnl
	gen_require(`
		type rndc_port_t;
	')

	dontaudit $1 rndc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rndc_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the rndc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rndc_port'($*)) dnl
	gen_require(`
		type rndc_port_t;
	')

	allow $1 rndc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rndc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the rndc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rndc_port'($*)) dnl
	gen_require(`
		type rndc_port_t;
	')

	dontaudit $1 rndc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rndc_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the rndc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rndc_port'($*)) dnl
	corenet_udp_send_rndc_port($1)
	corenet_udp_receive_rndc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rndc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the rndc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rndc_port'($*)) dnl
	corenet_dontaudit_udp_send_rndc_port($1)
	corenet_dontaudit_udp_receive_rndc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rndc_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the rndc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rndc_port'($*)) dnl
	gen_require(`
		type rndc_port_t;
	')

	allow $1 rndc_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rndc_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the rndc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rndc_port'($*)) dnl
	gen_require(`
		type rndc_port_t;
	')

	allow $1 rndc_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rndc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the rndc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# NOTE(review): despite the dontaudit_ name, this interface also grants
# "allow $1 self:capability net_bind_service;", so a caller that only
# wants name_bind denials silenced receives a real capability. Confirm
# this is intended; the least-privilege form keeps only the dontaudit
# rule here and leaves the capability to corenet_udp_bind_rndc_port.
define(`corenet_dontaudit_udp_bind_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rndc_port'($*)) dnl
	gen_require(`
		type rndc_port_t;
	')

	dontaudit $1 rndc_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rndc_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the rndc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rndc_port'($*)) dnl
	gen_require(`
		type rndc_port_t;
	')

	allow $1 rndc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rndc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the rndc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_rndc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rndc_port'($*)) dnl
	gen_require(`
		type rndc_port_t;
	')

	dontaudit $1 rndc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rndc_port'($*)) dnl
')

########################################
## <summary>
##	Send rndc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_rndc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rndc_client_packets'($*)) dnl
	gen_require(`
		type rndc_client_packet_t;
	')

	allow $1 rndc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rndc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send rndc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_rndc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rndc_client_packets'($*)) dnl
	gen_require(`
		type rndc_client_packet_t;
	')

	dontaudit $1 rndc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rndc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive rndc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_rndc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rndc_client_packets'($*)) dnl
	gen_require(`
		type rndc_client_packet_t;
	')

	allow $1 rndc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rndc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive rndc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_rndc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rndc_client_packets'($*)) dnl
	gen_require(`
		type rndc_client_packet_t;
	')

	dontaudit $1 rndc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rndc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive rndc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_rndc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rndc_client_packets'($*)) dnl
	corenet_send_rndc_client_packets($1)
	corenet_receive_rndc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rndc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive rndc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_rndc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rndc_client_packets'($*)) dnl
	corenet_dontaudit_send_rndc_client_packets($1)
	corenet_dontaudit_receive_rndc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rndc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the rndc_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_rndc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rndc_client_packets'($*)) dnl
	gen_require(`
		type rndc_client_packet_t;
	')

	allow $1 rndc_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rndc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send rndc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_rndc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rndc_server_packets'($*)) dnl
	gen_require(`
		type rndc_server_packet_t;
	')

	allow $1 rndc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rndc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send rndc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_rndc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rndc_server_packets'($*)) dnl
	gen_require(`
		type rndc_server_packet_t;
	')

	dontaudit $1 rndc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rndc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive rndc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_rndc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rndc_server_packets'($*)) dnl
	gen_require(`
		type rndc_server_packet_t;
	')

	allow $1 rndc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rndc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive rndc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_rndc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rndc_server_packets'($*)) dnl
	gen_require(`
		type rndc_server_packet_t;
	')

	dontaudit $1 rndc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rndc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive rndc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_rndc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rndc_server_packets'($*)) dnl
	corenet_send_rndc_server_packets($1)
	corenet_receive_rndc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rndc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive rndc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_rndc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rndc_server_packets'($*)) dnl
	corenet_dontaudit_send_rndc_server_packets($1)
	corenet_dontaudit_receive_rndc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rndc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the rndc_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_rndc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rndc_server_packets'($*)) dnl
	gen_require(`
		type rndc_server_packet_t;
	')

	allow $1 rndc_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rndc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the router port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_router_port'($*)) dnl
	gen_require(`
		type router_port_t;
	')

	allow $1 router_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_router_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the router port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_router_port'($*)) dnl
	gen_require(`
		type router_port_t;
	')

	allow $1 router_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_router_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the router port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_router_port'($*)) dnl
	gen_require(`
		type router_port_t;
	')

	dontaudit $1 router_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_router_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the router port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_router_port'($*)) dnl
	gen_require(`
		type router_port_t;
	')

	allow $1 router_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_router_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the router port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_router_port'($*)) dnl
	gen_require(`
		type router_port_t;
	')

	dontaudit $1 router_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_router_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the router port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_router_port'($*)) dnl
	corenet_udp_send_router_port($1)
	corenet_udp_receive_router_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_router_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the router port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_router_port'($*)) dnl
	corenet_dontaudit_udp_send_router_port($1)
	corenet_dontaudit_udp_receive_router_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_router_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the router port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_router_port'($*)) dnl
	gen_require(`
		type router_port_t;
	')

	allow $1 router_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_router_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the router port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_router_port'($*)) dnl
	gen_require(`
		type router_port_t;
	')

	allow $1 router_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_router_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the router port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# NOTE(review): despite the dontaudit_ name, this interface also grants
# "allow $1 self:capability net_bind_service;", so a caller that only
# wants name_bind denials silenced receives a real capability. Confirm
# this is intended; the least-privilege form keeps only the dontaudit
# rule here and leaves the capability to corenet_udp_bind_router_port.
define(`corenet_dontaudit_udp_bind_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_router_port'($*)) dnl
	gen_require(`
		type router_port_t;
	')

	dontaudit $1 router_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_router_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the router port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_router_port'($*)) dnl
	gen_require(`
		type router_port_t;
	')

	allow $1 router_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_router_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the router port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_router_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_router_port'($*)) dnl
	gen_require(`
		type router_port_t;
	')

	dontaudit $1 router_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_router_port'($*)) dnl
')

########################################
## <summary>
##	Send router_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_router_client_packets'($*)) dnl
	gen_require(`
		type router_client_packet_t;
	')

	allow $1 router_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_router_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send router_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_router_client_packets'($*)) dnl
	gen_require(`
		type router_client_packet_t;
	')

	dontaudit $1 router_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_router_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive router_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_router_client_packets'($*)) dnl
	gen_require(`
		type router_client_packet_t;
	')

	allow $1 router_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_router_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive router_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_router_client_packets'($*)) dnl
	gen_require(`
		type router_client_packet_t;
	')

	dontaudit $1 router_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_router_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive router_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_router_client_packets'($*)) dnl
	corenet_send_router_client_packets($1)
	corenet_receive_router_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_router_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive router_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_router_client_packets'($*)) dnl
	corenet_dontaudit_send_router_client_packets($1)
	corenet_dontaudit_receive_router_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_router_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the router_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_router_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_router_client_packets'($*)) dnl
	gen_require(`
		type router_client_packet_t;
	')

	allow $1 router_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_router_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send router_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_router_server_packets'($*)) dnl
	gen_require(`
		type router_server_packet_t;
	')

	allow $1 router_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_router_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send router_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# policy_call_depth is raised for the duration of each expansion below and is
# passed to the begin/end markers that policy_m4_comment emits around the rules.
define(`corenet_dontaudit_send_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_router_server_packets'($*)) dnl
gen_require(`
	type router_server_packet_t;
')

	dontaudit $1 router_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_router_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive router_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_router_server_packets'($*)) dnl
gen_require(`
	type router_server_packet_t;
')

	allow $1 router_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_router_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive router_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_router_server_packets'($*)) dnl
gen_require(`
	type router_server_packet_t;
')

	dontaudit $1 router_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_router_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive router_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is raised for the duration of each expansion below and is
# passed to the begin/end markers that policy_m4_comment emits around the rules.
# Composite: delegates to the send and receive interfaces for this packet type.
define(`corenet_sendrecv_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_router_server_packets'($*)) dnl
	corenet_send_router_server_packets($1)
	corenet_receive_router_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_router_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive router_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Composite: delegates to the dontaudit send and receive interfaces.
define(`corenet_dontaudit_sendrecv_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_router_server_packets'($*)) dnl
	corenet_dontaudit_send_router_server_packets($1)
	corenet_dontaudit_receive_router_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_router_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the router_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_router_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_router_server_packets'($*)) dnl
gen_require(`
	type router_server_packet_t;
')

	allow $1 router_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_router_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the rsh port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is raised for the duration of each expansion below and is
# passed to the begin/end markers that policy_m4_comment emits around the rules.
define(`corenet_tcp_sendrecv_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rsh_port'($*)) dnl
gen_require(`
	type rsh_port_t;
')

	allow $1 rsh_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rsh_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the rsh port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rsh_port'($*)) dnl
gen_require(`
	type rsh_port_t;
')

	allow $1 rsh_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rsh_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the rsh port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rsh_port'($*)) dnl
gen_require(`
	type rsh_port_t;
')

	dontaudit $1 rsh_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rsh_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the rsh port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is raised for the duration of each expansion below and is
# passed to the begin/end markers that policy_m4_comment emits around the rules.
define(`corenet_udp_receive_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rsh_port'($*)) dnl
gen_require(`
	type rsh_port_t;
')

	allow $1 rsh_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rsh_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the rsh port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rsh_port'($*)) dnl
gen_require(`
	type rsh_port_t;
')

	dontaudit $1 rsh_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rsh_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the rsh port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Composite: delegates to the UDP send and receive interfaces for this port.
define(`corenet_udp_sendrecv_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rsh_port'($*)) dnl
	corenet_udp_send_rsh_port($1)
	corenet_udp_receive_rsh_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rsh_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the rsh port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# policy_call_depth is raised for the duration of each expansion below and is
# passed to the begin/end markers that policy_m4_comment emits around the rules.
# Composite: delegates to the dontaudit UDP send and receive interfaces.
define(`corenet_dontaudit_udp_sendrecv_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rsh_port'($*)) dnl
	corenet_dontaudit_udp_send_rsh_port($1)
	corenet_dontaudit_udp_receive_rsh_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rsh_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the rsh port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rsh_port'($*)) dnl
gen_require(`
	type rsh_port_t;
')

	allow $1 rsh_port_t:tcp_socket name_bind;
	# net_bind_service is granted together with name_bind unconditionally,
	# so the caller receives this capability whatever the port number is.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rsh_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the rsh port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rsh_port'($*)) dnl
gen_require(`
	type rsh_port_t;
')

	allow $1 rsh_port_t:udp_socket name_bind;
	# net_bind_service is granted together with name_bind unconditionally,
	# so the caller receives this capability whatever the port number is.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rsh_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the rsh port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# policy_call_depth is raised for the duration of each expansion below and is
# passed to the begin/end markers that policy_m4_comment emits around the rules.
define(`corenet_dontaudit_udp_bind_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rsh_port'($*)) dnl
gen_require(`
	type rsh_port_t;
')

	dontaudit $1 rsh_port_t:udp_socket name_bind;
	# NOTE(review): this dontaudit interface still grants a real permission
	# below. A caller that only wants the name_bind denial silenced also
	# receives net_bind_service, which it may not need (least privilege).
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rsh_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the rsh port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rsh_port'($*)) dnl
gen_require(`
	type rsh_port_t;
')

	allow $1 rsh_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rsh_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the rsh port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_rsh_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rsh_port'($*)) dnl
gen_require(`
	type rsh_port_t;
')

	dontaudit $1 rsh_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rsh_port'($*)) dnl
')

########################################
## <summary>
##	Send rsh_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is raised for the duration of each expansion below and is
# passed to the begin/end markers that policy_m4_comment emits around the rules.
define(`corenet_send_rsh_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rsh_client_packets'($*)) dnl
gen_require(`
	type rsh_client_packet_t;
')

	allow $1 rsh_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rsh_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send rsh_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_rsh_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rsh_client_packets'($*)) dnl
gen_require(`
	type rsh_client_packet_t;
')

	dontaudit $1 rsh_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rsh_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive rsh_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_rsh_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rsh_client_packets'($*)) dnl
gen_require(`
	type rsh_client_packet_t;
')

	allow $1 rsh_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rsh_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive rsh_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# policy_call_depth is raised for the duration of each expansion below and is
# passed to the begin/end markers that policy_m4_comment emits around the rules.
define(`corenet_dontaudit_receive_rsh_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rsh_client_packets'($*)) dnl
gen_require(`
	type rsh_client_packet_t;
')

	dontaudit $1 rsh_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rsh_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive rsh_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Composite: delegates to the send and receive interfaces for this packet type.
define(`corenet_sendrecv_rsh_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rsh_client_packets'($*)) dnl
	corenet_send_rsh_client_packets($1)
	corenet_receive_rsh_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rsh_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive rsh_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Composite: delegates to the dontaudit send and receive interfaces.
define(`corenet_dontaudit_sendrecv_rsh_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rsh_client_packets'($*)) dnl
	corenet_dontaudit_send_rsh_client_packets($1)
	corenet_dontaudit_receive_rsh_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rsh_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the rsh_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is raised for the duration of each expansion below and is
# passed to the begin/end markers that policy_m4_comment emits around the rules.
define(`corenet_relabelto_rsh_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rsh_client_packets'($*)) dnl
gen_require(`
	type rsh_client_packet_t;
')

	allow $1 rsh_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rsh_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send rsh_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_rsh_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rsh_server_packets'($*)) dnl
gen_require(`
	type rsh_server_packet_t;
')

	allow $1 rsh_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rsh_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send rsh_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_rsh_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rsh_server_packets'($*)) dnl
gen_require(`
	type rsh_server_packet_t;
')

	dontaudit $1 rsh_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rsh_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive rsh_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is raised for the duration of each expansion below and is
# passed to the begin/end markers that policy_m4_comment emits around the rules.
define(`corenet_receive_rsh_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rsh_server_packets'($*)) dnl
gen_require(`
	type rsh_server_packet_t;
')

	allow $1 rsh_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rsh_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive rsh_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_rsh_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rsh_server_packets'($*)) dnl
gen_require(`
	type rsh_server_packet_t;
')

	dontaudit $1 rsh_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rsh_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive rsh_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Composite: delegates to the send and receive interfaces for this packet type.
define(`corenet_sendrecv_rsh_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rsh_server_packets'($*)) dnl
	corenet_send_rsh_server_packets($1)
	corenet_receive_rsh_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rsh_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive rsh_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# policy_call_depth is raised for the duration of each expansion below and is
# passed to the begin/end markers that policy_m4_comment emits around the rules.
# Composite: delegates to the dontaudit send and receive interfaces.
define(`corenet_dontaudit_sendrecv_rsh_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rsh_server_packets'($*)) dnl
	corenet_dontaudit_send_rsh_server_packets($1)
	corenet_dontaudit_receive_rsh_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rsh_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the rsh_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_rsh_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rsh_server_packets'($*)) dnl
gen_require(`
	type rsh_server_packet_t;
')

	allow $1 rsh_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rsh_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the rsync port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rsync_port'($*)) dnl
gen_require(`
	type rsync_port_t;
')

	allow $1 rsync_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rsync_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the rsync port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is raised for the duration of each expansion below and is
# passed to the begin/end markers that policy_m4_comment emits around the rules.
define(`corenet_udp_send_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rsync_port'($*)) dnl
gen_require(`
	type rsync_port_t;
')

	allow $1 rsync_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rsync_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the rsync port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rsync_port'($*)) dnl
gen_require(`
	type rsync_port_t;
')

	dontaudit $1 rsync_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rsync_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the rsync port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rsync_port'($*)) dnl
gen_require(`
	type rsync_port_t;
')

	allow $1 rsync_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rsync_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the rsync port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# policy_call_depth is raised for the duration of each expansion below and is
# passed to the begin/end markers that policy_m4_comment emits around the rules.
define(`corenet_dontaudit_udp_receive_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rsync_port'($*)) dnl
gen_require(`
	type rsync_port_t;
')

	dontaudit $1 rsync_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rsync_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the rsync port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Composite: delegates to the UDP send and receive interfaces for this port.
define(`corenet_udp_sendrecv_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rsync_port'($*)) dnl
	corenet_udp_send_rsync_port($1)
	corenet_udp_receive_rsync_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rsync_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the rsync port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Composite: delegates to the dontaudit UDP send and receive interfaces.
define(`corenet_dontaudit_udp_sendrecv_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rsync_port'($*)) dnl
	corenet_dontaudit_udp_send_rsync_port($1)
	corenet_dontaudit_udp_receive_rsync_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rsync_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the rsync port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is raised for the duration of each expansion below and is
# passed to the begin/end markers that policy_m4_comment emits around the rules.
define(`corenet_tcp_bind_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rsync_port'($*)) dnl
gen_require(`
	type rsync_port_t;
')

	allow $1 rsync_port_t:tcp_socket name_bind;
	# net_bind_service is granted together with name_bind unconditionally,
	# so the caller receives this capability whatever the port number is.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rsync_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the rsync port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rsync_port'($*)) dnl
gen_require(`
	type rsync_port_t;
')

	allow $1 rsync_port_t:udp_socket name_bind;
	# net_bind_service is granted together with name_bind unconditionally,
	# so the caller receives this capability whatever the port number is.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rsync_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the rsync port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rsync_port'($*)) dnl
gen_require(`
	type rsync_port_t;
')

	dontaudit $1 rsync_port_t:udp_socket name_bind;
	# NOTE(review): this dontaudit interface still grants a real permission
	# below. A caller that only wants the name_bind denial silenced also
	# receives net_bind_service, which it may not need (least privilege).
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rsync_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the rsync port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is raised for the duration of each expansion below and is
# passed to the begin/end markers that policy_m4_comment emits around the rules.
define(`corenet_tcp_connect_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rsync_port'($*)) dnl
gen_require(`
	type rsync_port_t;
')

	allow $1 rsync_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rsync_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the rsync port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_rsync_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rsync_port'($*)) dnl
gen_require(`
	type rsync_port_t;
')

	dontaudit $1 rsync_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rsync_port'($*)) dnl
')

########################################
## <summary>
##	Send rsync_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_rsync_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rsync_client_packets'($*)) dnl
gen_require(`
	type rsync_client_packet_t;
')

	allow $1 rsync_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rsync_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send rsync_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# policy_call_depth is raised for the duration of each expansion below and is
# passed to the begin/end markers that policy_m4_comment emits around the rules.
define(`corenet_dontaudit_send_rsync_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rsync_client_packets'($*)) dnl
gen_require(`
	type rsync_client_packet_t;
')

	dontaudit $1 rsync_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rsync_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive rsync_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_rsync_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rsync_client_packets'($*)) dnl
gen_require(`
	type rsync_client_packet_t;
')

	allow $1 rsync_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rsync_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive rsync_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_rsync_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rsync_client_packets'($*)) dnl
gen_require(`
	type rsync_client_packet_t;
')

	dontaudit $1 rsync_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rsync_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive rsync_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is raised for the duration of each expansion below and is
# passed to the begin/end markers that policy_m4_comment emits around the rules.
# Composite: delegates to the send and receive interfaces for this packet type.
define(`corenet_sendrecv_rsync_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rsync_client_packets'($*)) dnl
	corenet_send_rsync_client_packets($1)
	corenet_receive_rsync_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rsync_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive rsync_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Composite: delegates to the dontaudit send and receive interfaces.
define(`corenet_dontaudit_sendrecv_rsync_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rsync_client_packets'($*)) dnl
	corenet_dontaudit_send_rsync_client_packets($1)
	corenet_dontaudit_receive_rsync_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rsync_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the rsync_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_rsync_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rsync_client_packets'($*)) dnl
gen_require(`
	type rsync_client_packet_t;
')

	allow $1 rsync_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rsync_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send rsync_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is raised for the duration of each expansion below and is
# passed to the begin/end markers that policy_m4_comment emits around the rules.
define(`corenet_send_rsync_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rsync_server_packets'($*)) dnl
gen_require(`
	type rsync_server_packet_t;
')

	allow $1 rsync_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rsync_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send rsync_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_rsync_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rsync_server_packets'($*)) dnl
gen_require(`
	type rsync_server_packet_t;
')

	dontaudit $1 rsync_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rsync_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive rsync_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_rsync_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rsync_server_packets'($*)) dnl
gen_require(`
	type rsync_server_packet_t;
')

	allow $1 rsync_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rsync_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive rsync_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# policy_call_depth is raised for the duration of each expansion below and is
# passed to the begin/end markers that policy_m4_comment emits around the rules.
define(`corenet_dontaudit_receive_rsync_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rsync_server_packets'($*)) dnl
gen_require(`
	type rsync_server_packet_t;
')

	dontaudit $1 rsync_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rsync_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive rsync_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Composite: delegates to the send and receive interfaces for this packet type.
define(`corenet_sendrecv_rsync_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rsync_server_packets'($*)) dnl
	corenet_send_rsync_server_packets($1)
	corenet_receive_rsync_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rsync_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive rsync_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Composite: delegates to the dontaudit send and receive interfaces.
define(`corenet_dontaudit_sendrecv_rsync_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rsync_server_packets'($*)) dnl
	corenet_dontaudit_send_rsync_server_packets($1)
	corenet_dontaudit_receive_rsync_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rsync_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the rsync_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# policy_call_depth is raised for the duration of each expansion below and is
# passed to the begin/end markers that policy_m4_comment emits around the rules.
define(`corenet_relabelto_rsync_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rsync_server_packets'($*)) dnl
gen_require(`
	type rsync_server_packet_t;
')

	allow $1 rsync_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rsync_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the rtp_media port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_rtp_media_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rtp_media_port'($*)) dnl
gen_require(`
	type rtp_media_port_t;
')

	allow $1 rtp_media_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rtp_media_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the rtp_media port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_rtp_media_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rtp_media_port'($*)) dnl
gen_require(`
	type rtp_media_port_t;
')

	allow $1 rtp_media_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_rtp_media_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the rtp_media port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## ## ## # define(`corenet_dontaudit_udp_send_rtp_media_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rtp_media_port'($*)) dnl gen_require(` type rtp_media_port_t; ') dontaudit $1 rtp_media_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rtp_media_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the rtp_media port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_rtp_media_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rtp_media_port'($*)) dnl gen_require(` type rtp_media_port_t; ') allow $1 rtp_media_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rtp_media_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the rtp_media port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_rtp_media_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rtp_media_port'($*)) dnl gen_require(` type rtp_media_port_t; ') dontaudit $1 rtp_media_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rtp_media_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the rtp_media port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_sendrecv_rtp_media_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rtp_media_port'($*)) dnl corenet_udp_send_rtp_media_port($1) corenet_udp_receive_rtp_media_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rtp_media_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the rtp_media port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_rtp_media_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rtp_media_port'($*)) dnl corenet_dontaudit_udp_send_rtp_media_port($1) corenet_dontaudit_udp_receive_rtp_media_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rtp_media_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the rtp_media port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_rtp_media_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rtp_media_port'($*)) dnl gen_require(` type rtp_media_port_t; ') allow $1 rtp_media_port_t:tcp_socket name_bind; allow $1 self:capability net_bind_service; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rtp_media_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the rtp_media port. ## ## ## ## Domain allowed access. 
##	</summary>
## </param>
#
# NOTE(review): net_bind_service is granted unconditionally alongside the
# name_bind rule. On Linux that capability is only needed for privileged
# (< 1024) ports -- confirm the rtp_media port range before relying on it.
define(`corenet_udp_bind_rtp_media_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rtp_media_port'($*))dnl
	gen_require(`
		type rtp_media_port_t;
	')

	allow $1 rtp_media_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rtp_media_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the rtp_media port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# NOTE(review): despite the dontaudit_ name this interface also *grants*
# CAP_NET_BIND_SERVICE to the caller (the allow line below). A module that
# calls it only to silence name_bind denials silently gains a real capability;
# confirm that is intended, otherwise the allow line does not belong here.
define(`corenet_dontaudit_udp_bind_rtp_media_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rtp_media_port'($*))dnl
	gen_require(`
		type rtp_media_port_t;
	')

	dontaudit $1 rtp_media_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rtp_media_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the rtp_media port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_rtp_media_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rtp_media_port'($*))dnl
	gen_require(`
		type rtp_media_port_t;
	')

	allow $1 rtp_media_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rtp_media_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the rtp_media port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## ## # define(`corenet_dontaudit_tcp_connect_rtp_media_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rtp_media_port'($*)) dnl gen_require(` type rtp_media_port_t; ') dontaudit $1 rtp_media_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rtp_media_port'($*)) dnl ') ######################################## ## ## Send rtp_media_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_rtp_media_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_rtp_media_client_packets'($*)) dnl gen_require(` type rtp_media_client_packet_t; ') allow $1 rtp_media_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_rtp_media_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send rtp_media_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_rtp_media_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rtp_media_client_packets'($*)) dnl gen_require(` type rtp_media_client_packet_t; ') dontaudit $1 rtp_media_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rtp_media_client_packets'($*)) dnl ') ######################################## ## ## Receive rtp_media_client packets. ## ## ## ## Domain allowed access. 
##	</summary>
## </param>
#
define(`corenet_receive_rtp_media_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rtp_media_client_packets'($*))dnl
	gen_require(`
		type rtp_media_client_packet_t;
	')

	allow $1 rtp_media_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rtp_media_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive rtp_media_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only suppresses the AVC denial record; it grants nothing.
define(`corenet_dontaudit_receive_rtp_media_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rtp_media_client_packets'($*))dnl
	gen_require(`
		type rtp_media_client_packet_t;
	')

	dontaudit $1 rtp_media_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rtp_media_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive rtp_media_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Composed from the send and receive interfaces, which carry the gen_require.
define(`corenet_sendrecv_rtp_media_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rtp_media_client_packets'($*))dnl
	corenet_send_rtp_media_client_packets($1)
	corenet_receive_rtp_media_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rtp_media_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive rtp_media_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## ## ## # define(`corenet_dontaudit_sendrecv_rtp_media_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rtp_media_client_packets'($*)) dnl corenet_dontaudit_send_rtp_media_client_packets($1) corenet_dontaudit_receive_rtp_media_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rtp_media_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to rtp_media_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_rtp_media_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rtp_media_client_packets'($*)) dnl gen_require(` type rtp_media_client_packet_t; ') allow $1 rtp_media_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_rtp_media_client_packets'($*)) dnl ') ######################################## ## ## Send rtp_media_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_rtp_media_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_rtp_media_server_packets'($*)) dnl gen_require(` type rtp_media_server_packet_t; ') allow $1 rtp_media_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_rtp_media_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send rtp_media_server packets. ## ## ## ## Domain to not audit. 
##	</summary>
## </param>
#
# dontaudit only suppresses the AVC denial record; it grants nothing.
define(`corenet_dontaudit_send_rtp_media_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rtp_media_server_packets'($*))dnl
	gen_require(`
		type rtp_media_server_packet_t;
	')

	dontaudit $1 rtp_media_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rtp_media_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive rtp_media_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_rtp_media_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rtp_media_server_packets'($*))dnl
	gen_require(`
		type rtp_media_server_packet_t;
	')

	allow $1 rtp_media_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rtp_media_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive rtp_media_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_rtp_media_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rtp_media_server_packets'($*))dnl
	gen_require(`
		type rtp_media_server_packet_t;
	')

	dontaudit $1 rtp_media_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rtp_media_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive rtp_media_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## ## # define(`corenet_sendrecv_rtp_media_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rtp_media_server_packets'($*)) dnl corenet_send_rtp_media_server_packets($1) corenet_receive_rtp_media_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rtp_media_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive rtp_media_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_rtp_media_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rtp_media_server_packets'($*)) dnl corenet_dontaudit_send_rtp_media_server_packets($1) corenet_dontaudit_receive_rtp_media_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rtp_media_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to rtp_media_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_rtp_media_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rtp_media_server_packets'($*)) dnl gen_require(` type rtp_media_server_packet_t; ') allow $1 rtp_media_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_rtp_media_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the rtsp port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_sendrecv_rtsp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rtsp_port'($*)) dnl gen_require(` type rtsp_port_t; ') allow $1 rtsp_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rtsp_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the rtsp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_rtsp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rtsp_port'($*)) dnl gen_require(` type rtsp_port_t; ') allow $1 rtsp_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_rtsp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the rtsp port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_rtsp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rtsp_port'($*)) dnl gen_require(` type rtsp_port_t; ') dontaudit $1 rtsp_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rtsp_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the rtsp port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_receive_rtsp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rtsp_port'($*)) dnl gen_require(` type rtsp_port_t; ') allow $1 rtsp_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rtsp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the rtsp port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_rtsp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rtsp_port'($*)) dnl gen_require(` type rtsp_port_t; ') dontaudit $1 rtsp_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rtsp_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the rtsp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_rtsp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rtsp_port'($*)) dnl corenet_udp_send_rtsp_port($1) corenet_udp_receive_rtsp_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rtsp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the rtsp port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_sendrecv_rtsp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rtsp_port'($*)) dnl corenet_dontaudit_udp_send_rtsp_port($1) corenet_dontaudit_udp_receive_rtsp_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rtsp_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the rtsp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_rtsp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rtsp_port'($*)) dnl gen_require(` type rtsp_port_t; ') allow $1 rtsp_port_t:tcp_socket name_bind; allow $1 self:capability net_bind_service; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rtsp_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the rtsp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_rtsp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rtsp_port'($*)) dnl gen_require(` type rtsp_port_t; ') allow $1 rtsp_port_t:udp_socket name_bind; allow $1 self:capability net_bind_service; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rtsp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to sbind to rtsp port. ## ## ## ## Domain to not audit. 
##	</summary>
## </param>
#
# NOTE(review): despite the dontaudit_ name this interface also *grants*
# CAP_NET_BIND_SERVICE to the caller (the allow line below). A module that
# calls it only to silence name_bind denials silently gains a real capability;
# confirm that is intended, otherwise the allow line does not belong here.
define(`corenet_dontaudit_udp_bind_rtsp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rtsp_port'($*))dnl
	gen_require(`
		type rtsp_port_t;
	')

	dontaudit $1 rtsp_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rtsp_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the rtsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_rtsp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rtsp_port'($*))dnl
	gen_require(`
		type rtsp_port_t;
	')

	allow $1 rtsp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rtsp_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the rtsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only suppresses the AVC denial record; it grants nothing.
define(`corenet_dontaudit_tcp_connect_rtsp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rtsp_port'($*))dnl
	gen_require(`
		type rtsp_port_t;
	')

	dontaudit $1 rtsp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rtsp_port'($*))dnl
')

########################################
## <summary>
##	Send rtsp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## ## # define(`corenet_send_rtsp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_rtsp_client_packets'($*)) dnl gen_require(` type rtsp_client_packet_t; ') allow $1 rtsp_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_rtsp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send rtsp_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_rtsp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rtsp_client_packets'($*)) dnl gen_require(` type rtsp_client_packet_t; ') dontaudit $1 rtsp_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rtsp_client_packets'($*)) dnl ') ######################################## ## ## Receive rtsp_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_rtsp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_rtsp_client_packets'($*)) dnl gen_require(` type rtsp_client_packet_t; ') allow $1 rtsp_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_rtsp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive rtsp_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_rtsp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rtsp_client_packets'($*)) dnl gen_require(` type rtsp_client_packet_t; ') dontaudit $1 rtsp_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rtsp_client_packets'($*)) dnl ') ######################################## ## ## Send and receive rtsp_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_rtsp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rtsp_client_packets'($*)) dnl corenet_send_rtsp_client_packets($1) corenet_receive_rtsp_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rtsp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive rtsp_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_rtsp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rtsp_client_packets'($*)) dnl corenet_dontaudit_send_rtsp_client_packets($1) corenet_dontaudit_receive_rtsp_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rtsp_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to rtsp_client the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_rtsp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rtsp_client_packets'($*)) dnl gen_require(` type rtsp_client_packet_t; ') allow $1 rtsp_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_rtsp_client_packets'($*)) dnl ') ######################################## ## ## Send rtsp_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_rtsp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_rtsp_server_packets'($*)) dnl gen_require(` type rtsp_server_packet_t; ') allow $1 rtsp_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_rtsp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send rtsp_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_rtsp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rtsp_server_packets'($*)) dnl gen_require(` type rtsp_server_packet_t; ') dontaudit $1 rtsp_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rtsp_server_packets'($*)) dnl ') ######################################## ## ## Receive rtsp_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_rtsp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_rtsp_server_packets'($*)) dnl gen_require(` type rtsp_server_packet_t; ') allow $1 rtsp_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_rtsp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive rtsp_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_rtsp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rtsp_server_packets'($*)) dnl gen_require(` type rtsp_server_packet_t; ') dontaudit $1 rtsp_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rtsp_server_packets'($*)) dnl ') ######################################## ## ## Send and receive rtsp_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_rtsp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rtsp_server_packets'($*)) dnl corenet_send_rtsp_server_packets($1) corenet_receive_rtsp_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rtsp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive rtsp_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_rtsp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rtsp_server_packets'($*)) dnl corenet_dontaudit_send_rtsp_server_packets($1) corenet_dontaudit_receive_rtsp_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rtsp_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to rtsp_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_rtsp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rtsp_server_packets'($*)) dnl gen_require(` type rtsp_server_packet_t; ') allow $1 rtsp_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_rtsp_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the rwho port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_rwho_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_rwho_port'($*)) dnl gen_require(` type rwho_port_t; ') allow $1 rwho_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_rwho_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the rwho port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_send_rwho_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_rwho_port'($*)) dnl gen_require(` type rwho_port_t; ') allow $1 rwho_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_rwho_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the rwho port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_rwho_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_rwho_port'($*)) dnl gen_require(` type rwho_port_t; ') dontaudit $1 rwho_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_rwho_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the rwho port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_rwho_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_rwho_port'($*)) dnl gen_require(` type rwho_port_t; ') allow $1 rwho_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_rwho_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the rwho port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_receive_rwho_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_rwho_port'($*)) dnl gen_require(` type rwho_port_t; ') dontaudit $1 rwho_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_rwho_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the rwho port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_rwho_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_rwho_port'($*)) dnl corenet_udp_send_rwho_port($1) corenet_udp_receive_rwho_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_rwho_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the rwho port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_rwho_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_rwho_port'($*)) dnl corenet_dontaudit_udp_send_rwho_port($1) corenet_dontaudit_udp_receive_rwho_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_rwho_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the rwho port. ## ## ## ## Domain allowed access. 
##	</summary>
## </param>
#
# NOTE(review): net_bind_service is granted unconditionally alongside the
# name_bind rule. On Linux that capability is only needed for privileged
# (< 1024) ports -- confirm the rwho port number before relying on it.
define(`corenet_tcp_bind_rwho_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_rwho_port'($*))dnl
	gen_require(`
		type rwho_port_t;
	')

	allow $1 rwho_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_rwho_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the rwho port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_rwho_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_rwho_port'($*))dnl
	gen_require(`
		type rwho_port_t;
	')

	allow $1 rwho_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_rwho_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the rwho port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# NOTE(review): despite the dontaudit_ name this interface also *grants*
# CAP_NET_BIND_SERVICE to the caller (the allow line below). A module that
# calls it only to silence name_bind denials silently gains a real capability;
# confirm that is intended, otherwise the allow line does not belong here.
define(`corenet_dontaudit_udp_bind_rwho_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_rwho_port'($*))dnl
	gen_require(`
		type rwho_port_t;
	')

	dontaudit $1 rwho_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_rwho_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the rwho port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_rwho_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_rwho_port'($*)) dnl
	gen_require(`
		type rwho_port_t;
	')

	allow $1 rwho_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_rwho_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the rwho port.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_rwho_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_rwho_port'($*)) dnl
	gen_require(`
		type rwho_port_t;
	')

	dontaudit $1 rwho_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_rwho_port'($*)) dnl
')

########################################
##
##	Send rwho_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_rwho_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rwho_client_packets'($*)) dnl
	gen_require(`
		type rwho_client_packet_t;
	')

	allow $1 rwho_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rwho_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send rwho_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rwho_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rwho_client_packets'($*)) dnl
	gen_require(`
		type rwho_client_packet_t;
	')

	dontaudit $1 rwho_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rwho_client_packets'($*)) dnl
')

########################################
##
##	Receive rwho_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_rwho_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rwho_client_packets'($*)) dnl
	gen_require(`
		type rwho_client_packet_t;
	')

	allow $1 rwho_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rwho_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive rwho_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_rwho_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rwho_client_packets'($*)) dnl
	gen_require(`
		type rwho_client_packet_t;
	')

	dontaudit $1 rwho_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rwho_client_packets'($*)) dnl
')

########################################
##
##	Send and receive rwho_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rwho_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rwho_client_packets'($*)) dnl
	corenet_send_rwho_client_packets($1)
	corenet_receive_rwho_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rwho_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive rwho_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rwho_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rwho_client_packets'($*)) dnl
	corenet_dontaudit_send_rwho_client_packets($1)
	corenet_dontaudit_receive_rwho_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rwho_client_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the rwho_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_rwho_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rwho_client_packets'($*)) dnl
	gen_require(`
		type rwho_client_packet_t;
	')

	allow $1 rwho_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rwho_client_packets'($*)) dnl
')

########################################
##
##	Send rwho_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_rwho_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_rwho_server_packets'($*)) dnl
	gen_require(`
		type rwho_server_packet_t;
	')

	allow $1 rwho_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_rwho_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send rwho_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_rwho_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_rwho_server_packets'($*)) dnl
	gen_require(`
		type rwho_server_packet_t;
	')

	dontaudit $1 rwho_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_rwho_server_packets'($*)) dnl
')

########################################
##
##	Receive rwho_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_rwho_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_rwho_server_packets'($*)) dnl
	gen_require(`
		type rwho_server_packet_t;
	')

	allow $1 rwho_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_rwho_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive rwho_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_rwho_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_rwho_server_packets'($*)) dnl
	gen_require(`
		type rwho_server_packet_t;
	')

	dontaudit $1 rwho_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_rwho_server_packets'($*)) dnl
')

########################################
##
##	Send and receive rwho_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_rwho_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_rwho_server_packets'($*)) dnl
	corenet_send_rwho_server_packets($1)
	corenet_receive_rwho_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_rwho_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive rwho_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_rwho_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_rwho_server_packets'($*)) dnl
	corenet_dontaudit_send_rwho_server_packets($1)
	corenet_dontaudit_receive_rwho_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_rwho_server_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the rwho_server packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_rwho_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_rwho_server_packets'($*)) dnl
	gen_require(`
		type rwho_server_packet_t;
	')

	allow $1 rwho_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_rwho_server_packets'($*)) dnl
')

########################################
##
##	Send and receive TCP traffic on the salt port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_salt_port'($*)) dnl
	gen_require(`
		type salt_port_t;
	')

	allow $1 salt_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_salt_port'($*)) dnl
')

########################################
##
##	Send UDP traffic on the salt port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_send_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_salt_port'($*)) dnl
	gen_require(`
		type salt_port_t;
	')

	allow $1 salt_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_salt_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send UDP traffic on the salt port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_salt_port'($*)) dnl
	gen_require(`
		type salt_port_t;
	')

	dontaudit $1 salt_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_salt_port'($*)) dnl
')

########################################
##
##	Receive UDP traffic on the salt port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_salt_port'($*)) dnl
	gen_require(`
		type salt_port_t;
	')

	allow $1 salt_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_salt_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive UDP traffic on the salt port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_salt_port'($*)) dnl
	gen_require(`
		type salt_port_t;
	')

	dontaudit $1 salt_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_salt_port'($*)) dnl
')

########################################
##
##	Send and receive UDP traffic on the salt port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_salt_port'($*)) dnl
	corenet_udp_send_salt_port($1)
	corenet_udp_receive_salt_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_salt_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the salt port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_salt_port'($*)) dnl
	corenet_dontaudit_udp_send_salt_port($1)
	corenet_dontaudit_udp_receive_salt_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_salt_port'($*)) dnl
')

########################################
##
##	Bind TCP sockets to the salt port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_salt_port'($*)) dnl
	gen_require(`
		type salt_port_t;
	')

	# no net_bind_service is granted here, unlike the rwho bind interfaces
	allow $1 salt_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_salt_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the salt port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_salt_port'($*)) dnl
	gen_require(`
		type salt_port_t;
	')

	allow $1 salt_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_salt_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind UDP sockets to the salt port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_salt_port'($*)) dnl
	gen_require(`
		type salt_port_t;
	')

	dontaudit $1 salt_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_salt_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the salt port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_salt_port'($*)) dnl
	gen_require(`
		type salt_port_t;
	')

	allow $1 salt_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_salt_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the salt port.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_salt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_salt_port'($*)) dnl
	gen_require(`
		type salt_port_t;
	')

	dontaudit $1 salt_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_salt_port'($*)) dnl
')

########################################
##
##	Send salt_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_salt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_salt_client_packets'($*)) dnl
	gen_require(`
		type salt_client_packet_t;
	')

	allow $1 salt_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_salt_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send salt_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_salt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_salt_client_packets'($*)) dnl
	gen_require(`
		type salt_client_packet_t;
	')

	dontaudit $1 salt_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_salt_client_packets'($*)) dnl
')

########################################
##
##	Receive salt_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_salt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_salt_client_packets'($*)) dnl
	gen_require(`
		type salt_client_packet_t;
	')

	allow $1 salt_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_salt_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive salt_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_salt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_salt_client_packets'($*)) dnl
	gen_require(`
		type salt_client_packet_t;
	')

	dontaudit $1 salt_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_salt_client_packets'($*)) dnl
')

########################################
##
##	Send and receive salt_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_salt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_salt_client_packets'($*)) dnl
	corenet_send_salt_client_packets($1)
	corenet_receive_salt_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_salt_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive salt_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_salt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_salt_client_packets'($*)) dnl
	corenet_dontaudit_send_salt_client_packets($1)
	corenet_dontaudit_receive_salt_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_salt_client_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the salt_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_salt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_salt_client_packets'($*)) dnl
	gen_require(`
		type salt_client_packet_t;
	')

	allow $1 salt_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_salt_client_packets'($*)) dnl
')

########################################
##
##	Send salt_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_salt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_salt_server_packets'($*)) dnl
	gen_require(`
		type salt_server_packet_t;
	')

	allow $1 salt_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_salt_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send salt_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_salt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_salt_server_packets'($*)) dnl
	gen_require(`
		type salt_server_packet_t;
	')

	dontaudit $1 salt_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_salt_server_packets'($*)) dnl
')

########################################
##
##	Receive salt_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_salt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_salt_server_packets'($*)) dnl
	gen_require(`
		type salt_server_packet_t;
	')

	allow $1 salt_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_salt_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive salt_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_salt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_salt_server_packets'($*)) dnl
	gen_require(`
		type salt_server_packet_t;
	')

	dontaudit $1 salt_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_salt_server_packets'($*)) dnl
')

########################################
##
##	Send and receive salt_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_salt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_salt_server_packets'($*)) dnl
	corenet_send_salt_server_packets($1)
	corenet_receive_salt_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_salt_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive salt_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_salt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_salt_server_packets'($*)) dnl
	corenet_dontaudit_send_salt_server_packets($1)
	corenet_dontaudit_receive_salt_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_salt_server_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the salt_server packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_salt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_salt_server_packets'($*)) dnl
	gen_require(`
		type salt_server_packet_t;
	')

	allow $1 salt_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_salt_server_packets'($*)) dnl
')

########################################
##
##	Send and receive TCP traffic on the sap port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_sap_port'($*)) dnl
	gen_require(`
		type sap_port_t;
	')

	allow $1 sap_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_sap_port'($*)) dnl
')

########################################
##
##	Send UDP traffic on the sap port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_send_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_sap_port'($*)) dnl
	gen_require(`
		type sap_port_t;
	')

	allow $1 sap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_sap_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send UDP traffic on the sap port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_sap_port'($*)) dnl
	gen_require(`
		type sap_port_t;
	')

	dontaudit $1 sap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_sap_port'($*)) dnl
')

########################################
##
##	Receive UDP traffic on the sap port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_sap_port'($*)) dnl
	gen_require(`
		type sap_port_t;
	')

	allow $1 sap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_sap_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive UDP traffic on the sap port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_sap_port'($*)) dnl
	gen_require(`
		type sap_port_t;
	')

	dontaudit $1 sap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_sap_port'($*)) dnl
')

########################################
##
##	Send and receive UDP traffic on the sap port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_sap_port'($*)) dnl
	corenet_udp_send_sap_port($1)
	corenet_udp_receive_sap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_sap_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the sap port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_sap_port'($*)) dnl
	corenet_dontaudit_udp_send_sap_port($1)
	corenet_dontaudit_udp_receive_sap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_sap_port'($*)) dnl
')

########################################
##
##	Bind TCP sockets to the sap port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_sap_port'($*)) dnl
	gen_require(`
		type sap_port_t;
	')

	# no net_bind_service is granted here, unlike the rwho bind interfaces
	allow $1 sap_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_sap_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the sap port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_sap_port'($*)) dnl
	gen_require(`
		type sap_port_t;
	')

	allow $1 sap_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_sap_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind UDP sockets to the sap port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_sap_port'($*)) dnl
	gen_require(`
		type sap_port_t;
	')

	dontaudit $1 sap_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_sap_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the sap port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_sap_port'($*)) dnl
	gen_require(`
		type sap_port_t;
	')

	allow $1 sap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_sap_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the sap port.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_sap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_sap_port'($*)) dnl
	gen_require(`
		type sap_port_t;
	')

	dontaudit $1 sap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_sap_port'($*)) dnl
')

########################################
##
##	Send sap_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_sap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_sap_client_packets'($*)) dnl
	gen_require(`
		type sap_client_packet_t;
	')

	allow $1 sap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_sap_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send sap_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_sap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sap_client_packets'($*)) dnl
	gen_require(`
		type sap_client_packet_t;
	')

	dontaudit $1 sap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sap_client_packets'($*)) dnl
')

########################################
##
##	Receive sap_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_sap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_sap_client_packets'($*)) dnl
	gen_require(`
		type sap_client_packet_t;
	')

	allow $1 sap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_sap_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive sap_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_sap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sap_client_packets'($*)) dnl
	gen_require(`
		type sap_client_packet_t;
	')

	dontaudit $1 sap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sap_client_packets'($*)) dnl
')

########################################
##
##	Send and receive sap_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_sap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sap_client_packets'($*)) dnl
	corenet_send_sap_client_packets($1)
	corenet_receive_sap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sap_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive sap_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_sap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sap_client_packets'($*)) dnl
	corenet_dontaudit_send_sap_client_packets($1)
	corenet_dontaudit_receive_sap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sap_client_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the sap_client packet type.
##
##
##
##	Domain allowed access.
#
define(`corenet_relabelto_sap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sap_client_packets'($*)) dnl
gen_require(`
	type sap_client_packet_t;
')

allow $1 sap_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_sap_client_packets'($*)) dnl
')

########################################
## Send sap_server packets.
## $1 - Domain allowed access.
#
define(`corenet_send_sap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_sap_server_packets'($*)) dnl
gen_require(`
	type sap_server_packet_t;
')

allow $1 sap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_sap_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send sap_server packets.
## $1 - Domain to not audit.
# dontaudit only silences the AVC denial record for this access; it grants nothing.
#
define(`corenet_dontaudit_send_sap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sap_server_packets'($*)) dnl
gen_require(`
	type sap_server_packet_t;
')

dontaudit $1 sap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sap_server_packets'($*)) dnl
')

########################################
## Receive sap_server packets.
## $1 - Domain allowed access.
#
define(`corenet_receive_sap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_sap_server_packets'($*)) dnl
gen_require(`
	type sap_server_packet_t;
')

allow $1 sap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_sap_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive sap_server packets.
## $1 - Domain to not audit.
# dontaudit only silences the AVC denial record for this access; it grants nothing.
#
define(`corenet_dontaudit_receive_sap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sap_server_packets'($*)) dnl
gen_require(`
	type sap_server_packet_t;
')

dontaudit $1 sap_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sap_server_packets'($*)) dnl
')

########################################
## Send and receive sap_server packets.
## $1 - Domain allowed access.
# Composite: expands the send and receive interfaces; each callee emits its own gen_require.
#
define(`corenet_sendrecv_sap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sap_server_packets'($*)) dnl
corenet_send_sap_server_packets($1)
corenet_receive_sap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sap_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive sap_server packets.
## $1 - Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_sap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sap_server_packets'($*)) dnl
corenet_dontaudit_send_sap_server_packets($1)
corenet_dontaudit_receive_sap_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sap_server_packets'($*)) dnl
')

########################################
## Relabel packets to the sap_server packet type.
## $1 - Domain allowed access.
# packet relabelto is a labelling privilege, not ordinary send/recv; grant it narrowly.
#
define(`corenet_relabelto_sap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sap_server_packets'($*)) dnl
gen_require(`
	type sap_server_packet_t;
')

allow $1 sap_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_sap_server_packets'($*)) dnl
')

########################################
## Send and receive TCP traffic on the saphostctrl port.
## $1 - Domain allowed access.
# Grants send_msg and recv_msg on the port type; bind and connect are separate interfaces.
#
define(`corenet_tcp_sendrecv_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_saphostctrl_port'($*)) dnl
gen_require(`
	type saphostctrl_port_t;
')

allow $1 saphostctrl_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_saphostctrl_port'($*)) dnl
')

########################################
## Send UDP traffic on the saphostctrl port.
## $1 - Domain allowed access.
#
define(`corenet_udp_send_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_saphostctrl_port'($*)) dnl
gen_require(`
	type saphostctrl_port_t;
')

allow $1 saphostctrl_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_saphostctrl_port'($*)) dnl
')

########################################
## Do not audit attempts to send UDP traffic on the saphostctrl port.
## $1 - Domain to not audit.
# dontaudit only silences the AVC denial record for this access; it grants nothing.
#
define(`corenet_dontaudit_udp_send_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_saphostctrl_port'($*)) dnl
gen_require(`
	type saphostctrl_port_t;
')

dontaudit $1 saphostctrl_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_saphostctrl_port'($*)) dnl
')

########################################
## Receive UDP traffic on the saphostctrl port.
## $1 - Domain allowed access.
#
define(`corenet_udp_receive_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_saphostctrl_port'($*)) dnl
gen_require(`
	type saphostctrl_port_t;
')

allow $1 saphostctrl_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_saphostctrl_port'($*)) dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the saphostctrl port.
## $1 - Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_saphostctrl_port'($*)) dnl
gen_require(`
	type saphostctrl_port_t;
')

dontaudit $1 saphostctrl_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_saphostctrl_port'($*)) dnl
')

########################################
## Send and receive UDP traffic on the saphostctrl port.
## $1 - Domain allowed access.
# Composite: expands the udp_send and udp_receive interfaces; each callee emits its own gen_require.
#
define(`corenet_udp_sendrecv_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_saphostctrl_port'($*)) dnl
corenet_udp_send_saphostctrl_port($1)
corenet_udp_receive_saphostctrl_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_saphostctrl_port'($*)) dnl
')

########################################
## Do not audit attempts to send and receive
## UDP traffic on the saphostctrl port.
## $1 - Domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_saphostctrl_port'($*)) dnl
corenet_dontaudit_udp_send_saphostctrl_port($1)
corenet_dontaudit_udp_receive_saphostctrl_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_saphostctrl_port'($*)) dnl
')

########################################
## Bind TCP sockets to the saphostctrl port.
## $1 - Domain allowed access.
# name_bind is the listener-side permission (bind() to this port); clients need name_connect instead.
#
define(`corenet_tcp_bind_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_saphostctrl_port'($*)) dnl
gen_require(`
	type saphostctrl_port_t;
')

allow $1 saphostctrl_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_saphostctrl_port'($*)) dnl
')

########################################
## Bind UDP sockets to the saphostctrl port.
## $1 - Domain allowed access.
#
define(`corenet_udp_bind_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_saphostctrl_port'($*)) dnl
gen_require(`
	type saphostctrl_port_t;
')

allow $1 saphostctrl_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_saphostctrl_port'($*)) dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the saphostctrl port.
## $1 - Domain to not audit.
# dontaudit only silences the AVC denial record for this access; it grants nothing.
# Note there is no TCP counterpart of this dontaudit interface on this page.
#
define(`corenet_dontaudit_udp_bind_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_saphostctrl_port'($*)) dnl
gen_require(`
	type saphostctrl_port_t;
')

dontaudit $1 saphostctrl_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_saphostctrl_port'($*)) dnl
')

########################################
## Make a TCP connection to the saphostctrl port.
## $1 - Domain allowed access.
# name_connect is the client-side permission for connect() to this port.
#
define(`corenet_tcp_connect_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_saphostctrl_port'($*)) dnl
gen_require(`
	type saphostctrl_port_t;
')

allow $1 saphostctrl_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_saphostctrl_port'($*)) dnl
')

########################################
## Do not audit attempts to make a TCP connection to the saphostctrl port.
## $1 - Domain to not audit.
# dontaudit only silences the AVC denial record for this access; it grants nothing.
#
define(`corenet_dontaudit_tcp_connect_saphostctrl_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_saphostctrl_port'($*)) dnl
gen_require(`
	type saphostctrl_port_t;
')

dontaudit $1 saphostctrl_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_saphostctrl_port'($*)) dnl
')

########################################
## Send saphostctrl_client packets.
## $1 - Domain allowed access.
#
define(`corenet_send_saphostctrl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_saphostctrl_client_packets'($*)) dnl
gen_require(`
	type saphostctrl_client_packet_t;
')

allow $1 saphostctrl_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_saphostctrl_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send saphostctrl_client packets.
## $1 - Domain to not audit.
#
define(`corenet_dontaudit_send_saphostctrl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_saphostctrl_client_packets'($*)) dnl
gen_require(`
	type saphostctrl_client_packet_t;
')

dontaudit $1 saphostctrl_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_saphostctrl_client_packets'($*)) dnl
')

########################################
## Receive saphostctrl_client packets.
## $1 - Domain allowed access.
#
define(`corenet_receive_saphostctrl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_saphostctrl_client_packets'($*)) dnl
gen_require(`
	type saphostctrl_client_packet_t;
')

allow $1 saphostctrl_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_saphostctrl_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive saphostctrl_client packets.
## $1 - Domain to not audit.
# dontaudit only silences the AVC denial record for this access; it grants nothing.
#
define(`corenet_dontaudit_receive_saphostctrl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_saphostctrl_client_packets'($*)) dnl
gen_require(`
	type saphostctrl_client_packet_t;
')

dontaudit $1 saphostctrl_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_saphostctrl_client_packets'($*)) dnl
')

########################################
## Send and receive saphostctrl_client packets.
## $1 - Domain allowed access.
# Composite: expands the send and receive interfaces; each callee emits its own gen_require.
#
define(`corenet_sendrecv_saphostctrl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_saphostctrl_client_packets'($*)) dnl
corenet_send_saphostctrl_client_packets($1)
corenet_receive_saphostctrl_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_saphostctrl_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive saphostctrl_client packets.
## $1 - Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_saphostctrl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_saphostctrl_client_packets'($*)) dnl
corenet_dontaudit_send_saphostctrl_client_packets($1)
corenet_dontaudit_receive_saphostctrl_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_saphostctrl_client_packets'($*)) dnl
')

########################################
## Relabel packets to the saphostctrl_client packet type.
## $1 - Domain allowed access.
# packet relabelto is a labelling privilege, not ordinary send/recv; grant it narrowly.
#
define(`corenet_relabelto_saphostctrl_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_saphostctrl_client_packets'($*)) dnl
gen_require(`
	type saphostctrl_client_packet_t;
')

allow $1 saphostctrl_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_saphostctrl_client_packets'($*)) dnl
')

########################################
## Send saphostctrl_server packets.
## $1 - Domain allowed access.
#
define(`corenet_send_saphostctrl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_saphostctrl_server_packets'($*)) dnl
gen_require(`
	type saphostctrl_server_packet_t;
')

allow $1 saphostctrl_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_saphostctrl_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send saphostctrl_server packets.
## $1 - Domain to not audit.
# dontaudit only silences the AVC denial record for this access; it grants nothing.
#
define(`corenet_dontaudit_send_saphostctrl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_saphostctrl_server_packets'($*)) dnl
gen_require(`
	type saphostctrl_server_packet_t;
')

dontaudit $1 saphostctrl_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_saphostctrl_server_packets'($*)) dnl
')

########################################
## Receive saphostctrl_server packets.
## $1 - Domain allowed access.
#
define(`corenet_receive_saphostctrl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_saphostctrl_server_packets'($*)) dnl
gen_require(`
	type saphostctrl_server_packet_t;
')

allow $1 saphostctrl_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_saphostctrl_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive saphostctrl_server packets.
## $1 - Domain to not audit.
#
define(`corenet_dontaudit_receive_saphostctrl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_saphostctrl_server_packets'($*)) dnl
gen_require(`
	type saphostctrl_server_packet_t;
')

dontaudit $1 saphostctrl_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_saphostctrl_server_packets'($*)) dnl
')

########################################
## Send and receive saphostctrl_server packets.
## $1 - Domain allowed access.
# Composite: expands the send and receive interfaces; each callee emits its own gen_require.
#
define(`corenet_sendrecv_saphostctrl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_saphostctrl_server_packets'($*)) dnl
corenet_send_saphostctrl_server_packets($1)
corenet_receive_saphostctrl_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_saphostctrl_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive saphostctrl_server packets.
## $1 - Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_saphostctrl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_saphostctrl_server_packets'($*)) dnl
corenet_dontaudit_send_saphostctrl_server_packets($1)
corenet_dontaudit_receive_saphostctrl_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_saphostctrl_server_packets'($*)) dnl
')

########################################
## Relabel packets to the saphostctrl_server packet type.
## $1 - Domain allowed access.
# packet relabelto is a labelling privilege, not ordinary send/recv; grant it narrowly.
#
define(`corenet_relabelto_saphostctrl_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_saphostctrl_server_packets'($*)) dnl
gen_require(`
	type saphostctrl_server_packet_t;
')

allow $1 saphostctrl_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_saphostctrl_server_packets'($*)) dnl
')

########################################
## Send and receive TCP traffic on the servistaitsm port.
## $1 - Domain allowed access.
# Grants send_msg and recv_msg on the port type; bind and connect are separate interfaces.
#
define(`corenet_tcp_sendrecv_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_servistaitsm_port'($*)) dnl
gen_require(`
	type servistaitsm_port_t;
')

allow $1 servistaitsm_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_servistaitsm_port'($*)) dnl
')

########################################
## Send UDP traffic on the servistaitsm port.
## $1 - Domain allowed access.
#
define(`corenet_udp_send_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_servistaitsm_port'($*)) dnl
gen_require(`
	type servistaitsm_port_t;
')

allow $1 servistaitsm_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_servistaitsm_port'($*)) dnl
')

########################################
## Do not audit attempts to send UDP traffic on the servistaitsm port.
## $1 - Domain to not audit.
# dontaudit only silences the AVC denial record for this access; it grants nothing.
#
define(`corenet_dontaudit_udp_send_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_servistaitsm_port'($*)) dnl
gen_require(`
	type servistaitsm_port_t;
')

dontaudit $1 servistaitsm_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_servistaitsm_port'($*)) dnl
')

########################################
## Receive UDP traffic on the servistaitsm port.
## $1 - Domain allowed access.
#
define(`corenet_udp_receive_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_servistaitsm_port'($*)) dnl
gen_require(`
	type servistaitsm_port_t;
')

allow $1 servistaitsm_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_servistaitsm_port'($*)) dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the servistaitsm port.
## $1 - Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_servistaitsm_port'($*)) dnl
gen_require(`
	type servistaitsm_port_t;
')

dontaudit $1 servistaitsm_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_servistaitsm_port'($*)) dnl
')

########################################
## Send and receive UDP traffic on the servistaitsm port.
## $1 - Domain allowed access.
# Composite: expands the udp_send and udp_receive interfaces; each callee emits its own gen_require.
#
define(`corenet_udp_sendrecv_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_servistaitsm_port'($*)) dnl
corenet_udp_send_servistaitsm_port($1)
corenet_udp_receive_servistaitsm_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_servistaitsm_port'($*)) dnl
')

########################################
## Do not audit attempts to send and receive
## UDP traffic on the servistaitsm port.
## $1 - Domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_servistaitsm_port'($*)) dnl
corenet_dontaudit_udp_send_servistaitsm_port($1)
corenet_dontaudit_udp_receive_servistaitsm_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_servistaitsm_port'($*)) dnl
')

########################################
## Bind TCP sockets to the servistaitsm port.
## $1 - Domain allowed access.
# name_bind is the listener-side permission (bind() to this port); clients need name_connect instead.
#
define(`corenet_tcp_bind_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_servistaitsm_port'($*)) dnl
gen_require(`
	type servistaitsm_port_t;
')

allow $1 servistaitsm_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_servistaitsm_port'($*)) dnl
')

########################################
## Bind UDP sockets to the servistaitsm port.
## $1 - Domain allowed access.
#
define(`corenet_udp_bind_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_servistaitsm_port'($*)) dnl
gen_require(`
	type servistaitsm_port_t;
')

allow $1 servistaitsm_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_servistaitsm_port'($*)) dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the servistaitsm port.
## $1 - Domain to not audit.
# dontaudit only silences the AVC denial record for this access; it grants nothing.
# Note there is no TCP counterpart of this dontaudit interface on this page.
#
define(`corenet_dontaudit_udp_bind_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_servistaitsm_port'($*)) dnl
gen_require(`
	type servistaitsm_port_t;
')

dontaudit $1 servistaitsm_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_servistaitsm_port'($*)) dnl
')

########################################
## Make a TCP connection to the servistaitsm port.
## $1 - Domain allowed access.
# name_connect is the client-side permission for connect() to this port.
#
define(`corenet_tcp_connect_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_servistaitsm_port'($*)) dnl
gen_require(`
	type servistaitsm_port_t;
')

allow $1 servistaitsm_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_servistaitsm_port'($*)) dnl
')

########################################
## Do not audit attempts to make a TCP connection to the servistaitsm port.
## $1 - Domain to not audit.
# dontaudit only silences the AVC denial record for this access; it grants nothing.
#
define(`corenet_dontaudit_tcp_connect_servistaitsm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_servistaitsm_port'($*)) dnl
gen_require(`
	type servistaitsm_port_t;
')

dontaudit $1 servistaitsm_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_servistaitsm_port'($*)) dnl
')

########################################
## Send servistaitsm_client packets.
## $1 - Domain allowed access.
#
define(`corenet_send_servistaitsm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_servistaitsm_client_packets'($*)) dnl
gen_require(`
	type servistaitsm_client_packet_t;
')

allow $1 servistaitsm_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_servistaitsm_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send servistaitsm_client packets.
## $1 - Domain to not audit.
#
define(`corenet_dontaudit_send_servistaitsm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_servistaitsm_client_packets'($*)) dnl
gen_require(`
	type servistaitsm_client_packet_t;
')

dontaudit $1 servistaitsm_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_servistaitsm_client_packets'($*)) dnl
')

########################################
## Receive servistaitsm_client packets.
## $1 - Domain allowed access.
#
define(`corenet_receive_servistaitsm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_servistaitsm_client_packets'($*)) dnl
gen_require(`
	type servistaitsm_client_packet_t;
')

allow $1 servistaitsm_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_servistaitsm_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive servistaitsm_client packets.
## $1 - Domain to not audit.
# dontaudit only silences the AVC denial record for this access; it grants nothing.
#
define(`corenet_dontaudit_receive_servistaitsm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_servistaitsm_client_packets'($*)) dnl
gen_require(`
	type servistaitsm_client_packet_t;
')

dontaudit $1 servistaitsm_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_servistaitsm_client_packets'($*)) dnl
')

########################################
## Send and receive servistaitsm_client packets.
## $1 - Domain allowed access.
# Composite: expands the send and receive interfaces; each callee emits its own gen_require.
#
define(`corenet_sendrecv_servistaitsm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_servistaitsm_client_packets'($*)) dnl
corenet_send_servistaitsm_client_packets($1)
corenet_receive_servistaitsm_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_servistaitsm_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive servistaitsm_client packets.
## $1 - Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_servistaitsm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_servistaitsm_client_packets'($*)) dnl
corenet_dontaudit_send_servistaitsm_client_packets($1)
corenet_dontaudit_receive_servistaitsm_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_servistaitsm_client_packets'($*)) dnl
')

########################################
## Relabel packets to the servistaitsm_client packet type.
## $1 - Domain allowed access.
# packet relabelto is a labelling privilege, not ordinary send/recv; grant it narrowly.
#
define(`corenet_relabelto_servistaitsm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_servistaitsm_client_packets'($*)) dnl
gen_require(`
	type servistaitsm_client_packet_t;
')

allow $1 servistaitsm_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_servistaitsm_client_packets'($*)) dnl
')

########################################
## Send servistaitsm_server packets.
## $1 - Domain allowed access.
#
define(`corenet_send_servistaitsm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_servistaitsm_server_packets'($*)) dnl
gen_require(`
	type servistaitsm_server_packet_t;
')

allow $1 servistaitsm_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_servistaitsm_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send servistaitsm_server packets.
## $1 - Domain to not audit.
# dontaudit only silences the AVC denial record for this access; it grants nothing.
#
define(`corenet_dontaudit_send_servistaitsm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_servistaitsm_server_packets'($*)) dnl
gen_require(`
	type servistaitsm_server_packet_t;
')

dontaudit $1 servistaitsm_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_servistaitsm_server_packets'($*)) dnl
')

########################################
## Receive servistaitsm_server packets.
## $1 - Domain allowed access.
#
define(`corenet_receive_servistaitsm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_servistaitsm_server_packets'($*)) dnl
gen_require(`
	type servistaitsm_server_packet_t;
')

allow $1 servistaitsm_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_servistaitsm_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive servistaitsm_server packets.
## $1 - Domain to not audit.
#
define(`corenet_dontaudit_receive_servistaitsm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_servistaitsm_server_packets'($*)) dnl
gen_require(`
	type servistaitsm_server_packet_t;
')

dontaudit $1 servistaitsm_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_servistaitsm_server_packets'($*)) dnl
')

########################################
## Send and receive servistaitsm_server packets.
## $1 - Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_servistaitsm_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_servistaitsm_server_packets'($*)) dnl
	corenet_send_servistaitsm_server_packets($1)
	corenet_receive_servistaitsm_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_servistaitsm_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive servistaitsm_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_servistaitsm_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_servistaitsm_server_packets'($*)) dnl
	corenet_dontaudit_send_servistaitsm_server_packets($1)
	corenet_dontaudit_receive_servistaitsm_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_servistaitsm_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the servistaitsm_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# packet relabelto lets the domain change a packet label (SECMARK);
# only domains that manage packet labelling should receive it.
define(`corenet_relabelto_servistaitsm_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_servistaitsm_server_packets'($*)) dnl
	gen_require(`
		type servistaitsm_server_packet_t;
	')

	allow $1 servistaitsm_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_servistaitsm_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the sge port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_sge_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_sge_port'($*)) dnl
	gen_require(`
		type sge_port_t;
	')

	allow $1 sge_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_sge_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the sge port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_sge_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_sge_port'($*)) dnl
	gen_require(`
		type sge_port_t;
	')

	allow $1 sge_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_sge_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the sge port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access stays denied.
define(`corenet_dontaudit_udp_send_sge_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_sge_port'($*)) dnl
	gen_require(`
		type sge_port_t;
	')

	dontaudit $1 sge_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_sge_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the sge port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_sge_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_sge_port'($*)) dnl
	gen_require(`
		type sge_port_t;
	')

	allow $1 sge_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_sge_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the sge port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access stays denied.
define(`corenet_dontaudit_udp_receive_sge_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_sge_port'($*)) dnl
	gen_require(`
		type sge_port_t;
	')

	dontaudit $1 sge_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_sge_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the sge port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_sge_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_sge_port'($*)) dnl
	corenet_udp_send_sge_port($1)
	corenet_udp_receive_sge_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_sge_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the sge port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_sge_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_sge_port'($*)) dnl
	corenet_dontaudit_udp_send_sge_port($1)
	corenet_dontaudit_udp_receive_sge_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_sge_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the sge port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_sge_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_sge_port'($*)) dnl
	gen_require(`
		type sge_port_t;
	')

	allow $1 sge_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_sge_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the sge port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_sge_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_sge_port'($*)) dnl
	gen_require(`
		type sge_port_t;
	')

	allow $1 sge_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_sge_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the sge port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access stays denied.
define(`corenet_dontaudit_udp_bind_sge_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_sge_port'($*)) dnl
	gen_require(`
		type sge_port_t;
	')

	dontaudit $1 sge_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_sge_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the sge port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_sge_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_sge_port'($*)) dnl
	gen_require(`
		type sge_port_t;
	')

	allow $1 sge_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_sge_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the sge port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access stays denied.
define(`corenet_dontaudit_tcp_connect_sge_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_sge_port'($*)) dnl
	gen_require(`
		type sge_port_t;
	')

	dontaudit $1 sge_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_sge_port'($*)) dnl
')

########################################
## <summary>
##	Send sge_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_sge_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_sge_client_packets'($*)) dnl
	gen_require(`
		type sge_client_packet_t;
	')

	allow $1 sge_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_sge_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send sge_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access stays denied.
define(`corenet_dontaudit_send_sge_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sge_client_packets'($*)) dnl
	gen_require(`
		type sge_client_packet_t;
	')

	dontaudit $1 sge_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sge_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive sge_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_sge_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_sge_client_packets'($*)) dnl
	gen_require(`
		type sge_client_packet_t;
	')

	allow $1 sge_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_sge_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive sge_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access stays denied.
define(`corenet_dontaudit_receive_sge_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sge_client_packets'($*)) dnl
	gen_require(`
		type sge_client_packet_t;
	')

	dontaudit $1 sge_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sge_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive sge_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_sge_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sge_client_packets'($*)) dnl
	corenet_send_sge_client_packets($1)
	corenet_receive_sge_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sge_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive sge_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_sge_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sge_client_packets'($*)) dnl
	corenet_dontaudit_send_sge_client_packets($1)
	corenet_dontaudit_receive_sge_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sge_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the sge_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# packet relabelto lets the domain change a packet label (SECMARK);
# only domains that manage packet labelling should receive it.
define(`corenet_relabelto_sge_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sge_client_packets'($*)) dnl
	gen_require(`
		type sge_client_packet_t;
	')

	allow $1 sge_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_sge_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send sge_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_sge_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_sge_server_packets'($*)) dnl
	gen_require(`
		type sge_server_packet_t;
	')

	allow $1 sge_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_sge_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send sge_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access stays denied.
define(`corenet_dontaudit_send_sge_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sge_server_packets'($*)) dnl
	gen_require(`
		type sge_server_packet_t;
	')

	dontaudit $1 sge_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sge_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive sge_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_sge_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_sge_server_packets'($*)) dnl
	gen_require(`
		type sge_server_packet_t;
	')

	allow $1 sge_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_sge_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive sge_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access stays denied.
define(`corenet_dontaudit_receive_sge_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sge_server_packets'($*)) dnl
	gen_require(`
		type sge_server_packet_t;
	')

	dontaudit $1 sge_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sge_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive sge_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_sge_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sge_server_packets'($*)) dnl
	corenet_send_sge_server_packets($1)
	corenet_receive_sge_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sge_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive sge_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_sge_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sge_server_packets'($*)) dnl
	corenet_dontaudit_send_sge_server_packets($1)
	corenet_dontaudit_receive_sge_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sge_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the sge_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# packet relabelto lets the domain change a packet label (SECMARK);
# only domains that manage packet labelling should receive it.
define(`corenet_relabelto_sge_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sge_server_packets'($*)) dnl
	gen_require(`
		type sge_server_packet_t;
	')

	allow $1 sge_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_sge_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the shellinaboxd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_shellinaboxd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_shellinaboxd_port'($*)) dnl
	gen_require(`
		type shellinaboxd_port_t;
	')

	allow $1 shellinaboxd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_shellinaboxd_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the shellinaboxd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_shellinaboxd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_shellinaboxd_port'($*)) dnl
	gen_require(`
		type shellinaboxd_port_t;
	')

	allow $1 shellinaboxd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_shellinaboxd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the shellinaboxd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access stays denied.
define(`corenet_dontaudit_udp_send_shellinaboxd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_shellinaboxd_port'($*)) dnl
	gen_require(`
		type shellinaboxd_port_t;
	')

	dontaudit $1 shellinaboxd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_shellinaboxd_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the shellinaboxd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_shellinaboxd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_shellinaboxd_port'($*)) dnl
	gen_require(`
		type shellinaboxd_port_t;
	')

	allow $1 shellinaboxd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_shellinaboxd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the shellinaboxd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access stays denied.
define(`corenet_dontaudit_udp_receive_shellinaboxd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_shellinaboxd_port'($*)) dnl
	gen_require(`
		type shellinaboxd_port_t;
	')

	dontaudit $1 shellinaboxd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_shellinaboxd_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the shellinaboxd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_shellinaboxd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_shellinaboxd_port'($*)) dnl
	corenet_udp_send_shellinaboxd_port($1)
	corenet_udp_receive_shellinaboxd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_shellinaboxd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the shellinaboxd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_shellinaboxd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_shellinaboxd_port'($*)) dnl
	corenet_dontaudit_udp_send_shellinaboxd_port($1)
	corenet_dontaudit_udp_receive_shellinaboxd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_shellinaboxd_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the shellinaboxd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_shellinaboxd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_shellinaboxd_port'($*)) dnl
	gen_require(`
		type shellinaboxd_port_t;
	')

	allow $1 shellinaboxd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_shellinaboxd_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the shellinaboxd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_shellinaboxd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_shellinaboxd_port'($*)) dnl
	gen_require(`
		type shellinaboxd_port_t;
	')

	allow $1 shellinaboxd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_shellinaboxd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the shellinaboxd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access stays denied.
define(`corenet_dontaudit_udp_bind_shellinaboxd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_shellinaboxd_port'($*)) dnl
	gen_require(`
		type shellinaboxd_port_t;
	')

	dontaudit $1 shellinaboxd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_shellinaboxd_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the shellinaboxd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_shellinaboxd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_shellinaboxd_port'($*)) dnl
	gen_require(`
		type shellinaboxd_port_t;
	')

	allow $1 shellinaboxd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_shellinaboxd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the shellinaboxd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access stays denied.
define(`corenet_dontaudit_tcp_connect_shellinaboxd_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_shellinaboxd_port'($*)) dnl
	gen_require(`
		type shellinaboxd_port_t;
	')

	dontaudit $1 shellinaboxd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_shellinaboxd_port'($*)) dnl
')

########################################
## <summary>
##	Send shellinaboxd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_shellinaboxd_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_shellinaboxd_client_packets'($*)) dnl
	gen_require(`
		type shellinaboxd_client_packet_t;
	')

	allow $1 shellinaboxd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_shellinaboxd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send shellinaboxd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access stays denied.
define(`corenet_dontaudit_send_shellinaboxd_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_shellinaboxd_client_packets'($*)) dnl
	gen_require(`
		type shellinaboxd_client_packet_t;
	')

	dontaudit $1 shellinaboxd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_shellinaboxd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive shellinaboxd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_shellinaboxd_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_shellinaboxd_client_packets'($*)) dnl
	gen_require(`
		type shellinaboxd_client_packet_t;
	')

	allow $1 shellinaboxd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_shellinaboxd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive shellinaboxd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access stays denied.
define(`corenet_dontaudit_receive_shellinaboxd_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_shellinaboxd_client_packets'($*)) dnl
	gen_require(`
		type shellinaboxd_client_packet_t;
	')

	dontaudit $1 shellinaboxd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_shellinaboxd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive shellinaboxd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_shellinaboxd_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_shellinaboxd_client_packets'($*)) dnl
	corenet_send_shellinaboxd_client_packets($1)
	corenet_receive_shellinaboxd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_shellinaboxd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive shellinaboxd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_shellinaboxd_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_shellinaboxd_client_packets'($*)) dnl
	corenet_dontaudit_send_shellinaboxd_client_packets($1)
	corenet_dontaudit_receive_shellinaboxd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_shellinaboxd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the shellinaboxd_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# packet relabelto lets the domain change a packet label (SECMARK);
# only domains that manage packet labelling should receive it.
define(`corenet_relabelto_shellinaboxd_client_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_shellinaboxd_client_packets'($*)) dnl
	gen_require(`
		type shellinaboxd_client_packet_t;
	')

	allow $1 shellinaboxd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_shellinaboxd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send shellinaboxd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_shellinaboxd_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_shellinaboxd_server_packets'($*)) dnl
	gen_require(`
		type shellinaboxd_server_packet_t;
	')

	allow $1 shellinaboxd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_shellinaboxd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send shellinaboxd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access stays denied.
define(`corenet_dontaudit_send_shellinaboxd_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_shellinaboxd_server_packets'($*)) dnl
	gen_require(`
		type shellinaboxd_server_packet_t;
	')

	dontaudit $1 shellinaboxd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_shellinaboxd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive shellinaboxd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_shellinaboxd_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_shellinaboxd_server_packets'($*)) dnl
	gen_require(`
		type shellinaboxd_server_packet_t;
	')

	allow $1 shellinaboxd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_shellinaboxd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive shellinaboxd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dontaudit only silences the AVC denial record; the access stays denied.
define(`corenet_dontaudit_receive_shellinaboxd_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_shellinaboxd_server_packets'($*)) dnl
	gen_require(`
		type shellinaboxd_server_packet_t;
	')

	dontaudit $1 shellinaboxd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_shellinaboxd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive shellinaboxd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_shellinaboxd_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_shellinaboxd_server_packets'($*)) dnl
	corenet_send_shellinaboxd_server_packets($1)
	corenet_receive_shellinaboxd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_shellinaboxd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive shellinaboxd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_shellinaboxd_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_shellinaboxd_server_packets'($*)) dnl
	corenet_dontaudit_send_shellinaboxd_server_packets($1)
	corenet_dontaudit_receive_shellinaboxd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_shellinaboxd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the shellinaboxd_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# packet relabelto lets the domain change a packet label (SECMARK);
# only domains that manage packet labelling should receive it.
define(`corenet_relabelto_shellinaboxd_server_packets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_shellinaboxd_server_packets'($*)) dnl
	gen_require(`
		type shellinaboxd_server_packet_t;
	')

	allow $1 shellinaboxd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_shellinaboxd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the sieve port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_sieve_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_sieve_port'($*)) dnl
	gen_require(`
		type sieve_port_t;
	')

	allow $1 sieve_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_sieve_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the sieve port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_sieve_port',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_sieve_port'($*)) dnl
	gen_require(`
		type sieve_port_t;
	')

	allow $1 sieve_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_sieve_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the sieve port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## ## ## # define(`corenet_dontaudit_udp_send_sieve_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_sieve_port'($*)) dnl gen_require(` type sieve_port_t; ') dontaudit $1 sieve_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_sieve_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the sieve port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_sieve_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_sieve_port'($*)) dnl gen_require(` type sieve_port_t; ') allow $1 sieve_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_sieve_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the sieve port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_sieve_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_sieve_port'($*)) dnl gen_require(` type sieve_port_t; ') dontaudit $1 sieve_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_sieve_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the sieve port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_sendrecv_sieve_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_sieve_port'($*)) dnl corenet_udp_send_sieve_port($1) corenet_udp_receive_sieve_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_sieve_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the sieve port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_sieve_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_sieve_port'($*)) dnl corenet_dontaudit_udp_send_sieve_port($1) corenet_dontaudit_udp_receive_sieve_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_sieve_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the sieve port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_sieve_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_sieve_port'($*)) dnl gen_require(` type sieve_port_t; ') allow $1 sieve_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_sieve_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the sieve port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_bind_sieve_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_sieve_port'($*)) dnl gen_require(` type sieve_port_t; ') allow $1 sieve_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_sieve_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to sbind to sieve port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_bind_sieve_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_sieve_port'($*)) dnl gen_require(` type sieve_port_t; ') dontaudit $1 sieve_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_sieve_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the sieve port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_sieve_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_sieve_port'($*)) dnl gen_require(` type sieve_port_t; ') allow $1 sieve_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_sieve_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to sieve port. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_dontaudit_tcp_connect_sieve_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_sieve_port'($*)) dnl gen_require(` type sieve_port_t; ') dontaudit $1 sieve_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_sieve_port'($*)) dnl ') ######################################## ## ## Send sieve_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_sieve_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_sieve_client_packets'($*)) dnl gen_require(` type sieve_client_packet_t; ') allow $1 sieve_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_sieve_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send sieve_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_sieve_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sieve_client_packets'($*)) dnl gen_require(` type sieve_client_packet_t; ') dontaudit $1 sieve_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sieve_client_packets'($*)) dnl ') ######################################## ## ## Receive sieve_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_sieve_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_sieve_client_packets'($*)) dnl gen_require(` type sieve_client_packet_t; ') allow $1 sieve_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_sieve_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive sieve_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_sieve_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sieve_client_packets'($*)) dnl gen_require(` type sieve_client_packet_t; ') dontaudit $1 sieve_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sieve_client_packets'($*)) dnl ') ######################################## ## ## Send and receive sieve_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_sieve_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sieve_client_packets'($*)) dnl corenet_send_sieve_client_packets($1) corenet_receive_sieve_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sieve_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive sieve_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_sieve_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sieve_client_packets'($*)) dnl corenet_dontaudit_send_sieve_client_packets($1) corenet_dontaudit_receive_sieve_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sieve_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to sieve_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_sieve_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sieve_client_packets'($*)) dnl gen_require(` type sieve_client_packet_t; ') allow $1 sieve_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_sieve_client_packets'($*)) dnl ') ######################################## ## ## Send sieve_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_sieve_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_sieve_server_packets'($*)) dnl gen_require(` type sieve_server_packet_t; ') allow $1 sieve_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_sieve_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send sieve_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_sieve_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sieve_server_packets'($*)) dnl gen_require(` type sieve_server_packet_t; ') dontaudit $1 sieve_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sieve_server_packets'($*)) dnl ') ######################################## ## ## Receive sieve_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_sieve_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_sieve_server_packets'($*)) dnl gen_require(` type sieve_server_packet_t; ') allow $1 sieve_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_sieve_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive sieve_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_sieve_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sieve_server_packets'($*)) dnl gen_require(` type sieve_server_packet_t; ') dontaudit $1 sieve_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sieve_server_packets'($*)) dnl ') ######################################## ## ## Send and receive sieve_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_sieve_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sieve_server_packets'($*)) dnl corenet_send_sieve_server_packets($1) corenet_receive_sieve_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sieve_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive sieve_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_sieve_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sieve_server_packets'($*)) dnl corenet_dontaudit_send_sieve_server_packets($1) corenet_dontaudit_receive_sieve_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sieve_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to sieve_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_sieve_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sieve_server_packets'($*)) dnl gen_require(` type sieve_server_packet_t; ') allow $1 sieve_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_sieve_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the sip port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_sendrecv_sip_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_sip_port'($*)) dnl gen_require(` type sip_port_t; ') allow $1 sip_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_sip_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the sip port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_sip_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_sip_port'($*)) dnl gen_require(` type sip_port_t; ') allow $1 sip_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_sip_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the sip port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_sip_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_sip_port'($*)) dnl gen_require(` type sip_port_t; ') dontaudit $1 sip_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_sip_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the sip port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_receive_sip_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_sip_port'($*)) dnl gen_require(` type sip_port_t; ') allow $1 sip_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_sip_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the sip port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_sip_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_sip_port'($*)) dnl gen_require(` type sip_port_t; ') dontaudit $1 sip_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_sip_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the sip port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_sip_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_sip_port'($*)) dnl corenet_udp_send_sip_port($1) corenet_udp_receive_sip_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_sip_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the sip port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_sendrecv_sip_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_sip_port'($*)) dnl corenet_dontaudit_udp_send_sip_port($1) corenet_dontaudit_udp_receive_sip_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_sip_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the sip port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_sip_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_sip_port'($*)) dnl gen_require(` type sip_port_t; ') allow $1 sip_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_sip_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the sip port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_sip_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_sip_port'($*)) dnl gen_require(` type sip_port_t; ') allow $1 sip_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_sip_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to sbind to sip port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_bind_sip_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_sip_port'($*)) dnl gen_require(` type sip_port_t; ') dontaudit $1 sip_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_sip_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the sip port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_sip_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_sip_port'($*)) dnl gen_require(` type sip_port_t; ') allow $1 sip_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_sip_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to sip port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_dontaudit_tcp_connect_sip_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_sip_port'($*)) dnl gen_require(` type sip_port_t; ') dontaudit $1 sip_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_sip_port'($*)) dnl ') ######################################## ## ## Send sip_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_sip_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_sip_client_packets'($*)) dnl gen_require(` type sip_client_packet_t; ') allow $1 sip_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_sip_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send sip_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_sip_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sip_client_packets'($*)) dnl gen_require(` type sip_client_packet_t; ') dontaudit $1 sip_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sip_client_packets'($*)) dnl ') ######################################## ## ## Receive sip_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_sip_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_sip_client_packets'($*)) dnl gen_require(` type sip_client_packet_t; ') allow $1 sip_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_sip_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive sip_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_sip_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sip_client_packets'($*)) dnl gen_require(` type sip_client_packet_t; ') dontaudit $1 sip_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sip_client_packets'($*)) dnl ') ######################################## ## ## Send and receive sip_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_sip_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sip_client_packets'($*)) dnl corenet_send_sip_client_packets($1) corenet_receive_sip_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sip_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive sip_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_sip_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sip_client_packets'($*)) dnl corenet_dontaudit_send_sip_client_packets($1) corenet_dontaudit_receive_sip_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sip_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to sip_client the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_sip_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sip_client_packets'($*)) dnl gen_require(` type sip_client_packet_t; ') allow $1 sip_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_sip_client_packets'($*)) dnl ') ######################################## ## ## Send sip_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_sip_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_sip_server_packets'($*)) dnl gen_require(` type sip_server_packet_t; ') allow $1 sip_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_sip_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send sip_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_sip_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sip_server_packets'($*)) dnl gen_require(` type sip_server_packet_t; ') dontaudit $1 sip_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sip_server_packets'($*)) dnl ') ######################################## ## ## Receive sip_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_sip_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_sip_server_packets'($*)) dnl gen_require(` type sip_server_packet_t; ') allow $1 sip_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_sip_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive sip_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_sip_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sip_server_packets'($*)) dnl gen_require(` type sip_server_packet_t; ') dontaudit $1 sip_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sip_server_packets'($*)) dnl ') ######################################## ## ## Send and receive sip_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_sip_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sip_server_packets'($*)) dnl corenet_send_sip_server_packets($1) corenet_receive_sip_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sip_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive sip_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_sip_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sip_server_packets'($*)) dnl corenet_dontaudit_send_sip_server_packets($1) corenet_dontaudit_receive_sip_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sip_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to sip_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_sip_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sip_server_packets'($*)) dnl gen_require(` type sip_server_packet_t; ') allow $1 sip_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_sip_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the sixxsconfig port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_sixxsconfig_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_sixxsconfig_port'($*)) dnl gen_require(` type sixxsconfig_port_t; ') allow $1 sixxsconfig_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_sixxsconfig_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the sixxsconfig port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_send_sixxsconfig_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_sixxsconfig_port'($*)) dnl gen_require(` type sixxsconfig_port_t; ') allow $1 sixxsconfig_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_sixxsconfig_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the sixxsconfig port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_sixxsconfig_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_sixxsconfig_port'($*)) dnl gen_require(` type sixxsconfig_port_t; ') dontaudit $1 sixxsconfig_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_sixxsconfig_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the sixxsconfig port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_sixxsconfig_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_sixxsconfig_port'($*)) dnl gen_require(` type sixxsconfig_port_t; ') allow $1 sixxsconfig_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_sixxsconfig_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the sixxsconfig port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_receive_sixxsconfig_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_sixxsconfig_port'($*)) dnl gen_require(` type sixxsconfig_port_t; ') dontaudit $1 sixxsconfig_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_sixxsconfig_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the sixxsconfig port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_sixxsconfig_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_sixxsconfig_port'($*)) dnl corenet_udp_send_sixxsconfig_port($1) corenet_udp_receive_sixxsconfig_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_sixxsconfig_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the sixxsconfig port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_sixxsconfig_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_sixxsconfig_port'($*)) dnl corenet_dontaudit_udp_send_sixxsconfig_port($1) corenet_dontaudit_udp_receive_sixxsconfig_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_sixxsconfig_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the sixxsconfig port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_bind_sixxsconfig_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_sixxsconfig_port'($*)) dnl gen_require(` type sixxsconfig_port_t; ') allow $1 sixxsconfig_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_sixxsconfig_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the sixxsconfig port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_sixxsconfig_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_sixxsconfig_port'($*)) dnl gen_require(` type sixxsconfig_port_t; ') allow $1 sixxsconfig_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_sixxsconfig_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to sbind to sixxsconfig port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_bind_sixxsconfig_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_sixxsconfig_port'($*)) dnl gen_require(` type sixxsconfig_port_t; ') dontaudit $1 sixxsconfig_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_sixxsconfig_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the sixxsconfig port. ## ## ## ## Domain allowed access. 
##
##
#
# Grants tcp_socket name_connect only; send_msg/recv_msg on the port are a separate interface.
define(`corenet_tcp_connect_sixxsconfig_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_sixxsconfig_port'($*)) dnl
gen_require(`
	type sixxsconfig_port_t;
')

	allow $1 sixxsconfig_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_sixxsconfig_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the sixxsconfig port.
##
##
##
##	Domain to not audit.
##
##
#
# dontaudit only: silences tcp_socket name_connect denials; grants nothing.
define(`corenet_dontaudit_tcp_connect_sixxsconfig_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_sixxsconfig_port'($*)) dnl
gen_require(`
	type sixxsconfig_port_t;
')

	dontaudit $1 sixxsconfig_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_sixxsconfig_port'($*)) dnl
')

########################################
##
##	Send sixxsconfig_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# Grants packet send on sixxsconfig_client_packet_t.
define(`corenet_send_sixxsconfig_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_sixxsconfig_client_packets'($*)) dnl
gen_require(`
	type sixxsconfig_client_packet_t;
')

	allow $1 sixxsconfig_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_sixxsconfig_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send sixxsconfig_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit only: silences packet send denials on sixxsconfig_client_packet_t; grants nothing.
define(`corenet_dontaudit_send_sixxsconfig_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sixxsconfig_client_packets'($*)) dnl
gen_require(`
	type sixxsconfig_client_packet_t;
')

	dontaudit $1 sixxsconfig_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sixxsconfig_client_packets'($*)) dnl
')

########################################
##
##	Receive sixxsconfig_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# Grants packet recv on sixxsconfig_client_packet_t.
define(`corenet_receive_sixxsconfig_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_sixxsconfig_client_packets'($*)) dnl
gen_require(`
	type sixxsconfig_client_packet_t;
')

	allow $1 sixxsconfig_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_sixxsconfig_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive sixxsconfig_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit only: silences packet recv denials; grants nothing.
define(`corenet_dontaudit_receive_sixxsconfig_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sixxsconfig_client_packets'($*)) dnl
gen_require(`
	type sixxsconfig_client_packet_t;
')

	dontaudit $1 sixxsconfig_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sixxsconfig_client_packets'($*)) dnl
')

########################################
##
##	Send and receive sixxsconfig_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# Composite of the send and receive packet interfaces; callees nest one level deeper via policy_call_depth.
define(`corenet_sendrecv_sixxsconfig_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sixxsconfig_client_packets'($*)) dnl
	corenet_send_sixxsconfig_client_packets($1)
	corenet_receive_sixxsconfig_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sixxsconfig_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive sixxsconfig_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# Composite of the two dontaudit packet interfaces; grants nothing.
define(`corenet_dontaudit_sendrecv_sixxsconfig_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sixxsconfig_client_packets'($*)) dnl
	corenet_dontaudit_send_sixxsconfig_client_packets($1)
	corenet_dontaudit_receive_sixxsconfig_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sixxsconfig_client_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the sixxsconfig_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
# Grants packet relabelto, i.e. the right to apply this label; send/recv of such packets are separate interfaces.
define(`corenet_relabelto_sixxsconfig_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sixxsconfig_client_packets'($*)) dnl
gen_require(`
	type sixxsconfig_client_packet_t;
')

	allow $1 sixxsconfig_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_sixxsconfig_client_packets'($*)) dnl
')

########################################
##
##	Send sixxsconfig_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# Grants packet send on sixxsconfig_server_packet_t.
define(`corenet_send_sixxsconfig_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_sixxsconfig_server_packets'($*)) dnl
gen_require(`
	type sixxsconfig_server_packet_t;
')

	allow $1 sixxsconfig_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_sixxsconfig_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send sixxsconfig_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit only: silences packet send denials; grants nothing.
define(`corenet_dontaudit_send_sixxsconfig_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sixxsconfig_server_packets'($*)) dnl
gen_require(`
	type sixxsconfig_server_packet_t;
')

	dontaudit $1 sixxsconfig_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sixxsconfig_server_packets'($*)) dnl
')

########################################
##
##	Receive sixxsconfig_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# Grants packet recv on sixxsconfig_server_packet_t.
define(`corenet_receive_sixxsconfig_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_sixxsconfig_server_packets'($*)) dnl
gen_require(`
	type sixxsconfig_server_packet_t;
')

	allow $1 sixxsconfig_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_sixxsconfig_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive sixxsconfig_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit only: silences packet recv denials on sixxsconfig_server_packet_t; grants nothing.
define(`corenet_dontaudit_receive_sixxsconfig_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sixxsconfig_server_packets'($*)) dnl
gen_require(`
	type sixxsconfig_server_packet_t;
')

	dontaudit $1 sixxsconfig_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sixxsconfig_server_packets'($*)) dnl
')

########################################
##
##	Send and receive sixxsconfig_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# Composite of the send and receive packet interfaces; callees nest one level deeper via policy_call_depth.
define(`corenet_sendrecv_sixxsconfig_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sixxsconfig_server_packets'($*)) dnl
	corenet_send_sixxsconfig_server_packets($1)
	corenet_receive_sixxsconfig_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sixxsconfig_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive sixxsconfig_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# Composite of the two dontaudit packet interfaces; grants nothing.
define(`corenet_dontaudit_sendrecv_sixxsconfig_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sixxsconfig_server_packets'($*)) dnl
	corenet_dontaudit_send_sixxsconfig_server_packets($1)
	corenet_dontaudit_receive_sixxsconfig_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sixxsconfig_server_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the sixxsconfig_server packet type.
##
##
##
##	Domain allowed access.
##
##
#
# Grants packet relabelto, i.e. the right to apply this label; send/recv of such packets are separate interfaces.
define(`corenet_relabelto_sixxsconfig_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sixxsconfig_server_packets'($*)) dnl
gen_require(`
	type sixxsconfig_server_packet_t;
')

	allow $1 sixxsconfig_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_sixxsconfig_server_packets'($*)) dnl
')

########################################
##
##	Send and receive TCP traffic on the smbd port.
##
##
##
##	Domain allowed access.
##
##
##
#
# Grants tcp_socket send_msg and recv_msg on smbd_port_t in a single rule; no bind or connect permission is included.
define(`corenet_tcp_sendrecv_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_smbd_port'($*)) dnl
gen_require(`
	type smbd_port_t;
')

	allow $1 smbd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_smbd_port'($*)) dnl
')

########################################
##
##	Send UDP traffic on the smbd port.
##
##
##
##	Domain allowed access.
##
##
##
#
# Grants udp_socket send_msg on smbd_port_t.
define(`corenet_udp_send_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_smbd_port'($*)) dnl
gen_require(`
	type smbd_port_t;
')

	allow $1 smbd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_smbd_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send UDP traffic on the smbd port.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit only: silences udp_socket send_msg denials on smbd_port_t; grants nothing.
define(`corenet_dontaudit_udp_send_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_smbd_port'($*)) dnl
gen_require(`
	type smbd_port_t;
')

	dontaudit $1 smbd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_smbd_port'($*)) dnl
')

########################################
##
##	Receive UDP traffic on the smbd port.
##
##
##
##	Domain allowed access.
##
##
##
#
# Grants udp_socket recv_msg on smbd_port_t.
define(`corenet_udp_receive_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_smbd_port'($*)) dnl
gen_require(`
	type smbd_port_t;
')

	allow $1 smbd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_smbd_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive UDP traffic on the smbd port.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit only: silences udp_socket recv_msg denials; grants nothing.
define(`corenet_dontaudit_udp_receive_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_smbd_port'($*)) dnl
gen_require(`
	type smbd_port_t;
')

	dontaudit $1 smbd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_smbd_port'($*)) dnl
')

########################################
##
##	Send and receive UDP traffic on the smbd port.
##
##
##
##	Domain allowed access.
##
##
##
#
# Composite of the send and receive interfaces; callees nest one level deeper via policy_call_depth.
define(`corenet_udp_sendrecv_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_smbd_port'($*)) dnl
	corenet_udp_send_smbd_port($1)
	corenet_udp_receive_smbd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_smbd_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the smbd port.
##
##
##
##	Domain to not audit.
##
##
##
#
# Composite of the two dontaudit interfaces; grants nothing.
define(`corenet_dontaudit_udp_sendrecv_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_smbd_port'($*)) dnl
	corenet_dontaudit_udp_send_smbd_port($1)
	corenet_dontaudit_udp_receive_smbd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_smbd_port'($*)) dnl
')

########################################
##
##	Bind TCP sockets to the smbd port.
##
##
##
##	Domain allowed access.
##
##
##
#
# Grants name_bind AND self:capability net_bind_service (the Linux capability
# needed to bind a privileged port). The capability is granted unconditionally
# and is not scoped to this port, so callers receive more than a port binding.
define(`corenet_tcp_bind_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_smbd_port'($*)) dnl
gen_require(`
	type smbd_port_t;
')

	allow $1 smbd_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_smbd_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the smbd port.
##
##
##
##	Domain allowed access.
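##
##
##
#
# Grants name_bind AND self:capability net_bind_service (the Linux capability
# needed to bind a privileged port). The capability is granted unconditionally
# and is not scoped to this port, so callers receive more than a port binding.
define(`corenet_udp_bind_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_smbd_port'($*)) dnl
gen_require(`
	type smbd_port_t;
')

	allow $1 smbd_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_smbd_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind to the smbd port.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit only. A dontaudit interface must not grant access: an
# "allow $1 self:capability net_bind_service;" here would hand a real
# capability to every caller that only wanted the bind denial silenced,
# which is exactly the kind of silent privilege grant least-privilege
# policy is meant to avoid. Callers that actually need to bind use
# corenet_udp_bind_smbd_port. If this file is generated from an interface
# template, the template needs the same correction.
define(`corenet_dontaudit_udp_bind_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_smbd_port'($*)) dnl
gen_require(`
	type smbd_port_t;
')

	dontaudit $1 smbd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_smbd_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the smbd port.
##
##
##
##	Domain allowed access.
##
##
#
# Grants tcp_socket name_connect only; send_msg/recv_msg on the port are a separate interface.
define(`corenet_tcp_connect_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_smbd_port'($*)) dnl
gen_require(`
	type smbd_port_t;
')

	allow $1 smbd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_smbd_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the smbd port.
##
##
##
##	Domain to not audit.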
##
##
#
# dontaudit only: silences tcp_socket name_connect denials on smbd_port_t; grants nothing.
define(`corenet_dontaudit_tcp_connect_smbd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_smbd_port'($*)) dnl
gen_require(`
	type smbd_port_t;
')

	dontaudit $1 smbd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_smbd_port'($*)) dnl
')

########################################
##
##	Send smbd_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# Grants packet send on smbd_client_packet_t.
define(`corenet_send_smbd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_smbd_client_packets'($*)) dnl
gen_require(`
	type smbd_client_packet_t;
')

	allow $1 smbd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_smbd_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send smbd_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit only: silences packet send denials; grants nothing.
define(`corenet_dontaudit_send_smbd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_smbd_client_packets'($*)) dnl
gen_require(`
	type smbd_client_packet_t;
')

	dontaudit $1 smbd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_smbd_client_packets'($*)) dnl
')

########################################
##
##	Receive smbd_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# Grants packet recv on smbd_client_packet_t.
define(`corenet_receive_smbd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_smbd_client_packets'($*)) dnl
gen_require(`
	type smbd_client_packet_t;
')

	allow $1 smbd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_smbd_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive smbd_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit only: silences packet recv denials; grants nothing.
define(`corenet_dontaudit_receive_smbd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_smbd_client_packets'($*)) dnl
gen_require(`
	type smbd_client_packet_t;
')

	dontaudit $1 smbd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_smbd_client_packets'($*)) dnl
')

########################################
##
##	Send and receive smbd_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# Composite of the send and receive packet interfaces; callees nest one level deeper via policy_call_depth.
define(`corenet_sendrecv_smbd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_smbd_client_packets'($*)) dnl
	corenet_send_smbd_client_packets($1)
	corenet_receive_smbd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_smbd_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive smbd_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# Composite of the two dontaudit packet interfaces; grants nothing.
define(`corenet_dontaudit_sendrecv_smbd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_smbd_client_packets'($*)) dnl
	corenet_dontaudit_send_smbd_client_packets($1)
	corenet_dontaudit_receive_smbd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_smbd_client_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the smbd_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
# Grants packet relabelto, i.e. the right to apply this label; send/recv of such packets are separate interfaces.
define(`corenet_relabelto_smbd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_smbd_client_packets'($*)) dnl
gen_require(`
	type smbd_client_packet_t;
')

	allow $1 smbd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_smbd_client_packets'($*)) dnl
')

########################################
##
##	Send smbd_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# Grants packet send on smbd_server_packet_t.
define(`corenet_send_smbd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_smbd_server_packets'($*)) dnl
gen_require(`
	type smbd_server_packet_t;
')

	allow $1 smbd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_smbd_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send smbd_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit only: silences packet send denials on smbd_server_packet_t; grants nothing.
define(`corenet_dontaudit_send_smbd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_smbd_server_packets'($*)) dnl
gen_require(`
	type smbd_server_packet_t;
')

	dontaudit $1 smbd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_smbd_server_packets'($*)) dnl
')

########################################
##
##	Receive smbd_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# Grants packet recv on smbd_server_packet_t.
define(`corenet_receive_smbd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_smbd_server_packets'($*)) dnl
gen_require(`
	type smbd_server_packet_t;
')

	allow $1 smbd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_smbd_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive smbd_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit only: silences packet recv denials; grants nothing.
define(`corenet_dontaudit_receive_smbd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_smbd_server_packets'($*)) dnl
gen_require(`
	type smbd_server_packet_t;
')

	dontaudit $1 smbd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_smbd_server_packets'($*)) dnl
')

########################################
##
##	Send and receive smbd_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# Composite of the send and receive packet interfaces; callees nest one level deeper via policy_call_depth.
define(`corenet_sendrecv_smbd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_smbd_server_packets'($*)) dnl
	corenet_send_smbd_server_packets($1)
	corenet_receive_smbd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_smbd_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive smbd_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# Composite of the two dontaudit packet interfaces; grants nothing.
define(`corenet_dontaudit_sendrecv_smbd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_smbd_server_packets'($*)) dnl
	corenet_dontaudit_send_smbd_server_packets($1)
	corenet_dontaudit_receive_smbd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_smbd_server_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the smbd_server packet type.
##
##
##
##	Domain allowed access.
##
##
#
# Grants packet relabelto, i.e. the right to apply this label; send/recv of such packets are separate interfaces.
define(`corenet_relabelto_smbd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_smbd_server_packets'($*)) dnl
gen_require(`
	type smbd_server_packet_t;
')

	allow $1 smbd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_smbd_server_packets'($*)) dnl
')

########################################
##
##	Send and receive TCP traffic on the smtp port.
##
##
##
##	Domain allowed access.
##
##
##
#
# Grants tcp_socket send_msg and recv_msg on smtp_port_t in a single rule; no bind or connect permission is included.
define(`corenet_tcp_sendrecv_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_smtp_port'($*)) dnl
gen_require(`
	type smtp_port_t;
')

	allow $1 smtp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_smtp_port'($*)) dnl
')

########################################
##
##	Send UDP traffic on the smtp port.
##
##
##
##	Domain allowed access.
##
##
##
#
# Grants udp_socket send_msg on smtp_port_t.
define(`corenet_udp_send_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_smtp_port'($*)) dnl
gen_require(`
	type smtp_port_t;
')

	allow $1 smtp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_smtp_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send UDP traffic on the smtp port.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit only: silences udp_socket send_msg denials; grants nothing.
define(`corenet_dontaudit_udp_send_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_smtp_port'($*)) dnl
gen_require(`
	type smtp_port_t;
')

	dontaudit $1 smtp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_smtp_port'($*)) dnl
')

########################################
##
##	Receive UDP traffic on the smtp port.
##
##
##
##	Domain allowed access.
##
##
##
#
# Grants udp_socket recv_msg on smtp_port_t.
define(`corenet_udp_receive_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_smtp_port'($*)) dnl
gen_require(`
	type smtp_port_t;
')

	allow $1 smtp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_smtp_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive UDP traffic on the smtp port.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit only: silences udp_socket recv_msg denials; grants nothing.
define(`corenet_dontaudit_udp_receive_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_smtp_port'($*)) dnl
gen_require(`
	type smtp_port_t;
')

	dontaudit $1 smtp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_smtp_port'($*)) dnl
')

########################################
##
##	Send and receive UDP traffic on the smtp port.
##
##
##
##	Domain allowed access.
##
##
##
#
# Composite of the send and receive interfaces; callees nest one level deeper via policy_call_depth.
define(`corenet_udp_sendrecv_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_smtp_port'($*)) dnl
	corenet_udp_send_smtp_port($1)
	corenet_udp_receive_smtp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_smtp_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the smtp port.
##
##
##
##	Domain to not audit.
##
##
##
#
# Composite of the two dontaudit interfaces; grants nothing.
define(`corenet_dontaudit_udp_sendrecv_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_smtp_port'($*)) dnl
	corenet_dontaudit_udp_send_smtp_port($1)
	corenet_dontaudit_udp_receive_smtp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_smtp_port'($*)) dnl
')

########################################
##
##	Bind TCP sockets to the smtp port.
##
##
##
##	Domain allowed access.
##
##
##
#
# Grants name_bind AND self:capability net_bind_service (the Linux capability
# needed to bind a privileged port). The capability is granted unconditionally
# and is not scoped to this port, so callers receive more than a port binding.
define(`corenet_tcp_bind_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_smtp_port'($*)) dnl
gen_require(`
	type smtp_port_t;
')

	allow $1 smtp_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_smtp_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the smtp port.
##
##
##
##	Domain allowed access.
##
##
##
#
# Grants name_bind AND self:capability net_bind_service; see the note on the TCP bind interface above.
define(`corenet_udp_bind_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_smtp_port'($*)) dnl
gen_require(`
	type smtp_port_t;
')

	allow $1 smtp_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_smtp_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind to the smtp port.
##
##
##
##	Domain to not audit.
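##
##
##
#
# dontaudit only. A dontaudit interface must not grant access: an
# "allow $1 self:capability net_bind_service;" here would hand a real
# capability to every caller that only wanted the bind denial silenced,
# which is exactly the kind of silent privilege grant least-privilege
# policy is meant to avoid. Callers that actually need to bind use
# corenet_udp_bind_smtp_port. If this file is generated from an interface
# template, the template needs the same correction.
define(`corenet_dontaudit_udp_bind_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_smtp_port'($*)) dnl
gen_require(`
	type smtp_port_t;
')

	dontaudit $1 smtp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_smtp_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the smtp port.
##
##
##
##	Domain allowed access.
##
##
#
# Grants tcp_socket name_connect only; send_msg/recv_msg on the port are a separate interface.
define(`corenet_tcp_connect_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_smtp_port'($*)) dnl
gen_require(`
	type smtp_port_t;
')

	allow $1 smtp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_smtp_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the smtp port.
##
##
##
##	Domain to not audit.
##
##
#
# dontaudit only: silences tcp_socket name_connect denials; grants nothing.
define(`corenet_dontaudit_tcp_connect_smtp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_smtp_port'($*)) dnl
gen_require(`
	type smtp_port_t;
')

	dontaudit $1 smtp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_smtp_port'($*)) dnl
')

########################################
##
##	Send smtp_client packets.
##
##
##
##	Domain allowed access.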
##
##
##
#
# Grants packet send on smtp_client_packet_t.
define(`corenet_send_smtp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_smtp_client_packets'($*)) dnl
gen_require(`
	type smtp_client_packet_t;
')

	allow $1 smtp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_smtp_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send smtp_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit only: silences packet send denials; grants nothing.
define(`corenet_dontaudit_send_smtp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_smtp_client_packets'($*)) dnl
gen_require(`
	type smtp_client_packet_t;
')

	dontaudit $1 smtp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_smtp_client_packets'($*)) dnl
')

########################################
##
##	Receive smtp_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# Grants packet recv on smtp_client_packet_t.
define(`corenet_receive_smtp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_smtp_client_packets'($*)) dnl
gen_require(`
	type smtp_client_packet_t;
')

	allow $1 smtp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_smtp_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive smtp_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# dontaudit only: silences packet recv denials on smtp_client_packet_t; grants nothing.
define(`corenet_dontaudit_receive_smtp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_smtp_client_packets'($*)) dnl
gen_require(`
	type smtp_client_packet_t;
')

	dontaudit $1 smtp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_smtp_client_packets'($*)) dnl
')

########################################
##
##	Send and receive smtp_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
# Composite of the send and receive packet interfaces; callees nest one level deeper via policy_call_depth.
define(`corenet_sendrecv_smtp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_smtp_client_packets'($*)) dnl
	corenet_send_smtp_client_packets($1)
	corenet_receive_smtp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_smtp_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive smtp_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
# Composite of the two dontaudit packet interfaces; grants nothing.
define(`corenet_dontaudit_sendrecv_smtp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_smtp_client_packets'($*)) dnl
	corenet_dontaudit_send_smtp_client_packets($1)
	corenet_dontaudit_receive_smtp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_smtp_client_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the smtp_client packet type.
##
##
##
##	Domain allowed access.
## ## # define(`corenet_relabelto_smtp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_smtp_client_packets'($*)) dnl gen_require(` type smtp_client_packet_t; ') allow $1 smtp_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_smtp_client_packets'($*)) dnl ') ######################################## ## ## Send smtp_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_smtp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_smtp_server_packets'($*)) dnl gen_require(` type smtp_server_packet_t; ') allow $1 smtp_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_smtp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send smtp_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_smtp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_smtp_server_packets'($*)) dnl gen_require(` type smtp_server_packet_t; ') dontaudit $1 smtp_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_smtp_server_packets'($*)) dnl ') ######################################## ## ## Receive smtp_server packets. ## ## ## ## Domain allowed access. 
##
##
##
#
define(`corenet_receive_smtp_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_smtp_server_packets'($*)) dnl
	gen_require(`
		type smtp_server_packet_t;
	')

	allow $1 smtp_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_smtp_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive smtp_server packets.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_receive_smtp_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_smtp_server_packets'($*)) dnl
	gen_require(`
		type smtp_server_packet_t;
	')

	dontaudit $1 smtp_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_smtp_server_packets'($*)) dnl
')

########################################
##
##	Send and receive smtp_server packets.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_sendrecv_smtp_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_smtp_server_packets'($*)) dnl
	corenet_send_smtp_server_packets($1)
	corenet_receive_smtp_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_smtp_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive smtp_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_smtp_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_smtp_server_packets'($*)) dnl
	corenet_dontaudit_send_smtp_server_packets($1)
	corenet_dontaudit_receive_smtp_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_smtp_server_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the smtp_server packet type.
##
##
##
##	Domain allowed access.
##
##
#
# NOTE(review): relabelto is a labeling privilege, not a send/receive one;
# presumably only the domain that installs packet labels needs it - confirm
# against the callers before granting it more widely.
define(`corenet_relabelto_smtp_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_smtp_server_packets'($*)) dnl
	gen_require(`
		type smtp_server_packet_t;
	')

	allow $1 smtp_server_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_smtp_server_packets'($*)) dnl
')

########################################
##
##	Send and receive TCP traffic on the snmp port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_sendrecv_snmp_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_snmp_port'($*)) dnl
	gen_require(`
		type snmp_port_t;
	')

	allow $1 snmp_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_snmp_port'($*)) dnl
')

########################################
##
##	Send UDP traffic on the snmp port.
##
##
##
##	Domain allowed access.
## ## ## # define(`corenet_udp_send_snmp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_snmp_port'($*)) dnl gen_require(` type snmp_port_t; ') allow $1 snmp_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_snmp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the snmp port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_snmp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_snmp_port'($*)) dnl gen_require(` type snmp_port_t; ') dontaudit $1 snmp_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_snmp_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the snmp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_snmp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_snmp_port'($*)) dnl gen_require(` type snmp_port_t; ') allow $1 snmp_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_snmp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the snmp port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_receive_snmp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_snmp_port'($*)) dnl gen_require(` type snmp_port_t; ') dontaudit $1 snmp_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_snmp_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the snmp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_snmp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_snmp_port'($*)) dnl corenet_udp_send_snmp_port($1) corenet_udp_receive_snmp_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_snmp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the snmp port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_snmp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_snmp_port'($*)) dnl corenet_dontaudit_udp_send_snmp_port($1) corenet_dontaudit_udp_receive_snmp_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_snmp_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the snmp port. ## ## ## ## Domain allowed access. 
##
##
##
#
# NOTE(review): the bind interfaces for this port also grant
# self:capability net_bind_service, presumably because the snmp port is
# in the privileged (<1024) range - confirm against the port declaration.
define(`corenet_tcp_bind_snmp_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_snmp_port'($*)) dnl
	gen_require(`
		type snmp_port_t;
	')

	allow $1 snmp_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_snmp_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the snmp port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_udp_bind_snmp_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_snmp_port'($*)) dnl
	gen_require(`
		type snmp_port_t;
	')

	allow $1 snmp_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_snmp_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind to the snmp port.
##
##
##
##	Domain to not audit.
##
##
#
# NOTE(review): this dontaudit interface also contains an allow rule
# (self:capability net_bind_service). A dontaudit interface should only
# silence denials; a caller that uses it merely to quiet the audit log
# receives a capability it did not ask for. Compare
# corenet_dontaudit_udp_bind_smntubootstrap_port, which adds nothing extra.
# The allow rule should move out of here or the interface be renamed.
define(`corenet_dontaudit_udp_bind_snmp_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_snmp_port'($*)) dnl
	gen_require(`
		type snmp_port_t;
	')

	dontaudit $1 snmp_port_t:udp_socket name_bind;
	# NOTE(review): allow rule inside a dontaudit interface, see header note
	allow $1 self:capability net_bind_service;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_snmp_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the snmp port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_snmp_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_snmp_port'($*)) dnl
	gen_require(`
		type snmp_port_t;
	')

	allow $1 snmp_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_snmp_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the snmp port.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_snmp_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_snmp_port'($*)) dnl
	gen_require(`
		type snmp_port_t;
	')

	dontaudit $1 snmp_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_snmp_port'($*)) dnl
')

########################################
##
##	Send snmp_client packets.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_send_snmp_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_snmp_client_packets'($*)) dnl
	gen_require(`
		type snmp_client_packet_t;
	')

	allow $1 snmp_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_snmp_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send snmp_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_snmp_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_snmp_client_packets'($*)) dnl
	gen_require(`
		type snmp_client_packet_t;
	')

	dontaudit $1 snmp_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_snmp_client_packets'($*)) dnl
')

########################################
##
##	Receive snmp_client packets.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_receive_snmp_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_snmp_client_packets'($*)) dnl
	gen_require(`
		type snmp_client_packet_t;
	')

	allow $1 snmp_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_snmp_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive snmp_client packets.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_receive_snmp_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_snmp_client_packets'($*)) dnl
	gen_require(`
		type snmp_client_packet_t;
	')

	dontaudit $1 snmp_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_snmp_client_packets'($*)) dnl
')

########################################
##
##	Send and receive snmp_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_snmp_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_snmp_client_packets'($*)) dnl
	corenet_send_snmp_client_packets($1)
	corenet_receive_snmp_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_snmp_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive snmp_client packets.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_sendrecv_snmp_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_snmp_client_packets'($*)) dnl
	corenet_dontaudit_send_snmp_client_packets($1)
	corenet_dontaudit_receive_snmp_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_snmp_client_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the snmp_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_snmp_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_snmp_client_packets'($*)) dnl
	gen_require(`
		type snmp_client_packet_t;
	')

	allow $1 snmp_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_snmp_client_packets'($*)) dnl
')

########################################
##
##	Send snmp_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_snmp_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_snmp_server_packets'($*)) dnl
	gen_require(`
		type snmp_server_packet_t;
	')

	allow $1 snmp_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_snmp_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send snmp_server packets.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_send_snmp_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_snmp_server_packets'($*)) dnl
	gen_require(`
		type snmp_server_packet_t;
	')

	dontaudit $1 snmp_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_snmp_server_packets'($*)) dnl
')

########################################
##
##	Receive snmp_server packets.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_receive_snmp_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_snmp_server_packets'($*)) dnl
	gen_require(`
		type snmp_server_packet_t;
	')

	allow $1 snmp_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_snmp_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive snmp_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_snmp_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_snmp_server_packets'($*)) dnl
	gen_require(`
		type snmp_server_packet_t;
	')

	dontaudit $1 snmp_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_snmp_server_packets'($*)) dnl
')

########################################
##
##	Send and receive snmp_server packets.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_sendrecv_snmp_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_snmp_server_packets'($*)) dnl
	corenet_send_snmp_server_packets($1)
	corenet_receive_snmp_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_snmp_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive snmp_server packets.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_sendrecv_snmp_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_snmp_server_packets'($*)) dnl
	corenet_dontaudit_send_snmp_server_packets($1)
	corenet_dontaudit_receive_snmp_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_snmp_server_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the snmp_server packet type.
##
##
##
##	Domain allowed access.
## ## # define(`corenet_relabelto_snmp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_snmp_server_packets'($*)) dnl gen_require(` type snmp_server_packet_t; ') allow $1 snmp_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_snmp_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the smntubootstrap port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_smntubootstrap_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_smntubootstrap_port'($*)) dnl gen_require(` type smntubootstrap_port_t; ') allow $1 smntubootstrap_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_smntubootstrap_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the smntubootstrap port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_smntubootstrap_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_smntubootstrap_port'($*)) dnl gen_require(` type smntubootstrap_port_t; ') allow $1 smntubootstrap_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_smntubootstrap_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the smntubootstrap port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_send_smntubootstrap_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_smntubootstrap_port'($*)) dnl gen_require(` type smntubootstrap_port_t; ') dontaudit $1 smntubootstrap_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_smntubootstrap_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the smntubootstrap port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_smntubootstrap_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_smntubootstrap_port'($*)) dnl gen_require(` type smntubootstrap_port_t; ') allow $1 smntubootstrap_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_smntubootstrap_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the smntubootstrap port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_smntubootstrap_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_smntubootstrap_port'($*)) dnl gen_require(` type smntubootstrap_port_t; ') dontaudit $1 smntubootstrap_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_smntubootstrap_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the smntubootstrap port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_sendrecv_smntubootstrap_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_smntubootstrap_port'($*)) dnl corenet_udp_send_smntubootstrap_port($1) corenet_udp_receive_smntubootstrap_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_smntubootstrap_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the smntubootstrap port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_smntubootstrap_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_smntubootstrap_port'($*)) dnl corenet_dontaudit_udp_send_smntubootstrap_port($1) corenet_dontaudit_udp_receive_smntubootstrap_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_smntubootstrap_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the smntubootstrap port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_smntubootstrap_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_smntubootstrap_port'($*)) dnl gen_require(` type smntubootstrap_port_t; ') allow $1 smntubootstrap_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_smntubootstrap_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the smntubootstrap port. ## ## ## ## Domain allowed access. 
##
##
##
#
# NOTE(review): unlike the snmp bind interfaces, no net_bind_service is
# granted here - consistent with this port not being in the privileged range
# (confirm against the port declaration).
define(`corenet_udp_bind_smntubootstrap_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_smntubootstrap_port'($*)) dnl
	gen_require(`
		type smntubootstrap_port_t;
	')

	allow $1 smntubootstrap_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_smntubootstrap_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind to the smntubootstrap port.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_udp_bind_smntubootstrap_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_smntubootstrap_port'($*)) dnl
	gen_require(`
		type smntubootstrap_port_t;
	')

	dontaudit $1 smntubootstrap_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_smntubootstrap_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the smntubootstrap port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_smntubootstrap_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_smntubootstrap_port'($*)) dnl
	gen_require(`
		type smntubootstrap_port_t;
	')

	allow $1 smntubootstrap_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_smntubootstrap_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the smntubootstrap port.
##
##
##
##	Domain to not audit.
## ## # define(`corenet_dontaudit_tcp_connect_smntubootstrap_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_smntubootstrap_port'($*)) dnl gen_require(` type smntubootstrap_port_t; ') dontaudit $1 smntubootstrap_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_smntubootstrap_port'($*)) dnl ') ######################################## ## ## Send smntubootstrap_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_smntubootstrap_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_smntubootstrap_client_packets'($*)) dnl gen_require(` type smntubootstrap_client_packet_t; ') allow $1 smntubootstrap_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_smntubootstrap_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send smntubootstrap_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_smntubootstrap_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_smntubootstrap_client_packets'($*)) dnl gen_require(` type smntubootstrap_client_packet_t; ') dontaudit $1 smntubootstrap_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_smntubootstrap_client_packets'($*)) dnl ') ######################################## ## ## Receive smntubootstrap_client packets. ## ## ## ## Domain allowed access. 
##
##
##
#
define(`corenet_receive_smntubootstrap_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_smntubootstrap_client_packets'($*)) dnl
	gen_require(`
		type smntubootstrap_client_packet_t;
	')

	allow $1 smntubootstrap_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_smntubootstrap_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive smntubootstrap_client packets.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_receive_smntubootstrap_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_smntubootstrap_client_packets'($*)) dnl
	gen_require(`
		type smntubootstrap_client_packet_t;
	')

	dontaudit $1 smntubootstrap_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_smntubootstrap_client_packets'($*)) dnl
')

########################################
##
##	Send and receive smntubootstrap_client packets.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_sendrecv_smntubootstrap_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_smntubootstrap_client_packets'($*)) dnl
	corenet_send_smntubootstrap_client_packets($1)
	corenet_receive_smntubootstrap_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_smntubootstrap_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive smntubootstrap_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_smntubootstrap_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_smntubootstrap_client_packets'($*)) dnl
	corenet_dontaudit_send_smntubootstrap_client_packets($1)
	corenet_dontaudit_receive_smntubootstrap_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_smntubootstrap_client_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the smntubootstrap_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_smntubootstrap_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_smntubootstrap_client_packets'($*)) dnl
	gen_require(`
		type smntubootstrap_client_packet_t;
	')

	allow $1 smntubootstrap_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_smntubootstrap_client_packets'($*)) dnl
')

########################################
##
##	Send smntubootstrap_server packets.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_send_smntubootstrap_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_smntubootstrap_server_packets'($*)) dnl
	gen_require(`
		type smntubootstrap_server_packet_t;
	')

	allow $1 smntubootstrap_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_smntubootstrap_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send smntubootstrap_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_smntubootstrap_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_smntubootstrap_server_packets'($*)) dnl
	gen_require(`
		type smntubootstrap_server_packet_t;
	')

	dontaudit $1 smntubootstrap_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_smntubootstrap_server_packets'($*)) dnl
')

########################################
##
##	Receive smntubootstrap_server packets.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_receive_smntubootstrap_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_smntubootstrap_server_packets'($*)) dnl
	gen_require(`
		type smntubootstrap_server_packet_t;
	')

	allow $1 smntubootstrap_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_smntubootstrap_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive smntubootstrap_server packets.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_receive_smntubootstrap_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_smntubootstrap_server_packets'($*)) dnl
	gen_require(`
		type smntubootstrap_server_packet_t;
	')

	dontaudit $1 smntubootstrap_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_smntubootstrap_server_packets'($*)) dnl
')

########################################
##
##	Send and receive smntubootstrap_server packets.
##
##
##
##	Domain allowed access.
## ## ## # define(`corenet_sendrecv_smntubootstrap_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_smntubootstrap_server_packets'($*)) dnl corenet_send_smntubootstrap_server_packets($1) corenet_receive_smntubootstrap_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_smntubootstrap_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive smntubootstrap_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_smntubootstrap_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_smntubootstrap_server_packets'($*)) dnl corenet_dontaudit_send_smntubootstrap_server_packets($1) corenet_dontaudit_receive_smntubootstrap_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_smntubootstrap_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to smntubootstrap_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_smntubootstrap_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_smntubootstrap_server_packets'($*)) dnl gen_require(` type smntubootstrap_server_packet_t; ') allow $1 smntubootstrap_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_smntubootstrap_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the socks port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_sendrecv_socks_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_socks_port'($*)) dnl gen_require(` type socks_port_t; ') allow $1 socks_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_socks_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the socks port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_socks_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_socks_port'($*)) dnl gen_require(` type socks_port_t; ') allow $1 socks_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_socks_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the socks port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_socks_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_socks_port'($*)) dnl gen_require(` type socks_port_t; ') dontaudit $1 socks_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_socks_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the socks port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_receive_socks_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_socks_port'($*)) dnl gen_require(` type socks_port_t; ') allow $1 socks_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_socks_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the socks port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_socks_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_socks_port'($*)) dnl gen_require(` type socks_port_t; ') dontaudit $1 socks_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_socks_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the socks port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_socks_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_socks_port'($*)) dnl corenet_udp_send_socks_port($1) corenet_udp_receive_socks_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_socks_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the socks port. ## ## ## ## Domain to not audit. 
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_socks_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_socks_port'($*)) dnl
	# composed from the per-direction dontaudit interfaces so the
	# require block and the dontaudit rules are maintained in one place
	corenet_dontaudit_udp_send_socks_port($1)
	corenet_dontaudit_udp_receive_socks_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_socks_port'($*)) dnl
')

########################################
##
## Bind TCP sockets to the socks port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_socks_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_socks_port'($*)) dnl
	gen_require(`
		type socks_port_t;
	')

	# name_bind only: no net_bind_service capability is granted here
	# (contrast the spamd bind interfaces later in this file)
	allow $1 socks_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_socks_port'($*)) dnl
')

########################################
##
## Bind UDP sockets to the socks port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_socks_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_socks_port'($*)) dnl
	gen_require(`
		type socks_port_t;
	')

	# name_bind only, no capability grant (see the TCP variant above)
	allow $1 socks_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_socks_port'($*)) dnl
')

########################################
##
## Do not audit attempts to bind to socks port.
##
##
##
## Domain to not audit.
## ## ## # define(`corenet_dontaudit_udp_bind_socks_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_socks_port'($*)) dnl gen_require(` type socks_port_t; ') dontaudit $1 socks_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_socks_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the socks port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_socks_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_socks_port'($*)) dnl gen_require(` type socks_port_t; ') allow $1 socks_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_socks_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to socks port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_dontaudit_tcp_connect_socks_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_socks_port'($*)) dnl gen_require(` type socks_port_t; ') dontaudit $1 socks_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_socks_port'($*)) dnl ') ######################################## ## ## Send socks_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_socks_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_socks_client_packets'($*)) dnl gen_require(` type socks_client_packet_t; ') allow $1 socks_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_socks_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send socks_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_socks_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_socks_client_packets'($*)) dnl gen_require(` type socks_client_packet_t; ') dontaudit $1 socks_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_socks_client_packets'($*)) dnl ') ######################################## ## ## Receive socks_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_socks_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_socks_client_packets'($*)) dnl gen_require(` type socks_client_packet_t; ') allow $1 socks_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_socks_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive socks_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_socks_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_socks_client_packets'($*)) dnl gen_require(` type socks_client_packet_t; ') dontaudit $1 socks_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_socks_client_packets'($*)) dnl ') ######################################## ## ## Send and receive socks_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_socks_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_socks_client_packets'($*)) dnl corenet_send_socks_client_packets($1) corenet_receive_socks_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_socks_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive socks_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_socks_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_socks_client_packets'($*)) dnl corenet_dontaudit_send_socks_client_packets($1) corenet_dontaudit_receive_socks_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_socks_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to socks_client the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_socks_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_socks_client_packets'($*)) dnl gen_require(` type socks_client_packet_t; ') allow $1 socks_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_socks_client_packets'($*)) dnl ') ######################################## ## ## Send socks_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_socks_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_socks_server_packets'($*)) dnl gen_require(` type socks_server_packet_t; ') allow $1 socks_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_socks_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send socks_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_socks_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_socks_server_packets'($*)) dnl gen_require(` type socks_server_packet_t; ') dontaudit $1 socks_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_socks_server_packets'($*)) dnl ') ######################################## ## ## Receive socks_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_socks_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_socks_server_packets'($*)) dnl gen_require(` type socks_server_packet_t; ') allow $1 socks_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_socks_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive socks_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_socks_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_socks_server_packets'($*)) dnl gen_require(` type socks_server_packet_t; ') dontaudit $1 socks_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_socks_server_packets'($*)) dnl ') ######################################## ## ## Send and receive socks_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_socks_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_socks_server_packets'($*)) dnl corenet_send_socks_server_packets($1) corenet_receive_socks_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_socks_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive socks_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_socks_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_socks_server_packets'($*)) dnl corenet_dontaudit_send_socks_server_packets($1) corenet_dontaudit_receive_socks_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_socks_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to socks_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_socks_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_socks_server_packets'($*)) dnl gen_require(` type socks_server_packet_t; ') allow $1 socks_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_socks_server_packets'($*)) dnl ') # no defined portcon ######################################## ## ## Send and receive TCP traffic on the soundd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_soundd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_soundd_port'($*)) dnl gen_require(` type soundd_port_t; ') allow $1 soundd_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_soundd_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the soundd port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_send_soundd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_soundd_port'($*)) dnl gen_require(` type soundd_port_t; ') allow $1 soundd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_soundd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the soundd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_soundd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_soundd_port'($*)) dnl gen_require(` type soundd_port_t; ') dontaudit $1 soundd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_soundd_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the soundd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_soundd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_soundd_port'($*)) dnl gen_require(` type soundd_port_t; ') allow $1 soundd_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_soundd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the soundd port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_receive_soundd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_soundd_port'($*)) dnl gen_require(` type soundd_port_t; ') dontaudit $1 soundd_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_soundd_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the soundd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_soundd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_soundd_port'($*)) dnl corenet_udp_send_soundd_port($1) corenet_udp_receive_soundd_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_soundd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the soundd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_soundd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_soundd_port'($*)) dnl corenet_dontaudit_udp_send_soundd_port($1) corenet_dontaudit_udp_receive_soundd_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_soundd_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the soundd port. ## ## ## ## Domain allowed access. 
##
##
##
#
define(`corenet_tcp_bind_soundd_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_soundd_port'($*)) dnl
	gen_require(`
		type soundd_port_t;
	')

	# name_bind only: no net_bind_service capability is granted here
	# (contrast the spamd bind interfaces later in this file)
	allow $1 soundd_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_soundd_port'($*)) dnl
')

########################################
##
## Bind UDP sockets to the soundd port.
##
##
##
## Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_soundd_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_soundd_port'($*)) dnl
	gen_require(`
		type soundd_port_t;
	')

	# name_bind only, no capability grant (see the TCP variant above)
	allow $1 soundd_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_soundd_port'($*)) dnl
')

########################################
##
## Do not audit attempts to bind to soundd port.
##
##
##
## Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_soundd_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_soundd_port'($*)) dnl
	gen_require(`
		type soundd_port_t;
	')

	# audit suppression only; this interface grants nothing
	dontaudit $1 soundd_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_soundd_port'($*)) dnl
')

########################################
##
## Make a TCP connection to the soundd port.
##
##
##
## Domain allowed access.
## ## # define(`corenet_tcp_connect_soundd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_soundd_port'($*)) dnl gen_require(` type soundd_port_t; ') allow $1 soundd_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_soundd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to soundd port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_dontaudit_tcp_connect_soundd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_soundd_port'($*)) dnl gen_require(` type soundd_port_t; ') dontaudit $1 soundd_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_soundd_port'($*)) dnl ') ######################################## ## ## Send soundd_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_soundd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_soundd_client_packets'($*)) dnl gen_require(` type soundd_client_packet_t; ') allow $1 soundd_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_soundd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send soundd_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_soundd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_soundd_client_packets'($*)) dnl gen_require(` type soundd_client_packet_t; ') dontaudit $1 soundd_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_soundd_client_packets'($*)) dnl ') ######################################## ## ## Receive soundd_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_soundd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_soundd_client_packets'($*)) dnl gen_require(` type soundd_client_packet_t; ') allow $1 soundd_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_soundd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive soundd_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_soundd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_soundd_client_packets'($*)) dnl gen_require(` type soundd_client_packet_t; ') dontaudit $1 soundd_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_soundd_client_packets'($*)) dnl ') ######################################## ## ## Send and receive soundd_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_soundd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_soundd_client_packets'($*)) dnl corenet_send_soundd_client_packets($1) corenet_receive_soundd_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_soundd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive soundd_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_soundd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_soundd_client_packets'($*)) dnl corenet_dontaudit_send_soundd_client_packets($1) corenet_dontaudit_receive_soundd_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_soundd_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to soundd_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_soundd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_soundd_client_packets'($*)) dnl gen_require(` type soundd_client_packet_t; ') allow $1 soundd_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_soundd_client_packets'($*)) dnl ') ######################################## ## ## Send soundd_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_soundd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_soundd_server_packets'($*)) dnl gen_require(` type soundd_server_packet_t; ') allow $1 soundd_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_soundd_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send soundd_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_soundd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_soundd_server_packets'($*)) dnl gen_require(` type soundd_server_packet_t; ') dontaudit $1 soundd_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_soundd_server_packets'($*)) dnl ') ######################################## ## ## Receive soundd_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_soundd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_soundd_server_packets'($*)) dnl gen_require(` type soundd_server_packet_t; ') allow $1 soundd_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_soundd_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive soundd_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_soundd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_soundd_server_packets'($*)) dnl gen_require(` type soundd_server_packet_t; ') dontaudit $1 soundd_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_soundd_server_packets'($*)) dnl ') ######################################## ## ## Send and receive soundd_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_soundd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_soundd_server_packets'($*)) dnl corenet_send_soundd_server_packets($1) corenet_receive_soundd_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_soundd_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive soundd_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_soundd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_soundd_server_packets'($*)) dnl corenet_dontaudit_send_soundd_server_packets($1) corenet_dontaudit_receive_soundd_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_soundd_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to soundd_server the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_soundd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_soundd_server_packets'($*)) dnl gen_require(` type soundd_server_packet_t; ') allow $1 soundd_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_soundd_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the spamd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_spamd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_spamd_port'($*)) dnl gen_require(` type spamd_port_t; ') allow $1 spamd_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_spamd_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the spamd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_spamd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_spamd_port'($*)) dnl gen_require(` type spamd_port_t; ') allow $1 spamd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_spamd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the spamd port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_send_spamd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_spamd_port'($*)) dnl gen_require(` type spamd_port_t; ') dontaudit $1 spamd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_spamd_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the spamd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_spamd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_spamd_port'($*)) dnl gen_require(` type spamd_port_t; ') allow $1 spamd_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_spamd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the spamd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_spamd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_spamd_port'($*)) dnl gen_require(` type spamd_port_t; ') dontaudit $1 spamd_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_spamd_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the spamd port. ## ## ## ## Domain allowed access. 
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_spamd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_spamd_port'($*))dnl
	# Composed from the single-direction interfaces so the rules stay in one place.
	corenet_udp_send_spamd_port($1)
	corenet_udp_receive_spamd_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_spamd_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the spamd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_spamd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_spamd_port'($*))dnl
	corenet_dontaudit_udp_send_spamd_port($1)
	corenet_dontaudit_udp_receive_spamd_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_spamd_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the spamd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_spamd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_spamd_port'($*))dnl
	gen_require(`
		type spamd_port_t;
	')

	allow $1 spamd_port_t:tcp_socket name_bind;
	# The spamd port is handled as a reserved port, so binding also needs
	# CAP_NET_BIND_SERVICE. NOTE(review): this capability is on self and is
	# not scoped to this port; only the name_bind rule above restricts which
	# reserved port the domain may actually bind.
	allow $1 self:capability net_bind_service;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_spamd_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the spamd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
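##	</summary>
## </param>
#
define(`corenet_udp_bind_spamd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_spamd_port'($*))dnl
	gen_require(`
		type spamd_port_t;
	')

	allow $1 spamd_port_t:udp_socket name_bind;
	# The spamd port is handled as a reserved port, so binding also needs
	# CAP_NET_BIND_SERVICE. NOTE(review): this capability is on self and is
	# not scoped to this port; only the name_bind rule above restricts which
	# reserved port the domain may actually bind.
	allow $1 self:capability net_bind_service;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_spamd_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the spamd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_spamd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_spamd_port'($*))dnl
	gen_require(`
		type spamd_port_t;
	')

	# A dontaudit interface must only silence denials, never grant access.
	# The previous version of this interface also contained
	# "allow <domain> self:capability net_bind_service", which handed every
	# caller the ability to bind any reserved port while claiming to be a
	# pure audit-suppression interface. That allow is removed; callers that
	# really need to bind must use corenet_udp_bind_spamd_port instead.
	dontaudit $1 spamd_port_t:udp_socket name_bind;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_spamd_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the spamd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_spamd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_spamd_port'($*))dnl
	gen_require(`
		type spamd_port_t;
	')

	# name_connect alone does not allow traffic on the established
	# connection; pair with corenet_tcp_sendrecv_spamd_port where needed.
	allow $1 spamd_port_t:tcp_socket name_connect;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_spamd_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the spamd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.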
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_spamd_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_spamd_port'($*))dnl
	gen_require(`
		type spamd_port_t;
	')

	dontaudit $1 spamd_port_t:tcp_socket name_connect;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_spamd_port'($*))dnl
')

########################################
## <summary>
##	Send spamd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_spamd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_spamd_client_packets'($*))dnl
	gen_require(`
		type spamd_client_packet_t;
	')

	# packet-class rules only take effect for packets that carry this label
	# (labelled outside this policy, e.g. by firewall marking rules).
	allow $1 spamd_client_packet_t:packet send;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_spamd_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send spamd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_spamd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_spamd_client_packets'($*))dnl
	gen_require(`
		type spamd_client_packet_t;
	')

	dontaudit $1 spamd_client_packet_t:packet send;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_spamd_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive spamd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_spamd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_spamd_client_packets'($*))dnl
	gen_require(`
		type spamd_client_packet_t;
	')

	allow $1 spamd_client_packet_t:packet recv;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_spamd_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive spamd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_spamd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_spamd_client_packets'($*))dnl
	gen_require(`
		type spamd_client_packet_t;
	')

	dontaudit $1 spamd_client_packet_t:packet recv;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_spamd_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive spamd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_spamd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_spamd_client_packets'($*))dnl
	corenet_send_spamd_client_packets($1)
	corenet_receive_spamd_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_spamd_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive spamd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_spamd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_spamd_client_packets'($*))dnl
	corenet_dontaudit_send_spamd_client_packets($1)
	corenet_dontaudit_receive_spamd_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_spamd_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the spamd_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_spamd_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_spamd_client_packets'($*))dnl
	gen_require(`
		type spamd_client_packet_t;
	')

	# relabelto only lets the domain apply this label to packets; it does
	# not grant send or recv on them.
	allow $1 spamd_client_packet_t:packet relabelto;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_spamd_client_packets'($*))dnl
')

########################################
## <summary>
##	Send spamd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_spamd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_spamd_server_packets'($*))dnl
	gen_require(`
		type spamd_server_packet_t;
	')

	allow $1 spamd_server_packet_t:packet send;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_spamd_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send spamd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_spamd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_spamd_server_packets'($*))dnl
	gen_require(`
		type spamd_server_packet_t;
	')

	dontaudit $1 spamd_server_packet_t:packet send;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_spamd_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive spamd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_spamd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_spamd_server_packets'($*))dnl
	gen_require(`
		type spamd_server_packet_t;
	')

	allow $1 spamd_server_packet_t:packet recv;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_spamd_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive spamd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_spamd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_spamd_server_packets'($*))dnl
	gen_require(`
		type spamd_server_packet_t;
	')

	dontaudit $1 spamd_server_packet_t:packet recv;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_spamd_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive spamd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_spamd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_spamd_server_packets'($*))dnl
	corenet_send_spamd_server_packets($1)
	corenet_receive_spamd_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_spamd_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive spamd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_spamd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_spamd_server_packets'($*))dnl
	corenet_dontaudit_send_spamd_server_packets($1)
	corenet_dontaudit_receive_spamd_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_spamd_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the spamd_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_spamd_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_spamd_server_packets'($*))dnl
	gen_require(`
		type spamd_server_packet_t;
	')

	# relabelto only lets the domain apply this label to packets; it does
	# not grant send or recv on them.
	allow $1 spamd_server_packet_t:packet relabelto;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_spamd_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the speech port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_speech_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_speech_port'($*))dnl
	gen_require(`
		type speech_port_t;
	')

	# Message-level access only; name_connect / name_bind have their own interfaces.
	allow $1 speech_port_t:tcp_socket { send_msg recv_msg };

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_speech_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the speech port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_speech_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_speech_port'($*))dnl
	gen_require(`
		type speech_port_t;
	')

	allow $1 speech_port_t:udp_socket send_msg;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_speech_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the speech port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_speech_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_speech_port'($*))dnl
	gen_require(`
		type speech_port_t;
	')

	# Suppresses the AVC denial only; the access is still denied.
	dontaudit $1 speech_port_t:udp_socket send_msg;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_speech_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the speech port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_speech_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_speech_port'($*))dnl
	gen_require(`
		type speech_port_t;
	')

	allow $1 speech_port_t:udp_socket recv_msg;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_speech_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the speech port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_speech_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_speech_port'($*))dnl
	gen_require(`
		type speech_port_t;
	')

	dontaudit $1 speech_port_t:udp_socket recv_msg;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_speech_port'($*))dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the speech port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_speech_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_speech_port'($*))dnl
	corenet_udp_send_speech_port($1)
	corenet_udp_receive_speech_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_speech_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the speech port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_speech_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_speech_port'($*))dnl
	corenet_dontaudit_udp_send_speech_port($1)
	corenet_dontaudit_udp_receive_speech_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_speech_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the speech port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_speech_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_speech_port'($*))dnl
	gen_require(`
		type speech_port_t;
	')

	# No net_bind_service capability here: unlike the spamd interfaces above,
	# the speech port is not treated as a reserved port.
	allow $1 speech_port_t:tcp_socket name_bind;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_speech_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the speech port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_speech_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_speech_port'($*))dnl
	gen_require(`
		type speech_port_t;
	')

	allow $1 speech_port_t:udp_socket name_bind;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_speech_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the speech port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_speech_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_speech_port'($*))dnl
	gen_require(`
		type speech_port_t;
	')

	# Audit suppression only; grants nothing.
	dontaudit $1 speech_port_t:udp_socket name_bind;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_speech_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the speech port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_speech_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_speech_port'($*))dnl
	gen_require(`
		type speech_port_t;
	')

	# name_connect alone does not allow traffic on the established
	# connection; pair with corenet_tcp_sendrecv_speech_port where needed.
	allow $1 speech_port_t:tcp_socket name_connect;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_speech_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the speech port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_speech_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_speech_port'($*))dnl
	gen_require(`
		type speech_port_t;
	')

	dontaudit $1 speech_port_t:tcp_socket name_connect;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_speech_port'($*))dnl
')

########################################
## <summary>
##	Send speech_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_speech_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_speech_client_packets'($*))dnl
	gen_require(`
		type speech_client_packet_t;
	')

	# packet-class rules only take effect for packets that carry this label.
	allow $1 speech_client_packet_t:packet send;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_speech_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send speech_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_speech_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_speech_client_packets'($*))dnl
	gen_require(`
		type speech_client_packet_t;
	')

	dontaudit $1 speech_client_packet_t:packet send;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_speech_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive speech_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_speech_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_speech_client_packets'($*))dnl
	gen_require(`
		type speech_client_packet_t;
	')

	allow $1 speech_client_packet_t:packet recv;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_speech_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive speech_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_speech_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_speech_client_packets'($*))dnl
	gen_require(`
		type speech_client_packet_t;
	')

	dontaudit $1 speech_client_packet_t:packet recv;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_speech_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive speech_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_speech_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_speech_client_packets'($*))dnl
	corenet_send_speech_client_packets($1)
	corenet_receive_speech_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_speech_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive speech_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_speech_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_speech_client_packets'($*))dnl
	corenet_dontaudit_send_speech_client_packets($1)
	corenet_dontaudit_receive_speech_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_speech_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the speech_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_speech_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_speech_client_packets'($*))dnl
	gen_require(`
		type speech_client_packet_t;
	')

	# relabelto only lets the domain apply this label to packets; it does
	# not grant send or recv on them.
	allow $1 speech_client_packet_t:packet relabelto;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_speech_client_packets'($*))dnl
')

########################################
## <summary>
##	Send speech_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_speech_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_speech_server_packets'($*))dnl
	gen_require(`
		type speech_server_packet_t;
	')

	allow $1 speech_server_packet_t:packet send;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_speech_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send speech_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_speech_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_speech_server_packets'($*))dnl
	gen_require(`
		type speech_server_packet_t;
	')

	dontaudit $1 speech_server_packet_t:packet send;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_speech_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive speech_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_speech_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_speech_server_packets'($*))dnl
	gen_require(`
		type speech_server_packet_t;
	')

	allow $1 speech_server_packet_t:packet recv;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_speech_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive speech_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_speech_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_speech_server_packets'($*))dnl
	gen_require(`
		type speech_server_packet_t;
	')

	dontaudit $1 speech_server_packet_t:packet recv;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_speech_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive speech_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_speech_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_speech_server_packets'($*))dnl
	corenet_send_speech_server_packets($1)
	corenet_receive_speech_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_speech_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive speech_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_speech_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_speech_server_packets'($*))dnl
	corenet_dontaudit_send_speech_server_packets($1)
	corenet_dontaudit_receive_speech_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_speech_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the speech_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_speech_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_speech_server_packets'($*))dnl
	gen_require(`
		type speech_server_packet_t;
	')

	# relabelto only lets the domain apply this label to packets; it does
	# not grant send or recv on them.
	allow $1 speech_server_packet_t:packet relabelto;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_speech_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the squid port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_squid_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_squid_port'($*))dnl
	gen_require(`
		type squid_port_t;
	')

	# Message-level access only; name_connect / name_bind have their own interfaces.
	allow $1 squid_port_t:tcp_socket { send_msg recv_msg };

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_squid_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the squid port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_squid_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_squid_port'($*))dnl
	gen_require(`
		type squid_port_t;
	')

	allow $1 squid_port_t:udp_socket send_msg;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_squid_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the squid port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_squid_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_squid_port'($*))dnl
	gen_require(`
		type squid_port_t;
	')

	# Suppresses the AVC denial only; the access is still denied.
	dontaudit $1 squid_port_t:udp_socket send_msg;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_squid_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the squid port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_squid_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_squid_port'($*))dnl
	gen_require(`
		type squid_port_t;
	')

	allow $1 squid_port_t:udp_socket recv_msg;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_squid_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the squid port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_squid_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_squid_port'($*))dnl
	gen_require(`
		type squid_port_t;
	')

	dontaudit $1 squid_port_t:udp_socket recv_msg;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_squid_port'($*))dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the squid port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_squid_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_squid_port'($*))dnl
	corenet_udp_send_squid_port($1)
	corenet_udp_receive_squid_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_squid_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the squid port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_squid_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_squid_port'($*))dnl
	corenet_dontaudit_udp_send_squid_port($1)
	corenet_dontaudit_udp_receive_squid_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_squid_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the squid port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_squid_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_squid_port'($*))dnl
	gen_require(`
		type squid_port_t;
	')

	# No net_bind_service capability here: unlike the spamd interfaces above,
	# the squid port is not treated as a reserved port.
	allow $1 squid_port_t:tcp_socket name_bind;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_squid_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the squid port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_squid_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_squid_port'($*))dnl
	gen_require(`
		type squid_port_t;
	')

	allow $1 squid_port_t:udp_socket name_bind;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_squid_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the squid port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_squid_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_squid_port'($*))dnl
	gen_require(`
		type squid_port_t;
	')

	# Audit suppression only; grants nothing.
	dontaudit $1 squid_port_t:udp_socket name_bind;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_squid_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the squid port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_squid_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_squid_port'($*))dnl
	gen_require(`
		type squid_port_t;
	')

	# name_connect alone does not allow traffic on the established
	# connection; pair with corenet_tcp_sendrecv_squid_port where needed.
	allow $1 squid_port_t:tcp_socket name_connect;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_squid_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the squid port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_squid_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_squid_port'($*))dnl
	gen_require(`
		type squid_port_t;
	')

	dontaudit $1 squid_port_t:tcp_socket name_connect;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_squid_port'($*))dnl
')

########################################
## <summary>
##	Send squid_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_squid_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_squid_client_packets'($*))dnl
	gen_require(`
		type squid_client_packet_t;
	')

	# packet-class rules only take effect for packets that carry this label.
	allow $1 squid_client_packet_t:packet send;

popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_squid_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send squid_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## ## ## # define(`corenet_dontaudit_send_squid_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_squid_client_packets'($*)) dnl gen_require(` type squid_client_packet_t; ') dontaudit $1 squid_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_squid_client_packets'($*)) dnl ') ######################################## ## ## Receive squid_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_squid_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_squid_client_packets'($*)) dnl gen_require(` type squid_client_packet_t; ') allow $1 squid_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_squid_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive squid_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_squid_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_squid_client_packets'($*)) dnl gen_require(` type squid_client_packet_t; ') dontaudit $1 squid_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_squid_client_packets'($*)) dnl ') ######################################## ## ## Send and receive squid_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_squid_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_squid_client_packets'($*)) dnl corenet_send_squid_client_packets($1) corenet_receive_squid_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_squid_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive squid_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_squid_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_squid_client_packets'($*)) dnl corenet_dontaudit_send_squid_client_packets($1) corenet_dontaudit_receive_squid_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_squid_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to squid_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_squid_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_squid_client_packets'($*)) dnl gen_require(` type squid_client_packet_t; ') allow $1 squid_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_squid_client_packets'($*)) dnl ') ######################################## ## ## Send squid_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_squid_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_squid_server_packets'($*)) dnl gen_require(` type squid_server_packet_t; ') allow $1 squid_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_squid_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send squid_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_squid_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_squid_server_packets'($*)) dnl gen_require(` type squid_server_packet_t; ') dontaudit $1 squid_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_squid_server_packets'($*)) dnl ') ######################################## ## ## Receive squid_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_squid_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_squid_server_packets'($*)) dnl gen_require(` type squid_server_packet_t; ') allow $1 squid_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_squid_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive squid_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_squid_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_squid_server_packets'($*)) dnl gen_require(` type squid_server_packet_t; ') dontaudit $1 squid_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_squid_server_packets'($*)) dnl ') ######################################## ## ## Send and receive squid_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_squid_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_squid_server_packets'($*)) dnl corenet_send_squid_server_packets($1) corenet_receive_squid_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_squid_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive squid_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_squid_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_squid_server_packets'($*)) dnl corenet_dontaudit_send_squid_server_packets($1) corenet_dontaudit_receive_squid_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_squid_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to squid_server the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_squid_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_squid_server_packets'($*)) dnl gen_require(` type squid_server_packet_t; ') allow $1 squid_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_squid_server_packets'($*)) dnl ') # snmp and htcp ######################################## ## ## Send and receive TCP traffic on the ssdp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_ssdp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ssdp_port'($*)) dnl gen_require(` type ssdp_port_t; ') allow $1 ssdp_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ssdp_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the ssdp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_ssdp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ssdp_port'($*)) dnl gen_require(` type ssdp_port_t; ') allow $1 ssdp_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_ssdp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the ssdp port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_send_ssdp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ssdp_port'($*)) dnl gen_require(` type ssdp_port_t; ') dontaudit $1 ssdp_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ssdp_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the ssdp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_ssdp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ssdp_port'($*)) dnl gen_require(` type ssdp_port_t; ') allow $1 ssdp_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ssdp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the ssdp port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_ssdp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ssdp_port'($*)) dnl gen_require(` type ssdp_port_t; ') dontaudit $1 ssdp_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ssdp_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the ssdp port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_sendrecv_ssdp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ssdp_port'($*)) dnl corenet_udp_send_ssdp_port($1) corenet_udp_receive_ssdp_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ssdp_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the ssdp port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_ssdp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ssdp_port'($*)) dnl corenet_dontaudit_udp_send_ssdp_port($1) corenet_dontaudit_udp_receive_ssdp_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ssdp_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the ssdp port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_ssdp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ssdp_port'($*)) dnl gen_require(` type ssdp_port_t; ') allow $1 ssdp_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ssdp_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the ssdp port. ## ## ## ## Domain allowed access. 
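##	</summary>
## </param>
## </interface>
#
define(`corenet_udp_bind_ssdp_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ssdp_port'($*))dnl
	gen_require(`
		type ssdp_port_t;
	')

	allow $1 ssdp_port_t:udp_socket name_bind;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ssdp_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the ssdp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## </interface>
#
# Silences the UDP name_bind denial only; no access is granted.
define(`corenet_dontaudit_udp_bind_ssdp_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ssdp_port'($*))dnl
	gen_require(`
		type ssdp_port_t;
	')

	dontaudit $1 ssdp_port_t:udp_socket name_bind;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ssdp_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the ssdp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_ssdp_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ssdp_port'($*))dnl
	gen_require(`
		type ssdp_port_t;
	')

	allow $1 ssdp_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ssdp_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the ssdp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.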
## ## # define(`corenet_dontaudit_tcp_connect_ssdp_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ssdp_port'($*)) dnl gen_require(` type ssdp_port_t; ') dontaudit $1 ssdp_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ssdp_port'($*)) dnl ') ######################################## ## ## Send ssdp_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_ssdp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ssdp_client_packets'($*)) dnl gen_require(` type ssdp_client_packet_t; ') allow $1 ssdp_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ssdp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ssdp_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_ssdp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ssdp_client_packets'($*)) dnl gen_require(` type ssdp_client_packet_t; ') dontaudit $1 ssdp_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ssdp_client_packets'($*)) dnl ') ######################################## ## ## Receive ssdp_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_ssdp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ssdp_client_packets'($*)) dnl gen_require(` type ssdp_client_packet_t; ') allow $1 ssdp_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ssdp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ssdp_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_ssdp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ssdp_client_packets'($*)) dnl gen_require(` type ssdp_client_packet_t; ') dontaudit $1 ssdp_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ssdp_client_packets'($*)) dnl ') ######################################## ## ## Send and receive ssdp_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_ssdp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ssdp_client_packets'($*)) dnl corenet_send_ssdp_client_packets($1) corenet_receive_ssdp_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ssdp_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ssdp_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_ssdp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ssdp_client_packets'($*)) dnl corenet_dontaudit_send_ssdp_client_packets($1) corenet_dontaudit_receive_ssdp_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ssdp_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to ssdp_client the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_ssdp_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ssdp_client_packets'($*)) dnl gen_require(` type ssdp_client_packet_t; ') allow $1 ssdp_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ssdp_client_packets'($*)) dnl ') ######################################## ## ## Send ssdp_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_ssdp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ssdp_server_packets'($*)) dnl gen_require(` type ssdp_server_packet_t; ') allow $1 ssdp_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ssdp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ssdp_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_ssdp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ssdp_server_packets'($*)) dnl gen_require(` type ssdp_server_packet_t; ') dontaudit $1 ssdp_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ssdp_server_packets'($*)) dnl ') ######################################## ## ## Receive ssdp_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_ssdp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ssdp_server_packets'($*)) dnl gen_require(` type ssdp_server_packet_t; ') allow $1 ssdp_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ssdp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ssdp_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_dontaudit_receive_ssdp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ssdp_server_packets'($*)) dnl gen_require(` type ssdp_server_packet_t; ') dontaudit $1 ssdp_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ssdp_server_packets'($*)) dnl ') ######################################## ## ## Send and receive ssdp_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_ssdp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ssdp_server_packets'($*)) dnl corenet_send_ssdp_server_packets($1) corenet_receive_ssdp_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ssdp_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ssdp_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_ssdp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ssdp_server_packets'($*)) dnl corenet_dontaudit_send_ssdp_server_packets($1) corenet_dontaudit_receive_ssdp_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ssdp_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to ssdp_server the packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_ssdp_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ssdp_server_packets'($*)) dnl gen_require(` type ssdp_server_packet_t; ') allow $1 ssdp_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ssdp_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the ssh port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_sendrecv_ssh_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ssh_port'($*)) dnl gen_require(` type ssh_port_t; ') allow $1 ssh_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ssh_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the ssh port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_ssh_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ssh_port'($*)) dnl gen_require(` type ssh_port_t; ') allow $1 ssh_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_ssh_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the ssh port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_ssh_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ssh_port'($*)) dnl gen_require(` type ssh_port_t; ') dontaudit $1 ssh_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ssh_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the ssh port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_receive_ssh_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ssh_port'($*)) dnl gen_require(` type ssh_port_t; ') allow $1 ssh_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ssh_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the ssh port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_ssh_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ssh_port'($*)) dnl gen_require(` type ssh_port_t; ') dontaudit $1 ssh_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ssh_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the ssh port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_ssh_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ssh_port'($*)) dnl corenet_udp_send_ssh_port($1) corenet_udp_receive_ssh_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ssh_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the ssh port. ## ## ## ## Domain to not audit. 
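##	</summary>
## </param>
## </interface>
#
# Composite: delegates to the send and receive dontaudit interfaces so the
# gen_require for ssh_port_t lives in one place.
define(`corenet_dontaudit_udp_sendrecv_ssh_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ssh_port'($*))dnl
	corenet_dontaudit_udp_send_ssh_port($1)
	corenet_dontaudit_udp_receive_ssh_port($1)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ssh_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the ssh port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## </interface>
#
# The ssh port is a reserved port (expected to be declared below 1024 in
# the port declarations -- confirm there), so binding it also needs
# CAP_NET_BIND_SERVICE.  Note that the capability is granted on the calling
# domain itself (self:capability), so it is usable for any other reserved
# port the domain is otherwise allowed to name_bind, not just ssh.
define(`corenet_tcp_bind_ssh_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ssh_port'($*))dnl
	gen_require(`
		type ssh_port_t;
	')

	allow $1 ssh_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ssh_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the ssh port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## </interface>
#
# Same capability caveat as the TCP variant: net_bind_service is domain-wide.
define(`corenet_udp_bind_ssh_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ssh_port'($*))dnl
	gen_require(`
		type ssh_port_t;
	')

	allow $1 ssh_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ssh_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the ssh port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.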
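##	</summary>
## </param>
## </interface>
#
# A dontaudit interface must only silence denials; it must never grant
# access.  The original body also carried
#   allow $1 self:capability net_bind_service;
# which handed CAP_NET_BIND_SERVICE to any domain that merely wanted the
# ssh name_bind denial quieted (compare corenet_dontaudit_udp_bind_ssdp_port,
# which has no such rule).  Callers that really need to bind the port must
# use corenet_udp_bind_ssh_port instead.
define(`corenet_dontaudit_udp_bind_ssh_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ssh_port'($*))dnl
	gen_require(`
		type ssh_port_t;
	')

	dontaudit $1 ssh_port_t:udp_socket name_bind;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ssh_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the ssh port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_ssh_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ssh_port'($*))dnl
	gen_require(`
		type ssh_port_t;
	')

	allow $1 ssh_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ssh_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the ssh port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Silences the TCP name_connect denial only; no access is granted.
define(`corenet_dontaudit_tcp_connect_ssh_port',`dnl
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ssh_port'($*))dnl
	gen_require(`
		type ssh_port_t;
	')

	dontaudit $1 ssh_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ssh_port'($*))dnl
')

########################################
## <summary>
##	Send ssh_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.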
## ## ## # define(`corenet_send_ssh_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ssh_client_packets'($*)) dnl gen_require(` type ssh_client_packet_t; ') allow $1 ssh_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ssh_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ssh_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_ssh_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ssh_client_packets'($*)) dnl gen_require(` type ssh_client_packet_t; ') dontaudit $1 ssh_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ssh_client_packets'($*)) dnl ') ######################################## ## ## Receive ssh_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_ssh_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_ssh_client_packets'($*)) dnl gen_require(` type ssh_client_packet_t; ') allow $1 ssh_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_ssh_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive ssh_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_dontaudit_receive_ssh_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ssh_client_packets'($*)) dnl gen_require(` type ssh_client_packet_t; ') dontaudit $1 ssh_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ssh_client_packets'($*)) dnl ') ######################################## ## ## Send and receive ssh_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_ssh_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ssh_client_packets'($*)) dnl corenet_send_ssh_client_packets($1) corenet_receive_ssh_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ssh_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ssh_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_ssh_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ssh_client_packets'($*)) dnl corenet_dontaudit_send_ssh_client_packets($1) corenet_dontaudit_receive_ssh_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ssh_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to ssh_client the packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_ssh_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ssh_client_packets'($*)) dnl gen_require(` type ssh_client_packet_t; ') allow $1 ssh_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_ssh_client_packets'($*)) dnl ') ######################################## ## ## Send ssh_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_ssh_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_ssh_server_packets'($*)) dnl gen_require(` type ssh_server_packet_t; ') allow $1 ssh_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_ssh_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send ssh_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_ssh_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ssh_server_packets'($*)) dnl gen_require(` type ssh_server_packet_t; ') dontaudit $1 ssh_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ssh_server_packets'($*)) dnl ') ######################################## ## ## Receive ssh_server packets. ## ## ## ## Domain allowed access. 
##	</summary>
## </param>
#
define(`corenet_receive_ssh_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ssh_server_packets'($*))dnl
	gen_require(`
		type ssh_server_packet_t;
	')

	allow $1 ssh_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ssh_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive ssh_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_ssh_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ssh_server_packets'($*))dnl
	gen_require(`
		type ssh_server_packet_t;
	')

	# suppresses the AVC denial record only; nothing is granted.
	dontaudit $1 ssh_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ssh_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive ssh_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_ssh_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ssh_server_packets'($*))dnl
	corenet_send_ssh_server_packets($1)
	corenet_receive_ssh_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ssh_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive ssh_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_ssh_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ssh_server_packets'($*))dnl
	corenet_dontaudit_send_ssh_server_packets($1)
	corenet_dontaudit_receive_ssh_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ssh_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the ssh_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_ssh_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ssh_server_packets'($*))dnl
	gen_require(`
		type ssh_server_packet_t;
	')

	allow $1 ssh_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ssh_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the stunnel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_stunnel_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_stunnel_port'($*))dnl
	gen_require(`
		type stunnel_port_t;
	')

	# send_msg/recv_msg on the port type; name_bind and name_connect are
	# separate interfaces and are not implied here.
	allow $1 stunnel_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_stunnel_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the stunnel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_stunnel_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_stunnel_port'($*))dnl
	gen_require(`
		type stunnel_port_t;
	')

	allow $1 stunnel_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_stunnel_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the stunnel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_stunnel_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_stunnel_port'($*))dnl
	gen_require(`
		type stunnel_port_t;
	')

	# suppresses the AVC denial record only; nothing is granted.
	dontaudit $1 stunnel_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_stunnel_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the stunnel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_stunnel_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_stunnel_port'($*))dnl
	gen_require(`
		type stunnel_port_t;
	')

	allow $1 stunnel_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_stunnel_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the stunnel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_stunnel_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_stunnel_port'($*))dnl
	gen_require(`
		type stunnel_port_t;
	')

	# suppresses the AVC denial record only; nothing is granted.
	dontaudit $1 stunnel_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_stunnel_port'($*))dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the stunnel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_stunnel_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_stunnel_port'($*))dnl
	corenet_udp_send_stunnel_port($1)
	corenet_udp_receive_stunnel_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_stunnel_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the stunnel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_stunnel_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_stunnel_port'($*))dnl
	corenet_dontaudit_udp_send_stunnel_port($1)
	corenet_dontaudit_udp_receive_stunnel_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_stunnel_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the stunnel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_stunnel_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_stunnel_port'($*))dnl
	gen_require(`
		type stunnel_port_t;
	')

	# name_bind only; no net_bind_service capability is granted here, so a
	# caller binding a reserved port must obtain that separately.
	allow $1 stunnel_port_t:tcp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_stunnel_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the stunnel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_stunnel_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_stunnel_port'($*))dnl
	gen_require(`
		type stunnel_port_t;
	')

	allow $1 stunnel_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_stunnel_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the stunnel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_stunnel_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_stunnel_port'($*))dnl
	gen_require(`
		type stunnel_port_t;
	')

	# suppresses the AVC denial record only; nothing is granted.
	dontaudit $1 stunnel_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_stunnel_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the stunnel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_stunnel_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_stunnel_port'($*))dnl
	gen_require(`
		type stunnel_port_t;
	')

	# name_connect only covers the connect() check; send_msg/recv_msg on
	# the port type come from the sendrecv interface.
	allow $1 stunnel_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_stunnel_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the stunnel port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_stunnel_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_stunnel_port'($*))dnl
	gen_require(`
		type stunnel_port_t;
	')

	# suppresses the AVC denial record only; nothing is granted.
	dontaudit $1 stunnel_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_stunnel_port'($*))dnl
')

########################################
## <summary>
##	Send stunnel_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_stunnel_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_stunnel_client_packets'($*))dnl
	gen_require(`
		type stunnel_client_packet_t;
	')

	allow $1 stunnel_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_stunnel_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send stunnel_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_stunnel_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_stunnel_client_packets'($*))dnl
	gen_require(`
		type stunnel_client_packet_t;
	')

	# suppresses the AVC denial record only; nothing is granted.
	dontaudit $1 stunnel_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_stunnel_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive stunnel_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_stunnel_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_stunnel_client_packets'($*))dnl
	gen_require(`
		type stunnel_client_packet_t;
	')

	allow $1 stunnel_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_stunnel_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive stunnel_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_stunnel_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_stunnel_client_packets'($*))dnl
	gen_require(`
		type stunnel_client_packet_t;
	')

	# suppresses the AVC denial record only; nothing is granted.
	dontaudit $1 stunnel_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_stunnel_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive stunnel_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_stunnel_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_stunnel_client_packets'($*))dnl
	corenet_send_stunnel_client_packets($1)
	corenet_receive_stunnel_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_stunnel_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive stunnel_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_stunnel_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_stunnel_client_packets'($*))dnl
	corenet_dontaudit_send_stunnel_client_packets($1)
	corenet_dontaudit_receive_stunnel_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_stunnel_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the stunnel_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_stunnel_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_stunnel_client_packets'($*))dnl
	gen_require(`
		type stunnel_client_packet_t;
	')

	allow $1 stunnel_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_stunnel_client_packets'($*))dnl
')

########################################
## <summary>
##	Send stunnel_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_stunnel_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_stunnel_server_packets'($*))dnl
	gen_require(`
		type stunnel_server_packet_t;
	')

	allow $1 stunnel_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_stunnel_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send stunnel_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_stunnel_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_stunnel_server_packets'($*))dnl
	gen_require(`
		type stunnel_server_packet_t;
	')

	# suppresses the AVC denial record only; nothing is granted.
	dontaudit $1 stunnel_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_stunnel_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive stunnel_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_stunnel_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_stunnel_server_packets'($*))dnl
	gen_require(`
		type stunnel_server_packet_t;
	')

	allow $1 stunnel_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_stunnel_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive stunnel_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_stunnel_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_stunnel_server_packets'($*))dnl
	gen_require(`
		type stunnel_server_packet_t;
	')

	# suppresses the AVC denial record only; nothing is granted.
	dontaudit $1 stunnel_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_stunnel_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive stunnel_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_stunnel_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_stunnel_server_packets'($*))dnl
	corenet_send_stunnel_server_packets($1)
	corenet_receive_stunnel_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_stunnel_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive stunnel_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_stunnel_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_stunnel_server_packets'($*))dnl
	corenet_dontaudit_send_stunnel_server_packets($1)
	corenet_dontaudit_receive_stunnel_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_stunnel_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the stunnel_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_stunnel_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_stunnel_server_packets'($*))dnl
	gen_require(`
		type stunnel_server_packet_t;
	')

	allow $1 stunnel_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_stunnel_server_packets'($*))dnl
')

# no defined portcon
# NOTE(review): no port number is labeled svn_port_t by default, so the
# svn port interfaces below grant access on a type that nothing carries
# until local policy or an administrator labels a port with it. Until
# then these rules are inert -- they neither permit nor restrict traffic.

########################################
## <summary>
##	Send and receive TCP traffic on the svn port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_svn_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_svn_port'($*))dnl
	gen_require(`
		type svn_port_t;
	')

	allow $1 svn_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_svn_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the svn port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_svn_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_svn_port'($*))dnl
	gen_require(`
		type svn_port_t;
	')

	allow $1 svn_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_svn_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the svn port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_svn_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_svn_port'($*))dnl
	gen_require(`
		type svn_port_t;
	')

	# suppresses the AVC denial record only; nothing is granted.
	dontaudit $1 svn_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_svn_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the svn port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_svn_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_svn_port'($*))dnl
	gen_require(`
		type svn_port_t;
	')

	allow $1 svn_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_svn_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the svn port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_svn_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_svn_port'($*))dnl
	gen_require(`
		type svn_port_t;
	')

	# suppresses the AVC denial record only; nothing is granted.
	dontaudit $1 svn_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_svn_port'($*))dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the svn port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_svn_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_svn_port'($*))dnl
	corenet_udp_send_svn_port($1)
	corenet_udp_receive_svn_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_svn_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the svn port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_svn_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_svn_port'($*))dnl
	corenet_dontaudit_udp_send_svn_port($1)
	corenet_dontaudit_udp_receive_svn_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_svn_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the svn port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_svn_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_svn_port'($*))dnl
	gen_require(`
		type svn_port_t;
	')

	# name_bind only; no net_bind_service capability is granted here.
	allow $1 svn_port_t:tcp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_svn_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the svn port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_svn_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_svn_port'($*))dnl
	gen_require(`
		type svn_port_t;
	')

	allow $1 svn_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_svn_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the svn port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_svn_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_svn_port'($*))dnl
	gen_require(`
		type svn_port_t;
	')

	# suppresses the AVC denial record only; nothing is granted.
	dontaudit $1 svn_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_svn_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the svn port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_svn_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_svn_port'($*))dnl
	gen_require(`
		type svn_port_t;
	')

	allow $1 svn_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_svn_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the svn port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_svn_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_svn_port'($*))dnl
	gen_require(`
		type svn_port_t;
	')

	# suppresses the AVC denial record only; nothing is granted.
	dontaudit $1 svn_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_svn_port'($*))dnl
')

########################################
## <summary>
##	Send svn_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_svn_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_svn_client_packets'($*))dnl
	gen_require(`
		type svn_client_packet_t;
	')

	allow $1 svn_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_svn_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send svn_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_svn_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_svn_client_packets'($*))dnl
	gen_require(`
		type svn_client_packet_t;
	')

	# suppresses the AVC denial record only; nothing is granted.
	dontaudit $1 svn_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_svn_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive svn_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_svn_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_svn_client_packets'($*))dnl
	gen_require(`
		type svn_client_packet_t;
	')

	allow $1 svn_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_svn_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive svn_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_svn_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_svn_client_packets'($*))dnl
	gen_require(`
		type svn_client_packet_t;
	')

	# suppresses the AVC denial record only; nothing is granted.
	dontaudit $1 svn_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_svn_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive svn_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_svn_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_svn_client_packets'($*))dnl
	corenet_send_svn_client_packets($1)
	corenet_receive_svn_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_svn_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive svn_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_svn_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_svn_client_packets'($*))dnl
	corenet_dontaudit_send_svn_client_packets($1)
	corenet_dontaudit_receive_svn_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_svn_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the svn_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_svn_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_svn_client_packets'($*))dnl
	gen_require(`
		type svn_client_packet_t;
	')

	allow $1 svn_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_svn_client_packets'($*))dnl
')

########################################
## <summary>
##	Send svn_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_svn_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_svn_server_packets'($*))dnl
	gen_require(`
		type svn_server_packet_t;
	')

	allow $1 svn_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_svn_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send svn_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_svn_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_svn_server_packets'($*))dnl
	gen_require(`
		type svn_server_packet_t;
	')

	# suppresses the AVC denial record only; nothing is granted.
	dontaudit $1 svn_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_svn_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive svn_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_svn_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_svn_server_packets'($*))dnl
	gen_require(`
		type svn_server_packet_t;
	')

	allow $1 svn_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_svn_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive svn_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_svn_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_svn_server_packets'($*))dnl
	gen_require(`
		type svn_server_packet_t;
	')

	# suppresses the AVC denial record only; nothing is granted.
	dontaudit $1 svn_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_svn_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive svn_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_svn_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_svn_server_packets'($*))dnl
	corenet_send_svn_server_packets($1)
	corenet_receive_svn_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_svn_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive svn_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_svn_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_svn_server_packets'($*))dnl
	corenet_dontaudit_send_svn_server_packets($1)
	corenet_dontaudit_receive_svn_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_svn_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the svn_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_svn_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_svn_server_packets'($*))dnl
	gen_require(`
		type svn_server_packet_t;
	')

	allow $1 svn_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_svn_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the svrloc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_svrloc_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_svrloc_port'($*))dnl
	gen_require(`
		type svrloc_port_t;
	')

	allow $1 svrloc_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_svrloc_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the svrloc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_svrloc_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_svrloc_port'($*))dnl
	gen_require(`
		type svrloc_port_t;
	')

	allow $1 svrloc_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_svrloc_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the svrloc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_svrloc_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_svrloc_port'($*))dnl
	gen_require(`
		type svrloc_port_t;
	')

	# suppresses the AVC denial record only; nothing is granted.
	dontaudit $1 svrloc_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_svrloc_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the svrloc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_svrloc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_svrloc_port'($*)) dnl
	gen_require(`
		type svrloc_port_t;
	')

	allow $1 svrloc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_svrloc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the svrloc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_svrloc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_svrloc_port'($*)) dnl
	gen_require(`
		type svrloc_port_t;
	')

	dontaudit $1 svrloc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_svrloc_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the svrloc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_svrloc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_svrloc_port'($*)) dnl
	corenet_udp_send_svrloc_port($1)
	corenet_udp_receive_svrloc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_svrloc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the svrloc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
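##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_svrloc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_svrloc_port'($*)) dnl
	corenet_dontaudit_udp_send_svrloc_port($1)
	corenet_dontaudit_udp_receive_svrloc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_svrloc_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the svrloc port.
## </summary>
## <desc>
##	<p>
##	Besides name_bind on the port type, this interface also grants
##	the caller the net_bind_service capability, so every caller
##	receives that capability whether or not it needs it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_svrloc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_svrloc_port'($*)) dnl
	gen_require(`
		type svrloc_port_t;
	')

	allow $1 svrloc_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_svrloc_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the svrloc port.
## </summary>
## <desc>
##	<p>
##	Besides name_bind on the port type, this interface also grants
##	the caller the net_bind_service capability, so every caller
##	receives that capability whether or not it needs it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_svrloc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_svrloc_port'($*)) dnl
	gen_require(`
		type svrloc_port_t;
	')

	allow $1 svrloc_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_svrloc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the svrloc port.
## </summary>
## <desc>
##	<p>
##	Silences both the name_bind denial on the port type and the
##	net_bind_service capability denial that accompanies a bind
##	attempt. Nothing is granted: a dontaudit interface must not add
##	privilege, so the capability is dontaudited here rather than
##	allowed. A domain that really has to bind the port needs
##	corenet_udp_bind_svrloc_port() instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_svrloc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_svrloc_port'($*)) dnl
	gen_require(`
		type svrloc_port_t;
	')

	dontaudit $1 svrloc_port_t:udp_socket name_bind;
	dontaudit $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_svrloc_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the svrloc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_svrloc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_svrloc_port'($*)) dnl
	gen_require(`
		type svrloc_port_t;
	')

	allow $1 svrloc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_svrloc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the svrloc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_svrloc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_svrloc_port'($*)) dnl
	gen_require(`
		type svrloc_port_t;
	')

	dontaudit $1 svrloc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_svrloc_port'($*)) dnl
')

########################################
## <summary>
##	Send svrloc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.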
##	</summary>
## </param>
#
define(`corenet_send_svrloc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_svrloc_client_packets'($*)) dnl
	gen_require(`
		type svrloc_client_packet_t;
	')

	allow $1 svrloc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_svrloc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send svrloc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_svrloc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_svrloc_client_packets'($*)) dnl
	gen_require(`
		type svrloc_client_packet_t;
	')

	dontaudit $1 svrloc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_svrloc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive svrloc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_svrloc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_svrloc_client_packets'($*)) dnl
	gen_require(`
		type svrloc_client_packet_t;
	')

	allow $1 svrloc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_svrloc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive svrloc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_svrloc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_svrloc_client_packets'($*)) dnl
	gen_require(`
		type svrloc_client_packet_t;
	')

	dontaudit $1 svrloc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_svrloc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive svrloc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_svrloc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_svrloc_client_packets'($*)) dnl
	corenet_send_svrloc_client_packets($1)
	corenet_receive_svrloc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_svrloc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive svrloc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_svrloc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_svrloc_client_packets'($*)) dnl
	corenet_dontaudit_send_svrloc_client_packets($1)
	corenet_dontaudit_receive_svrloc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_svrloc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the svrloc_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_svrloc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_svrloc_client_packets'($*)) dnl
	gen_require(`
		type svrloc_client_packet_t;
	')

	allow $1 svrloc_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_svrloc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send svrloc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_svrloc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_svrloc_server_packets'($*)) dnl
	gen_require(`
		type svrloc_server_packet_t;
	')

	allow $1 svrloc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_svrloc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send svrloc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_svrloc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_svrloc_server_packets'($*)) dnl
	gen_require(`
		type svrloc_server_packet_t;
	')

	dontaudit $1 svrloc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_svrloc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive svrloc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_svrloc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_svrloc_server_packets'($*)) dnl
	gen_require(`
		type svrloc_server_packet_t;
	')

	allow $1 svrloc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_svrloc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive svrloc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_svrloc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_svrloc_server_packets'($*)) dnl
	gen_require(`
		type svrloc_server_packet_t;
	')

	dontaudit $1 svrloc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_svrloc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive svrloc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_svrloc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_svrloc_server_packets'($*)) dnl
	corenet_send_svrloc_server_packets($1)
	corenet_receive_svrloc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_svrloc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive svrloc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_svrloc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_svrloc_server_packets'($*)) dnl
	corenet_dontaudit_send_svrloc_server_packets($1)
	corenet_dontaudit_receive_svrloc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_svrloc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the svrloc_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_svrloc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_svrloc_server_packets'($*)) dnl
	gen_require(`
		type svrloc_server_packet_t;
	')

	allow $1 svrloc_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_svrloc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the swat port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_swat_port'($*)) dnl
	gen_require(`
		type swat_port_t;
	')

	allow $1 swat_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_swat_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the swat port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_swat_port'($*)) dnl
	gen_require(`
		type swat_port_t;
	')

	allow $1 swat_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_swat_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the swat port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_swat_port'($*)) dnl
	gen_require(`
		type swat_port_t;
	')

	dontaudit $1 swat_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_swat_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the swat port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_swat_port'($*)) dnl
	gen_require(`
		type swat_port_t;
	')

	allow $1 swat_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_swat_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the swat port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_swat_port'($*)) dnl
	gen_require(`
		type swat_port_t;
	')

	dontaudit $1 swat_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_swat_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the swat port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_swat_port'($*)) dnl
	corenet_udp_send_swat_port($1)
	corenet_udp_receive_swat_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_swat_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the swat port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_swat_port'($*)) dnl
	corenet_dontaudit_udp_send_swat_port($1)
	corenet_dontaudit_udp_receive_swat_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_swat_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the swat port.
## </summary>
## <desc>
##	<p>
##	Besides name_bind on the port type, this interface also grants
##	the caller the net_bind_service capability, so every caller
##	receives that capability whether or not it needs it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
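##	</summary>
## </param>
#
define(`corenet_tcp_bind_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_swat_port'($*)) dnl
	gen_require(`
		type swat_port_t;
	')

	allow $1 swat_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_swat_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the swat port.
## </summary>
## <desc>
##	<p>
##	Besides name_bind on the port type, this interface also grants
##	the caller the net_bind_service capability, so every caller
##	receives that capability whether or not it needs it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_swat_port'($*)) dnl
	gen_require(`
		type swat_port_t;
	')

	allow $1 swat_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_swat_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the swat port.
## </summary>
## <desc>
##	<p>
##	Silences both the name_bind denial on the port type and the
##	net_bind_service capability denial that accompanies a bind
##	attempt. Nothing is granted: a dontaudit interface must not add
##	privilege, so the capability is dontaudited here rather than
##	allowed. A domain that really has to bind the port needs
##	corenet_udp_bind_swat_port() instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_swat_port'($*)) dnl
	gen_require(`
		type swat_port_t;
	')

	dontaudit $1 swat_port_t:udp_socket name_bind;
	dontaudit $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_swat_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the swat port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.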
##	</summary>
## </param>
#
define(`corenet_tcp_connect_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_swat_port'($*)) dnl
	gen_require(`
		type swat_port_t;
	')

	allow $1 swat_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_swat_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the swat port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_swat_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_swat_port'($*)) dnl
	gen_require(`
		type swat_port_t;
	')

	dontaudit $1 swat_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_swat_port'($*)) dnl
')

########################################
## <summary>
##	Send swat_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_swat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_swat_client_packets'($*)) dnl
	gen_require(`
		type swat_client_packet_t;
	')

	allow $1 swat_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_swat_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send swat_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_swat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_swat_client_packets'($*)) dnl
	gen_require(`
		type swat_client_packet_t;
	')

	dontaudit $1 swat_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_swat_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive swat_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_swat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_swat_client_packets'($*)) dnl
	gen_require(`
		type swat_client_packet_t;
	')

	allow $1 swat_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_swat_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive swat_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_swat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_swat_client_packets'($*)) dnl
	gen_require(`
		type swat_client_packet_t;
	')

	dontaudit $1 swat_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_swat_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive swat_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_swat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_swat_client_packets'($*)) dnl
	corenet_send_swat_client_packets($1)
	corenet_receive_swat_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_swat_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive swat_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_swat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_swat_client_packets'($*)) dnl
	corenet_dontaudit_send_swat_client_packets($1)
	corenet_dontaudit_receive_swat_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_swat_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the swat_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_swat_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_swat_client_packets'($*)) dnl
	gen_require(`
		type swat_client_packet_t;
	')

	allow $1 swat_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_swat_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send swat_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_swat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_swat_server_packets'($*)) dnl
	gen_require(`
		type swat_server_packet_t;
	')

	allow $1 swat_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_swat_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send swat_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_swat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_swat_server_packets'($*)) dnl
	gen_require(`
		type swat_server_packet_t;
	')

	dontaudit $1 swat_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_swat_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive swat_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_swat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_swat_server_packets'($*)) dnl
	gen_require(`
		type swat_server_packet_t;
	')

	allow $1 swat_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_swat_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive swat_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_swat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_swat_server_packets'($*)) dnl
	gen_require(`
		type swat_server_packet_t;
	')

	dontaudit $1 swat_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_swat_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive swat_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_swat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_swat_server_packets'($*)) dnl
	corenet_send_swat_server_packets($1)
	corenet_receive_swat_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_swat_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive swat_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_swat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_swat_server_packets'($*)) dnl
	corenet_dontaudit_send_swat_server_packets($1)
	corenet_dontaudit_receive_swat_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_swat_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the swat_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_swat_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_swat_server_packets'($*)) dnl
	gen_require(`
		type swat_server_packet_t;
	')

	allow $1 swat_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_swat_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the swift port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_swift_port'($*)) dnl
	gen_require(`
		type swift_port_t;
	')

	allow $1 swift_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_swift_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the swift port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_swift_port'($*)) dnl
	gen_require(`
		type swift_port_t;
	')

	allow $1 swift_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_swift_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the swift port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_swift_port'($*)) dnl
	gen_require(`
		type swift_port_t;
	')

	dontaudit $1 swift_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_swift_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the swift port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_swift_port'($*)) dnl
	gen_require(`
		type swift_port_t;
	')

	allow $1 swift_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_swift_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the swift port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_swift_port'($*)) dnl
	gen_require(`
		type swift_port_t;
	')

	dontaudit $1 swift_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_swift_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the swift port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_swift_port'($*)) dnl
	corenet_udp_send_swift_port($1)
	corenet_udp_receive_swift_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_swift_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the swift port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_swift_port'($*)) dnl
	corenet_dontaudit_udp_send_swift_port($1)
	corenet_dontaudit_udp_receive_swift_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_swift_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the swift port.
## </summary>
## <desc>
##	<p>
##	Besides name_bind on the port type, this interface also grants
##	the caller the net_bind_service capability, so every caller
##	receives that capability whether or not it needs it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_swift_port'($*)) dnl
	gen_require(`
		type swift_port_t;
	')

	allow $1 swift_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_swift_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the swift port.
## </summary>
## <desc>
##	<p>
##	Besides name_bind on the port type, this interface also grants
##	the caller the net_bind_service capability, so every caller
##	receives that capability whether or not it needs it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
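##	</summary>
## </param>
#
define(`corenet_udp_bind_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_swift_port'($*)) dnl
	gen_require(`
		type swift_port_t;
	')

	allow $1 swift_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_swift_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the swift port.
## </summary>
## <desc>
##	<p>
##	Silences both the name_bind denial on the port type and the
##	net_bind_service capability denial that accompanies a bind
##	attempt. Nothing is granted: a dontaudit interface must not add
##	privilege, so the capability is dontaudited here rather than
##	allowed. A domain that really has to bind the port needs
##	corenet_udp_bind_swift_port() instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_swift_port'($*)) dnl
	gen_require(`
		type swift_port_t;
	')

	dontaudit $1 swift_port_t:udp_socket name_bind;
	dontaudit $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_swift_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the swift port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_swift_port'($*)) dnl
	gen_require(`
		type swift_port_t;
	')

	allow $1 swift_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_swift_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the swift port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.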
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_swift_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_swift_port'($*)) dnl
	gen_require(`
		type swift_port_t;
	')

	dontaudit $1 swift_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_swift_port'($*)) dnl
')

########################################
## <summary>
##	Send swift_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_swift_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_swift_client_packets'($*)) dnl
	gen_require(`
		type swift_client_packet_t;
	')

	allow $1 swift_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_swift_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send swift_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_swift_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_swift_client_packets'($*)) dnl
	gen_require(`
		type swift_client_packet_t;
	')

	dontaudit $1 swift_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_swift_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive swift_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_swift_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_swift_client_packets'($*)) dnl
	gen_require(`
		type swift_client_packet_t;
	')

	allow $1 swift_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_swift_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive swift_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_swift_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_swift_client_packets'($*)) dnl
	gen_require(`
		type swift_client_packet_t;
	')

	dontaudit $1 swift_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_swift_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive swift_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_swift_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_swift_client_packets'($*)) dnl
	# Convenience wrapper over the two single-direction interfaces.
	corenet_send_swift_client_packets($1)
	corenet_receive_swift_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_swift_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive swift_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_swift_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_swift_client_packets'($*)) dnl
	# Suppresses audit messages only; no access is granted here.
	corenet_dontaudit_send_swift_client_packets($1)
	corenet_dontaudit_receive_swift_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_swift_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the swift_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_swift_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_swift_client_packets'($*)) dnl
	gen_require(`
		type swift_client_packet_t;
	')

	allow $1 swift_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_swift_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send swift_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_swift_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_swift_server_packets'($*)) dnl
	gen_require(`
		type swift_server_packet_t;
	')

	allow $1 swift_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_swift_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send swift_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_swift_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_swift_server_packets'($*)) dnl
	gen_require(`
		type swift_server_packet_t;
	')

	dontaudit $1 swift_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_swift_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive swift_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_swift_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_swift_server_packets'($*)) dnl
	gen_require(`
		type swift_server_packet_t;
	')

	allow $1 swift_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_swift_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive swift_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_swift_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_swift_server_packets'($*)) dnl
	gen_require(`
		type swift_server_packet_t;
	')

	dontaudit $1 swift_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_swift_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive swift_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_swift_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_swift_server_packets'($*)) dnl
	# Convenience wrapper over the two single-direction interfaces.
	corenet_send_swift_server_packets($1)
	corenet_receive_swift_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_swift_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive swift_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_swift_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_swift_server_packets'($*)) dnl
	# Suppresses audit messages only; no access is granted here.
	corenet_dontaudit_send_swift_server_packets($1)
	corenet_dontaudit_receive_swift_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_swift_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the swift_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_swift_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_swift_server_packets'($*)) dnl
	gen_require(`
		type swift_server_packet_t;
	')

	allow $1 swift_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_swift_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the sype_transport port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_sype_transport_port'($*)) dnl
	gen_require(`
		type sype_transport_port_t;
	')

	allow $1 sype_transport_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_sype_transport_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the sype_transport port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_sype_transport_port'($*)) dnl
	gen_require(`
		type sype_transport_port_t;
	')

	allow $1 sype_transport_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_sype_transport_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the sype_transport port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_sype_transport_port'($*)) dnl
	gen_require(`
		type sype_transport_port_t;
	')

	dontaudit $1 sype_transport_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_sype_transport_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the sype_transport port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_sype_transport_port'($*)) dnl
	gen_require(`
		type sype_transport_port_t;
	')

	allow $1 sype_transport_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_sype_transport_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the sype_transport port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_sype_transport_port'($*)) dnl
	gen_require(`
		type sype_transport_port_t;
	')

	dontaudit $1 sype_transport_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_sype_transport_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the sype_transport port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_sype_transport_port'($*)) dnl
	# Convenience wrapper over the two single-direction interfaces.
	corenet_udp_send_sype_transport_port($1)
	corenet_udp_receive_sype_transport_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_sype_transport_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the sype_transport port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_sype_transport_port'($*)) dnl
	# Suppresses audit messages only; no access is granted here.
	corenet_dontaudit_udp_send_sype_transport_port($1)
	corenet_dontaudit_udp_receive_sype_transport_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_sype_transport_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the sype_transport port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_sype_transport_port'($*)) dnl
	gen_require(`
		type sype_transport_port_t;
	')

	# No net_bind_service here: presumably a non-reserved port - confirm
	# against the port declaration.
	allow $1 sype_transport_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_sype_transport_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the sype_transport port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_sype_transport_port'($*)) dnl
	gen_require(`
		type sype_transport_port_t;
	')

	allow $1 sype_transport_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_sype_transport_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the sype_transport port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_sype_transport_port'($*)) dnl
	gen_require(`
		type sype_transport_port_t;
	')

	dontaudit $1 sype_transport_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_sype_transport_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the sype_transport port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_sype_transport_port'($*)) dnl
	gen_require(`
		type sype_transport_port_t;
	')

	allow $1 sype_transport_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_sype_transport_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the sype_transport port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_sype_transport_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_sype_transport_port'($*)) dnl
	gen_require(`
		type sype_transport_port_t;
	')

	dontaudit $1 sype_transport_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_sype_transport_port'($*)) dnl
')

########################################
## <summary>
##	Send sype_transport_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_sype_transport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_sype_transport_client_packets'($*)) dnl
	gen_require(`
		type sype_transport_client_packet_t;
	')

	allow $1 sype_transport_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_sype_transport_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send sype_transport_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_sype_transport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sype_transport_client_packets'($*)) dnl
	gen_require(`
		type sype_transport_client_packet_t;
	')

	dontaudit $1 sype_transport_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sype_transport_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive sype_transport_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_sype_transport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_sype_transport_client_packets'($*)) dnl
	gen_require(`
		type sype_transport_client_packet_t;
	')

	allow $1 sype_transport_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_sype_transport_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive sype_transport_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_sype_transport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sype_transport_client_packets'($*)) dnl
	gen_require(`
		type sype_transport_client_packet_t;
	')

	dontaudit $1 sype_transport_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sype_transport_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive sype_transport_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_sype_transport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sype_transport_client_packets'($*)) dnl
	# Convenience wrapper over the two single-direction interfaces.
	corenet_send_sype_transport_client_packets($1)
	corenet_receive_sype_transport_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sype_transport_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive sype_transport_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_sype_transport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sype_transport_client_packets'($*)) dnl
	# Suppresses audit messages only; no access is granted here.
	corenet_dontaudit_send_sype_transport_client_packets($1)
	corenet_dontaudit_receive_sype_transport_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sype_transport_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the sype_transport_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_sype_transport_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sype_transport_client_packets'($*)) dnl
	gen_require(`
		type sype_transport_client_packet_t;
	')

	allow $1 sype_transport_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_sype_transport_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send sype_transport_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_sype_transport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_sype_transport_server_packets'($*)) dnl
	gen_require(`
		type sype_transport_server_packet_t;
	')

	allow $1 sype_transport_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_sype_transport_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send sype_transport_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_sype_transport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_sype_transport_server_packets'($*)) dnl
	gen_require(`
		type sype_transport_server_packet_t;
	')

	dontaudit $1 sype_transport_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_sype_transport_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive sype_transport_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_sype_transport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_sype_transport_server_packets'($*)) dnl
	gen_require(`
		type sype_transport_server_packet_t;
	')

	allow $1 sype_transport_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_sype_transport_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive sype_transport_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_sype_transport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_sype_transport_server_packets'($*)) dnl
	gen_require(`
		type sype_transport_server_packet_t;
	')

	dontaudit $1 sype_transport_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_sype_transport_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive sype_transport_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_sype_transport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_sype_transport_server_packets'($*)) dnl
	# Convenience wrapper over the two single-direction interfaces.
	corenet_send_sype_transport_server_packets($1)
	corenet_receive_sype_transport_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_sype_transport_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive sype_transport_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_sype_transport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_sype_transport_server_packets'($*)) dnl
	# Suppresses audit messages only; no access is granted here.
	corenet_dontaudit_send_sype_transport_server_packets($1)
	corenet_dontaudit_receive_sype_transport_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_sype_transport_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the sype_transport_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_sype_transport_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_sype_transport_server_packets'($*)) dnl
	gen_require(`
		type sype_transport_server_packet_t;
	')

	allow $1 sype_transport_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_sype_transport_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the syslogd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_syslogd_port'($*)) dnl
	gen_require(`
		type syslogd_port_t;
	')

	allow $1 syslogd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_syslogd_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the syslogd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_syslogd_port'($*)) dnl
	gen_require(`
		type syslogd_port_t;
	')

	allow $1 syslogd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_syslogd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the syslogd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_syslogd_port'($*)) dnl
	gen_require(`
		type syslogd_port_t;
	')

	dontaudit $1 syslogd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_syslogd_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the syslogd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_syslogd_port'($*)) dnl
	gen_require(`
		type syslogd_port_t;
	')

	allow $1 syslogd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_syslogd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the syslogd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_syslogd_port'($*)) dnl
	gen_require(`
		type syslogd_port_t;
	')

	dontaudit $1 syslogd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_syslogd_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the syslogd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_syslogd_port'($*)) dnl
	# Convenience wrapper over the two single-direction interfaces.
	corenet_udp_send_syslogd_port($1)
	corenet_udp_receive_syslogd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_syslogd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the syslogd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_syslogd_port'($*)) dnl
	# Suppresses audit messages only; no access is granted here.
	corenet_dontaudit_udp_send_syslogd_port($1)
	corenet_dontaudit_udp_receive_syslogd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_syslogd_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the syslogd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
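##	</summary>
## </param>
#
define(`corenet_tcp_bind_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_syslogd_port'($*)) dnl
	gen_require(`
		type syslogd_port_t;
	')

	allow $1 syslogd_port_t:tcp_socket name_bind;
	# NOTE(review): net_bind_service is a process-wide capability, not scoped
	# to this port; presumably granted because the port is reserved - confirm
	# against the port declaration.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_syslogd_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the syslogd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_syslogd_port'($*)) dnl
	gen_require(`
		type syslogd_port_t;
	')

	allow $1 syslogd_port_t:udp_socket name_bind;
	# Same process-wide capability as in the TCP bind interface above.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_syslogd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the syslogd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_syslogd_port'($*)) dnl
	gen_require(`
		type syslogd_port_t;
	')

	dontaudit $1 syslogd_port_t:udp_socket name_bind;
	# A dontaudit interface must not grant access: the capability check that
	# accompanies a reserved-port bind is silenced here, not allowed, so the
	# caller gets exactly what the interface name promises.
	dontaudit $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_syslogd_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the syslogd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.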
##	</summary>
## </param>
#
define(`corenet_tcp_connect_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_syslogd_port'($*)) dnl
	gen_require(`
		type syslogd_port_t;
	')

	allow $1 syslogd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_syslogd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the syslogd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_syslogd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_syslogd_port'($*)) dnl
	gen_require(`
		type syslogd_port_t;
	')

	dontaudit $1 syslogd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_syslogd_port'($*)) dnl
')

########################################
## <summary>
##	Send syslogd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_syslogd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_syslogd_client_packets'($*)) dnl
	gen_require(`
		type syslogd_client_packet_t;
	')

	allow $1 syslogd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_syslogd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send syslogd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_syslogd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_syslogd_client_packets'($*)) dnl
	gen_require(`
		type syslogd_client_packet_t;
	')

	dontaudit $1 syslogd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_syslogd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive syslogd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_syslogd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_syslogd_client_packets'($*)) dnl
	gen_require(`
		type syslogd_client_packet_t;
	')

	allow $1 syslogd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_syslogd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive syslogd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_syslogd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_syslogd_client_packets'($*)) dnl
	gen_require(`
		type syslogd_client_packet_t;
	')

	dontaudit $1 syslogd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_syslogd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive syslogd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_syslogd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_syslogd_client_packets'($*)) dnl
	corenet_send_syslogd_client_packets($1)
	corenet_receive_syslogd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_syslogd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive syslogd_client packets.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_syslogd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_syslogd_client_packets'($*)) dnl
	corenet_dontaudit_send_syslogd_client_packets($1)
	corenet_dontaudit_receive_syslogd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_syslogd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the syslogd_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_syslogd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_syslogd_client_packets'($*)) dnl
	gen_require(`
		type syslogd_client_packet_t;
	')

	allow $1 syslogd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_syslogd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send syslogd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_syslogd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_syslogd_server_packets'($*)) dnl
	gen_require(`
		type syslogd_server_packet_t;
	')

	allow $1 syslogd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_syslogd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send syslogd_server packets.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_syslogd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_syslogd_server_packets'($*)) dnl
	gen_require(`
		type syslogd_server_packet_t;
	')

	dontaudit $1 syslogd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_syslogd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive syslogd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_syslogd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_syslogd_server_packets'($*)) dnl
	gen_require(`
		type syslogd_server_packet_t;
	')

	allow $1 syslogd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_syslogd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive syslogd_server packets.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_syslogd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_syslogd_server_packets'($*)) dnl
	gen_require(`
		type syslogd_server_packet_t;
	')

	dontaudit $1 syslogd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_syslogd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive syslogd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_syslogd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_syslogd_server_packets'($*)) dnl
	corenet_send_syslogd_server_packets($1)
	corenet_receive_syslogd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_syslogd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive syslogd_server packets.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_syslogd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_syslogd_server_packets'($*)) dnl
	corenet_dontaudit_send_syslogd_server_packets($1)
	corenet_dontaudit_receive_syslogd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_syslogd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the syslogd_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_syslogd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_syslogd_server_packets'($*)) dnl
	gen_require(`
		type syslogd_server_packet_t;
	')

	allow $1 syslogd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_syslogd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the syslog_tls port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_tcp_sendrecv_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_syslog_tls_port'($*)) dnl
	gen_require(`
		type syslog_tls_port_t;
	')

	allow $1 syslog_tls_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_syslog_tls_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the syslog_tls port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_syslog_tls_port'($*)) dnl
	gen_require(`
		type syslog_tls_port_t;
	')

	allow $1 syslog_tls_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_syslog_tls_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the syslog_tls port.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_syslog_tls_port'($*)) dnl
	gen_require(`
		type syslog_tls_port_t;
	')

	dontaudit $1 syslog_tls_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_syslog_tls_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the syslog_tls port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_syslog_tls_port'($*)) dnl
	gen_require(`
		type syslog_tls_port_t;
	')

	allow $1 syslog_tls_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_syslog_tls_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the syslog_tls port.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_syslog_tls_port'($*)) dnl
	gen_require(`
		type syslog_tls_port_t;
	')

	dontaudit $1 syslog_tls_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_syslog_tls_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the syslog_tls port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_udp_sendrecv_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_syslog_tls_port'($*)) dnl
	corenet_udp_send_syslog_tls_port($1)
	corenet_udp_receive_syslog_tls_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_syslog_tls_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the syslog_tls port.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_syslog_tls_port'($*)) dnl
	corenet_dontaudit_udp_send_syslog_tls_port($1)
	corenet_dontaudit_udp_receive_syslog_tls_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_syslog_tls_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the syslog_tls port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_syslog_tls_port'($*)) dnl
	gen_require(`
		type syslog_tls_port_t;
	')

	allow $1 syslog_tls_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_syslog_tls_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the syslog_tls port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_syslog_tls_port'($*)) dnl
	gen_require(`
		type syslog_tls_port_t;
	')

	allow $1 syslog_tls_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_syslog_tls_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the syslog_tls port.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_syslog_tls_port'($*)) dnl
	gen_require(`
		type syslog_tls_port_t;
	')

	dontaudit $1 syslog_tls_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_syslog_tls_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the syslog_tls port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_syslog_tls_port'($*)) dnl
	gen_require(`
		type syslog_tls_port_t;
	')

	allow $1 syslog_tls_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_syslog_tls_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the syslog_tls port.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_syslog_tls_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_syslog_tls_port'($*)) dnl
	gen_require(`
		type syslog_tls_port_t;
	')

	dontaudit $1 syslog_tls_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_syslog_tls_port'($*)) dnl
')

########################################
## <summary>
##	Send syslog_tls_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_syslog_tls_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_syslog_tls_client_packets'($*)) dnl
	gen_require(`
		type syslog_tls_client_packet_t;
	')

	allow $1 syslog_tls_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_syslog_tls_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send syslog_tls_client packets.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_syslog_tls_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_syslog_tls_client_packets'($*)) dnl
	gen_require(`
		type syslog_tls_client_packet_t;
	')

	dontaudit $1 syslog_tls_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_syslog_tls_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive syslog_tls_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_syslog_tls_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_syslog_tls_client_packets'($*)) dnl
	gen_require(`
		type syslog_tls_client_packet_t;
	')

	allow $1 syslog_tls_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_syslog_tls_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive syslog_tls_client packets.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_syslog_tls_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_syslog_tls_client_packets'($*)) dnl
	gen_require(`
		type syslog_tls_client_packet_t;
	')

	dontaudit $1 syslog_tls_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_syslog_tls_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive syslog_tls_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_syslog_tls_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_syslog_tls_client_packets'($*)) dnl
	corenet_send_syslog_tls_client_packets($1)
	corenet_receive_syslog_tls_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_syslog_tls_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive syslog_tls_client packets.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_syslog_tls_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_syslog_tls_client_packets'($*)) dnl
	corenet_dontaudit_send_syslog_tls_client_packets($1)
	corenet_dontaudit_receive_syslog_tls_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_syslog_tls_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the syslog_tls_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_syslog_tls_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_syslog_tls_client_packets'($*)) dnl
	gen_require(`
		type syslog_tls_client_packet_t;
	')

	allow $1 syslog_tls_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_syslog_tls_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send syslog_tls_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_syslog_tls_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_syslog_tls_server_packets'($*)) dnl
	gen_require(`
		type syslog_tls_server_packet_t;
	')

	allow $1 syslog_tls_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_syslog_tls_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send syslog_tls_server packets.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_syslog_tls_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_syslog_tls_server_packets'($*)) dnl
	gen_require(`
		type syslog_tls_server_packet_t;
	')

	dontaudit $1 syslog_tls_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_syslog_tls_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive syslog_tls_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_syslog_tls_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_syslog_tls_server_packets'($*)) dnl
	gen_require(`
		type syslog_tls_server_packet_t;
	')

	allow $1 syslog_tls_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_syslog_tls_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive syslog_tls_server packets.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_syslog_tls_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_syslog_tls_server_packets'($*)) dnl
	gen_require(`
		type syslog_tls_server_packet_t;
	')

	dontaudit $1 syslog_tls_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_syslog_tls_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive syslog_tls_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_syslog_tls_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_syslog_tls_server_packets'($*)) dnl
	corenet_send_syslog_tls_server_packets($1)
	corenet_receive_syslog_tls_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_syslog_tls_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive syslog_tls_server packets.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_syslog_tls_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_syslog_tls_server_packets'($*)) dnl
	corenet_dontaudit_send_syslog_tls_server_packets($1)
	corenet_dontaudit_receive_syslog_tls_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_syslog_tls_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the syslog_tls_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_syslog_tls_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_syslog_tls_server_packets'($*)) dnl
	gen_require(`
		type syslog_tls_server_packet_t;
	')

	allow $1 syslog_tls_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_syslog_tls_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the statsd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_tcp_sendrecv_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_statsd_port'($*)) dnl
	gen_require(`
		type statsd_port_t;
	')

	allow $1 statsd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_statsd_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the statsd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_statsd_port'($*)) dnl
	gen_require(`
		type statsd_port_t;
	')

	allow $1 statsd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_statsd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the statsd port.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_statsd_port'($*)) dnl
	gen_require(`
		type statsd_port_t;
	')

	dontaudit $1 statsd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_statsd_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the statsd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_statsd_port'($*)) dnl
	gen_require(`
		type statsd_port_t;
	')

	allow $1 statsd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_statsd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the statsd port.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_statsd_port'($*)) dnl
	gen_require(`
		type statsd_port_t;
	')

	dontaudit $1 statsd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_statsd_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the statsd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_udp_sendrecv_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_statsd_port'($*)) dnl
	corenet_udp_send_statsd_port($1)
	corenet_udp_receive_statsd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_statsd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the statsd port.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_statsd_port'($*)) dnl
	corenet_dontaudit_udp_send_statsd_port($1)
	corenet_dontaudit_udp_receive_statsd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_statsd_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the statsd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_statsd_port'($*)) dnl
	gen_require(`
		type statsd_port_t;
	')

	allow $1 statsd_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_statsd_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the statsd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_statsd_port'($*)) dnl
	gen_require(`
		type statsd_port_t;
	')

	allow $1 statsd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_statsd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the statsd port.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_statsd_port'($*)) dnl
	gen_require(`
		type statsd_port_t;
	')

	dontaudit $1 statsd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_statsd_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the statsd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_statsd_port'($*)) dnl
	gen_require(`
		type statsd_port_t;
	')

	allow $1 statsd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_statsd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the statsd port.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_statsd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_statsd_port'($*)) dnl
	gen_require(`
		type statsd_port_t;
	')

	dontaudit $1 statsd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_statsd_port'($*)) dnl
')

########################################
## <summary>
##	Send statsd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_statsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_statsd_client_packets'($*)) dnl
	gen_require(`
		type statsd_client_packet_t;
	')

	allow $1 statsd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_statsd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send statsd_client packets.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_statsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_statsd_client_packets'($*)) dnl
	gen_require(`
		type statsd_client_packet_t;
	')

	dontaudit $1 statsd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_statsd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive statsd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_statsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_statsd_client_packets'($*)) dnl
	gen_require(`
		type statsd_client_packet_t;
	')

	allow $1 statsd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_statsd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive statsd_client packets.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_statsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_statsd_client_packets'($*)) dnl
	gen_require(`
		type statsd_client_packet_t;
	')

	dontaudit $1 statsd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_statsd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive statsd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_statsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_statsd_client_packets'($*)) dnl
	corenet_send_statsd_client_packets($1)
	corenet_receive_statsd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_statsd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive statsd_client packets.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_statsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_statsd_client_packets'($*)) dnl
	corenet_dontaudit_send_statsd_client_packets($1)
	corenet_dontaudit_receive_statsd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_statsd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the statsd_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_statsd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_statsd_client_packets'($*)) dnl
	gen_require(`
		type statsd_client_packet_t;
	')

	allow $1 statsd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_statsd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send statsd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_statsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_statsd_server_packets'($*)) dnl
	gen_require(`
		type statsd_server_packet_t;
	')

	allow $1 statsd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_statsd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send statsd_server packets.
##	Only the audit record of the denial is suppressed; the access is still denied.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_statsd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_statsd_server_packets'($*)) dnl
	gen_require(`
		type statsd_server_packet_t;
	')

	dontaudit $1 statsd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_statsd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive statsd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## ## # define(`corenet_receive_statsd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_statsd_server_packets'($*)) dnl gen_require(` type statsd_server_packet_t; ') allow $1 statsd_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_statsd_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive statsd_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_statsd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_statsd_server_packets'($*)) dnl gen_require(` type statsd_server_packet_t; ') dontaudit $1 statsd_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_statsd_server_packets'($*)) dnl ') ######################################## ## ## Send and receive statsd_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_statsd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_statsd_server_packets'($*)) dnl corenet_send_statsd_server_packets($1) corenet_receive_statsd_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_statsd_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive statsd_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_statsd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_statsd_server_packets'($*)) dnl corenet_dontaudit_send_statsd_server_packets($1) corenet_dontaudit_receive_statsd_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_statsd_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the statsd_server packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_statsd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_statsd_server_packets'($*)) dnl gen_require(` type statsd_server_packet_t; ') allow $1 statsd_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_statsd_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the tangd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_tangd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_tangd_port'($*)) dnl gen_require(` type tangd_port_t; ') allow $1 tangd_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_tangd_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the tangd port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_send_tangd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_tangd_port'($*)) dnl gen_require(` type tangd_port_t; ') allow $1 tangd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_tangd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the tangd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_tangd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_tangd_port'($*)) dnl gen_require(` type tangd_port_t; ') dontaudit $1 tangd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_tangd_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the tangd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_tangd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_tangd_port'($*)) dnl gen_require(` type tangd_port_t; ') allow $1 tangd_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_tangd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the tangd port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_receive_tangd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_tangd_port'($*)) dnl gen_require(` type tangd_port_t; ') dontaudit $1 tangd_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_tangd_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the tangd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_tangd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_tangd_port'($*)) dnl corenet_udp_send_tangd_port($1) corenet_udp_receive_tangd_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_tangd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the tangd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_tangd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_tangd_port'($*)) dnl corenet_dontaudit_udp_send_tangd_port($1) corenet_dontaudit_udp_receive_tangd_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_tangd_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the tangd port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_bind_tangd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_tangd_port'($*)) dnl gen_require(` type tangd_port_t; ') allow $1 tangd_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_tangd_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the tangd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_tangd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_tangd_port'($*)) dnl gen_require(` type tangd_port_t; ') allow $1 tangd_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_tangd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind UDP sockets to the tangd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_bind_tangd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_tangd_port'($*)) dnl gen_require(` type tangd_port_t; ') dontaudit $1 tangd_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_tangd_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the tangd port. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_tcp_connect_tangd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_tangd_port'($*)) dnl gen_require(` type tangd_port_t; ') allow $1 tangd_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_tangd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the tangd port. ## ## ## ## Domain to not audit. ## ## # define(`corenet_dontaudit_tcp_connect_tangd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_tangd_port'($*)) dnl gen_require(` type tangd_port_t; ') dontaudit $1 tangd_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_tangd_port'($*)) dnl ') ######################################## ## ## Send tangd_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_tangd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_tangd_client_packets'($*)) dnl gen_require(` type tangd_client_packet_t; ') allow $1 tangd_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_tangd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send tangd_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_tangd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tangd_client_packets'($*)) dnl gen_require(` type tangd_client_packet_t; ') dontaudit $1 tangd_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tangd_client_packets'($*)) dnl ') ######################################## ## ## Receive tangd_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_tangd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_tangd_client_packets'($*)) dnl gen_require(` type tangd_client_packet_t; ') allow $1 tangd_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_tangd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive tangd_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_tangd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tangd_client_packets'($*)) dnl gen_require(` type tangd_client_packet_t; ') dontaudit $1 tangd_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tangd_client_packets'($*)) dnl ') ######################################## ## ## Send and receive tangd_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_tangd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tangd_client_packets'($*)) dnl corenet_send_tangd_client_packets($1) corenet_receive_tangd_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tangd_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive tangd_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_tangd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tangd_client_packets'($*)) dnl corenet_dontaudit_send_tangd_client_packets($1) corenet_dontaudit_receive_tangd_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tangd_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the tangd_client packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_tangd_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tangd_client_packets'($*)) dnl gen_require(` type tangd_client_packet_t; ') allow $1 tangd_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_tangd_client_packets'($*)) dnl ') ######################################## ## ## Send tangd_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_send_tangd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_tangd_server_packets'($*)) dnl gen_require(` type tangd_server_packet_t; ') allow $1 tangd_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_tangd_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send tangd_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_tangd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tangd_server_packets'($*)) dnl gen_require(` type tangd_server_packet_t; ') dontaudit $1 tangd_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tangd_server_packets'($*)) dnl ') ######################################## ## ## Receive tangd_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_tangd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_tangd_server_packets'($*)) dnl gen_require(` type tangd_server_packet_t; ') allow $1 tangd_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_tangd_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive tangd_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_receive_tangd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tangd_server_packets'($*)) dnl gen_require(` type tangd_server_packet_t; ') dontaudit $1 tangd_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tangd_server_packets'($*)) dnl ') ######################################## ## ## Send and receive tangd_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_tangd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tangd_server_packets'($*)) dnl corenet_send_tangd_server_packets($1) corenet_receive_tangd_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tangd_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive tangd_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_tangd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tangd_server_packets'($*)) dnl corenet_dontaudit_send_tangd_server_packets($1) corenet_dontaudit_receive_tangd_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tangd_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the tangd_server packet type. ## ## ## ## Domain allowed access. 
## ## # define(`corenet_relabelto_tangd_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tangd_server_packets'($*)) dnl gen_require(` type tangd_server_packet_t; ') allow $1 tangd_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_tangd_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the tcs port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_tcs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_tcs_port'($*)) dnl gen_require(` type tcs_port_t; ') allow $1 tcs_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_tcs_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the tcs port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_tcs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_tcs_port'($*)) dnl gen_require(` type tcs_port_t; ') allow $1 tcs_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_tcs_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the tcs port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_send_tcs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_tcs_port'($*)) dnl gen_require(` type tcs_port_t; ') dontaudit $1 tcs_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_tcs_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the tcs port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_tcs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_tcs_port'($*)) dnl gen_require(` type tcs_port_t; ') allow $1 tcs_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_tcs_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the tcs port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_tcs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_tcs_port'($*)) dnl gen_require(` type tcs_port_t; ') dontaudit $1 tcs_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_tcs_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the tcs port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_sendrecv_tcs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_tcs_port'($*)) dnl corenet_udp_send_tcs_port($1) corenet_udp_receive_tcs_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_tcs_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the tcs port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_tcs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_tcs_port'($*)) dnl corenet_dontaudit_udp_send_tcs_port($1) corenet_dontaudit_udp_receive_tcs_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_tcs_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the tcs port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_tcs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_tcs_port'($*)) dnl gen_require(` type tcs_port_t; ') allow $1 tcs_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_tcs_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the tcs port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_bind_tcs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_tcs_port'($*)) dnl gen_require(` type tcs_port_t; ') allow $1 tcs_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_tcs_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind UDP sockets to the tcs port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_bind_tcs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_tcs_port'($*)) dnl gen_require(` type tcs_port_t; ') dontaudit $1 tcs_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_tcs_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the tcs port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_tcs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_tcs_port'($*)) dnl gen_require(` type tcs_port_t; ') allow $1 tcs_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_tcs_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the tcs port. ## ## ## ## Domain to not audit. 
## ## # define(`corenet_dontaudit_tcp_connect_tcs_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_tcs_port'($*)) dnl gen_require(` type tcs_port_t; ') dontaudit $1 tcs_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_tcs_port'($*)) dnl ') ######################################## ## ## Send tcs_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_tcs_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_tcs_client_packets'($*)) dnl gen_require(` type tcs_client_packet_t; ') allow $1 tcs_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_tcs_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send tcs_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_tcs_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tcs_client_packets'($*)) dnl gen_require(` type tcs_client_packet_t; ') dontaudit $1 tcs_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tcs_client_packets'($*)) dnl ') ######################################## ## ## Receive tcs_client packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_tcs_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_tcs_client_packets'($*)) dnl gen_require(` type tcs_client_packet_t; ') allow $1 tcs_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_tcs_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive tcs_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_tcs_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tcs_client_packets'($*)) dnl gen_require(` type tcs_client_packet_t; ') dontaudit $1 tcs_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tcs_client_packets'($*)) dnl ') ######################################## ## ## Send and receive tcs_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_tcs_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tcs_client_packets'($*)) dnl corenet_send_tcs_client_packets($1) corenet_receive_tcs_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tcs_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive tcs_client packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_sendrecv_tcs_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tcs_client_packets'($*)) dnl corenet_dontaudit_send_tcs_client_packets($1) corenet_dontaudit_receive_tcs_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tcs_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the tcs_client packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_tcs_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tcs_client_packets'($*)) dnl gen_require(` type tcs_client_packet_t; ') allow $1 tcs_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_tcs_client_packets'($*)) dnl ') ######################################## ## ## Send tcs_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_tcs_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_tcs_server_packets'($*)) dnl gen_require(` type tcs_server_packet_t; ') allow $1 tcs_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_tcs_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send tcs_server packets. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_send_tcs_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tcs_server_packets'($*)) dnl gen_require(` type tcs_server_packet_t; ') dontaudit $1 tcs_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tcs_server_packets'($*)) dnl ') ######################################## ## ## Receive tcs_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_tcs_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_tcs_server_packets'($*)) dnl gen_require(` type tcs_server_packet_t; ') allow $1 tcs_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_tcs_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive tcs_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_tcs_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tcs_server_packets'($*)) dnl gen_require(` type tcs_server_packet_t; ') dontaudit $1 tcs_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tcs_server_packets'($*)) dnl ') ######################################## ## ## Send and receive tcs_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_sendrecv_tcs_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tcs_server_packets'($*)) dnl corenet_send_tcs_server_packets($1) corenet_receive_tcs_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tcs_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive tcs_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_tcs_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tcs_server_packets'($*)) dnl corenet_dontaudit_send_tcs_server_packets($1) corenet_dontaudit_receive_tcs_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tcs_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the tcs_server packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_tcs_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tcs_server_packets'($*)) dnl gen_require(` type tcs_server_packet_t; ') allow $1 tcs_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_tcs_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the telnetd port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_sendrecv_telnetd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_telnetd_port'($*)) dnl gen_require(` type telnetd_port_t; ') allow $1 telnetd_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_telnetd_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the telnetd port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_telnetd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_telnetd_port'($*)) dnl gen_require(` type telnetd_port_t; ') allow $1 telnetd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_telnetd_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the telnetd port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_telnetd_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_telnetd_port'($*)) dnl gen_require(` type telnetd_port_t; ') dontaudit $1 telnetd_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_telnetd_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the telnetd port. ## ## ## ## Domain allowed access. 
#
define(`corenet_udp_receive_telnetd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_telnetd_port'($*)) dnl
	gen_require(`
		type telnetd_port_t;
	')

	allow $1 telnetd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_telnetd_port'($*)) dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the telnetd port.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_telnetd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_telnetd_port'($*)) dnl
	gen_require(`
		type telnetd_port_t;
	')

	dontaudit $1 telnetd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_telnetd_port'($*)) dnl
')

########################################
## Send and receive UDP traffic on the telnetd port.
## $1 (domain): Domain allowed access.
#
define(`corenet_udp_sendrecv_telnetd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_telnetd_port'($*)) dnl
	# convenience wrapper: send + receive in one call
	corenet_udp_send_telnetd_port($1)
	corenet_udp_receive_telnetd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_telnetd_port'($*)) dnl
')

########################################
## Do not audit attempts to send and receive
## UDP traffic on the telnetd port.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_telnetd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_telnetd_port'($*)) dnl
	corenet_dontaudit_udp_send_telnetd_port($1)
	corenet_dontaudit_udp_receive_telnetd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_telnetd_port'($*)) dnl
')

########################################
## Bind TCP sockets to the telnetd port.
## $1 (domain): Domain allowed access.
#
define(`corenet_tcp_bind_telnetd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_telnetd_port'($*)) dnl
	gen_require(`
		type telnetd_port_t;
	')

	allow $1 telnetd_port_t:tcp_socket name_bind;
	# name_bind on a privileged port (below 1024) also needs CAP_NET_BIND_SERVICE
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_telnetd_port'($*)) dnl
')

########################################
## Bind UDP sockets to the telnetd port.
## $1 (domain): Domain allowed access.
#
define(`corenet_udp_bind_telnetd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_telnetd_port'($*)) dnl
	gen_require(`
		type telnetd_port_t;
	')

	allow $1 telnetd_port_t:udp_socket name_bind;
	# name_bind on a privileged port (below 1024) also needs CAP_NET_BIND_SERVICE
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_telnetd_port'($*)) dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the telnetd port.
## $1 (domain): Domain to not audit.
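#
define(`corenet_dontaudit_udp_bind_telnetd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_telnetd_port'($*)) dnl
	gen_require(`
		type telnetd_port_t;
	')

	dontaudit $1 telnetd_port_t:udp_socket name_bind;
	# Unlike the allow variant, no net_bind_service capability is granted here:
	# a dontaudit interface only silences denials and must not widen the
	# caller's privileges.
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_telnetd_port'($*)) dnl
')

########################################
## Make a TCP connection to the telnetd port.
## $1 (domain): Domain allowed access.
#
define(`corenet_tcp_connect_telnetd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_telnetd_port'($*)) dnl
	gen_require(`
		type telnetd_port_t;
	')

	allow $1 telnetd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_telnetd_port'($*)) dnl
')

########################################
## Do not audit attempts to make a TCP connection to the telnetd port.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_tcp_connect_telnetd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_telnetd_port'($*)) dnl
	gen_require(`
		type telnetd_port_t;
	')

	dontaudit $1 telnetd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_telnetd_port'($*)) dnl
')

########################################
## Send telnetd_client packets.
## $1 (domain): Domain allowed access.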
#
define(`corenet_send_telnetd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_telnetd_client_packets'($*)) dnl
	gen_require(`
		type telnetd_client_packet_t;
	')

	allow $1 telnetd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_telnetd_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send telnetd_client packets.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_send_telnetd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_telnetd_client_packets'($*)) dnl
	gen_require(`
		type telnetd_client_packet_t;
	')

	dontaudit $1 telnetd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_telnetd_client_packets'($*)) dnl
')

########################################
## Receive telnetd_client packets.
## $1 (domain): Domain allowed access.
#
define(`corenet_receive_telnetd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_telnetd_client_packets'($*)) dnl
	gen_require(`
		type telnetd_client_packet_t;
	')

	allow $1 telnetd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_telnetd_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive telnetd_client packets.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_receive_telnetd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_telnetd_client_packets'($*)) dnl
	gen_require(`
		type telnetd_client_packet_t;
	')

	dontaudit $1 telnetd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_telnetd_client_packets'($*)) dnl
')

########################################
## Send and receive telnetd_client packets.
## $1 (domain): Domain allowed access.
#
define(`corenet_sendrecv_telnetd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_telnetd_client_packets'($*)) dnl
	# convenience wrapper: send + receive in one call
	corenet_send_telnetd_client_packets($1)
	corenet_receive_telnetd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_telnetd_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive telnetd_client packets.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_telnetd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_telnetd_client_packets'($*)) dnl
	corenet_dontaudit_send_telnetd_client_packets($1)
	corenet_dontaudit_receive_telnetd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_telnetd_client_packets'($*)) dnl
')

########################################
## Relabel packets to the telnetd_client packet type.
## $1 (domain): Domain allowed access.
#
define(`corenet_relabelto_telnetd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_telnetd_client_packets'($*)) dnl
	gen_require(`
		type telnetd_client_packet_t;
	')

	allow $1 telnetd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_telnetd_client_packets'($*)) dnl
')

########################################
## Send telnetd_server packets.
## $1 (domain): Domain allowed access.
#
define(`corenet_send_telnetd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_telnetd_server_packets'($*)) dnl
	gen_require(`
		type telnetd_server_packet_t;
	')

	allow $1 telnetd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_telnetd_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send telnetd_server packets.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_send_telnetd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_telnetd_server_packets'($*)) dnl
	gen_require(`
		type telnetd_server_packet_t;
	')

	dontaudit $1 telnetd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_telnetd_server_packets'($*)) dnl
')

########################################
## Receive telnetd_server packets.
## $1 (domain): Domain allowed access.
#
define(`corenet_receive_telnetd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_telnetd_server_packets'($*)) dnl
	gen_require(`
		type telnetd_server_packet_t;
	')

	allow $1 telnetd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_telnetd_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive telnetd_server packets.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_receive_telnetd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_telnetd_server_packets'($*)) dnl
	gen_require(`
		type telnetd_server_packet_t;
	')

	dontaudit $1 telnetd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_telnetd_server_packets'($*)) dnl
')

########################################
## Send and receive telnetd_server packets.
## $1 (domain): Domain allowed access.
#
define(`corenet_sendrecv_telnetd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_telnetd_server_packets'($*)) dnl
	# convenience wrapper: send + receive in one call
	corenet_send_telnetd_server_packets($1)
	corenet_receive_telnetd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_telnetd_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive telnetd_server packets.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_telnetd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_telnetd_server_packets'($*)) dnl
	corenet_dontaudit_send_telnetd_server_packets($1)
	corenet_dontaudit_receive_telnetd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_telnetd_server_packets'($*)) dnl
')

########################################
## Relabel packets to the telnetd_server packet type.
## $1 (domain): Domain allowed access.
#
define(`corenet_relabelto_telnetd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_telnetd_server_packets'($*)) dnl
	gen_require(`
		type telnetd_server_packet_t;
	')

	allow $1 telnetd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_telnetd_server_packets'($*)) dnl
')

########################################
## Send and receive TCP traffic on the tftp port.
## $1 (domain): Domain allowed access.
#
define(`corenet_tcp_sendrecv_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_tftp_port'($*)) dnl
	gen_require(`
		type tftp_port_t;
	')

	allow $1 tftp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_tftp_port'($*)) dnl
')

########################################
## Send UDP traffic on the tftp port.
## $1 (domain): Domain allowed access.
#
define(`corenet_udp_send_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_tftp_port'($*)) dnl
	gen_require(`
		type tftp_port_t;
	')

	allow $1 tftp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_tftp_port'($*)) dnl
')

########################################
## Do not audit attempts to send UDP traffic on the tftp port.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_send_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_tftp_port'($*)) dnl
	gen_require(`
		type tftp_port_t;
	')

	dontaudit $1 tftp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_tftp_port'($*)) dnl
')

########################################
## Receive UDP traffic on the tftp port.
## $1 (domain): Domain allowed access.
#
define(`corenet_udp_receive_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_tftp_port'($*)) dnl
	gen_require(`
		type tftp_port_t;
	')

	allow $1 tftp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_tftp_port'($*)) dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the tftp port.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_tftp_port'($*)) dnl
	gen_require(`
		type tftp_port_t;
	')

	dontaudit $1 tftp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_tftp_port'($*)) dnl
')

########################################
## Send and receive UDP traffic on the tftp port.
## $1 (domain): Domain allowed access.
#
define(`corenet_udp_sendrecv_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_tftp_port'($*)) dnl
	# convenience wrapper: send + receive in one call
	corenet_udp_send_tftp_port($1)
	corenet_udp_receive_tftp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_tftp_port'($*)) dnl
')

########################################
## Do not audit attempts to send and receive
## UDP traffic on the tftp port.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_tftp_port'($*)) dnl
	corenet_dontaudit_udp_send_tftp_port($1)
	corenet_dontaudit_udp_receive_tftp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_tftp_port'($*)) dnl
')

########################################
## Bind TCP sockets to the tftp port.
## $1 (domain): Domain allowed access.
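#
define(`corenet_tcp_bind_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_tftp_port'($*)) dnl
	gen_require(`
		type tftp_port_t;
	')

	allow $1 tftp_port_t:tcp_socket name_bind;
	# name_bind on a privileged port (below 1024) also needs CAP_NET_BIND_SERVICE
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_tftp_port'($*)) dnl
')

########################################
## Bind UDP sockets to the tftp port.
## $1 (domain): Domain allowed access.
#
define(`corenet_udp_bind_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_tftp_port'($*)) dnl
	gen_require(`
		type tftp_port_t;
	')

	allow $1 tftp_port_t:udp_socket name_bind;
	# name_bind on a privileged port (below 1024) also needs CAP_NET_BIND_SERVICE
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_tftp_port'($*)) dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the tftp port.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_bind_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_tftp_port'($*)) dnl
	gen_require(`
		type tftp_port_t;
	')

	dontaudit $1 tftp_port_t:udp_socket name_bind;
	# Unlike the allow variant, no net_bind_service capability is granted here:
	# a dontaudit interface only silences denials and must not widen the
	# caller's privileges.
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_tftp_port'($*)) dnl
')

########################################
## Make a TCP connection to the tftp port.
## $1 (domain): Domain allowed access.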
#
define(`corenet_tcp_connect_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_tftp_port'($*)) dnl
	gen_require(`
		type tftp_port_t;
	')

	allow $1 tftp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_tftp_port'($*)) dnl
')

########################################
## Do not audit attempts to make a TCP connection to the tftp port.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_tcp_connect_tftp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_tftp_port'($*)) dnl
	gen_require(`
		type tftp_port_t;
	')

	dontaudit $1 tftp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_tftp_port'($*)) dnl
')

########################################
## Send tftp_client packets.
## $1 (domain): Domain allowed access.
#
define(`corenet_send_tftp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tftp_client_packets'($*)) dnl
	gen_require(`
		type tftp_client_packet_t;
	')

	allow $1 tftp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tftp_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send tftp_client packets.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_send_tftp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tftp_client_packets'($*)) dnl
	gen_require(`
		type tftp_client_packet_t;
	')

	dontaudit $1 tftp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tftp_client_packets'($*)) dnl
')

########################################
## Receive tftp_client packets.
## $1 (domain): Domain allowed access.
#
define(`corenet_receive_tftp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tftp_client_packets'($*)) dnl
	gen_require(`
		type tftp_client_packet_t;
	')

	allow $1 tftp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tftp_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive tftp_client packets.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_receive_tftp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tftp_client_packets'($*)) dnl
	gen_require(`
		type tftp_client_packet_t;
	')

	dontaudit $1 tftp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tftp_client_packets'($*)) dnl
')

########################################
## Send and receive tftp_client packets.
## $1 (domain): Domain allowed access.
#
define(`corenet_sendrecv_tftp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tftp_client_packets'($*)) dnl
	# convenience wrapper: send + receive in one call
	corenet_send_tftp_client_packets($1)
	corenet_receive_tftp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tftp_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive tftp_client packets.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_tftp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tftp_client_packets'($*)) dnl
	corenet_dontaudit_send_tftp_client_packets($1)
	corenet_dontaudit_receive_tftp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tftp_client_packets'($*)) dnl
')

########################################
## Relabel packets to the tftp_client packet type.
## $1 (domain): Domain allowed access.
#
define(`corenet_relabelto_tftp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tftp_client_packets'($*)) dnl
	gen_require(`
		type tftp_client_packet_t;
	')

	allow $1 tftp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tftp_client_packets'($*)) dnl
')

########################################
## Send tftp_server packets.
## $1 (domain): Domain allowed access.
#
define(`corenet_send_tftp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tftp_server_packets'($*)) dnl
	gen_require(`
		type tftp_server_packet_t;
	')

	allow $1 tftp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tftp_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send tftp_server packets.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_send_tftp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tftp_server_packets'($*)) dnl
	gen_require(`
		type tftp_server_packet_t;
	')

	dontaudit $1 tftp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tftp_server_packets'($*)) dnl
')

########################################
## Receive tftp_server packets.
## $1 (domain): Domain allowed access.
#
define(`corenet_receive_tftp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tftp_server_packets'($*)) dnl
	gen_require(`
		type tftp_server_packet_t;
	')

	allow $1 tftp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tftp_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive tftp_server packets.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_receive_tftp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tftp_server_packets'($*)) dnl
	gen_require(`
		type tftp_server_packet_t;
	')

	dontaudit $1 tftp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tftp_server_packets'($*)) dnl
')

########################################
## Send and receive tftp_server packets.
## $1 (domain): Domain allowed access.
#
define(`corenet_sendrecv_tftp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tftp_server_packets'($*)) dnl
	# convenience wrapper: send + receive in one call
	corenet_send_tftp_server_packets($1)
	corenet_receive_tftp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tftp_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive tftp_server packets.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_tftp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tftp_server_packets'($*)) dnl
	corenet_dontaudit_send_tftp_server_packets($1)
	corenet_dontaudit_receive_tftp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tftp_server_packets'($*)) dnl
')

########################################
## Relabel packets to the tftp_server packet type.
## $1 (domain): Domain allowed access.
#
define(`corenet_relabelto_tftp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tftp_server_packets'($*)) dnl
	gen_require(`
		type tftp_server_packet_t;
	')

	allow $1 tftp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tftp_server_packets'($*)) dnl
')

########################################
## Send and receive TCP traffic on the tor port.
## $1 (domain): Domain allowed access.
#
define(`corenet_tcp_sendrecv_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_tor_port'($*)) dnl
	gen_require(`
		type tor_port_t;
	')

	allow $1 tor_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_tor_port'($*)) dnl
')

########################################
## Send UDP traffic on the tor port.
## $1 (domain): Domain allowed access.
#
define(`corenet_udp_send_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_tor_port'($*)) dnl
	gen_require(`
		type tor_port_t;
	')

	allow $1 tor_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_tor_port'($*)) dnl
')

########################################
## Do not audit attempts to send UDP traffic on the tor port.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_send_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_tor_port'($*)) dnl
	gen_require(`
		type tor_port_t;
	')

	dontaudit $1 tor_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_tor_port'($*)) dnl
')

########################################
## Receive UDP traffic on the tor port.
## $1 (domain): Domain allowed access.
#
define(`corenet_udp_receive_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_tor_port'($*)) dnl
	gen_require(`
		type tor_port_t;
	')

	allow $1 tor_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_tor_port'($*)) dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the tor port.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_tor_port'($*)) dnl
	gen_require(`
		type tor_port_t;
	')

	dontaudit $1 tor_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_tor_port'($*)) dnl
')

########################################
## Send and receive UDP traffic on the tor port.
## $1 (domain): Domain allowed access.
#
define(`corenet_udp_sendrecv_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_tor_port'($*)) dnl
	# convenience wrapper: send + receive in one call
	corenet_udp_send_tor_port($1)
	corenet_udp_receive_tor_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_tor_port'($*)) dnl
')

########################################
## Do not audit attempts to send and receive
## UDP traffic on the tor port.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_tor_port'($*)) dnl
	corenet_dontaudit_udp_send_tor_port($1)
	corenet_dontaudit_udp_receive_tor_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_tor_port'($*)) dnl
')

########################################
## Bind TCP sockets to the tor port.
## $1 (domain): Domain allowed access.
#
define(`corenet_tcp_bind_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_tor_port'($*)) dnl
	gen_require(`
		type tor_port_t;
	')

	# no net_bind_service capability is granted for this port
	allow $1 tor_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_tor_port'($*)) dnl
')

########################################
## Bind UDP sockets to the tor port.
## $1 (domain): Domain allowed access.
#
define(`corenet_udp_bind_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_tor_port'($*)) dnl
	gen_require(`
		type tor_port_t;
	')

	# no net_bind_service capability is granted for this port
	allow $1 tor_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_tor_port'($*)) dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the tor port.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_bind_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_tor_port'($*)) dnl
	gen_require(`
		type tor_port_t;
	')

	dontaudit $1 tor_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_tor_port'($*)) dnl
')

########################################
## Make a TCP connection to the tor port.
## $1 (domain): Domain allowed access.
#
define(`corenet_tcp_connect_tor_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_tor_port'($*)) dnl
	gen_require(`
		type tor_port_t;
	')

	allow $1 tor_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_tor_port'($*)) dnl
')

########################################
## Do not audit attempts to make a TCP connection to the tor port.
## $1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_tcp_connect_tor_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_tor_port'($*))dnl
	gen_require(`
		type tor_port_t;
	')
	dontaudit $1 tor_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_tor_port'($*))dnl
')

########################################
## Send tor_client packets.
## $1: Domain allowed access.
#
# Packet-class rule (secmark labelling), distinct from the port rules above.
define(`corenet_send_tor_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tor_client_packets'($*))dnl
	gen_require(`
		type tor_client_packet_t;
	')
	allow $1 tor_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tor_client_packets'($*))dnl
')

########################################
## Do not audit attempts to send tor_client packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_send_tor_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tor_client_packets'($*))dnl
	gen_require(`
		type tor_client_packet_t;
	')
	dontaudit $1 tor_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tor_client_packets'($*))dnl
')

########################################
## Receive tor_client packets.
## $1: Domain allowed access.
#
define(`corenet_receive_tor_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tor_client_packets'($*))dnl
	gen_require(`
		type tor_client_packet_t;
	')
	allow $1 tor_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tor_client_packets'($*))dnl
')

########################################
## Do not audit attempts to receive tor_client packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_receive_tor_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tor_client_packets'($*))dnl
	gen_require(`
		type tor_client_packet_t;
	')
	dontaudit $1 tor_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tor_client_packets'($*))dnl
')

########################################
## Send and receive tor_client packets.
## $1: Domain allowed access.
#
# Composite: the leaf interfaces carry the gen_require for tor_client_packet_t.
define(`corenet_sendrecv_tor_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tor_client_packets'($*))dnl
	corenet_send_tor_client_packets($1)
	corenet_receive_tor_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tor_client_packets'($*))dnl
')

########################################
## Do not audit attempts to send and receive tor_client packets.
## $1: Domain to not audit.
#
# Composite of the two dontaudit leaf interfaces; no permission is granted.
define(`corenet_dontaudit_sendrecv_tor_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tor_client_packets'($*))dnl
	corenet_dontaudit_send_tor_client_packets($1)
	corenet_dontaudit_receive_tor_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tor_client_packets'($*))dnl
')

########################################
## Relabel packets to the tor_client packet type.
## $1: Domain allowed access.
#
# relabelto lets the domain assign this packet label; only labelling
# agents should receive it, since the label drives the send/recv rules above.
define(`corenet_relabelto_tor_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tor_client_packets'($*))dnl
	gen_require(`
		type tor_client_packet_t;
	')
	allow $1 tor_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tor_client_packets'($*))dnl
')

########################################
## Send tor_server packets.
## $1: Domain allowed access.
#
define(`corenet_send_tor_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tor_server_packets'($*))dnl
	gen_require(`
		type tor_server_packet_t;
	')
	allow $1 tor_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tor_server_packets'($*))dnl
')

########################################
## Do not audit attempts to send tor_server packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_send_tor_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tor_server_packets'($*))dnl
	gen_require(`
		type tor_server_packet_t;
	')
	dontaudit $1 tor_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tor_server_packets'($*))dnl
')

########################################
## Receive tor_server packets.
## $1: Domain allowed access.
#
define(`corenet_receive_tor_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tor_server_packets'($*))dnl
	gen_require(`
		type tor_server_packet_t;
	')
	allow $1 tor_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tor_server_packets'($*))dnl
')

########################################
## Do not audit attempts to receive tor_server packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_receive_tor_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tor_server_packets'($*))dnl
	gen_require(`
		type tor_server_packet_t;
	')
	dontaudit $1 tor_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tor_server_packets'($*))dnl
')

########################################
## Send and receive tor_server packets.
## $1: Domain allowed access.
#
# Composite: the leaf interfaces carry the gen_require for tor_server_packet_t.
define(`corenet_sendrecv_tor_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tor_server_packets'($*))dnl
	corenet_send_tor_server_packets($1)
	corenet_receive_tor_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tor_server_packets'($*))dnl
')

########################################
## Do not audit attempts to send and receive tor_server packets.
## $1: Domain to not audit.
#
# Composite of the two dontaudit leaf interfaces; no permission is granted.
define(`corenet_dontaudit_sendrecv_tor_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tor_server_packets'($*))dnl
	corenet_dontaudit_send_tor_server_packets($1)
	corenet_dontaudit_receive_tor_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tor_server_packets'($*))dnl
')

########################################
## Relabel packets to the tor_server packet type.
## $1: Domain allowed access.
#
# relabelto lets the domain assign this packet label; intended for the
# labelling agent, not for ordinary senders or receivers.
define(`corenet_relabelto_tor_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tor_server_packets'($*))dnl
	gen_require(`
		type tor_server_packet_t;
	')
	allow $1 tor_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tor_server_packets'($*))dnl
')

########################################
## Send and receive TCP traffic on the traceroute port.
## $1: Domain allowed access.
#
# TCP has a single combined send/recv interface; UDP is split into
# separate send, receive and sendrecv interfaces below.
define(`corenet_tcp_sendrecv_traceroute_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_traceroute_port'($*))dnl
	gen_require(`
		type traceroute_port_t;
	')
	allow $1 traceroute_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_traceroute_port'($*))dnl
')

########################################
## Send UDP traffic on the traceroute port.
## $1: Domain allowed access.
#
define(`corenet_udp_send_traceroute_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_traceroute_port'($*))dnl
	gen_require(`
		type traceroute_port_t;
	')
	allow $1 traceroute_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_traceroute_port'($*))dnl
')

########################################
## Do not audit attempts to send UDP traffic on the traceroute port.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_udp_send_traceroute_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_traceroute_port'($*))dnl
	gen_require(`
		type traceroute_port_t;
	')
	dontaudit $1 traceroute_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_traceroute_port'($*))dnl
')

########################################
## Receive UDP traffic on the traceroute port.
## $1: Domain allowed access.
#
define(`corenet_udp_receive_traceroute_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_traceroute_port'($*))dnl
	gen_require(`
		type traceroute_port_t;
	')
	allow $1 traceroute_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_traceroute_port'($*))dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the traceroute port.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_traceroute_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_traceroute_port'($*))dnl
	gen_require(`
		type traceroute_port_t;
	')
	dontaudit $1 traceroute_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_traceroute_port'($*))dnl
')

########################################
## Send and receive UDP traffic on the traceroute port.
## $1: Domain allowed access.
#
# Composite: the leaf interfaces carry the gen_require for traceroute_port_t.
define(`corenet_udp_sendrecv_traceroute_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_traceroute_port'($*))dnl
	corenet_udp_send_traceroute_port($1)
	corenet_udp_receive_traceroute_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_traceroute_port'($*))dnl
')

########################################
## Do not audit attempts to send and receive
## UDP traffic on the traceroute port.
## $1: Domain to not audit.
#
# Composite of the two dontaudit leaf interfaces; no permission is granted.
define(`corenet_dontaudit_udp_sendrecv_traceroute_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_traceroute_port'($*))dnl
	corenet_dontaudit_udp_send_traceroute_port($1)
	corenet_dontaudit_udp_receive_traceroute_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_traceroute_port'($*))dnl
')

########################################
## Bind TCP sockets to the traceroute port.
## $1: Domain allowed access.
#
# NOTE(review): besides name_bind this interface also grants the
# net_bind_service capability on self, and a capability is not scoped to
# this port. Presumably the traceroute port is in the privileged range -
# confirm against the port declaration. Callers get the wider capability
# whether or not they need it; the tor bind interfaces grant no capability.
define(`corenet_tcp_bind_traceroute_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_traceroute_port'($*))dnl
	gen_require(`
		type traceroute_port_t;
	')
	allow $1 traceroute_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_traceroute_port'($*))dnl
')

########################################
## Bind UDP sockets to the traceroute port.
## $1: Domain allowed access.
#
# Same shape as the TCP variant: name_bind plus the port-independent
# net_bind_service capability on self.
define(`corenet_udp_bind_traceroute_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_traceroute_port'($*))dnl
	gen_require(`
		type traceroute_port_t;
	')
	allow $1 traceroute_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_traceroute_port'($*))dnl
')

########################################
## Do not audit attempts to bind to the traceroute port.
## $1: Domain to not audit.
#
# NOTE(review): despite the dontaudit_ prefix this interface also contains an
# allow rule for the net_bind_service capability. A caller that only wants
# to silence bind denials therefore gains a real, port-independent
# permission. This looks like a generator artifact copied from the bind
# interfaces - confirm whether the allow line belongs here at all.
define(`corenet_dontaudit_udp_bind_traceroute_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_traceroute_port'($*))dnl
	gen_require(`
		type traceroute_port_t;
	')
	dontaudit $1 traceroute_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_traceroute_port'($*))dnl
')

########################################
## Make a TCP connection to the traceroute port.
## $1: Domain allowed access.
#
define(`corenet_tcp_connect_traceroute_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_traceroute_port'($*))dnl
	gen_require(`
		type traceroute_port_t;
	')
	allow $1 traceroute_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_traceroute_port'($*))dnl
')

########################################
## Do not audit attempts to make a TCP connection to the traceroute port.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_tcp_connect_traceroute_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_traceroute_port'($*))dnl
	gen_require(`
		type traceroute_port_t;
	')
	dontaudit $1 traceroute_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_traceroute_port'($*))dnl
')

########################################
## Send traceroute_client packets.
## $1: Domain allowed access.
#
# Packet-class rule (secmark labelling), distinct from the port rules above.
define(`corenet_send_traceroute_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_traceroute_client_packets'($*))dnl
	gen_require(`
		type traceroute_client_packet_t;
	')
	allow $1 traceroute_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_traceroute_client_packets'($*))dnl
')

########################################
## Do not audit attempts to send traceroute_client packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_send_traceroute_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_traceroute_client_packets'($*))dnl
	gen_require(`
		type traceroute_client_packet_t;
	')
	dontaudit $1 traceroute_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_traceroute_client_packets'($*))dnl
')

########################################
## Receive traceroute_client packets.
## $1: Domain allowed access.
#
define(`corenet_receive_traceroute_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_traceroute_client_packets'($*))dnl
	gen_require(`
		type traceroute_client_packet_t;
	')
	allow $1 traceroute_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_traceroute_client_packets'($*))dnl
')

########################################
## Do not audit attempts to receive traceroute_client packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_receive_traceroute_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_traceroute_client_packets'($*))dnl
	gen_require(`
		type traceroute_client_packet_t;
	')
	dontaudit $1 traceroute_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_traceroute_client_packets'($*))dnl
')

########################################
## Send and receive traceroute_client packets.
## $1: Domain allowed access.
#
# Composite: the leaf interfaces carry the gen_require for the packet type.
define(`corenet_sendrecv_traceroute_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_traceroute_client_packets'($*))dnl
	corenet_send_traceroute_client_packets($1)
	corenet_receive_traceroute_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_traceroute_client_packets'($*))dnl
')

########################################
## Do not audit attempts to send and receive traceroute_client packets.
## $1: Domain to not audit.
#
# Composite of the two dontaudit leaf interfaces; no permission is granted.
define(`corenet_dontaudit_sendrecv_traceroute_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_traceroute_client_packets'($*))dnl
	corenet_dontaudit_send_traceroute_client_packets($1)
	corenet_dontaudit_receive_traceroute_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_traceroute_client_packets'($*))dnl
')

########################################
## Relabel packets to the traceroute_client packet type.
## $1: Domain allowed access.
#
# relabelto lets the domain assign this packet label; intended for the
# labelling agent, not for ordinary senders or receivers.
define(`corenet_relabelto_traceroute_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_traceroute_client_packets'($*))dnl
	gen_require(`
		type traceroute_client_packet_t;
	')
	allow $1 traceroute_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_traceroute_client_packets'($*))dnl
')

########################################
## Send traceroute_server packets.
## $1: Domain allowed access.
#
define(`corenet_send_traceroute_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_traceroute_server_packets'($*))dnl
	gen_require(`
		type traceroute_server_packet_t;
	')
	allow $1 traceroute_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_traceroute_server_packets'($*))dnl
')

########################################
## Do not audit attempts to send traceroute_server packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_send_traceroute_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_traceroute_server_packets'($*))dnl
	gen_require(`
		type traceroute_server_packet_t;
	')
	dontaudit $1 traceroute_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_traceroute_server_packets'($*))dnl
')

########################################
## Receive traceroute_server packets.
## $1: Domain allowed access.
#
define(`corenet_receive_traceroute_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_traceroute_server_packets'($*))dnl
	gen_require(`
		type traceroute_server_packet_t;
	')
	allow $1 traceroute_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_traceroute_server_packets'($*))dnl
')

########################################
## Do not audit attempts to receive traceroute_server packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_receive_traceroute_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_traceroute_server_packets'($*))dnl
	gen_require(`
		type traceroute_server_packet_t;
	')
	dontaudit $1 traceroute_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_traceroute_server_packets'($*))dnl
')

########################################
## Send and receive traceroute_server packets.
## $1: Domain allowed access.
#
# Composite: the leaf interfaces carry the gen_require for the packet type.
define(`corenet_sendrecv_traceroute_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_traceroute_server_packets'($*))dnl
	corenet_send_traceroute_server_packets($1)
	corenet_receive_traceroute_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_traceroute_server_packets'($*))dnl
')

########################################
## Do not audit attempts to send and receive traceroute_server packets.
## $1: Domain to not audit.
#
# Composite of the two dontaudit leaf interfaces; no permission is granted.
define(`corenet_dontaudit_sendrecv_traceroute_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_traceroute_server_packets'($*))dnl
	corenet_dontaudit_send_traceroute_server_packets($1)
	corenet_dontaudit_receive_traceroute_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_traceroute_server_packets'($*))dnl
')

########################################
## Relabel packets to the traceroute_server packet type.
## $1: Domain allowed access.
#
# relabelto lets the domain assign this packet label; intended for the
# labelling agent, not for ordinary senders or receivers.
define(`corenet_relabelto_traceroute_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_traceroute_server_packets'($*))dnl
	gen_require(`
		type traceroute_server_packet_t;
	')
	allow $1 traceroute_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_traceroute_server_packets'($*))dnl
')

########################################
## Send and receive TCP traffic on the tram port.
## $1: Domain allowed access.
#
# TCP has a single combined send/recv interface; UDP is split into
# separate send, receive and sendrecv interfaces below.
define(`corenet_tcp_sendrecv_tram_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_tram_port'($*))dnl
	gen_require(`
		type tram_port_t;
	')
	allow $1 tram_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_tram_port'($*))dnl
')

########################################
## Send UDP traffic on the tram port.
## $1: Domain allowed access.
#
define(`corenet_udp_send_tram_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_tram_port'($*))dnl
	gen_require(`
		type tram_port_t;
	')
	allow $1 tram_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_tram_port'($*))dnl
')

########################################
## Do not audit attempts to send UDP traffic on the tram port.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_udp_send_tram_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_tram_port'($*))dnl
	gen_require(`
		type tram_port_t;
	')
	dontaudit $1 tram_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_tram_port'($*))dnl
')

########################################
## Receive UDP traffic on the tram port.
## $1: Domain allowed access.
#
define(`corenet_udp_receive_tram_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_tram_port'($*))dnl
	gen_require(`
		type tram_port_t;
	')
	allow $1 tram_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_tram_port'($*))dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the tram port.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_tram_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_tram_port'($*))dnl
	gen_require(`
		type tram_port_t;
	')
	dontaudit $1 tram_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_tram_port'($*))dnl
')

########################################
## Send and receive UDP traffic on the tram port.
## $1: Domain allowed access.
#
# Composite: the leaf interfaces carry the gen_require for tram_port_t.
define(`corenet_udp_sendrecv_tram_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_tram_port'($*))dnl
	corenet_udp_send_tram_port($1)
	corenet_udp_receive_tram_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_tram_port'($*))dnl
')

########################################
## Do not audit attempts to send and receive
## UDP traffic on the tram port.
## $1: Domain to not audit.
#
# Composite of the two dontaudit leaf interfaces; no permission is granted.
define(`corenet_dontaudit_udp_sendrecv_tram_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_tram_port'($*))dnl
	corenet_dontaudit_udp_send_tram_port($1)
	corenet_dontaudit_udp_receive_tram_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_tram_port'($*))dnl
')

########################################
## Bind TCP sockets to the tram port.
## $1: Domain allowed access.
#
# Grants name_bind only; no capability is added here.
define(`corenet_tcp_bind_tram_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_tram_port'($*))dnl
	gen_require(`
		type tram_port_t;
	')
	allow $1 tram_port_t:tcp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_tram_port'($*))dnl
')

########################################
## Bind UDP sockets to the tram port.
## $1: Domain allowed access.
#
# Grants name_bind only; no capability is added here.
define(`corenet_udp_bind_tram_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_tram_port'($*))dnl
	gen_require(`
		type tram_port_t;
	')
	allow $1 tram_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_tram_port'($*))dnl
')

########################################
## Do not audit attempts to bind to the tram port.
## $1: Domain to not audit.
#
# Pure dontaudit: silences the denial, grants nothing.
define(`corenet_dontaudit_udp_bind_tram_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_tram_port'($*))dnl
	gen_require(`
		type tram_port_t;
	')
	dontaudit $1 tram_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_tram_port'($*))dnl
')

########################################
## Make a TCP connection to the tram port.
## $1: Domain allowed access.
#
define(`corenet_tcp_connect_tram_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_tram_port'($*))dnl
	gen_require(`
		type tram_port_t;
	')
	allow $1 tram_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_tram_port'($*))dnl
')

########################################
## Do not audit attempts to make a TCP connection to the tram port.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_tcp_connect_tram_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_tram_port'($*))dnl
	gen_require(`
		type tram_port_t;
	')
	dontaudit $1 tram_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_tram_port'($*))dnl
')

########################################
## Send tram_client packets.
## $1: Domain allowed access.
#
# Packet-class rule (secmark labelling), distinct from the port rules above.
define(`corenet_send_tram_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tram_client_packets'($*))dnl
	gen_require(`
		type tram_client_packet_t;
	')
	allow $1 tram_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tram_client_packets'($*))dnl
')

########################################
## Do not audit attempts to send tram_client packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_send_tram_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tram_client_packets'($*))dnl
	gen_require(`
		type tram_client_packet_t;
	')
	dontaudit $1 tram_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tram_client_packets'($*))dnl
')

########################################
## Receive tram_client packets.
## $1: Domain allowed access.
#
define(`corenet_receive_tram_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tram_client_packets'($*))dnl
	gen_require(`
		type tram_client_packet_t;
	')
	allow $1 tram_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tram_client_packets'($*))dnl
')

########################################
## Do not audit attempts to receive tram_client packets.
## $1: Domain to not audit.
#
define(`corenet_dontaudit_receive_tram_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tram_client_packets'($*))dnl
	gen_require(`
		type tram_client_packet_t;
	')
	dontaudit $1 tram_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tram_client_packets'($*))dnl
')

########################################
## Send and receive tram_client packets.
## $1: Domain allowed access.
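## </summary>
## </param>
#
define(`corenet_sendrecv_tram_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tram_client_packets'($*)) dnl
	# Composed from the single-direction interfaces so the three stay in step.
	corenet_send_tram_client_packets($1)
	corenet_receive_tram_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tram_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive tram_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_tram_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tram_client_packets'($*)) dnl
	# Silences both directions; no access is granted.
	corenet_dontaudit_send_tram_client_packets($1)
	corenet_dontaudit_receive_tram_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tram_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the tram_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_tram_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tram_client_packets'($*)) dnl
	gen_require(`
		type tram_client_packet_t;
	')

	# relabelto lets the caller label packets as tram_client_packet_t; normally only
	# the domain that installs SECMARK rules needs this.
	allow $1 tram_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tram_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send tram_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.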
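## </summary>
## </param>
#
define(`corenet_send_tram_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_tram_server_packets'($*)) dnl
	gen_require(`
		type tram_server_packet_t;
	')

	# packet send covers outbound traffic carrying the SECMARK label tram_server_packet_t.
	allow $1 tram_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_tram_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send tram_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_tram_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_tram_server_packets'($*)) dnl
	gen_require(`
		type tram_server_packet_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 tram_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_tram_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive tram_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_tram_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_tram_server_packets'($*)) dnl
	gen_require(`
		type tram_server_packet_t;
	')

	# packet recv covers inbound traffic carrying the SECMARK label tram_server_packet_t.
	allow $1 tram_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_tram_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive tram_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.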
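## </summary>
## </param>
#
define(`corenet_dontaudit_receive_tram_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_tram_server_packets'($*)) dnl
	gen_require(`
		type tram_server_packet_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 tram_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_tram_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive tram_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_tram_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_tram_server_packets'($*)) dnl
	# Composed from the single-direction interfaces so the three stay in step.
	corenet_send_tram_server_packets($1)
	corenet_receive_tram_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_tram_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive tram_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_tram_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_tram_server_packets'($*)) dnl
	# Silences both directions; no access is granted.
	corenet_dontaudit_send_tram_server_packets($1)
	corenet_dontaudit_receive_tram_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_tram_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the tram_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.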
## </summary>
## </param>
#
define(`corenet_relabelto_tram_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_tram_server_packets'($*)) dnl
	gen_require(`
		type tram_server_packet_t;
	')

	# relabelto lets the caller label packets as tram_server_packet_t; normally only
	# the domain that installs SECMARK rules needs this.
	allow $1 tram_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_tram_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the transproxy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_transproxy_port'($*)) dnl
	gen_require(`
		type transproxy_port_t;
	')

	# Per-port traffic checks, applied where the kernel checks packets against port labels.
	allow $1 transproxy_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_transproxy_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the transproxy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_transproxy_port'($*)) dnl
	gen_require(`
		type transproxy_port_t;
	')

	# Outbound direction only; pair with the receive interface for two-way traffic.
	allow $1 transproxy_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_transproxy_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the transproxy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_udp_send_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_transproxy_port'($*)) dnl
	gen_require(`
		type transproxy_port_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 transproxy_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_transproxy_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the transproxy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_transproxy_port'($*)) dnl
	gen_require(`
		type transproxy_port_t;
	')

	# Inbound direction only; pair with the send interface for two-way traffic.
	allow $1 transproxy_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_transproxy_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the transproxy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_transproxy_port'($*)) dnl
	gen_require(`
		type transproxy_port_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 transproxy_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_transproxy_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the transproxy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`corenet_udp_sendrecv_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_transproxy_port'($*)) dnl
	gen_require(`
		type transproxy_port_t;
	')

	# Same rules the separate send and receive interfaces produce, written as one
	# rule in the form the TCP sendrecv interface already uses.
	allow $1 transproxy_port_t:udp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_transproxy_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the transproxy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_transproxy_port'($*)) dnl
	gen_require(`
		type transproxy_port_t;
	')

	# Silences both directions; no access is granted.
	dontaudit $1 transproxy_port_t:udp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_transproxy_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the transproxy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_transproxy_port'($*)) dnl
	gen_require(`
		type transproxy_port_t;
	')

	# name_bind is checked when bind() claims a port labeled transproxy_port_t.
	allow $1 transproxy_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_transproxy_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the transproxy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
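## </summary>
## </param>
#
define(`corenet_udp_bind_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_transproxy_port'($*)) dnl
	gen_require(`
		type transproxy_port_t;
	')

	# name_bind is checked when bind() claims a port labeled transproxy_port_t.
	allow $1 transproxy_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_transproxy_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the transproxy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_transproxy_port'($*)) dnl
	gen_require(`
		type transproxy_port_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 transproxy_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_transproxy_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the transproxy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_transproxy_port'($*)) dnl
	gen_require(`
		type transproxy_port_t;
	')

	# name_connect is checked when a TCP connect() targets a port labeled transproxy_port_t.
	allow $1 transproxy_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_transproxy_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the transproxy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.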
## </summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_transproxy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_transproxy_port'($*)) dnl
	gen_require(`
		type transproxy_port_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 transproxy_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_transproxy_port'($*)) dnl
')

########################################
## <summary>
##	Send transproxy_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_transproxy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_transproxy_client_packets'($*)) dnl
	gen_require(`
		type transproxy_client_packet_t;
	')

	# packet send covers outbound traffic carrying the SECMARK label transproxy_client_packet_t.
	allow $1 transproxy_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_transproxy_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send transproxy_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_transproxy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_transproxy_client_packets'($*)) dnl
	gen_require(`
		type transproxy_client_packet_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 transproxy_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_transproxy_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive transproxy_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
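## </summary>
## </param>
#
define(`corenet_receive_transproxy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_transproxy_client_packets'($*)) dnl
	gen_require(`
		type transproxy_client_packet_t;
	')

	# packet recv covers inbound traffic carrying the SECMARK label transproxy_client_packet_t.
	allow $1 transproxy_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_transproxy_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive transproxy_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_transproxy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_transproxy_client_packets'($*)) dnl
	gen_require(`
		type transproxy_client_packet_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 transproxy_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_transproxy_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive transproxy_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_transproxy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_transproxy_client_packets'($*)) dnl
	# Composed from the single-direction interfaces so the three stay in step.
	corenet_send_transproxy_client_packets($1)
	corenet_receive_transproxy_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_transproxy_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive transproxy_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.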
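## </summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_transproxy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_transproxy_client_packets'($*)) dnl
	# Silences both directions; no access is granted.
	corenet_dontaudit_send_transproxy_client_packets($1)
	corenet_dontaudit_receive_transproxy_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_transproxy_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the transproxy_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_transproxy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_transproxy_client_packets'($*)) dnl
	gen_require(`
		type transproxy_client_packet_t;
	')

	# relabelto lets the caller label packets as transproxy_client_packet_t; normally
	# only the domain that installs SECMARK rules needs this.
	allow $1 transproxy_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_transproxy_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send transproxy_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_transproxy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_transproxy_server_packets'($*)) dnl
	gen_require(`
		type transproxy_server_packet_t;
	')

	# packet send covers outbound traffic carrying the SECMARK label transproxy_server_packet_t.
	allow $1 transproxy_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_transproxy_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send transproxy_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.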
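## </summary>
## </param>
#
define(`corenet_dontaudit_send_transproxy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_transproxy_server_packets'($*)) dnl
	gen_require(`
		type transproxy_server_packet_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 transproxy_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_transproxy_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive transproxy_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_transproxy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_transproxy_server_packets'($*)) dnl
	gen_require(`
		type transproxy_server_packet_t;
	')

	# packet recv covers inbound traffic carrying the SECMARK label transproxy_server_packet_t.
	allow $1 transproxy_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_transproxy_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive transproxy_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_transproxy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_transproxy_server_packets'($*)) dnl
	gen_require(`
		type transproxy_server_packet_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 transproxy_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_transproxy_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive transproxy_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.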
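## </summary>
## </param>
#
define(`corenet_sendrecv_transproxy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_transproxy_server_packets'($*)) dnl
	# Composed from the single-direction interfaces so the three stay in step.
	corenet_send_transproxy_server_packets($1)
	corenet_receive_transproxy_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_transproxy_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive transproxy_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_transproxy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_transproxy_server_packets'($*)) dnl
	# Silences both directions; no access is granted.
	corenet_dontaudit_send_transproxy_server_packets($1)
	corenet_dontaudit_receive_transproxy_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_transproxy_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the transproxy_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_transproxy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_transproxy_server_packets'($*)) dnl
	gen_require(`
		type transproxy_server_packet_t;
	')

	# relabelto lets the caller label packets as transproxy_server_packet_t; normally
	# only the domain that installs SECMARK rules needs this.
	allow $1 transproxy_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_transproxy_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the trisoap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.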
## </summary>
## </param>
#
define(`corenet_tcp_sendrecv_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_trisoap_port'($*)) dnl
	gen_require(`
		type trisoap_port_t;
	')

	# Per-port traffic checks, applied where the kernel checks packets against port labels.
	allow $1 trisoap_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_trisoap_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the trisoap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_trisoap_port'($*)) dnl
	gen_require(`
		type trisoap_port_t;
	')

	# Outbound direction only; pair with the receive interface for two-way traffic.
	allow $1 trisoap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_trisoap_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the trisoap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_trisoap_port'($*)) dnl
	gen_require(`
		type trisoap_port_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 trisoap_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_trisoap_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the trisoap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`corenet_udp_receive_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_trisoap_port'($*)) dnl
	gen_require(`
		type trisoap_port_t;
	')

	# Inbound direction only; pair with the send interface for two-way traffic.
	allow $1 trisoap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_trisoap_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the trisoap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_trisoap_port'($*)) dnl
	gen_require(`
		type trisoap_port_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 trisoap_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_trisoap_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the trisoap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_trisoap_port'($*)) dnl
	gen_require(`
		type trisoap_port_t;
	')

	# Same rules the separate send and receive interfaces produce, written as one
	# rule in the form the TCP sendrecv interface already uses.
	allow $1 trisoap_port_t:udp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_trisoap_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the trisoap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
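## </summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_trisoap_port'($*)) dnl
	# Silences both directions; no access is granted.
	corenet_dontaudit_udp_send_trisoap_port($1)
	corenet_dontaudit_udp_receive_trisoap_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_trisoap_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the trisoap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_trisoap_port'($*)) dnl
	gen_require(`
		type trisoap_port_t;
	')

	# name_bind is checked when bind() claims a port labeled trisoap_port_t.
	allow $1 trisoap_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_trisoap_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the trisoap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_trisoap_port'($*)) dnl
	gen_require(`
		type trisoap_port_t;
	')

	# name_bind is checked when bind() claims a port labeled trisoap_port_t.
	allow $1 trisoap_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_trisoap_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the trisoap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.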
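## </summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_trisoap_port'($*)) dnl
	gen_require(`
		type trisoap_port_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 trisoap_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_trisoap_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the trisoap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_trisoap_port'($*)) dnl
	gen_require(`
		type trisoap_port_t;
	')

	# name_connect is checked when a TCP connect() targets a port labeled trisoap_port_t.
	allow $1 trisoap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_trisoap_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the trisoap port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_trisoap_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_trisoap_port'($*)) dnl
	gen_require(`
		type trisoap_port_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 trisoap_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_trisoap_port'($*)) dnl
')

########################################
## <summary>
##	Send trisoap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.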
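## </summary>
## </param>
#
define(`corenet_send_trisoap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_trisoap_client_packets'($*)) dnl
	gen_require(`
		type trisoap_client_packet_t;
	')

	# packet send covers outbound traffic carrying the SECMARK label trisoap_client_packet_t.
	allow $1 trisoap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_trisoap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send trisoap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_trisoap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_trisoap_client_packets'($*)) dnl
	gen_require(`
		type trisoap_client_packet_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 trisoap_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_trisoap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive trisoap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_trisoap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_trisoap_client_packets'($*)) dnl
	gen_require(`
		type trisoap_client_packet_t;
	')

	# packet recv covers inbound traffic carrying the SECMARK label trisoap_client_packet_t.
	allow $1 trisoap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_trisoap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive trisoap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.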
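## </summary>
## </param>
#
define(`corenet_dontaudit_receive_trisoap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_trisoap_client_packets'($*)) dnl
	gen_require(`
		type trisoap_client_packet_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 trisoap_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_trisoap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive trisoap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_trisoap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_trisoap_client_packets'($*)) dnl
	# Composed from the single-direction interfaces so the three stay in step.
	corenet_send_trisoap_client_packets($1)
	corenet_receive_trisoap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_trisoap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive trisoap_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_trisoap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_trisoap_client_packets'($*)) dnl
	# Silences both directions; no access is granted.
	corenet_dontaudit_send_trisoap_client_packets($1)
	corenet_dontaudit_receive_trisoap_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_trisoap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the trisoap_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.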
## </summary>
## </param>
#
define(`corenet_relabelto_trisoap_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_trisoap_client_packets'($*)) dnl
	gen_require(`
		type trisoap_client_packet_t;
	')

	# relabelto lets the caller label packets as trisoap_client_packet_t; normally
	# only the domain that installs SECMARK rules needs this.
	allow $1 trisoap_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_trisoap_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send trisoap_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_trisoap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_trisoap_server_packets'($*)) dnl
	gen_require(`
		type trisoap_server_packet_t;
	')

	# packet send covers outbound traffic carrying the SECMARK label trisoap_server_packet_t.
	allow $1 trisoap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_trisoap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send trisoap_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_trisoap_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_trisoap_server_packets'($*)) dnl
	gen_require(`
		type trisoap_server_packet_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 trisoap_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_trisoap_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive trisoap_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
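##
#
define(`corenet_receive_trisoap_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_trisoap_server_packets'($*))dnl
gen_require(`
	type trisoap_server_packet_t;
')

allow $1 trisoap_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_trisoap_server_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to receive trisoap_server packets.
##
##	Domain to not audit.
##
#
define(`corenet_dontaudit_receive_trisoap_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_trisoap_server_packets'($*))dnl
gen_require(`
	type trisoap_server_packet_t;
')

dontaudit $1 trisoap_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_trisoap_server_packets'($*))dnl
')

########################################
##
##	Send and receive trisoap_server packets.
##
##	Domain allowed access.
##
#
define(`corenet_sendrecv_trisoap_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_trisoap_server_packets'($*))dnl
corenet_send_trisoap_server_packets($1)
corenet_receive_trisoap_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_trisoap_server_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to send and receive trisoap_server packets.
##
##	Domain to not audit.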
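##
#
define(`corenet_dontaudit_sendrecv_trisoap_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_trisoap_server_packets'($*))dnl
corenet_dontaudit_send_trisoap_server_packets($1)
corenet_dontaudit_receive_trisoap_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_trisoap_server_packets'($*))dnl
')

########################################
##
##	Relabel packets to the trisoap_server packet type.
##
##	Domain allowed access.
##
#
define(`corenet_relabelto_trisoap_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_trisoap_server_packets'($*))dnl
gen_require(`
	type trisoap_server_packet_t;
')

allow $1 trisoap_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_trisoap_server_packets'($*))dnl
')

########################################
##
##	Send and receive TCP traffic on the trivnet1 port.
##
##	Domain allowed access.
##
#
define(`corenet_tcp_sendrecv_trivnet1_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_trivnet1_port'($*))dnl
gen_require(`
	type trivnet1_port_t;
')

allow $1 trivnet1_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_trivnet1_port'($*))dnl
')

########################################
##
##	Send UDP traffic on the trivnet1 port.
##
##	Domain allowed access.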
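##
#
define(`corenet_udp_send_trivnet1_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_trivnet1_port'($*))dnl
gen_require(`
	type trivnet1_port_t;
')

allow $1 trivnet1_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_trivnet1_port'($*))dnl
')

########################################
##
##	Do not audit attempts to send UDP traffic on the trivnet1 port.
##
##	Domain to not audit.
##
#
define(`corenet_dontaudit_udp_send_trivnet1_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_trivnet1_port'($*))dnl
gen_require(`
	type trivnet1_port_t;
')

dontaudit $1 trivnet1_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_trivnet1_port'($*))dnl
')

########################################
##
##	Receive UDP traffic on the trivnet1 port.
##
##	Domain allowed access.
##
#
define(`corenet_udp_receive_trivnet1_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_trivnet1_port'($*))dnl
gen_require(`
	type trivnet1_port_t;
')

allow $1 trivnet1_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_trivnet1_port'($*))dnl
')

########################################
##
##	Do not audit attempts to receive UDP traffic on the trivnet1 port.
##
##	Domain to not audit.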
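##
#
define(`corenet_dontaudit_udp_receive_trivnet1_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_trivnet1_port'($*))dnl
gen_require(`
	type trivnet1_port_t;
')

dontaudit $1 trivnet1_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_trivnet1_port'($*))dnl
')

########################################
##
##	Send and receive UDP traffic on the trivnet1 port.
##
##	Domain allowed access.
##
#
define(`corenet_udp_sendrecv_trivnet1_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_trivnet1_port'($*))dnl
corenet_udp_send_trivnet1_port($1)
corenet_udp_receive_trivnet1_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_trivnet1_port'($*))dnl
')

########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the trivnet1 port.
##
##	Domain to not audit.
##
#
define(`corenet_dontaudit_udp_sendrecv_trivnet1_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_trivnet1_port'($*))dnl
corenet_dontaudit_udp_send_trivnet1_port($1)
corenet_dontaudit_udp_receive_trivnet1_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_trivnet1_port'($*))dnl
')

########################################
##
##	Bind TCP sockets to the trivnet1 port.
##
##	Domain allowed access.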
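##
#
define(`corenet_tcp_bind_trivnet1_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_trivnet1_port'($*))dnl
gen_require(`
	type trivnet1_port_t;
')

allow $1 trivnet1_port_t:tcp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_trivnet1_port'($*))dnl
')

########################################
##
##	Bind UDP sockets to the trivnet1 port.
##
##	Domain allowed access.
##
#
define(`corenet_udp_bind_trivnet1_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_trivnet1_port'($*))dnl
gen_require(`
	type trivnet1_port_t;
')

allow $1 trivnet1_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_trivnet1_port'($*))dnl
')

########################################
##
##	Do not audit attempts to bind UDP sockets to the trivnet1 port.
##
##	Domain to not audit.
##
#
define(`corenet_dontaudit_udp_bind_trivnet1_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_trivnet1_port'($*))dnl
gen_require(`
	type trivnet1_port_t;
')

dontaudit $1 trivnet1_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_trivnet1_port'($*))dnl
')

########################################
##
##	Make a TCP connection to the trivnet1 port.
##
##	Domain allowed access.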
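##
#
define(`corenet_tcp_connect_trivnet1_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_trivnet1_port'($*))dnl
gen_require(`
	type trivnet1_port_t;
')

allow $1 trivnet1_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_trivnet1_port'($*))dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the trivnet1 port.
##
##	Domain to not audit.
##
#
define(`corenet_dontaudit_tcp_connect_trivnet1_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_trivnet1_port'($*))dnl
gen_require(`
	type trivnet1_port_t;
')

dontaudit $1 trivnet1_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_trivnet1_port'($*))dnl
')

########################################
##
##	Send trivnet1_client packets.
##
##	Domain allowed access.
##
#
define(`corenet_send_trivnet1_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_trivnet1_client_packets'($*))dnl
gen_require(`
	type trivnet1_client_packet_t;
')

allow $1 trivnet1_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_trivnet1_client_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to send trivnet1_client packets.
##
##	Domain to not audit.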
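##
#
define(`corenet_dontaudit_send_trivnet1_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_trivnet1_client_packets'($*))dnl
gen_require(`
	type trivnet1_client_packet_t;
')

dontaudit $1 trivnet1_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_trivnet1_client_packets'($*))dnl
')

########################################
##
##	Receive trivnet1_client packets.
##
##	Domain allowed access.
##
#
define(`corenet_receive_trivnet1_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_trivnet1_client_packets'($*))dnl
gen_require(`
	type trivnet1_client_packet_t;
')

allow $1 trivnet1_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_trivnet1_client_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to receive trivnet1_client packets.
##
##	Domain to not audit.
##
#
define(`corenet_dontaudit_receive_trivnet1_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_trivnet1_client_packets'($*))dnl
gen_require(`
	type trivnet1_client_packet_t;
')

dontaudit $1 trivnet1_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_trivnet1_client_packets'($*))dnl
')

########################################
##
##	Send and receive trivnet1_client packets.
##
##	Domain allowed access.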
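##
#
define(`corenet_sendrecv_trivnet1_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_trivnet1_client_packets'($*))dnl
corenet_send_trivnet1_client_packets($1)
corenet_receive_trivnet1_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_trivnet1_client_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to send and receive trivnet1_client packets.
##
##	Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_trivnet1_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_trivnet1_client_packets'($*))dnl
corenet_dontaudit_send_trivnet1_client_packets($1)
corenet_dontaudit_receive_trivnet1_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_trivnet1_client_packets'($*))dnl
')

########################################
##
##	Relabel packets to the trivnet1_client packet type.
##
##	Domain allowed access.
##
#
define(`corenet_relabelto_trivnet1_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_trivnet1_client_packets'($*))dnl
gen_require(`
	type trivnet1_client_packet_t;
')

allow $1 trivnet1_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_trivnet1_client_packets'($*))dnl
')

########################################
##
##	Send trivnet1_server packets.
##
##	Domain allowed access.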
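##
#
define(`corenet_send_trivnet1_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_trivnet1_server_packets'($*))dnl
gen_require(`
	type trivnet1_server_packet_t;
')

allow $1 trivnet1_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_trivnet1_server_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to send trivnet1_server packets.
##
##	Domain to not audit.
##
#
define(`corenet_dontaudit_send_trivnet1_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_trivnet1_server_packets'($*))dnl
gen_require(`
	type trivnet1_server_packet_t;
')

dontaudit $1 trivnet1_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_trivnet1_server_packets'($*))dnl
')

########################################
##
##	Receive trivnet1_server packets.
##
##	Domain allowed access.
##
#
define(`corenet_receive_trivnet1_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_trivnet1_server_packets'($*))dnl
gen_require(`
	type trivnet1_server_packet_t;
')

allow $1 trivnet1_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_trivnet1_server_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to receive trivnet1_server packets.
##
##	Domain to not audit.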
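##
#
define(`corenet_dontaudit_receive_trivnet1_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_trivnet1_server_packets'($*))dnl
gen_require(`
	type trivnet1_server_packet_t;
')

dontaudit $1 trivnet1_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_trivnet1_server_packets'($*))dnl
')

########################################
##
##	Send and receive trivnet1_server packets.
##
##	Domain allowed access.
##
#
define(`corenet_sendrecv_trivnet1_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_trivnet1_server_packets'($*))dnl
corenet_send_trivnet1_server_packets($1)
corenet_receive_trivnet1_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_trivnet1_server_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to send and receive trivnet1_server packets.
##
##	Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_trivnet1_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_trivnet1_server_packets'($*))dnl
corenet_dontaudit_send_trivnet1_server_packets($1)
corenet_dontaudit_receive_trivnet1_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_trivnet1_server_packets'($*))dnl
')

########################################
##
##	Relabel packets to the trivnet1_server packet type.
##
##	Domain allowed access.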
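##
#
define(`corenet_relabelto_trivnet1_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_trivnet1_server_packets'($*))dnl
gen_require(`
	type trivnet1_server_packet_t;
')

allow $1 trivnet1_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_trivnet1_server_packets'($*))dnl
')

########################################
##
##	Send and receive TCP traffic on the ups port.
##
##	Domain allowed access.
##
#
define(`corenet_tcp_sendrecv_ups_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_ups_port'($*))dnl
gen_require(`
	type ups_port_t;
')

allow $1 ups_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_ups_port'($*))dnl
')

########################################
##
##	Send UDP traffic on the ups port.
##
##	Domain allowed access.
##
#
define(`corenet_udp_send_ups_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_ups_port'($*))dnl
gen_require(`
	type ups_port_t;
')

allow $1 ups_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_ups_port'($*))dnl
')

########################################
##
##	Do not audit attempts to send UDP traffic on the ups port.
##
##	Domain to not audit.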
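##
#
define(`corenet_dontaudit_udp_send_ups_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_ups_port'($*))dnl
gen_require(`
	type ups_port_t;
')

dontaudit $1 ups_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_ups_port'($*))dnl
')

########################################
##
##	Receive UDP traffic on the ups port.
##
##	Domain allowed access.
##
#
define(`corenet_udp_receive_ups_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_ups_port'($*))dnl
gen_require(`
	type ups_port_t;
')

allow $1 ups_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_ups_port'($*))dnl
')

########################################
##
##	Do not audit attempts to receive UDP traffic on the ups port.
##
##	Domain to not audit.
##
#
define(`corenet_dontaudit_udp_receive_ups_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_ups_port'($*))dnl
gen_require(`
	type ups_port_t;
')

dontaudit $1 ups_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_ups_port'($*))dnl
')

########################################
##
##	Send and receive UDP traffic on the ups port.
##
##	Domain allowed access.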
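##
#
define(`corenet_udp_sendrecv_ups_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_ups_port'($*))dnl
corenet_udp_send_ups_port($1)
corenet_udp_receive_ups_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_ups_port'($*))dnl
')

########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the ups port.
##
##	Domain to not audit.
##
#
define(`corenet_dontaudit_udp_sendrecv_ups_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_ups_port'($*))dnl
corenet_dontaudit_udp_send_ups_port($1)
corenet_dontaudit_udp_receive_ups_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_ups_port'($*))dnl
')

########################################
##
##	Bind TCP sockets to the ups port.
##
##	Domain allowed access.
##
#
define(`corenet_tcp_bind_ups_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_ups_port'($*))dnl
gen_require(`
	type ups_port_t;
')

allow $1 ups_port_t:tcp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_ups_port'($*))dnl
')

########################################
##
##	Bind UDP sockets to the ups port.
##
##	Domain allowed access.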
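##
#
define(`corenet_udp_bind_ups_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_ups_port'($*))dnl
gen_require(`
	type ups_port_t;
')

allow $1 ups_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_ups_port'($*))dnl
')

########################################
##
##	Do not audit attempts to bind UDP sockets to the ups port.
##
##	Domain to not audit.
##
#
define(`corenet_dontaudit_udp_bind_ups_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_ups_port'($*))dnl
gen_require(`
	type ups_port_t;
')

dontaudit $1 ups_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_ups_port'($*))dnl
')

########################################
##
##	Make a TCP connection to the ups port.
##
##	Domain allowed access.
##
#
define(`corenet_tcp_connect_ups_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_ups_port'($*))dnl
gen_require(`
	type ups_port_t;
')

allow $1 ups_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_ups_port'($*))dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the ups port.
##
##	Domain to not audit.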
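##
#
define(`corenet_dontaudit_tcp_connect_ups_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_ups_port'($*))dnl
gen_require(`
	type ups_port_t;
')

dontaudit $1 ups_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_ups_port'($*))dnl
')

########################################
##
##	Send ups_client packets.
##
##	Domain allowed access.
##
#
define(`corenet_send_ups_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ups_client_packets'($*))dnl
gen_require(`
	type ups_client_packet_t;
')

allow $1 ups_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ups_client_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to send ups_client packets.
##
##	Domain to not audit.
##
#
define(`corenet_dontaudit_send_ups_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ups_client_packets'($*))dnl
gen_require(`
	type ups_client_packet_t;
')

dontaudit $1 ups_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ups_client_packets'($*))dnl
')

########################################
##
##	Receive ups_client packets.
##
##	Domain allowed access.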
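##
#
define(`corenet_receive_ups_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ups_client_packets'($*))dnl
gen_require(`
	type ups_client_packet_t;
')

allow $1 ups_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ups_client_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to receive ups_client packets.
##
##	Domain to not audit.
##
#
define(`corenet_dontaudit_receive_ups_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ups_client_packets'($*))dnl
gen_require(`
	type ups_client_packet_t;
')

dontaudit $1 ups_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ups_client_packets'($*))dnl
')

########################################
##
##	Send and receive ups_client packets.
##
##	Domain allowed access.
##
#
define(`corenet_sendrecv_ups_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ups_client_packets'($*))dnl
corenet_send_ups_client_packets($1)
corenet_receive_ups_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ups_client_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to send and receive ups_client packets.
##
##	Domain to not audit.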
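##
#
define(`corenet_dontaudit_sendrecv_ups_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ups_client_packets'($*))dnl
corenet_dontaudit_send_ups_client_packets($1)
corenet_dontaudit_receive_ups_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ups_client_packets'($*))dnl
')

########################################
##
##	Relabel packets to the ups_client packet type.
##
##	Domain allowed access.
##
#
define(`corenet_relabelto_ups_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ups_client_packets'($*))dnl
gen_require(`
	type ups_client_packet_t;
')

allow $1 ups_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ups_client_packets'($*))dnl
')

########################################
##
##	Send ups_server packets.
##
##	Domain allowed access.
##
#
define(`corenet_send_ups_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_ups_server_packets'($*))dnl
gen_require(`
	type ups_server_packet_t;
')

allow $1 ups_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_ups_server_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to send ups_server packets.
##
##	Domain to not audit.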
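##
#
define(`corenet_dontaudit_send_ups_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_ups_server_packets'($*))dnl
gen_require(`
	type ups_server_packet_t;
')

dontaudit $1 ups_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_ups_server_packets'($*))dnl
')

########################################
##
##	Receive ups_server packets.
##
##	Domain allowed access.
##
#
define(`corenet_receive_ups_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_ups_server_packets'($*))dnl
gen_require(`
	type ups_server_packet_t;
')

allow $1 ups_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_ups_server_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to receive ups_server packets.
##
##	Domain to not audit.
##
#
define(`corenet_dontaudit_receive_ups_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_ups_server_packets'($*))dnl
gen_require(`
	type ups_server_packet_t;
')

dontaudit $1 ups_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_ups_server_packets'($*))dnl
')

########################################
##
##	Send and receive ups_server packets.
##
##	Domain allowed access.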
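##
#
define(`corenet_sendrecv_ups_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_ups_server_packets'($*))dnl
corenet_send_ups_server_packets($1)
corenet_receive_ups_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_ups_server_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to send and receive ups_server packets.
##
##	Domain to not audit.
##
#
define(`corenet_dontaudit_sendrecv_ups_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_ups_server_packets'($*))dnl
corenet_dontaudit_send_ups_server_packets($1)
corenet_dontaudit_receive_ups_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_ups_server_packets'($*))dnl
')

########################################
##
##	Relabel packets to the ups_server packet type.
##
##	Domain allowed access.
##
#
define(`corenet_relabelto_ups_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_ups_server_packets'($*))dnl
gen_require(`
	type ups_server_packet_t;
')

allow $1 ups_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_ups_server_packets'($*))dnl
')

########################################
##
##	Send and receive TCP traffic on the utcpserver port.
##
##	Domain allowed access.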
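##
#
define(`corenet_tcp_sendrecv_utcpserver_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_utcpserver_port'($*))dnl
gen_require(`
	type utcpserver_port_t;
')

allow $1 utcpserver_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_utcpserver_port'($*))dnl
')

########################################
##
##	Send UDP traffic on the utcpserver port.
##
##	Domain allowed access.
##
#
define(`corenet_udp_send_utcpserver_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_utcpserver_port'($*))dnl
gen_require(`
	type utcpserver_port_t;
')

allow $1 utcpserver_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_utcpserver_port'($*))dnl
')

########################################
##
##	Do not audit attempts to send UDP traffic on the utcpserver port.
##
##	Domain to not audit.
##
#
define(`corenet_dontaudit_udp_send_utcpserver_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_utcpserver_port'($*))dnl
gen_require(`
	type utcpserver_port_t;
')

dontaudit $1 utcpserver_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_utcpserver_port'($*))dnl
')

########################################
##
##	Receive UDP traffic on the utcpserver port.
##
##	Domain allowed access.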
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_utcpserver_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_utcpserver_port'($*)) dnl
	gen_require(`
		type utcpserver_port_t;
	')

	allow $1 utcpserver_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_utcpserver_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the utcpserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_receive_utcpserver_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_utcpserver_port'($*)) dnl
	gen_require(`
		type utcpserver_port_t;
	')

	dontaudit $1 utcpserver_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_utcpserver_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the utcpserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_sendrecv_utcpserver_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_utcpserver_port'($*)) dnl
	corenet_udp_send_utcpserver_port($1)
	corenet_udp_receive_utcpserver_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_utcpserver_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the utcpserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_sendrecv_utcpserver_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_utcpserver_port'($*)) dnl
	corenet_dontaudit_udp_send_utcpserver_port($1)
	corenet_dontaudit_udp_receive_utcpserver_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_utcpserver_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the utcpserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_utcpserver_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_utcpserver_port'($*)) dnl
	gen_require(`
		type utcpserver_port_t;
	')

	allow $1 utcpserver_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_utcpserver_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the utcpserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_bind_utcpserver_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_utcpserver_port'($*)) dnl
	gen_require(`
		type utcpserver_port_t;
	')

	allow $1 utcpserver_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_utcpserver_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the utcpserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_bind_utcpserver_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_utcpserver_port'($*)) dnl
	gen_require(`
		type utcpserver_port_t;
	')

	dontaudit $1 utcpserver_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_utcpserver_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the utcpserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_utcpserver_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_utcpserver_port'($*)) dnl
	gen_require(`
		type utcpserver_port_t;
	')

	allow $1 utcpserver_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_utcpserver_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the utcpserver port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_utcpserver_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_utcpserver_port'($*)) dnl
	gen_require(`
		type utcpserver_port_t;
	')

	dontaudit $1 utcpserver_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_utcpserver_port'($*)) dnl
')

########################################
## <summary>
##	Send utcpserver_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_utcpserver_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_utcpserver_client_packets'($*)) dnl
	gen_require(`
		type utcpserver_client_packet_t;
	')

	allow $1 utcpserver_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_utcpserver_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send utcpserver_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_utcpserver_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_utcpserver_client_packets'($*)) dnl
	gen_require(`
		type utcpserver_client_packet_t;
	')

	dontaudit $1 utcpserver_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_utcpserver_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive utcpserver_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_utcpserver_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_utcpserver_client_packets'($*)) dnl
	gen_require(`
		type utcpserver_client_packet_t;
	')

	allow $1 utcpserver_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_utcpserver_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive utcpserver_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_utcpserver_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_utcpserver_client_packets'($*)) dnl
	gen_require(`
		type utcpserver_client_packet_t;
	')

	dontaudit $1 utcpserver_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_utcpserver_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive utcpserver_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_utcpserver_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_utcpserver_client_packets'($*)) dnl
	corenet_send_utcpserver_client_packets($1)
	corenet_receive_utcpserver_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_utcpserver_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive utcpserver_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_utcpserver_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_utcpserver_client_packets'($*)) dnl
	corenet_dontaudit_send_utcpserver_client_packets($1)
	corenet_dontaudit_receive_utcpserver_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_utcpserver_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the utcpserver_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_utcpserver_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_utcpserver_client_packets'($*)) dnl
	gen_require(`
		type utcpserver_client_packet_t;
	')

	allow $1 utcpserver_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_utcpserver_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send utcpserver_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_utcpserver_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_utcpserver_server_packets'($*)) dnl
	gen_require(`
		type utcpserver_server_packet_t;
	')

	allow $1 utcpserver_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_utcpserver_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send utcpserver_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_utcpserver_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_utcpserver_server_packets'($*)) dnl
	gen_require(`
		type utcpserver_server_packet_t;
	')

	dontaudit $1 utcpserver_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_utcpserver_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive utcpserver_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_utcpserver_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_utcpserver_server_packets'($*)) dnl
	gen_require(`
		type utcpserver_server_packet_t;
	')

	allow $1 utcpserver_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_utcpserver_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive utcpserver_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_utcpserver_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_utcpserver_server_packets'($*)) dnl
	gen_require(`
		type utcpserver_server_packet_t;
	')

	dontaudit $1 utcpserver_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_utcpserver_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive utcpserver_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_utcpserver_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_utcpserver_server_packets'($*)) dnl
	corenet_send_utcpserver_server_packets($1)
	corenet_receive_utcpserver_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_utcpserver_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive utcpserver_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_utcpserver_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_utcpserver_server_packets'($*)) dnl
	corenet_dontaudit_send_utcpserver_server_packets($1)
	corenet_dontaudit_receive_utcpserver_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_utcpserver_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the utcpserver_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_utcpserver_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_utcpserver_server_packets'($*)) dnl
	gen_require(`
		type utcpserver_server_packet_t;
	')

	allow $1 utcpserver_server_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_utcpserver_server_packets'($*)) dnl
')

# no defined portcon

########################################
## <summary>
##	Send and receive TCP traffic on the uucpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_uucpd_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_uucpd_port'($*)) dnl
	gen_require(`
		type uucpd_port_t;
	')

	allow $1 uucpd_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_uucpd_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the uucpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_uucpd_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_uucpd_port'($*)) dnl
	gen_require(`
		type uucpd_port_t;
	')

	allow $1 uucpd_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_uucpd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the uucpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_send_uucpd_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_uucpd_port'($*)) dnl
	gen_require(`
		type uucpd_port_t;
	')

	dontaudit $1 uucpd_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_uucpd_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the uucpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_uucpd_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_uucpd_port'($*)) dnl
	gen_require(`
		type uucpd_port_t;
	')

	allow $1 uucpd_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_uucpd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the uucpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_receive_uucpd_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_uucpd_port'($*)) dnl
	gen_require(`
		type uucpd_port_t;
	')

	dontaudit $1 uucpd_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_uucpd_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the uucpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_sendrecv_uucpd_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_uucpd_port'($*)) dnl
	corenet_udp_send_uucpd_port($1)
	corenet_udp_receive_uucpd_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_uucpd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the uucpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_sendrecv_uucpd_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_uucpd_port'($*)) dnl
	corenet_dontaudit_udp_send_uucpd_port($1)
	corenet_dontaudit_udp_receive_uucpd_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_uucpd_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the uucpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
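##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_uucpd_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_uucpd_port'($*)) dnl
	gen_require(`
		type uucpd_port_t;
	')

	allow $1 uucpd_port_t:tcp_socket name_bind;
	# uucpd is a reserved port, so binding it also needs the net_bind_service capability
	allow $1 self:capability net_bind_service;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_uucpd_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the uucpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_bind_uucpd_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_uucpd_port'($*)) dnl
	gen_require(`
		type uucpd_port_t;
	')

	allow $1 uucpd_port_t:udp_socket name_bind;
	# uucpd is a reserved port, so binding it also needs the net_bind_service capability
	allow $1 self:capability net_bind_service;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_uucpd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind to the uucpd port.
##	This interface grants no access; in particular it does
##	not grant the net_bind_service capability, which only
##	the corresponding bind interfaces provide.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_bind_uucpd_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_uucpd_port'($*)) dnl
	gen_require(`
		type uucpd_port_t;
	')

	# dontaudit only: a domain asking for audit suppression must not silently
	# receive CAP_NET_BIND_SERVICE; callers that need to bind use the bind interfaces
	dontaudit $1 uucpd_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_uucpd_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the uucpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.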
##	</summary>
## </param>
#
define(`corenet_tcp_connect_uucpd_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_uucpd_port'($*)) dnl
	gen_require(`
		type uucpd_port_t;
	')

	allow $1 uucpd_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_uucpd_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the uucpd port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_uucpd_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_uucpd_port'($*)) dnl
	gen_require(`
		type uucpd_port_t;
	')

	dontaudit $1 uucpd_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_uucpd_port'($*)) dnl
')

########################################
## <summary>
##	Send uucpd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_uucpd_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_uucpd_client_packets'($*)) dnl
	gen_require(`
		type uucpd_client_packet_t;
	')

	allow $1 uucpd_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_uucpd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send uucpd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_uucpd_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_uucpd_client_packets'($*)) dnl
	gen_require(`
		type uucpd_client_packet_t;
	')

	dontaudit $1 uucpd_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_uucpd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive uucpd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_uucpd_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_uucpd_client_packets'($*)) dnl
	gen_require(`
		type uucpd_client_packet_t;
	')

	allow $1 uucpd_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_uucpd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive uucpd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_uucpd_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_uucpd_client_packets'($*)) dnl
	gen_require(`
		type uucpd_client_packet_t;
	')

	dontaudit $1 uucpd_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_uucpd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive uucpd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_uucpd_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_uucpd_client_packets'($*)) dnl
	corenet_send_uucpd_client_packets($1)
	corenet_receive_uucpd_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_uucpd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive uucpd_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_uucpd_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_uucpd_client_packets'($*)) dnl
	corenet_dontaudit_send_uucpd_client_packets($1)
	corenet_dontaudit_receive_uucpd_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_uucpd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the uucpd_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_uucpd_client_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_uucpd_client_packets'($*)) dnl
	gen_require(`
		type uucpd_client_packet_t;
	')

	allow $1 uucpd_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_uucpd_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send uucpd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_uucpd_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_uucpd_server_packets'($*)) dnl
	gen_require(`
		type uucpd_server_packet_t;
	')

	allow $1 uucpd_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_uucpd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send uucpd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_uucpd_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_uucpd_server_packets'($*)) dnl
	gen_require(`
		type uucpd_server_packet_t;
	')

	dontaudit $1 uucpd_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_uucpd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive uucpd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_uucpd_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_uucpd_server_packets'($*)) dnl
	gen_require(`
		type uucpd_server_packet_t;
	')

	allow $1 uucpd_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_uucpd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive uucpd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_uucpd_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_uucpd_server_packets'($*)) dnl
	gen_require(`
		type uucpd_server_packet_t;
	')

	dontaudit $1 uucpd_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_uucpd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive uucpd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_uucpd_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_uucpd_server_packets'($*)) dnl
	corenet_send_uucpd_server_packets($1)
	corenet_receive_uucpd_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_uucpd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive uucpd_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_uucpd_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_uucpd_server_packets'($*)) dnl
	corenet_dontaudit_send_uucpd_server_packets($1)
	corenet_dontaudit_receive_uucpd_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_uucpd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the uucpd_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_uucpd_server_packets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_uucpd_server_packets'($*)) dnl
	gen_require(`
		type uucpd_server_packet_t;
	')

	allow $1 uucpd_server_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_uucpd_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the us_cli port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_us_cli_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_us_cli_port'($*)) dnl
	gen_require(`
		type us_cli_port_t;
	')

	allow $1 us_cli_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_us_cli_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the us_cli port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_us_cli_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_us_cli_port'($*)) dnl
	gen_require(`
		type us_cli_port_t;
	')

	allow $1 us_cli_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_us_cli_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the us_cli port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_send_us_cli_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_us_cli_port'($*)) dnl
	gen_require(`
		type us_cli_port_t;
	')

	dontaudit $1 us_cli_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_us_cli_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the us_cli port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_us_cli_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_us_cli_port'($*)) dnl
	gen_require(`
		type us_cli_port_t;
	')

	allow $1 us_cli_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_us_cli_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the us_cli port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_receive_us_cli_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_us_cli_port'($*)) dnl
	gen_require(`
		type us_cli_port_t;
	')

	dontaudit $1 us_cli_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_us_cli_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the us_cli port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_sendrecv_us_cli_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_us_cli_port'($*)) dnl
	corenet_udp_send_us_cli_port($1)
	corenet_udp_receive_us_cli_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_us_cli_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the us_cli port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_sendrecv_us_cli_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_us_cli_port'($*)) dnl
	corenet_dontaudit_udp_send_us_cli_port($1)
	corenet_dontaudit_udp_receive_us_cli_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_us_cli_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the us_cli port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_us_cli_port',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_us_cli_port'($*)) dnl
	gen_require(`
		type us_cli_port_t;
	')

	allow $1 us_cli_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_us_cli_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the us_cli port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_us_cli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_us_cli_port'($*)) dnl
	gen_require(`
		type us_cli_port_t;
	')

	allow $1 us_cli_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_us_cli_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind UDP sockets to the us_cli port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_us_cli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_us_cli_port'($*)) dnl
	gen_require(`
		type us_cli_port_t;
	')

	dontaudit $1 us_cli_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_us_cli_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the us_cli port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_us_cli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_us_cli_port'($*)) dnl
	gen_require(`
		type us_cli_port_t;
	')

	allow $1 us_cli_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_us_cli_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the us_cli port.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_us_cli_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_us_cli_port'($*)) dnl
	gen_require(`
		type us_cli_port_t;
	')

	dontaudit $1 us_cli_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_us_cli_port'($*)) dnl
')

########################################
##
##	Send us_cli_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_us_cli_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_us_cli_client_packets'($*)) dnl
	gen_require(`
		type us_cli_client_packet_t;
	')

	allow $1 us_cli_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_us_cli_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send us_cli_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_us_cli_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_us_cli_client_packets'($*)) dnl
	gen_require(`
		type us_cli_client_packet_t;
	')

	dontaudit $1 us_cli_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_us_cli_client_packets'($*)) dnl
')

########################################
##
##	Receive us_cli_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_us_cli_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_us_cli_client_packets'($*)) dnl
	gen_require(`
		type us_cli_client_packet_t;
	')

	allow $1 us_cli_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_us_cli_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive us_cli_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_us_cli_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_us_cli_client_packets'($*)) dnl
	gen_require(`
		type us_cli_client_packet_t;
	')

	dontaudit $1 us_cli_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_us_cli_client_packets'($*)) dnl
')

########################################
##
##	Send and receive us_cli_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_us_cli_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_us_cli_client_packets'($*)) dnl
	corenet_send_us_cli_client_packets($1)
	corenet_receive_us_cli_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_us_cli_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive us_cli_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_us_cli_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_us_cli_client_packets'($*)) dnl
	corenet_dontaudit_send_us_cli_client_packets($1)
	corenet_dontaudit_receive_us_cli_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_us_cli_client_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the us_cli_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_us_cli_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_us_cli_client_packets'($*)) dnl
	gen_require(`
		type us_cli_client_packet_t;
	')

	allow $1 us_cli_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_us_cli_client_packets'($*)) dnl
')

########################################
##
##	Send us_cli_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_us_cli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_us_cli_server_packets'($*)) dnl
	gen_require(`
		type us_cli_server_packet_t;
	')

	allow $1 us_cli_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_us_cli_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send us_cli_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_us_cli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_us_cli_server_packets'($*)) dnl
	gen_require(`
		type us_cli_server_packet_t;
	')

	dontaudit $1 us_cli_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_us_cli_server_packets'($*)) dnl
')

########################################
##
##	Receive us_cli_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_us_cli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_us_cli_server_packets'($*)) dnl
	gen_require(`
		type us_cli_server_packet_t;
	')

	allow $1 us_cli_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_us_cli_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive us_cli_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_us_cli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_us_cli_server_packets'($*)) dnl
	gen_require(`
		type us_cli_server_packet_t;
	')

	dontaudit $1 us_cli_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_us_cli_server_packets'($*)) dnl
')

########################################
##
##	Send and receive us_cli_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_us_cli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_us_cli_server_packets'($*)) dnl
	corenet_send_us_cli_server_packets($1)
	corenet_receive_us_cli_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_us_cli_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive us_cli_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_us_cli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_us_cli_server_packets'($*)) dnl
	corenet_dontaudit_send_us_cli_server_packets($1)
	corenet_dontaudit_receive_us_cli_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_us_cli_server_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the us_cli_server packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_us_cli_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_us_cli_server_packets'($*)) dnl
	gen_require(`
		type us_cli_server_packet_t;
	')

	allow $1 us_cli_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_us_cli_server_packets'($*)) dnl
')

########################################
##
##	Send and receive TCP traffic on the varnishd port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_varnishd_port'($*)) dnl
	gen_require(`
		type varnishd_port_t;
	')

	allow $1 varnishd_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_varnishd_port'($*)) dnl
')

########################################
##
##	Send UDP traffic on the varnishd port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_send_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_varnishd_port'($*)) dnl
	gen_require(`
		type varnishd_port_t;
	')

	allow $1 varnishd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_varnishd_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send UDP traffic on the varnishd port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_varnishd_port'($*)) dnl
	gen_require(`
		type varnishd_port_t;
	')

	dontaudit $1 varnishd_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_varnishd_port'($*)) dnl
')

########################################
##
##	Receive UDP traffic on the varnishd port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_varnishd_port'($*)) dnl
	gen_require(`
		type varnishd_port_t;
	')

	allow $1 varnishd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_varnishd_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive UDP traffic on the varnishd port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_varnishd_port'($*)) dnl
	gen_require(`
		type varnishd_port_t;
	')

	dontaudit $1 varnishd_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_varnishd_port'($*)) dnl
')

########################################
##
##	Send and receive UDP traffic on the varnishd port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_varnishd_port'($*)) dnl
	corenet_udp_send_varnishd_port($1)
	corenet_udp_receive_varnishd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_varnishd_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the varnishd port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_varnishd_port'($*)) dnl
	corenet_dontaudit_udp_send_varnishd_port($1)
	corenet_dontaudit_udp_receive_varnishd_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_varnishd_port'($*)) dnl
')

########################################
##
##	Bind TCP sockets to the varnishd port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_varnishd_port'($*)) dnl
	gen_require(`
		type varnishd_port_t;
	')

	allow $1 varnishd_port_t:tcp_socket name_bind;
	dnl NOTE(review): unlike the us_cli and versa_tek bind interfaces in this
	dnl file, this one also grants CAP_NET_BIND_SERVICE. That is only needed
	dnl for binding a port number below 1024 -- confirm against the varnishd
	dnl port declaration; otherwise every caller is over-privileged.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_varnishd_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the varnishd port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_varnishd_port'($*)) dnl
	gen_require(`
		type varnishd_port_t;
	')

	allow $1 varnishd_port_t:udp_socket name_bind;
	dnl NOTE(review): same CAP_NET_BIND_SERVICE grant as the TCP bind
	dnl interface above; warranted only for a port below 1024 -- confirm.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_varnishd_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind UDP sockets to the varnishd port.
##
##
##
##	Domain to not audit.
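##
##
##
#
define(`corenet_dontaudit_udp_bind_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_varnishd_port'($*)) dnl
	gen_require(`
		type varnishd_port_t;
	')

	dnl A dontaudit interface must only silence denials. The former
	dnl "allow $1 self:capability net_bind_service;" in this body handed
	dnl CAP_NET_BIND_SERVICE to every domain that merely wanted its bind
	dnl attempt unaudited, which contradicts the documented "Domain to not
	dnl audit" contract. Domains that really bind the port must call
	dnl corenet_udp_bind_varnishd_port() instead.
	dontaudit $1 varnishd_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_varnishd_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the varnishd port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_varnishd_port'($*)) dnl
	gen_require(`
		type varnishd_port_t;
	')

	allow $1 varnishd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_varnishd_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the varnishd port.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_varnishd_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_varnishd_port'($*)) dnl
	gen_require(`
		type varnishd_port_t;
	')

	dontaudit $1 varnishd_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_varnishd_port'($*)) dnl
')

########################################
##
##	Send varnishd_client packets.
##
##
##
##	Domain allowed access.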
##
##
##
#
define(`corenet_send_varnishd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_varnishd_client_packets'($*)) dnl
	gen_require(`
		type varnishd_client_packet_t;
	')

	allow $1 varnishd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_varnishd_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send varnishd_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_varnishd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_varnishd_client_packets'($*)) dnl
	gen_require(`
		type varnishd_client_packet_t;
	')

	dontaudit $1 varnishd_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_varnishd_client_packets'($*)) dnl
')

########################################
##
##	Receive varnishd_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_varnishd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_varnishd_client_packets'($*)) dnl
	gen_require(`
		type varnishd_client_packet_t;
	')

	allow $1 varnishd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_varnishd_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive varnishd_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_varnishd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_varnishd_client_packets'($*)) dnl
	gen_require(`
		type varnishd_client_packet_t;
	')

	dontaudit $1 varnishd_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_varnishd_client_packets'($*)) dnl
')

########################################
##
##	Send and receive varnishd_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_varnishd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_varnishd_client_packets'($*)) dnl
	corenet_send_varnishd_client_packets($1)
	corenet_receive_varnishd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_varnishd_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive varnishd_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_varnishd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_varnishd_client_packets'($*)) dnl
	corenet_dontaudit_send_varnishd_client_packets($1)
	corenet_dontaudit_receive_varnishd_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_varnishd_client_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the varnishd_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_varnishd_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_varnishd_client_packets'($*)) dnl
	gen_require(`
		type varnishd_client_packet_t;
	')

	allow $1 varnishd_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_varnishd_client_packets'($*)) dnl
')

########################################
##
##	Send varnishd_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_varnishd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_varnishd_server_packets'($*)) dnl
	gen_require(`
		type varnishd_server_packet_t;
	')

	allow $1 varnishd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_varnishd_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send varnishd_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_varnishd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_varnishd_server_packets'($*)) dnl
	gen_require(`
		type varnishd_server_packet_t;
	')

	dontaudit $1 varnishd_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_varnishd_server_packets'($*)) dnl
')

########################################
##
##	Receive varnishd_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_varnishd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_varnishd_server_packets'($*)) dnl
	gen_require(`
		type varnishd_server_packet_t;
	')

	allow $1 varnishd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_varnishd_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive varnishd_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_varnishd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_varnishd_server_packets'($*)) dnl
	gen_require(`
		type varnishd_server_packet_t;
	')

	dontaudit $1 varnishd_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_varnishd_server_packets'($*)) dnl
')

########################################
##
##	Send and receive varnishd_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_varnishd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_varnishd_server_packets'($*)) dnl
	corenet_send_varnishd_server_packets($1)
	corenet_receive_varnishd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_varnishd_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive varnishd_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_varnishd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_varnishd_server_packets'($*)) dnl
	corenet_dontaudit_send_varnishd_server_packets($1)
	corenet_dontaudit_receive_varnishd_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_varnishd_server_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the varnishd_server packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_varnishd_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_varnishd_server_packets'($*)) dnl
	gen_require(`
		type varnishd_server_packet_t;
	')

	allow $1 varnishd_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_varnishd_server_packets'($*)) dnl
')

########################################
##
##	Send and receive TCP traffic on the versa_tek port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_versa_tek_port'($*)) dnl
	gen_require(`
		type versa_tek_port_t;
	')

	allow $1 versa_tek_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_versa_tek_port'($*)) dnl
')

########################################
##
##	Send UDP traffic on the versa_tek port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_send_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_versa_tek_port'($*)) dnl
	gen_require(`
		type versa_tek_port_t;
	')

	allow $1 versa_tek_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_versa_tek_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send UDP traffic on the versa_tek port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_versa_tek_port'($*)) dnl
	gen_require(`
		type versa_tek_port_t;
	')

	dontaudit $1 versa_tek_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_versa_tek_port'($*)) dnl
')

########################################
##
##	Receive UDP traffic on the versa_tek port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_versa_tek_port'($*)) dnl
	gen_require(`
		type versa_tek_port_t;
	')

	allow $1 versa_tek_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_versa_tek_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive UDP traffic on the versa_tek port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_versa_tek_port'($*)) dnl
	gen_require(`
		type versa_tek_port_t;
	')

	dontaudit $1 versa_tek_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_versa_tek_port'($*)) dnl
')

########################################
##
##	Send and receive UDP traffic on the versa_tek port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_versa_tek_port'($*)) dnl
	corenet_udp_send_versa_tek_port($1)
	corenet_udp_receive_versa_tek_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_versa_tek_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the versa_tek port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_versa_tek_port'($*)) dnl
	corenet_dontaudit_udp_send_versa_tek_port($1)
	corenet_dontaudit_udp_receive_versa_tek_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_versa_tek_port'($*)) dnl
')

########################################
##
##	Bind TCP sockets to the versa_tek port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_versa_tek_port'($*)) dnl
	gen_require(`
		type versa_tek_port_t;
	')

	allow $1 versa_tek_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_versa_tek_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the versa_tek port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_versa_tek_port'($*)) dnl
	gen_require(`
		type versa_tek_port_t;
	')

	allow $1 versa_tek_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_versa_tek_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind UDP sockets to the versa_tek port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_versa_tek_port'($*)) dnl
	gen_require(`
		type versa_tek_port_t;
	')

	dontaudit $1 versa_tek_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_versa_tek_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the versa_tek port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_versa_tek_port'($*)) dnl
	gen_require(`
		type versa_tek_port_t;
	')

	allow $1 versa_tek_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_versa_tek_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the versa_tek port.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_versa_tek_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_versa_tek_port'($*)) dnl
	gen_require(`
		type versa_tek_port_t;
	')

	dontaudit $1 versa_tek_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_versa_tek_port'($*)) dnl
')

########################################
##
##	Send versa_tek_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_versa_tek_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_versa_tek_client_packets'($*)) dnl
	gen_require(`
		type versa_tek_client_packet_t;
	')

	allow $1 versa_tek_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_versa_tek_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send versa_tek_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
dnl Each interface below pushes an incremented policy_call_depth on entry and pops it on exit;
dnl policy_m4_comment is called with that depth at the begin and end of the expansion.
define(`corenet_dontaudit_send_versa_tek_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_versa_tek_client_packets'($*)) dnl
	gen_require(`
		type versa_tek_client_packet_t;
	')

	dontaudit $1 versa_tek_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_versa_tek_client_packets'($*)) dnl
')

########################################
##
##	Receive versa_tek_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_versa_tek_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_versa_tek_client_packets'($*)) dnl
	gen_require(`
		type versa_tek_client_packet_t;
	')

	allow $1 versa_tek_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_versa_tek_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive versa_tek_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_versa_tek_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_versa_tek_client_packets'($*)) dnl
	gen_require(`
		type versa_tek_client_packet_t;
	')

	dontaudit $1 versa_tek_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_versa_tek_client_packets'($*)) dnl
')

########################################
##
##	Send and receive versa_tek_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
dnl Each interface below pushes an incremented policy_call_depth on entry and pops it on exit;
dnl policy_m4_comment is called with that depth at the begin and end of the expansion.
dnl The sendrecv interfaces carry no rules of their own: they compose the send and receive interfaces.
define(`corenet_sendrecv_versa_tek_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_versa_tek_client_packets'($*)) dnl
	corenet_send_versa_tek_client_packets($1)
	corenet_receive_versa_tek_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_versa_tek_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive versa_tek_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_versa_tek_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_versa_tek_client_packets'($*)) dnl
	corenet_dontaudit_send_versa_tek_client_packets($1)
	corenet_dontaudit_receive_versa_tek_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_versa_tek_client_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the versa_tek_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_versa_tek_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_versa_tek_client_packets'($*)) dnl
	gen_require(`
		type versa_tek_client_packet_t;
	')

	allow $1 versa_tek_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_versa_tek_client_packets'($*)) dnl
')

########################################
##
##	Send versa_tek_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
dnl Each interface below pushes an incremented policy_call_depth on entry and pops it on exit;
dnl policy_m4_comment is called with that depth at the begin and end of the expansion.
define(`corenet_send_versa_tek_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_versa_tek_server_packets'($*)) dnl
	gen_require(`
		type versa_tek_server_packet_t;
	')

	allow $1 versa_tek_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_versa_tek_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send versa_tek_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_versa_tek_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_versa_tek_server_packets'($*)) dnl
	gen_require(`
		type versa_tek_server_packet_t;
	')

	dontaudit $1 versa_tek_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_versa_tek_server_packets'($*)) dnl
')

########################################
##
##	Receive versa_tek_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_versa_tek_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_versa_tek_server_packets'($*)) dnl
	gen_require(`
		type versa_tek_server_packet_t;
	')

	allow $1 versa_tek_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_versa_tek_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive versa_tek_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
dnl Each interface below pushes an incremented policy_call_depth on entry and pops it on exit;
dnl policy_m4_comment is called with that depth at the begin and end of the expansion.
define(`corenet_dontaudit_receive_versa_tek_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_versa_tek_server_packets'($*)) dnl
	gen_require(`
		type versa_tek_server_packet_t;
	')

	dontaudit $1 versa_tek_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_versa_tek_server_packets'($*)) dnl
')

########################################
##
##	Send and receive versa_tek_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
dnl Composes the send and receive interfaces; no rules of its own.
define(`corenet_sendrecv_versa_tek_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_versa_tek_server_packets'($*)) dnl
	corenet_send_versa_tek_server_packets($1)
	corenet_receive_versa_tek_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_versa_tek_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive versa_tek_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_versa_tek_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_versa_tek_server_packets'($*)) dnl
	corenet_dontaudit_send_versa_tek_server_packets($1)
	corenet_dontaudit_receive_versa_tek_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_versa_tek_server_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the versa_tek_server packet type.
##
##
##
##	Domain allowed access.
##
##
#
dnl Each interface below pushes an incremented policy_call_depth on entry and pops it on exit;
dnl policy_m4_comment is called with that depth at the begin and end of the expansion.
define(`corenet_relabelto_versa_tek_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_versa_tek_server_packets'($*)) dnl
	gen_require(`
		type versa_tek_server_packet_t;
	')

	allow $1 versa_tek_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_versa_tek_server_packets'($*)) dnl
')

########################################
##
##	Send and receive TCP traffic on the virt port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_virt_port'($*)) dnl
	gen_require(`
		type virt_port_t;
	')

	allow $1 virt_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_virt_port'($*)) dnl
')

########################################
##
##	Send UDP traffic on the virt port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_send_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_virt_port'($*)) dnl
	gen_require(`
		type virt_port_t;
	')

	allow $1 virt_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_virt_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send UDP traffic on the virt port.
##
##
##
##	Domain to not audit.
##
##
##
#
dnl Each interface below pushes an incremented policy_call_depth on entry and pops it on exit;
dnl policy_m4_comment is called with that depth at the begin and end of the expansion.
define(`corenet_dontaudit_udp_send_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_virt_port'($*)) dnl
	gen_require(`
		type virt_port_t;
	')

	dontaudit $1 virt_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_virt_port'($*)) dnl
')

########################################
##
##	Receive UDP traffic on the virt port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_virt_port'($*)) dnl
	gen_require(`
		type virt_port_t;
	')

	allow $1 virt_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_virt_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive UDP traffic on the virt port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_virt_port'($*)) dnl
	gen_require(`
		type virt_port_t;
	')

	dontaudit $1 virt_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_virt_port'($*)) dnl
')

########################################
##
##	Send and receive UDP traffic on the virt port.
##
##
##
##	Domain allowed access.
##
##
##
#
dnl Each interface below pushes an incremented policy_call_depth on entry and pops it on exit;
dnl policy_m4_comment is called with that depth at the begin and end of the expansion.
dnl The sendrecv interfaces carry no rules of their own: they compose the send and receive interfaces.
define(`corenet_udp_sendrecv_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_virt_port'($*)) dnl
	corenet_udp_send_virt_port($1)
	corenet_udp_receive_virt_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_virt_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the virt port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_virt_port'($*)) dnl
	corenet_dontaudit_udp_send_virt_port($1)
	corenet_dontaudit_udp_receive_virt_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_virt_port'($*)) dnl
')

########################################
##
##	Bind TCP sockets to the virt port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_virt_port'($*)) dnl
	gen_require(`
		type virt_port_t;
	')

	allow $1 virt_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_virt_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the virt port.
##
##
##
##	Domain allowed access.
##
##
##
#
dnl Each interface below pushes an incremented policy_call_depth on entry and pops it on exit;
dnl policy_m4_comment is called with that depth at the begin and end of the expansion.
define(`corenet_udp_bind_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_virt_port'($*)) dnl
	gen_require(`
		type virt_port_t;
	')

	allow $1 virt_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_virt_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind to the virt port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_virt_port'($*)) dnl
	gen_require(`
		type virt_port_t;
	')

	dontaudit $1 virt_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_virt_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the virt port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_virt_port'($*)) dnl
	gen_require(`
		type virt_port_t;
	')

	allow $1 virt_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_virt_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the virt port.
##
##
##
##	Domain to not audit.
##
##
#
dnl Each interface below pushes an incremented policy_call_depth on entry and pops it on exit;
dnl policy_m4_comment is called with that depth at the begin and end of the expansion.
define(`corenet_dontaudit_tcp_connect_virt_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_virt_port'($*)) dnl
	gen_require(`
		type virt_port_t;
	')

	dontaudit $1 virt_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_virt_port'($*)) dnl
')

########################################
##
##	Send virt_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_virt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_virt_client_packets'($*)) dnl
	gen_require(`
		type virt_client_packet_t;
	')

	allow $1 virt_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_virt_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send virt_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_virt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_virt_client_packets'($*)) dnl
	gen_require(`
		type virt_client_packet_t;
	')

	dontaudit $1 virt_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_virt_client_packets'($*)) dnl
')

########################################
##
##	Receive virt_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
dnl Each interface below pushes an incremented policy_call_depth on entry and pops it on exit;
dnl policy_m4_comment is called with that depth at the begin and end of the expansion.
define(`corenet_receive_virt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_virt_client_packets'($*)) dnl
	gen_require(`
		type virt_client_packet_t;
	')

	allow $1 virt_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_virt_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive virt_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_virt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_virt_client_packets'($*)) dnl
	gen_require(`
		type virt_client_packet_t;
	')

	dontaudit $1 virt_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_virt_client_packets'($*)) dnl
')

########################################
##
##	Send and receive virt_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
dnl Composes the send and receive interfaces; no rules of its own.
define(`corenet_sendrecv_virt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_virt_client_packets'($*)) dnl
	corenet_send_virt_client_packets($1)
	corenet_receive_virt_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_virt_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive virt_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
dnl Each interface below pushes an incremented policy_call_depth on entry and pops it on exit;
dnl policy_m4_comment is called with that depth at the begin and end of the expansion.
dnl This dontaudit_sendrecv interface composes the dontaudit send and receive interfaces; no rules of its own.
define(`corenet_dontaudit_sendrecv_virt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_virt_client_packets'($*)) dnl
	corenet_dontaudit_send_virt_client_packets($1)
	corenet_dontaudit_receive_virt_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_virt_client_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the virt_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_virt_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_virt_client_packets'($*)) dnl
	gen_require(`
		type virt_client_packet_t;
	')

	allow $1 virt_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_virt_client_packets'($*)) dnl
')

########################################
##
##	Send virt_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_virt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_virt_server_packets'($*)) dnl
	gen_require(`
		type virt_server_packet_t;
	')

	allow $1 virt_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_virt_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send virt_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
dnl Each interface below pushes an incremented policy_call_depth on entry and pops it on exit;
dnl policy_m4_comment is called with that depth at the begin and end of the expansion.
define(`corenet_dontaudit_send_virt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_virt_server_packets'($*)) dnl
	gen_require(`
		type virt_server_packet_t;
	')

	dontaudit $1 virt_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_virt_server_packets'($*)) dnl
')

########################################
##
##	Receive virt_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_virt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_virt_server_packets'($*)) dnl
	gen_require(`
		type virt_server_packet_t;
	')

	allow $1 virt_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_virt_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive virt_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_virt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_virt_server_packets'($*)) dnl
	gen_require(`
		type virt_server_packet_t;
	')

	dontaudit $1 virt_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_virt_server_packets'($*)) dnl
')

########################################
##
##	Send and receive virt_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
dnl Each interface below pushes an incremented policy_call_depth on entry and pops it on exit;
dnl policy_m4_comment is called with that depth at the begin and end of the expansion.
dnl The sendrecv interfaces carry no rules of their own: they compose the send and receive interfaces.
define(`corenet_sendrecv_virt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_virt_server_packets'($*)) dnl
	corenet_send_virt_server_packets($1)
	corenet_receive_virt_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_virt_server_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive virt_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_virt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_virt_server_packets'($*)) dnl
	corenet_dontaudit_send_virt_server_packets($1)
	corenet_dontaudit_receive_virt_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_virt_server_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the virt_server packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_virt_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_virt_server_packets'($*)) dnl
	gen_require(`
		type virt_server_packet_t;
	')

	allow $1 virt_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_virt_server_packets'($*)) dnl
')

########################################
##
##	Send and receive TCP traffic on the virtual_places port.
##
##
##
##	Domain allowed access.
##
##
##
#
dnl Each interface below pushes an incremented policy_call_depth on entry and pops it on exit;
dnl policy_m4_comment is called with that depth at the begin and end of the expansion.
define(`corenet_tcp_sendrecv_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_virtual_places_port'($*)) dnl
	gen_require(`
		type virtual_places_port_t;
	')

	allow $1 virtual_places_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_virtual_places_port'($*)) dnl
')

########################################
##
##	Send UDP traffic on the virtual_places port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_send_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_virtual_places_port'($*)) dnl
	gen_require(`
		type virtual_places_port_t;
	')

	allow $1 virtual_places_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_virtual_places_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send UDP traffic on the virtual_places port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_virtual_places_port'($*)) dnl
	gen_require(`
		type virtual_places_port_t;
	')

	dontaudit $1 virtual_places_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_virtual_places_port'($*)) dnl
')

########################################
##
##	Receive UDP traffic on the virtual_places port.
##
##
##
##	Domain allowed access.
##
##
##
#
dnl Each interface below pushes an incremented policy_call_depth on entry and pops it on exit;
dnl policy_m4_comment is called with that depth at the begin and end of the expansion.
define(`corenet_udp_receive_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_virtual_places_port'($*)) dnl
	gen_require(`
		type virtual_places_port_t;
	')

	allow $1 virtual_places_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_virtual_places_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive UDP traffic on the virtual_places port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_virtual_places_port'($*)) dnl
	gen_require(`
		type virtual_places_port_t;
	')

	dontaudit $1 virtual_places_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_virtual_places_port'($*)) dnl
')

########################################
##
##	Send and receive UDP traffic on the virtual_places port.
##
##
##
##	Domain allowed access.
##
##
##
#
dnl Composes the UDP send and receive interfaces; no rules of its own.
define(`corenet_udp_sendrecv_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_virtual_places_port'($*)) dnl
	corenet_udp_send_virtual_places_port($1)
	corenet_udp_receive_virtual_places_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_virtual_places_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the virtual_places port.
##
##
##
##	Domain to not audit.
##
##
##
#
dnl Each interface below pushes an incremented policy_call_depth on entry and pops it on exit;
dnl policy_m4_comment is called with that depth at the begin and end of the expansion.
dnl This dontaudit_sendrecv interface composes the dontaudit send and receive interfaces; no rules of its own.
define(`corenet_dontaudit_udp_sendrecv_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_virtual_places_port'($*)) dnl
	corenet_dontaudit_udp_send_virtual_places_port($1)
	corenet_dontaudit_udp_receive_virtual_places_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_virtual_places_port'($*)) dnl
')

########################################
##
##	Bind TCP sockets to the virtual_places port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_virtual_places_port'($*)) dnl
	gen_require(`
		type virtual_places_port_t;
	')

	allow $1 virtual_places_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_virtual_places_port'($*)) dnl
')

########################################
##
##	Bind UDP sockets to the virtual_places port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_virtual_places_port'($*)) dnl
	gen_require(`
		type virtual_places_port_t;
	')

	allow $1 virtual_places_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_virtual_places_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to bind to the virtual_places port.
##
##
##
##	Domain to not audit.
##
##
##
#
dnl Each interface below pushes an incremented policy_call_depth on entry and pops it on exit;
dnl policy_m4_comment is called with that depth at the begin and end of the expansion.
define(`corenet_dontaudit_udp_bind_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_virtual_places_port'($*)) dnl
	gen_require(`
		type virtual_places_port_t;
	')

	dontaudit $1 virtual_places_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_virtual_places_port'($*)) dnl
')

########################################
##
##	Make a TCP connection to the virtual_places port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_virtual_places_port'($*)) dnl
	gen_require(`
		type virtual_places_port_t;
	')

	allow $1 virtual_places_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_virtual_places_port'($*)) dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the virtual_places port.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_virtual_places_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_virtual_places_port'($*)) dnl
	gen_require(`
		type virtual_places_port_t;
	')

	dontaudit $1 virtual_places_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_virtual_places_port'($*)) dnl
')

########################################
##
##	Send virtual_places_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
dnl Each interface below pushes an incremented policy_call_depth on entry and pops it on exit;
dnl policy_m4_comment is called with that depth at the begin and end of the expansion.
define(`corenet_send_virtual_places_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_virtual_places_client_packets'($*)) dnl
	gen_require(`
		type virtual_places_client_packet_t;
	')

	allow $1 virtual_places_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_virtual_places_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send virtual_places_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_virtual_places_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_virtual_places_client_packets'($*)) dnl
	gen_require(`
		type virtual_places_client_packet_t;
	')

	dontaudit $1 virtual_places_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_virtual_places_client_packets'($*)) dnl
')

########################################
##
##	Receive virtual_places_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_virtual_places_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_virtual_places_client_packets'($*)) dnl
	gen_require(`
		type virtual_places_client_packet_t;
	')

	allow $1 virtual_places_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_virtual_places_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to receive virtual_places_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
dnl Each interface below pushes an incremented policy_call_depth on entry and pops it on exit;
dnl policy_m4_comment is called with that depth at the begin and end of the expansion.
define(`corenet_dontaudit_receive_virtual_places_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_virtual_places_client_packets'($*)) dnl
	gen_require(`
		type virtual_places_client_packet_t;
	')

	dontaudit $1 virtual_places_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_virtual_places_client_packets'($*)) dnl
')

########################################
##
##	Send and receive virtual_places_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
dnl Composes the send and receive interfaces; no rules of its own.
define(`corenet_sendrecv_virtual_places_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_virtual_places_client_packets'($*)) dnl
	corenet_send_virtual_places_client_packets($1)
	corenet_receive_virtual_places_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_virtual_places_client_packets'($*)) dnl
')

########################################
##
##	Do not audit attempts to send and receive virtual_places_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_virtual_places_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_virtual_places_client_packets'($*)) dnl
	corenet_dontaudit_send_virtual_places_client_packets($1)
	corenet_dontaudit_receive_virtual_places_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_virtual_places_client_packets'($*)) dnl
')

########################################
##
##	Relabel packets to the virtual_places_client packet type.
##
##
##
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_virtual_places_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_virtual_places_client_packets'($*)) dnl
	gen_require(`
		type virtual_places_client_packet_t;
	')

	allow $1 virtual_places_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_virtual_places_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send virtual_places_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_virtual_places_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_virtual_places_server_packets'($*)) dnl
	gen_require(`
		type virtual_places_server_packet_t;
	')

	allow $1 virtual_places_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_virtual_places_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send virtual_places_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_virtual_places_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_virtual_places_server_packets'($*)) dnl
	gen_require(`
		type virtual_places_server_packet_t;
	')

	dontaudit $1 virtual_places_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_virtual_places_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive virtual_places_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_virtual_places_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_virtual_places_server_packets'($*)) dnl
	gen_require(`
		type virtual_places_server_packet_t;
	')

	allow $1 virtual_places_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_virtual_places_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive virtual_places_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_virtual_places_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_virtual_places_server_packets'($*)) dnl
	gen_require(`
		type virtual_places_server_packet_t;
	')

	dontaudit $1 virtual_places_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_virtual_places_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive virtual_places_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_virtual_places_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_virtual_places_server_packets'($*)) dnl
	corenet_send_virtual_places_server_packets($1)
	corenet_receive_virtual_places_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_virtual_places_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive virtual_places_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_virtual_places_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_virtual_places_server_packets'($*)) dnl
	corenet_dontaudit_send_virtual_places_server_packets($1)
	corenet_dontaudit_receive_virtual_places_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_virtual_places_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the virtual_places_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_virtual_places_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_virtual_places_server_packets'($*)) dnl
	gen_require(`
		type virtual_places_server_packet_t;
	')

	allow $1 virtual_places_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_virtual_places_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the virt_migration port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_virt_migration_port'($*)) dnl
	gen_require(`
		type virt_migration_port_t;
	')

	# both directions are granted together; there is no TCP send-only or
	# receive-only variant of this interface
	allow $1 virt_migration_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_virt_migration_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the virt_migration port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_virt_migration_port'($*)) dnl
	gen_require(`
		type virt_migration_port_t;
	')

	allow $1 virt_migration_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_virt_migration_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the virt_migration port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_virt_migration_port'($*)) dnl
	gen_require(`
		type virt_migration_port_t;
	')

	dontaudit $1 virt_migration_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_virt_migration_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the virt_migration port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_virt_migration_port'($*)) dnl
	gen_require(`
		type virt_migration_port_t;
	')

	allow $1 virt_migration_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_virt_migration_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the virt_migration port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_virt_migration_port'($*)) dnl
	gen_require(`
		type virt_migration_port_t;
	')

	dontaudit $1 virt_migration_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_virt_migration_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the virt_migration port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_virt_migration_port'($*)) dnl
	corenet_udp_send_virt_migration_port($1)
	corenet_udp_receive_virt_migration_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_virt_migration_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the virt_migration port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_virt_migration_port'($*)) dnl
	corenet_dontaudit_udp_send_virt_migration_port($1)
	corenet_dontaudit_udp_receive_virt_migration_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_virt_migration_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the virt_migration port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
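##	</summary>
## </param>
#
define(`corenet_tcp_bind_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_virt_migration_port'($*)) dnl
	gen_require(`
		type virt_migration_port_t;
	')

	allow $1 virt_migration_port_t:tcp_socket name_bind;
	# NOTE(review): every bind interface grants net_bind_service so the
	# caller can bind even when the port number is privileged (below 1024).
	# If this port is registered above 1023 the capability is not needed
	# for it and is a least-privilege cost to the caller; confirm the port
	# number before relying on this rule.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_virt_migration_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the virt_migration port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_virt_migration_port'($*)) dnl
	gen_require(`
		type virt_migration_port_t;
	')

	allow $1 virt_migration_port_t:udp_socket name_bind;
	# see the note on the TCP bind interface above about net_bind_service
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_virt_migration_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the virt_migration port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_virt_migration_port'($*)) dnl
	gen_require(`
		type virt_migration_port_t;
	')

	dontaudit $1 virt_migration_port_t:udp_socket name_bind;
	# A dontaudit interface must not grant access. The capability rule was
	# an allow rule, which silently gave net_bind_service to every caller
	# that only asked for denials to be suppressed; it is now dontaudit as
	# well, so this interface only silences the two related denials.
	dontaudit $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_virt_migration_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the virt_migration port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.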
##	</summary>
## </param>
#
define(`corenet_tcp_connect_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_virt_migration_port'($*)) dnl
	gen_require(`
		type virt_migration_port_t;
	')

	allow $1 virt_migration_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_virt_migration_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the virt_migration port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_virt_migration_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_virt_migration_port'($*)) dnl
	gen_require(`
		type virt_migration_port_t;
	')

	dontaudit $1 virt_migration_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_virt_migration_port'($*)) dnl
')

########################################
## <summary>
##	Send virt_migration_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_virt_migration_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_virt_migration_client_packets'($*)) dnl
	gen_require(`
		type virt_migration_client_packet_t;
	')

	allow $1 virt_migration_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_virt_migration_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send virt_migration_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_virt_migration_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_virt_migration_client_packets'($*)) dnl
	gen_require(`
		type virt_migration_client_packet_t;
	')

	dontaudit $1 virt_migration_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_virt_migration_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive virt_migration_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_virt_migration_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_virt_migration_client_packets'($*)) dnl
	gen_require(`
		type virt_migration_client_packet_t;
	')

	allow $1 virt_migration_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_virt_migration_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive virt_migration_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_virt_migration_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_virt_migration_client_packets'($*)) dnl
	gen_require(`
		type virt_migration_client_packet_t;
	')

	dontaudit $1 virt_migration_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_virt_migration_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive virt_migration_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_virt_migration_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_virt_migration_client_packets'($*)) dnl
	corenet_send_virt_migration_client_packets($1)
	corenet_receive_virt_migration_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_virt_migration_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive virt_migration_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_virt_migration_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_virt_migration_client_packets'($*)) dnl
	corenet_dontaudit_send_virt_migration_client_packets($1)
	corenet_dontaudit_receive_virt_migration_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_virt_migration_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the virt_migration_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_virt_migration_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_virt_migration_client_packets'($*)) dnl
	gen_require(`
		type virt_migration_client_packet_t;
	')

	allow $1 virt_migration_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_virt_migration_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send virt_migration_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_virt_migration_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_virt_migration_server_packets'($*)) dnl
	gen_require(`
		type virt_migration_server_packet_t;
	')

	allow $1 virt_migration_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_virt_migration_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send virt_migration_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_virt_migration_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_virt_migration_server_packets'($*)) dnl
	gen_require(`
		type virt_migration_server_packet_t;
	')

	dontaudit $1 virt_migration_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_virt_migration_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive virt_migration_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_virt_migration_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_virt_migration_server_packets'($*)) dnl
	gen_require(`
		type virt_migration_server_packet_t;
	')

	allow $1 virt_migration_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_virt_migration_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive virt_migration_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_virt_migration_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_virt_migration_server_packets'($*)) dnl
	gen_require(`
		type virt_migration_server_packet_t;
	')

	dontaudit $1 virt_migration_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_virt_migration_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive virt_migration_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_virt_migration_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_virt_migration_server_packets'($*)) dnl
	corenet_send_virt_migration_server_packets($1)
	corenet_receive_virt_migration_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_virt_migration_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive virt_migration_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_virt_migration_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_virt_migration_server_packets'($*)) dnl
	corenet_dontaudit_send_virt_migration_server_packets($1)
	corenet_dontaudit_receive_virt_migration_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_virt_migration_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the virt_migration_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_virt_migration_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_virt_migration_server_packets'($*)) dnl
	gen_require(`
		type virt_migration_server_packet_t;
	')

	allow $1 virt_migration_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_virt_migration_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the vnc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_vnc_port'($*)) dnl
	gen_require(`
		type vnc_port_t;
	')

	# both directions are granted together; there is no TCP send-only or
	# receive-only variant of this interface
	allow $1 vnc_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_vnc_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the vnc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_vnc_port'($*)) dnl
	gen_require(`
		type vnc_port_t;
	')

	allow $1 vnc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_vnc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the vnc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_vnc_port'($*)) dnl
	gen_require(`
		type vnc_port_t;
	')

	dontaudit $1 vnc_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_vnc_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the vnc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_vnc_port'($*)) dnl
	gen_require(`
		type vnc_port_t;
	')

	allow $1 vnc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_vnc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the vnc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_vnc_port'($*)) dnl
	gen_require(`
		type vnc_port_t;
	')

	dontaudit $1 vnc_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_vnc_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the vnc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_vnc_port'($*)) dnl
	corenet_udp_send_vnc_port($1)
	corenet_udp_receive_vnc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_vnc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the vnc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_vnc_port'($*)) dnl
	corenet_dontaudit_udp_send_vnc_port($1)
	corenet_dontaudit_udp_receive_vnc_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_vnc_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the vnc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_vnc_port'($*)) dnl
	gen_require(`
		type vnc_port_t;
	')

	allow $1 vnc_port_t:tcp_socket name_bind;
	# NOTE(review): every bind interface grants net_bind_service so the
	# caller can bind even when the port number is privileged (below 1024).
	# If this port is registered above 1023 the capability is not needed
	# for it and is a least-privilege cost to the caller; confirm the port
	# number before relying on this rule.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_vnc_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the vnc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
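##	</summary>
## </param>
#
define(`corenet_udp_bind_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_vnc_port'($*)) dnl
	gen_require(`
		type vnc_port_t;
	')

	allow $1 vnc_port_t:udp_socket name_bind;
	# NOTE(review): net_bind_service is granted by every bind interface so
	# the caller can bind even when the port number is privileged (below
	# 1024). If this port is registered above 1023 the capability is not
	# needed for it; confirm the port number before relying on this rule.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_vnc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the vnc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_vnc_port'($*)) dnl
	gen_require(`
		type vnc_port_t;
	')

	dontaudit $1 vnc_port_t:udp_socket name_bind;
	# A dontaudit interface must not grant access. The capability rule was
	# an allow rule, which silently gave net_bind_service to every caller
	# that only asked for denials to be suppressed; it is now dontaudit as
	# well, so this interface only silences the two related denials.
	dontaudit $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_vnc_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the vnc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_vnc_port'($*)) dnl
	gen_require(`
		type vnc_port_t;
	')

	allow $1 vnc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_vnc_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the vnc port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.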
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_vnc_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_vnc_port'($*)) dnl
	gen_require(`
		type vnc_port_t;
	')

	dontaudit $1 vnc_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_vnc_port'($*)) dnl
')

########################################
## <summary>
##	Send vnc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_vnc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_vnc_client_packets'($*)) dnl
	gen_require(`
		type vnc_client_packet_t;
	')

	allow $1 vnc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_vnc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send vnc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_vnc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_vnc_client_packets'($*)) dnl
	gen_require(`
		type vnc_client_packet_t;
	')

	dontaudit $1 vnc_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_vnc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive vnc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_vnc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_vnc_client_packets'($*)) dnl
	gen_require(`
		type vnc_client_packet_t;
	')

	allow $1 vnc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_vnc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive vnc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_vnc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_vnc_client_packets'($*)) dnl
	gen_require(`
		type vnc_client_packet_t;
	')

	dontaudit $1 vnc_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_vnc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive vnc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_vnc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_vnc_client_packets'($*)) dnl
	corenet_send_vnc_client_packets($1)
	corenet_receive_vnc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_vnc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive vnc_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_vnc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_vnc_client_packets'($*)) dnl
	corenet_dontaudit_send_vnc_client_packets($1)
	corenet_dontaudit_receive_vnc_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_vnc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the vnc_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_vnc_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_vnc_client_packets'($*)) dnl
	gen_require(`
		type vnc_client_packet_t;
	')

	allow $1 vnc_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_vnc_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send vnc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_vnc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_vnc_server_packets'($*)) dnl
	gen_require(`
		type vnc_server_packet_t;
	')

	allow $1 vnc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_vnc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send vnc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_vnc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_vnc_server_packets'($*)) dnl
	gen_require(`
		type vnc_server_packet_t;
	')

	dontaudit $1 vnc_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_vnc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive vnc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_vnc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_vnc_server_packets'($*)) dnl
	gen_require(`
		type vnc_server_packet_t;
	')

	allow $1 vnc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_vnc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive vnc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_vnc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_vnc_server_packets'($*)) dnl
	gen_require(`
		type vnc_server_packet_t;
	')

	dontaudit $1 vnc_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_vnc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive vnc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
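##	</summary>
## </param>
##
#
define(`corenet_sendrecv_vnc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_vnc_server_packets'($*)) dnl
	corenet_send_vnc_server_packets($1)
	corenet_receive_vnc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_vnc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive vnc_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_vnc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_vnc_server_packets'($*)) dnl
	corenet_dontaudit_send_vnc_server_packets($1)
	corenet_dontaudit_receive_vnc_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_vnc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the vnc_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_vnc_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_vnc_server_packets'($*)) dnl
	gen_require(`
		type vnc_server_packet_t;
	')

	allow $1 vnc_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_vnc_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the vqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.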
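##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_vqp_port'($*)) dnl
	gen_require(`
		type vqp_port_t;
	')

	allow $1 vqp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_vqp_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the vqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_vqp_port'($*)) dnl
	gen_require(`
		type vqp_port_t;
	')

	allow $1 vqp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_vqp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the vqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_send_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_vqp_port'($*)) dnl
	gen_require(`
		type vqp_port_t;
	')

	dontaudit $1 vqp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_vqp_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the vqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.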
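##	</summary>
## </param>
##
#
define(`corenet_udp_receive_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_vqp_port'($*)) dnl
	gen_require(`
		type vqp_port_t;
	')

	allow $1 vqp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_vqp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the vqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_receive_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_vqp_port'($*)) dnl
	gen_require(`
		type vqp_port_t;
	')

	dontaudit $1 vqp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_vqp_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the vqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_sendrecv_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_vqp_port'($*)) dnl
	corenet_udp_send_vqp_port($1)
	corenet_udp_receive_vqp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_vqp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the vqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.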
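##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_sendrecv_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_vqp_port'($*)) dnl
	corenet_dontaudit_udp_send_vqp_port($1)
	corenet_dontaudit_udp_receive_vqp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_vqp_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the vqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_vqp_port'($*)) dnl
	gen_require(`
		type vqp_port_t;
	')

	allow $1 vqp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_vqp_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the vqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_bind_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_vqp_port'($*)) dnl
	gen_require(`
		type vqp_port_t;
	')

	allow $1 vqp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_vqp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the vqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.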
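##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_bind_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_vqp_port'($*)) dnl
	gen_require(`
		type vqp_port_t;
	')

	dontaudit $1 vqp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_vqp_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the vqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_vqp_port'($*)) dnl
	gen_require(`
		type vqp_port_t;
	')

	allow $1 vqp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_vqp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the vqp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_vqp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_vqp_port'($*)) dnl
	gen_require(`
		type vqp_port_t;
	')

	dontaudit $1 vqp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_vqp_port'($*)) dnl
')

########################################
## <summary>
##	Send vqp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.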
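##	</summary>
## </param>
##
#
define(`corenet_send_vqp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_vqp_client_packets'($*)) dnl
	gen_require(`
		type vqp_client_packet_t;
	')

	allow $1 vqp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_vqp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send vqp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_vqp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_vqp_client_packets'($*)) dnl
	gen_require(`
		type vqp_client_packet_t;
	')

	dontaudit $1 vqp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_vqp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive vqp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_vqp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_vqp_client_packets'($*)) dnl
	gen_require(`
		type vqp_client_packet_t;
	')

	allow $1 vqp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_vqp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive vqp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.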
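##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_vqp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_vqp_client_packets'($*)) dnl
	gen_require(`
		type vqp_client_packet_t;
	')

	dontaudit $1 vqp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_vqp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive vqp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_vqp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_vqp_client_packets'($*)) dnl
	corenet_send_vqp_client_packets($1)
	corenet_receive_vqp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_vqp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive vqp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_vqp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_vqp_client_packets'($*)) dnl
	corenet_dontaudit_send_vqp_client_packets($1)
	corenet_dontaudit_receive_vqp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_vqp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the vqp_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.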
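##	</summary>
## </param>
#
define(`corenet_relabelto_vqp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_vqp_client_packets'($*)) dnl
	gen_require(`
		type vqp_client_packet_t;
	')

	allow $1 vqp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_vqp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send vqp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_vqp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_vqp_server_packets'($*)) dnl
	gen_require(`
		type vqp_server_packet_t;
	')

	allow $1 vqp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_vqp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send vqp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_vqp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_vqp_server_packets'($*)) dnl
	gen_require(`
		type vqp_server_packet_t;
	')

	dontaudit $1 vqp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_vqp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive vqp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.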
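##	</summary>
## </param>
##
#
define(`corenet_receive_vqp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_vqp_server_packets'($*)) dnl
	gen_require(`
		type vqp_server_packet_t;
	')

	allow $1 vqp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_vqp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive vqp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_vqp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_vqp_server_packets'($*)) dnl
	gen_require(`
		type vqp_server_packet_t;
	')

	dontaudit $1 vqp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_vqp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive vqp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_vqp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_vqp_server_packets'($*)) dnl
	corenet_send_vqp_server_packets($1)
	corenet_receive_vqp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_vqp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive vqp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.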
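##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_vqp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_vqp_server_packets'($*)) dnl
	corenet_dontaudit_send_vqp_server_packets($1)
	corenet_dontaudit_receive_vqp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_vqp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the vqp_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_vqp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_vqp_server_packets'($*)) dnl
	gen_require(`
		type vqp_server_packet_t;
	')

	allow $1 vqp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_vqp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the wccp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_wccp_port'($*)) dnl
	gen_require(`
		type wccp_port_t;
	')

	allow $1 wccp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_wccp_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the wccp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.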
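##	</summary>
## </param>
##
#
define(`corenet_udp_send_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_wccp_port'($*)) dnl
	gen_require(`
		type wccp_port_t;
	')

	allow $1 wccp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_wccp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the wccp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_send_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_wccp_port'($*)) dnl
	gen_require(`
		type wccp_port_t;
	')

	dontaudit $1 wccp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_wccp_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the wccp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_wccp_port'($*)) dnl
	gen_require(`
		type wccp_port_t;
	')

	allow $1 wccp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_wccp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the wccp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.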
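##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_receive_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_wccp_port'($*)) dnl
	gen_require(`
		type wccp_port_t;
	')

	dontaudit $1 wccp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_wccp_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the wccp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_sendrecv_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_wccp_port'($*)) dnl
	corenet_udp_send_wccp_port($1)
	corenet_udp_receive_wccp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_wccp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the wccp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_sendrecv_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_wccp_port'($*)) dnl
	corenet_dontaudit_udp_send_wccp_port($1)
	corenet_dontaudit_udp_receive_wccp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_wccp_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the wccp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.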
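##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_wccp_port'($*)) dnl
	gen_require(`
		type wccp_port_t;
	')

	allow $1 wccp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_wccp_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the wccp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_bind_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_wccp_port'($*)) dnl
	gen_require(`
		type wccp_port_t;
	')

	allow $1 wccp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_wccp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the wccp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_bind_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_wccp_port'($*)) dnl
	gen_require(`
		type wccp_port_t;
	')

	dontaudit $1 wccp_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_wccp_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the wccp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.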
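##	</summary>
## </param>
#
define(`corenet_tcp_connect_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_wccp_port'($*)) dnl
	gen_require(`
		type wccp_port_t;
	')

	allow $1 wccp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_wccp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the wccp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_wccp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_wccp_port'($*)) dnl
	gen_require(`
		type wccp_port_t;
	')

	dontaudit $1 wccp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_wccp_port'($*)) dnl
')

########################################
## <summary>
##	Send wccp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_wccp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_wccp_client_packets'($*)) dnl
	gen_require(`
		type wccp_client_packet_t;
	')

	allow $1 wccp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_wccp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send wccp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.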
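##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_wccp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wccp_client_packets'($*)) dnl
	gen_require(`
		type wccp_client_packet_t;
	')

	dontaudit $1 wccp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wccp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive wccp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_wccp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_wccp_client_packets'($*)) dnl
	gen_require(`
		type wccp_client_packet_t;
	')

	allow $1 wccp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_wccp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive wccp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_wccp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wccp_client_packets'($*)) dnl
	gen_require(`
		type wccp_client_packet_t;
	')

	dontaudit $1 wccp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wccp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive wccp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.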
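##	</summary>
## </param>
##
#
define(`corenet_sendrecv_wccp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wccp_client_packets'($*)) dnl
	corenet_send_wccp_client_packets($1)
	corenet_receive_wccp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wccp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive wccp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_wccp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wccp_client_packets'($*)) dnl
	corenet_dontaudit_send_wccp_client_packets($1)
	corenet_dontaudit_receive_wccp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wccp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the wccp_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_wccp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wccp_client_packets'($*)) dnl
	gen_require(`
		type wccp_client_packet_t;
	')

	allow $1 wccp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_wccp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send wccp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.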
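##	</summary>
## </param>
##
#
define(`corenet_send_wccp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_wccp_server_packets'($*)) dnl
	gen_require(`
		type wccp_server_packet_t;
	')

	allow $1 wccp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_wccp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send wccp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_wccp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wccp_server_packets'($*)) dnl
	gen_require(`
		type wccp_server_packet_t;
	')

	dontaudit $1 wccp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wccp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive wccp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_wccp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_wccp_server_packets'($*)) dnl
	gen_require(`
		type wccp_server_packet_t;
	')

	allow $1 wccp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_wccp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive wccp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.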
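##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_wccp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wccp_server_packets'($*)) dnl
	gen_require(`
		type wccp_server_packet_t;
	')

	dontaudit $1 wccp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wccp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive wccp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_wccp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wccp_server_packets'($*)) dnl
	corenet_send_wccp_server_packets($1)
	corenet_receive_wccp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wccp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive wccp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_wccp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wccp_server_packets'($*)) dnl
	corenet_dontaudit_send_wccp_server_packets($1)
	corenet_dontaudit_receive_wccp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wccp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the wccp_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.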
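##	</summary>
## </param>
#
define(`corenet_relabelto_wccp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wccp_server_packets'($*)) dnl
	gen_require(`
		type wccp_server_packet_t;
	')

	allow $1 wccp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_wccp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the websm port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_websm_port'($*)) dnl
	gen_require(`
		type websm_port_t;
	')

	allow $1 websm_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_websm_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the websm port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_websm_port'($*)) dnl
	gen_require(`
		type websm_port_t;
	')

	allow $1 websm_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_websm_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the websm port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.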
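##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_send_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_websm_port'($*)) dnl
	gen_require(`
		type websm_port_t;
	')

	dontaudit $1 websm_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_websm_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the websm port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_websm_port'($*)) dnl
	gen_require(`
		type websm_port_t;
	')

	allow $1 websm_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_websm_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the websm port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_receive_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_websm_port'($*)) dnl
	gen_require(`
		type websm_port_t;
	')

	dontaudit $1 websm_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_websm_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the websm port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.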
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_websm_port'($*)) dnl
	corenet_udp_send_websm_port($1)
	corenet_udp_receive_websm_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_websm_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the websm port.
## </summary>
## <desc>
##	<p>
##	Composition of corenet_dontaudit_udp_send_websm_port() and
##	corenet_dontaudit_udp_receive_websm_port(); grants nothing.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_websm_port'($*)) dnl
	corenet_dontaudit_udp_send_websm_port($1)
	corenet_dontaudit_udp_receive_websm_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_websm_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the websm port.
## </summary>
## <desc>
##	<p>
##	Grants name_bind on websm_port_t only. No capability is granted
##	here; compare the whois bind interfaces, which also grant
##	net_bind_service for a reserved port.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_websm_port'($*)) dnl
	gen_require(`
		type websm_port_t;
	')

	allow $1 websm_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_websm_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the websm port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_websm_port'($*)) dnl
	gen_require(`
		type websm_port_t;
	')

	allow $1 websm_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_websm_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the websm port.
## </summary>
## <desc>
##	<p>
##	Only suppresses the name_bind denial record for udp_socket;
##	it grants nothing. There is no TCP counterpart in this file.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_websm_port'($*)) dnl
	gen_require(`
		type websm_port_t;
	')

	dontaudit $1 websm_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_websm_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the websm port.
## </summary>
## <desc>
##	<p>
##	Grants name_connect only. corenet_tcp_sendrecv_websm_port() is
##	the companion interface for exchanging data on the port.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_websm_port'($*)) dnl
	gen_require(`
		type websm_port_t;
	')

	allow $1 websm_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_websm_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the websm port.
## </summary>
## <desc>
##	<p>
##	Only suppresses the name_connect denial record; it grants nothing.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_websm_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_websm_port'($*)) dnl
	gen_require(`
		type websm_port_t;
	')

	dontaudit $1 websm_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_websm_port'($*)) dnl
')

########################################
## <summary>
##	Send websm_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_websm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_websm_client_packets'($*)) dnl
	gen_require(`
		type websm_client_packet_t;
	')

	allow $1 websm_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_websm_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send websm_client packets.
## </summary>
## <desc>
##	<p>
##	Only suppresses the AVC denial record; it grants nothing.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_websm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_websm_client_packets'($*)) dnl
	gen_require(`
		type websm_client_packet_t;
	')

	dontaudit $1 websm_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_websm_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive websm_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_websm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_websm_client_packets'($*)) dnl
	gen_require(`
		type websm_client_packet_t;
	')

	allow $1 websm_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_websm_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive websm_client packets.
## </summary>
## <desc>
##	<p>
##	Only suppresses the AVC denial record; it grants nothing.
##	The parameter is the domain whose denials are silenced, not a
##	domain being granted access.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_websm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_websm_client_packets'($*)) dnl
	gen_require(`
		type websm_client_packet_t;
	')

	dontaudit $1 websm_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_websm_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive websm_client packets.
## </summary>
## <desc>
##	<p>
##	Composition of corenet_send_websm_client_packets() and
##	corenet_receive_websm_client_packets().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_websm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_websm_client_packets'($*)) dnl
	corenet_send_websm_client_packets($1)
	corenet_receive_websm_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_websm_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive websm_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_websm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_websm_client_packets'($*)) dnl
	corenet_dontaudit_send_websm_client_packets($1)
	corenet_dontaudit_receive_websm_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_websm_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the websm_client packet type.
## </summary>
## <desc>
##	<p>
##	Grants relabelto on websm_client_packet_t. Ordinary clients and
##	servers of the port do not need this; it is for a domain that
##	applies packet labels itself (NOTE(review): confirm against the
##	callers before widening its use).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_websm_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_websm_client_packets'($*)) dnl
	gen_require(`
		type websm_client_packet_t;
	')

	allow $1 websm_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_websm_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send websm_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_websm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_websm_server_packets'($*)) dnl
	gen_require(`
		type websm_server_packet_t;
	')

	allow $1 websm_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_websm_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send websm_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_websm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_websm_server_packets'($*)) dnl
	gen_require(`
		type websm_server_packet_t;
	')

	dontaudit $1 websm_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_websm_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive websm_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_websm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_websm_server_packets'($*)) dnl
	gen_require(`
		type websm_server_packet_t;
	')

	allow $1 websm_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_websm_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive websm_server packets.
## </summary>
## <desc>
##	<p>
##	Only suppresses the AVC denial record; it grants nothing.
##	The parameter is the domain whose denials are silenced, not a
##	domain being granted access.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_websm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_websm_server_packets'($*)) dnl
	gen_require(`
		type websm_server_packet_t;
	')

	dontaudit $1 websm_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_websm_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive websm_server packets.
## </summary>
## <desc>
##	<p>
##	Composition of corenet_send_websm_server_packets() and
##	corenet_receive_websm_server_packets().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_websm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_websm_server_packets'($*)) dnl
	corenet_send_websm_server_packets($1)
	corenet_receive_websm_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_websm_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive websm_server packets.
## </summary>
## <desc>
##	<p>
##	Composition of corenet_dontaudit_send_websm_server_packets() and
##	corenet_dontaudit_receive_websm_server_packets(); grants nothing.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_websm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_websm_server_packets'($*)) dnl
	corenet_dontaudit_send_websm_server_packets($1)
	corenet_dontaudit_receive_websm_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_websm_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the websm_server packet type.
## </summary>
## <desc>
##	<p>
##	Grants relabelto on websm_server_packet_t. Ordinary clients and
##	servers of the port do not need this; it is for a domain that
##	applies packet labels itself (NOTE(review): confirm against the
##	callers before widening its use).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_websm_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_websm_server_packets'($*)) dnl
	gen_require(`
		type websm_server_packet_t;
	')

	allow $1 websm_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_websm_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the whois port.
## </summary>
## <desc>
##	<p>
##	Grants send_msg and recv_msg on whois_port_t for tcp_socket only.
##	Connecting to or listening on the port is not included; see
##	corenet_tcp_connect_whois_port() and corenet_tcp_bind_whois_port().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_whois_port'($*)) dnl
	gen_require(`
		type whois_port_t;
	')

	allow $1 whois_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_whois_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the whois port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_whois_port'($*)) dnl
	gen_require(`
		type whois_port_t;
	')

	allow $1 whois_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_whois_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the whois port.
## </summary>
## <desc>
##	<p>
##	Only suppresses the AVC denial record; it grants nothing.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_whois_port'($*)) dnl
	gen_require(`
		type whois_port_t;
	')

	dontaudit $1 whois_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_whois_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the whois port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_whois_port'($*)) dnl
	gen_require(`
		type whois_port_t;
	')

	allow $1 whois_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_whois_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the whois port.
## </summary>
## <desc>
##	<p>
##	Only suppresses the AVC denial record; it grants nothing.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_whois_port'($*)) dnl
	gen_require(`
		type whois_port_t;
	')

	dontaudit $1 whois_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_whois_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the whois port.
## </summary>
## <desc>
##	<p>
##	Composition of corenet_udp_send_whois_port() and
##	corenet_udp_receive_whois_port().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_whois_port'($*)) dnl
	corenet_udp_send_whois_port($1)
	corenet_udp_receive_whois_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_whois_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the whois port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_whois_port'($*)) dnl
	corenet_dontaudit_udp_send_whois_port($1)
	corenet_dontaudit_udp_receive_whois_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_whois_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the whois port.
## </summary>
## <desc>
##	<p>
##	Besides name_bind on whois_port_t this interface grants the
##	domain net_bind_service on self:capability, presumably because
##	whois is a reserved (below 1024) port. That capability is not
##	scoped to the whois port: a caller can then bind any reserved
##	port, so the interface grants more than its name suggests.
##	NOTE(review): only give this to domains that really listen on
##	whois; clients need corenet_tcp_connect_whois_port() instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_whois_port'($*)) dnl
	gen_require(`
		type whois_port_t;
	')

	allow $1 whois_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_whois_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the whois port.
## </summary>
## <desc>
##	<p>
##	Like the TCP variant this also grants net_bind_service on
##	self:capability, which is not restricted to the whois port.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_whois_port'($*)) dnl
	gen_require(`
		type whois_port_t;
	')

	allow $1 whois_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_whois_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the whois port.
## </summary>
## <desc>
##	<p>
##	A do-not-audit interface must only silence denials and grant
##	nothing; in particular it must not carry the net_bind_service
##	allow rule of the bind interfaces above.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
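##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_whois_port'($*)) dnl
	gen_require(`
		type whois_port_t;
	')

	# This is a do-not-audit interface: it must silence denials and
	# grant nothing.  It previously carried
	#   allow $1 self:capability net_bind_service;
	# copied from the bind interfaces, which silently handed every
	# caller the capability to bind any reserved port.  Binding a
	# reserved port checks net_bind_service before name_bind, so that
	# denial is silenced as well -- with dontaudit, not allow.  This
	# matches the websm and winshadow dontaudit bind interfaces.
	dontaudit $1 whois_port_t:udp_socket name_bind;
	dontaudit $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_whois_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the whois port.
## </summary>
## <desc>
##	<p>
##	Grants name_connect only. corenet_tcp_sendrecv_whois_port() is
##	the companion interface for exchanging data on the port. No
##	capability is needed or granted for connecting.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_whois_port'($*)) dnl
	gen_require(`
		type whois_port_t;
	')

	allow $1 whois_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_whois_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the whois port.
## </summary>
## <desc>
##	<p>
##	Only suppresses the name_connect denial record; it grants nothing.
##	The parameter is the domain whose denials are silenced, not a
##	domain being granted access.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_whois_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_whois_port'($*)) dnl
	gen_require(`
		type whois_port_t;
	')

	dontaudit $1 whois_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_whois_port'($*)) dnl
')

########################################
## <summary>
##	Send whois_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.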
##	</summary>
## </param>
#
define(`corenet_send_whois_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_whois_client_packets'($*)) dnl
	gen_require(`
		type whois_client_packet_t;
	')

	allow $1 whois_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_whois_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send whois_client packets.
## </summary>
## <desc>
##	<p>
##	Only suppresses the AVC denial record; it grants nothing.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_whois_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_whois_client_packets'($*)) dnl
	gen_require(`
		type whois_client_packet_t;
	')

	dontaudit $1 whois_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_whois_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive whois_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_whois_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_whois_client_packets'($*)) dnl
	gen_require(`
		type whois_client_packet_t;
	')

	allow $1 whois_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_whois_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive whois_client packets.
## </summary>
## <desc>
##	<p>
##	Only suppresses the AVC denial record; it grants nothing.
##	The parameter is the domain whose denials are silenced, not a
##	domain being granted access.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_whois_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_whois_client_packets'($*)) dnl
	gen_require(`
		type whois_client_packet_t;
	')

	dontaudit $1 whois_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_whois_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive whois_client packets.
## </summary>
## <desc>
##	<p>
##	Composition of corenet_send_whois_client_packets() and
##	corenet_receive_whois_client_packets().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_whois_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_whois_client_packets'($*)) dnl
	corenet_send_whois_client_packets($1)
	corenet_receive_whois_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_whois_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive whois_client packets.
## </summary>
## <desc>
##	<p>
##	Composition of corenet_dontaudit_send_whois_client_packets() and
##	corenet_dontaudit_receive_whois_client_packets(); grants nothing.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_whois_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_whois_client_packets'($*)) dnl
	corenet_dontaudit_send_whois_client_packets($1)
	corenet_dontaudit_receive_whois_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_whois_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the whois_client packet type.
## </summary>
## <desc>
##	<p>
##	Grants relabelto on whois_client_packet_t. Ordinary clients and
##	servers of the port do not need this; it is for a domain that
##	applies packet labels itself (NOTE(review): confirm against the
##	callers before widening its use).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_whois_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_whois_client_packets'($*)) dnl
	gen_require(`
		type whois_client_packet_t;
	')

	allow $1 whois_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_whois_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send whois_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_whois_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_whois_server_packets'($*)) dnl
	gen_require(`
		type whois_server_packet_t;
	')

	allow $1 whois_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_whois_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send whois_server packets.
## </summary>
## <desc>
##	<p>
##	Only suppresses the AVC denial record; it grants nothing.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_whois_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_whois_server_packets'($*)) dnl
	gen_require(`
		type whois_server_packet_t;
	')

	dontaudit $1 whois_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_whois_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive whois_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_whois_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_whois_server_packets'($*)) dnl
	gen_require(`
		type whois_server_packet_t;
	')

	allow $1 whois_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_whois_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive whois_server packets.
## </summary>
## <desc>
##	<p>
##	Only suppresses the AVC denial record; it grants nothing.
##	The parameter is the domain whose denials are silenced, not a
##	domain being granted access.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_whois_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_whois_server_packets'($*)) dnl
	gen_require(`
		type whois_server_packet_t;
	')

	dontaudit $1 whois_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_whois_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive whois_server packets.
## </summary>
## <desc>
##	<p>
##	Composition of corenet_send_whois_server_packets() and
##	corenet_receive_whois_server_packets().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_whois_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_whois_server_packets'($*)) dnl
	corenet_send_whois_server_packets($1)
	corenet_receive_whois_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_whois_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive whois_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_whois_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_whois_server_packets'($*)) dnl
	corenet_dontaudit_send_whois_server_packets($1)
	corenet_dontaudit_receive_whois_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_whois_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the whois_server packet type.
## </summary>
## <desc>
##	<p>
##	Grants relabelto on whois_server_packet_t. Ordinary clients and
##	servers of the port do not need this; it is for a domain that
##	applies packet labels itself (NOTE(review): confirm against the
##	callers before widening its use).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_whois_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_whois_server_packets'($*)) dnl
	gen_require(`
		type whois_server_packet_t;
	')

	allow $1 whois_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_whois_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the winshadow port.
## </summary>
## <desc>
##	<p>
##	Grants send_msg and recv_msg on winshadow_port_t for tcp_socket
##	only. Connecting to or listening on the port is not included; see
##	corenet_tcp_connect_winshadow_port() and
##	corenet_tcp_bind_winshadow_port().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_winshadow_port'($*)) dnl
	gen_require(`
		type winshadow_port_t;
	')

	allow $1 winshadow_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_winshadow_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the winshadow port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_winshadow_port'($*)) dnl
	gen_require(`
		type winshadow_port_t;
	')

	allow $1 winshadow_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_winshadow_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the winshadow port.
## </summary>
## <desc>
##	<p>
##	Only suppresses the AVC denial record; it grants nothing.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_winshadow_port'($*)) dnl
	gen_require(`
		type winshadow_port_t;
	')

	dontaudit $1 winshadow_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_winshadow_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the winshadow port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_winshadow_port'($*)) dnl
	gen_require(`
		type winshadow_port_t;
	')

	allow $1 winshadow_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_winshadow_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the winshadow port.
## </summary>
## <desc>
##	<p>
##	Only suppresses the AVC denial record; it grants nothing.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_winshadow_port'($*)) dnl
	gen_require(`
		type winshadow_port_t;
	')

	dontaudit $1 winshadow_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_winshadow_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the winshadow port.
## </summary>
## <desc>
##	<p>
##	Composition of corenet_udp_send_winshadow_port() and
##	corenet_udp_receive_winshadow_port().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_winshadow_port'($*)) dnl
	corenet_udp_send_winshadow_port($1)
	corenet_udp_receive_winshadow_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_winshadow_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the winshadow port.
## </summary>
## <desc>
##	<p>
##	Composition of corenet_dontaudit_udp_send_winshadow_port() and
##	corenet_dontaudit_udp_receive_winshadow_port(); grants nothing.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_winshadow_port'($*)) dnl
	corenet_dontaudit_udp_send_winshadow_port($1)
	corenet_dontaudit_udp_receive_winshadow_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_winshadow_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the winshadow port.
## </summary>
## <desc>
##	<p>
##	Grants name_bind on winshadow_port_t only; no capability is
##	granted, unlike the reserved whois port.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_winshadow_port'($*)) dnl
	gen_require(`
		type winshadow_port_t;
	')

	allow $1 winshadow_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_winshadow_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the winshadow port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_winshadow_port'($*)) dnl
	gen_require(`
		type winshadow_port_t;
	')

	allow $1 winshadow_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_winshadow_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the winshadow port.
## </summary>
## <desc>
##	<p>
##	Only suppresses the name_bind denial record for udp_socket;
##	it grants nothing. There is no TCP counterpart in this file.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_winshadow_port'($*)) dnl
	gen_require(`
		type winshadow_port_t;
	')

	dontaudit $1 winshadow_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_winshadow_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the winshadow port.
## </summary>
## <desc>
##	<p>
##	Grants name_connect only. corenet_tcp_sendrecv_winshadow_port()
##	is the companion interface for exchanging data on the port.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_winshadow_port'($*)) dnl
	gen_require(`
		type winshadow_port_t;
	')

	allow $1 winshadow_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_winshadow_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the winshadow port.
## </summary>
## <desc>
##	<p>
##	Only suppresses the name_connect denial record; it grants nothing.
##	The parameter is the domain whose denials are silenced, not a
##	domain being granted access.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_winshadow_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_winshadow_port'($*)) dnl
	gen_require(`
		type winshadow_port_t;
	')

	dontaudit $1 winshadow_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_winshadow_port'($*)) dnl
')

########################################
## <summary>
##	Send winshadow_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_winshadow_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_winshadow_client_packets'($*)) dnl
	gen_require(`
		type winshadow_client_packet_t;
	')

	allow $1 winshadow_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_winshadow_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send winshadow_client packets.
## </summary>
## <desc>
##	<p>
##	Only suppresses the AVC denial record; it grants nothing.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
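##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_winshadow_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_winshadow_client_packets'($*))dnl
	gen_require(`
		type winshadow_client_packet_t;
	')

	# Suppresses the denial message only; no access is granted.
	dontaudit $1 winshadow_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_winshadow_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive winshadow_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_winshadow_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_winshadow_client_packets'($*))dnl
	gen_require(`
		type winshadow_client_packet_t;
	')

	allow $1 winshadow_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_winshadow_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive winshadow_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_winshadow_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_winshadow_client_packets'($*))dnl
	gen_require(`
		type winshadow_client_packet_t;
	')

	# Suppresses the denial message only; no access is granted.
	dontaudit $1 winshadow_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_winshadow_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive winshadow_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.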
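##	</summary>
## </param>
##
#
define(`corenet_sendrecv_winshadow_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_winshadow_client_packets'($*))dnl
	# Composed from the single-direction send and receive interfaces.
	corenet_send_winshadow_client_packets($1)
	corenet_receive_winshadow_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_winshadow_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive winshadow_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_winshadow_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_winshadow_client_packets'($*))dnl
	# Composed from the single-direction dontaudit interfaces; grants nothing.
	corenet_dontaudit_send_winshadow_client_packets($1)
	corenet_dontaudit_receive_winshadow_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_winshadow_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the winshadow_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_winshadow_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_winshadow_client_packets'($*))dnl
	gen_require(`
		type winshadow_client_packet_t;
	')

	# Only the relabelto permission; sending and receiving are separate interfaces.
	allow $1 winshadow_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_winshadow_client_packets'($*))dnl
')

########################################
## <summary>
##	Send winshadow_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.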
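##	</summary>
## </param>
##
#
define(`corenet_send_winshadow_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_winshadow_server_packets'($*))dnl
	gen_require(`
		type winshadow_server_packet_t;
	')

	allow $1 winshadow_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_winshadow_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send winshadow_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_winshadow_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_winshadow_server_packets'($*))dnl
	gen_require(`
		type winshadow_server_packet_t;
	')

	# Suppresses the denial message only; no access is granted.
	dontaudit $1 winshadow_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_winshadow_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive winshadow_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_winshadow_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_winshadow_server_packets'($*))dnl
	gen_require(`
		type winshadow_server_packet_t;
	')

	allow $1 winshadow_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_winshadow_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive winshadow_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.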
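##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_winshadow_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_winshadow_server_packets'($*))dnl
	gen_require(`
		type winshadow_server_packet_t;
	')

	# Suppresses the denial message only; no access is granted.
	dontaudit $1 winshadow_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_winshadow_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive winshadow_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_winshadow_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_winshadow_server_packets'($*))dnl
	# Composed from the single-direction send and receive interfaces.
	corenet_send_winshadow_server_packets($1)
	corenet_receive_winshadow_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_winshadow_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive winshadow_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_winshadow_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_winshadow_server_packets'($*))dnl
	# Composed from the single-direction dontaudit interfaces; grants nothing.
	corenet_dontaudit_send_winshadow_server_packets($1)
	corenet_dontaudit_receive_winshadow_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_winshadow_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the winshadow_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.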
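##	</summary>
## </param>
#
define(`corenet_relabelto_winshadow_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_winshadow_server_packets'($*))dnl
	gen_require(`
		type winshadow_server_packet_t;
	')

	# Only the relabelto permission; sending and receiving are separate interfaces.
	allow $1 winshadow_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_winshadow_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the wap_wsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_wap_wsp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_wap_wsp_port'($*))dnl
	gen_require(`
		type wap_wsp_port_t;
	')

	allow $1 wap_wsp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_wap_wsp_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the wap_wsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_wap_wsp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_wap_wsp_port'($*))dnl
	gen_require(`
		type wap_wsp_port_t;
	')

	allow $1 wap_wsp_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_wap_wsp_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the wap_wsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.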
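##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_send_wap_wsp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_wap_wsp_port'($*))dnl
	gen_require(`
		type wap_wsp_port_t;
	')

	# Suppresses the denial message only; no access is granted.
	dontaudit $1 wap_wsp_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_wap_wsp_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the wap_wsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_receive_wap_wsp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_wap_wsp_port'($*))dnl
	gen_require(`
		type wap_wsp_port_t;
	')

	allow $1 wap_wsp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_wap_wsp_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the wap_wsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_receive_wap_wsp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_wap_wsp_port'($*))dnl
	gen_require(`
		type wap_wsp_port_t;
	')

	# Suppresses the denial message only; no access is granted.
	dontaudit $1 wap_wsp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_wap_wsp_port'($*))dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the wap_wsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.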
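##	</summary>
## </param>
##
#
define(`corenet_udp_sendrecv_wap_wsp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_wap_wsp_port'($*))dnl
	# Composed from the single-direction send and receive interfaces.
	corenet_udp_send_wap_wsp_port($1)
	corenet_udp_receive_wap_wsp_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_wap_wsp_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the wap_wsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_sendrecv_wap_wsp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_wap_wsp_port'($*))dnl
	# Composed from the single-direction dontaudit interfaces; grants nothing.
	corenet_dontaudit_udp_send_wap_wsp_port($1)
	corenet_dontaudit_udp_receive_wap_wsp_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_wap_wsp_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the wap_wsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_wap_wsp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_wap_wsp_port'($*))dnl
	gen_require(`
		type wap_wsp_port_t;
	')

	allow $1 wap_wsp_port_t:tcp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_wap_wsp_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the wap_wsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.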
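##	</summary>
## </param>
##
#
define(`corenet_udp_bind_wap_wsp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_wap_wsp_port'($*))dnl
	gen_require(`
		type wap_wsp_port_t;
	')

	allow $1 wap_wsp_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_wap_wsp_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the wap_wsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_bind_wap_wsp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_wap_wsp_port'($*))dnl
	gen_require(`
		type wap_wsp_port_t;
	')

	# Suppresses the denial message only; no access is granted.
	dontaudit $1 wap_wsp_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_wap_wsp_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the wap_wsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_wap_wsp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_wap_wsp_port'($*))dnl
	gen_require(`
		type wap_wsp_port_t;
	')

	allow $1 wap_wsp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_wap_wsp_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the wap_wsp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.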
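##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_wap_wsp_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_wap_wsp_port'($*))dnl
	gen_require(`
		type wap_wsp_port_t;
	')

	# Suppresses the denial message only; no access is granted.
	dontaudit $1 wap_wsp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_wap_wsp_port'($*))dnl
')

########################################
## <summary>
##	Send wap_wsp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_wap_wsp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_wap_wsp_client_packets'($*))dnl
	gen_require(`
		type wap_wsp_client_packet_t;
	')

	allow $1 wap_wsp_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_wap_wsp_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send wap_wsp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_wap_wsp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wap_wsp_client_packets'($*))dnl
	gen_require(`
		type wap_wsp_client_packet_t;
	')

	# Suppresses the denial message only; no access is granted.
	dontaudit $1 wap_wsp_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wap_wsp_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive wap_wsp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.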
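##	</summary>
## </param>
##
#
define(`corenet_receive_wap_wsp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_wap_wsp_client_packets'($*))dnl
	gen_require(`
		type wap_wsp_client_packet_t;
	')

	allow $1 wap_wsp_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_wap_wsp_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive wap_wsp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_wap_wsp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wap_wsp_client_packets'($*))dnl
	gen_require(`
		type wap_wsp_client_packet_t;
	')

	# Suppresses the denial message only; no access is granted.
	dontaudit $1 wap_wsp_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wap_wsp_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive wap_wsp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_wap_wsp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wap_wsp_client_packets'($*))dnl
	# Composed from the single-direction send and receive interfaces.
	corenet_send_wap_wsp_client_packets($1)
	corenet_receive_wap_wsp_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wap_wsp_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive wap_wsp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.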
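##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_wap_wsp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wap_wsp_client_packets'($*))dnl
	# Composed from the single-direction dontaudit interfaces; grants nothing.
	corenet_dontaudit_send_wap_wsp_client_packets($1)
	corenet_dontaudit_receive_wap_wsp_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wap_wsp_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the wap_wsp_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_wap_wsp_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wap_wsp_client_packets'($*))dnl
	gen_require(`
		type wap_wsp_client_packet_t;
	')

	# Only the relabelto permission; sending and receiving are separate interfaces.
	allow $1 wap_wsp_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_wap_wsp_client_packets'($*))dnl
')

########################################
## <summary>
##	Send wap_wsp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_send_wap_wsp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_wap_wsp_server_packets'($*))dnl
	gen_require(`
		type wap_wsp_server_packet_t;
	')

	allow $1 wap_wsp_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_wap_wsp_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send wap_wsp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.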
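##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_wap_wsp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wap_wsp_server_packets'($*))dnl
	gen_require(`
		type wap_wsp_server_packet_t;
	')

	# Suppresses the denial message only; no access is granted.
	dontaudit $1 wap_wsp_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wap_wsp_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive wap_wsp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_wap_wsp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_wap_wsp_server_packets'($*))dnl
	gen_require(`
		type wap_wsp_server_packet_t;
	')

	allow $1 wap_wsp_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_wap_wsp_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive wap_wsp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_wap_wsp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wap_wsp_server_packets'($*))dnl
	gen_require(`
		type wap_wsp_server_packet_t;
	')

	# Suppresses the denial message only; no access is granted.
	dontaudit $1 wap_wsp_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wap_wsp_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive wap_wsp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.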
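##	</summary>
## </param>
##
#
define(`corenet_sendrecv_wap_wsp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wap_wsp_server_packets'($*))dnl
	# Composed from the single-direction send and receive interfaces.
	corenet_send_wap_wsp_server_packets($1)
	corenet_receive_wap_wsp_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wap_wsp_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive wap_wsp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_wap_wsp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wap_wsp_server_packets'($*))dnl
	# Composed from the single-direction dontaudit interfaces; grants nothing.
	corenet_dontaudit_send_wap_wsp_server_packets($1)
	corenet_dontaudit_receive_wap_wsp_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wap_wsp_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the wap_wsp_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_wap_wsp_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wap_wsp_server_packets'($*))dnl
	gen_require(`
		type wap_wsp_server_packet_t;
	')

	# Only the relabelto permission; sending and receiving are separate interfaces.
	allow $1 wap_wsp_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_wap_wsp_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the wsdapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.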
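##	</summary>
## </param>
##
#
define(`corenet_tcp_sendrecv_wsdapi_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_wsdapi_port'($*))dnl
	gen_require(`
		type wsdapi_port_t;
	')

	allow $1 wsdapi_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_wsdapi_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the wsdapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_send_wsdapi_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_wsdapi_port'($*))dnl
	gen_require(`
		type wsdapi_port_t;
	')

	allow $1 wsdapi_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_wsdapi_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the wsdapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_send_wsdapi_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_wsdapi_port'($*))dnl
	gen_require(`
		type wsdapi_port_t;
	')

	# Suppresses the denial message only; no access is granted.
	dontaudit $1 wsdapi_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_wsdapi_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the wsdapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.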
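##	</summary>
## </param>
##
#
define(`corenet_udp_receive_wsdapi_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_wsdapi_port'($*))dnl
	gen_require(`
		type wsdapi_port_t;
	')

	allow $1 wsdapi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_wsdapi_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the wsdapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_receive_wsdapi_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_wsdapi_port'($*))dnl
	gen_require(`
		type wsdapi_port_t;
	')

	# Suppresses the denial message only; no access is granted.
	dontaudit $1 wsdapi_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_wsdapi_port'($*))dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the wsdapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_sendrecv_wsdapi_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_wsdapi_port'($*))dnl
	# Composed from the single-direction send and receive interfaces.
	corenet_udp_send_wsdapi_port($1)
	corenet_udp_receive_wsdapi_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_wsdapi_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the wsdapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.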
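##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_sendrecv_wsdapi_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_wsdapi_port'($*))dnl
	# Composed from the single-direction dontaudit interfaces; grants nothing.
	corenet_dontaudit_udp_send_wsdapi_port($1)
	corenet_dontaudit_udp_receive_wsdapi_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_wsdapi_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the wsdapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_tcp_bind_wsdapi_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_wsdapi_port'($*))dnl
	gen_require(`
		type wsdapi_port_t;
	')

	allow $1 wsdapi_port_t:tcp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_wsdapi_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the wsdapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_udp_bind_wsdapi_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_wsdapi_port'($*))dnl
	gen_require(`
		type wsdapi_port_t;
	')

	allow $1 wsdapi_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_wsdapi_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the wsdapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.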
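##	</summary>
## </param>
##
#
define(`corenet_dontaudit_udp_bind_wsdapi_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_wsdapi_port'($*))dnl
	gen_require(`
		type wsdapi_port_t;
	')

	# Suppresses the denial message only; no access is granted.
	dontaudit $1 wsdapi_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_wsdapi_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the wsdapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_wsdapi_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_wsdapi_port'($*))dnl
	gen_require(`
		type wsdapi_port_t;
	')

	allow $1 wsdapi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_wsdapi_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the wsdapi port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_wsdapi_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_wsdapi_port'($*))dnl
	gen_require(`
		type wsdapi_port_t;
	')

	# Suppresses the denial message only; no access is granted.
	dontaudit $1 wsdapi_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_wsdapi_port'($*))dnl
')

########################################
## <summary>
##	Send wsdapi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.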
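##	</summary>
## </param>
##
#
define(`corenet_send_wsdapi_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_wsdapi_client_packets'($*))dnl
	gen_require(`
		type wsdapi_client_packet_t;
	')

	allow $1 wsdapi_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_wsdapi_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send wsdapi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_send_wsdapi_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wsdapi_client_packets'($*))dnl
	gen_require(`
		type wsdapi_client_packet_t;
	')

	# Suppresses the denial message only; no access is granted.
	dontaudit $1 wsdapi_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wsdapi_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive wsdapi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_receive_wsdapi_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_wsdapi_client_packets'($*))dnl
	gen_require(`
		type wsdapi_client_packet_t;
	')

	allow $1 wsdapi_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_wsdapi_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive wsdapi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.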
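##	</summary>
## </param>
##
#
define(`corenet_dontaudit_receive_wsdapi_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wsdapi_client_packets'($*))dnl
	gen_require(`
		type wsdapi_client_packet_t;
	')

	# Suppresses the denial message only; no access is granted.
	dontaudit $1 wsdapi_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wsdapi_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive wsdapi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`corenet_sendrecv_wsdapi_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wsdapi_client_packets'($*))dnl
	# Composed from the single-direction send and receive interfaces.
	corenet_send_wsdapi_client_packets($1)
	corenet_receive_wsdapi_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wsdapi_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive wsdapi_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`corenet_dontaudit_sendrecv_wsdapi_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wsdapi_client_packets'($*))dnl
	# Composed from the single-direction dontaudit interfaces; grants nothing.
	corenet_dontaudit_send_wsdapi_client_packets($1)
	corenet_dontaudit_receive_wsdapi_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wsdapi_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the wsdapi_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.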
##	</summary>
## </param>
#
define(`corenet_relabelto_wsdapi_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wsdapi_client_packets'($*)) dnl
	gen_require(`
		type wsdapi_client_packet_t;
	')

	allow $1 wsdapi_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_wsdapi_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send wsdapi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_wsdapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_wsdapi_server_packets'($*)) dnl
	gen_require(`
		type wsdapi_server_packet_t;
	')

	allow $1 wsdapi_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_wsdapi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send wsdapi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_wsdapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wsdapi_server_packets'($*)) dnl
	gen_require(`
		type wsdapi_server_packet_t;
	')

	dontaudit $1 wsdapi_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wsdapi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive wsdapi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_wsdapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_wsdapi_server_packets'($*)) dnl
	gen_require(`
		type wsdapi_server_packet_t;
	')

	allow $1 wsdapi_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_wsdapi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive wsdapi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_wsdapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wsdapi_server_packets'($*)) dnl
	gen_require(`
		type wsdapi_server_packet_t;
	')

	dontaudit $1 wsdapi_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wsdapi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive wsdapi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_wsdapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wsdapi_server_packets'($*)) dnl
	corenet_send_wsdapi_server_packets($1)
	corenet_receive_wsdapi_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wsdapi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive wsdapi_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_wsdapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wsdapi_server_packets'($*)) dnl
	corenet_dontaudit_send_wsdapi_server_packets($1)
	corenet_dontaudit_receive_wsdapi_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wsdapi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the wsdapi_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_wsdapi_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wsdapi_server_packets'($*)) dnl
	gen_require(`
		type wsdapi_server_packet_t;
	')

	allow $1 wsdapi_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_wsdapi_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the wsicopy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_tcp_sendrecv_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_wsicopy_port'($*)) dnl
	gen_require(`
		type wsicopy_port_t;
	')

	allow $1 wsicopy_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_wsicopy_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the wsicopy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_wsicopy_port'($*)) dnl
	gen_require(`
		type wsicopy_port_t;
	')

	allow $1 wsicopy_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_wsicopy_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the wsicopy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_wsicopy_port'($*)) dnl
	gen_require(`
		type wsicopy_port_t;
	')

	dontaudit $1 wsicopy_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_wsicopy_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the wsicopy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_wsicopy_port'($*)) dnl
	gen_require(`
		type wsicopy_port_t;
	')

	allow $1 wsicopy_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_wsicopy_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the wsicopy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_wsicopy_port'($*)) dnl
	gen_require(`
		type wsicopy_port_t;
	')

	dontaudit $1 wsicopy_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_wsicopy_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the wsicopy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_udp_sendrecv_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_wsicopy_port'($*)) dnl
	corenet_udp_send_wsicopy_port($1)
	corenet_udp_receive_wsicopy_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_wsicopy_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the wsicopy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_wsicopy_port'($*)) dnl
	corenet_dontaudit_udp_send_wsicopy_port($1)
	corenet_dontaudit_udp_receive_wsicopy_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_wsicopy_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the wsicopy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_wsicopy_port'($*)) dnl
	gen_require(`
		type wsicopy_port_t;
	')

	# wsicopy is not a reserved port, so no net_bind_service capability is granted here.
	allow $1 wsicopy_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_wsicopy_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the wsicopy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_wsicopy_port'($*)) dnl
	gen_require(`
		type wsicopy_port_t;
	')

	allow $1 wsicopy_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_wsicopy_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the wsicopy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_wsicopy_port'($*)) dnl
	gen_require(`
		type wsicopy_port_t;
	')

	# Silences the denial only; grants nothing.
	dontaudit $1 wsicopy_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_wsicopy_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the wsicopy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_wsicopy_port'($*)) dnl
	gen_require(`
		type wsicopy_port_t;
	')

	allow $1 wsicopy_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_wsicopy_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the wsicopy port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_wsicopy_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_wsicopy_port'($*)) dnl
	gen_require(`
		type wsicopy_port_t;
	')

	dontaudit $1 wsicopy_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_wsicopy_port'($*)) dnl
')

########################################
## <summary>
##	Send wsicopy_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_wsicopy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_wsicopy_client_packets'($*)) dnl
	gen_require(`
		type wsicopy_client_packet_t;
	')

	allow $1 wsicopy_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_wsicopy_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send wsicopy_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_wsicopy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wsicopy_client_packets'($*)) dnl
	gen_require(`
		type wsicopy_client_packet_t;
	')

	dontaudit $1 wsicopy_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wsicopy_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive wsicopy_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_wsicopy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_wsicopy_client_packets'($*)) dnl
	gen_require(`
		type wsicopy_client_packet_t;
	')

	allow $1 wsicopy_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_wsicopy_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive wsicopy_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_wsicopy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wsicopy_client_packets'($*)) dnl
	gen_require(`
		type wsicopy_client_packet_t;
	')

	dontaudit $1 wsicopy_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wsicopy_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive wsicopy_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_wsicopy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wsicopy_client_packets'($*)) dnl
	corenet_send_wsicopy_client_packets($1)
	corenet_receive_wsicopy_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wsicopy_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive wsicopy_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_wsicopy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wsicopy_client_packets'($*)) dnl
	corenet_dontaudit_send_wsicopy_client_packets($1)
	corenet_dontaudit_receive_wsicopy_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wsicopy_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the wsicopy_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_wsicopy_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wsicopy_client_packets'($*)) dnl
	gen_require(`
		type wsicopy_client_packet_t;
	')

	allow $1 wsicopy_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_wsicopy_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send wsicopy_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_wsicopy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_wsicopy_server_packets'($*)) dnl
	gen_require(`
		type wsicopy_server_packet_t;
	')

	allow $1 wsicopy_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_wsicopy_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send wsicopy_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_wsicopy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_wsicopy_server_packets'($*)) dnl
	gen_require(`
		type wsicopy_server_packet_t;
	')

	dontaudit $1 wsicopy_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_wsicopy_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive wsicopy_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_wsicopy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_wsicopy_server_packets'($*)) dnl
	gen_require(`
		type wsicopy_server_packet_t;
	')

	allow $1 wsicopy_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_wsicopy_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive wsicopy_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_wsicopy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_wsicopy_server_packets'($*)) dnl
	gen_require(`
		type wsicopy_server_packet_t;
	')

	dontaudit $1 wsicopy_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_wsicopy_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive wsicopy_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_wsicopy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_wsicopy_server_packets'($*)) dnl
	corenet_send_wsicopy_server_packets($1)
	corenet_receive_wsicopy_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_wsicopy_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive wsicopy_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_wsicopy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_wsicopy_server_packets'($*)) dnl
	corenet_dontaudit_send_wsicopy_server_packets($1)
	corenet_dontaudit_receive_wsicopy_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_wsicopy_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the wsicopy_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_wsicopy_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_wsicopy_server_packets'($*)) dnl
	gen_require(`
		type wsicopy_server_packet_t;
	')

	allow $1 wsicopy_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_wsicopy_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the xdmcp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_tcp_sendrecv_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xdmcp_port'($*)) dnl
	gen_require(`
		type xdmcp_port_t;
	')

	allow $1 xdmcp_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xdmcp_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the xdmcp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_udp_send_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xdmcp_port'($*)) dnl
	gen_require(`
		type xdmcp_port_t;
	')

	allow $1 xdmcp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_xdmcp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the xdmcp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_send_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xdmcp_port'($*)) dnl
	gen_require(`
		type xdmcp_port_t;
	')

	dontaudit $1 xdmcp_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xdmcp_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the xdmcp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_udp_receive_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xdmcp_port'($*)) dnl
	gen_require(`
		type xdmcp_port_t;
	')

	allow $1 xdmcp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xdmcp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the xdmcp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_receive_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xdmcp_port'($*)) dnl
	gen_require(`
		type xdmcp_port_t;
	')

	dontaudit $1 xdmcp_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xdmcp_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the xdmcp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_udp_sendrecv_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xdmcp_port'($*)) dnl
	corenet_udp_send_xdmcp_port($1)
	corenet_udp_receive_xdmcp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xdmcp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the xdmcp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_sendrecv_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xdmcp_port'($*)) dnl
	corenet_dontaudit_udp_send_xdmcp_port($1)
	corenet_dontaudit_udp_receive_xdmcp_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xdmcp_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the xdmcp port.
##	Also grants the net_bind_service capability, since the
##	xdmcp port is treated as a reserved (privileged) port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_bind_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xdmcp_port'($*)) dnl
	gen_require(`
		type xdmcp_port_t;
	')

	allow $1 xdmcp_port_t:tcp_socket name_bind;
	# Reserved port: name_bind alone is not enough, the kernel also checks CAP_NET_BIND_SERVICE.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xdmcp_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the xdmcp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
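##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xdmcp_port'($*)) dnl
	gen_require(`
		type xdmcp_port_t;
	')

	allow $1 xdmcp_port_t:udp_socket name_bind;
	# Reserved port: name_bind alone is not enough, the kernel also checks CAP_NET_BIND_SERVICE.
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xdmcp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the xdmcp port.
##	This interface grants nothing; it only suppresses the
##	audit records for the name_bind and net_bind_service checks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_udp_bind_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_xdmcp_port'($*)) dnl
	gen_require(`
		type xdmcp_port_t;
	')

	dontaudit $1 xdmcp_port_t:udp_socket name_bind;
	# Fix: this was an "allow" rule, which silently granted CAP_NET_BIND_SERVICE
	# (the ability to bind any privileged port) to every domain that merely
	# asked to have its xdmcp bind denials silenced. A dontaudit interface
	# must never expand a domain's permissions; suppress the capability
	# denial instead, matching the name_bind rule above.
	dontaudit $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_xdmcp_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the xdmcp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xdmcp_port'($*)) dnl
	gen_require(`
		type xdmcp_port_t;
	')

	allow $1 xdmcp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xdmcp_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the xdmcp port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.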
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_xdmcp_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_xdmcp_port'($*)) dnl
	gen_require(`
		type xdmcp_port_t;
	')

	dontaudit $1 xdmcp_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_xdmcp_port'($*)) dnl
')

########################################
## <summary>
##	Send xdmcp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_xdmcp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xdmcp_client_packets'($*)) dnl
	gen_require(`
		type xdmcp_client_packet_t;
	')

	allow $1 xdmcp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xdmcp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send xdmcp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_xdmcp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xdmcp_client_packets'($*)) dnl
	gen_require(`
		type xdmcp_client_packet_t;
	')

	dontaudit $1 xdmcp_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xdmcp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive xdmcp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_xdmcp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xdmcp_client_packets'($*)) dnl
	gen_require(`
		type xdmcp_client_packet_t;
	')

	allow $1 xdmcp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xdmcp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive xdmcp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_xdmcp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xdmcp_client_packets'($*)) dnl
	gen_require(`
		type xdmcp_client_packet_t;
	')

	dontaudit $1 xdmcp_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xdmcp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive xdmcp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_xdmcp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xdmcp_client_packets'($*)) dnl
	corenet_send_xdmcp_client_packets($1)
	corenet_receive_xdmcp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xdmcp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive xdmcp_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_xdmcp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xdmcp_client_packets'($*)) dnl
	corenet_dontaudit_send_xdmcp_client_packets($1)
	corenet_dontaudit_receive_xdmcp_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xdmcp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the xdmcp_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_xdmcp_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xdmcp_client_packets'($*)) dnl
	gen_require(`
		type xdmcp_client_packet_t;
	')

	allow $1 xdmcp_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xdmcp_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send xdmcp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="write" weight="10"/>
#
define(`corenet_send_xdmcp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xdmcp_server_packets'($*)) dnl
	gen_require(`
		type xdmcp_server_packet_t;
	')

	allow $1 xdmcp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xdmcp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send xdmcp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_send_xdmcp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xdmcp_server_packets'($*)) dnl
	gen_require(`
		type xdmcp_server_packet_t;
	')

	dontaudit $1 xdmcp_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xdmcp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive xdmcp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="read" weight="10"/>
#
define(`corenet_receive_xdmcp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xdmcp_server_packets'($*)) dnl
	gen_require(`
		type xdmcp_server_packet_t;
	')

	allow $1 xdmcp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xdmcp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive xdmcp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_receive_xdmcp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xdmcp_server_packets'($*)) dnl
	gen_require(`
		type xdmcp_server_packet_t;
	')

	dontaudit $1 xdmcp_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xdmcp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive xdmcp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
define(`corenet_sendrecv_xdmcp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xdmcp_server_packets'($*)) dnl
	corenet_send_xdmcp_server_packets($1)
	corenet_receive_xdmcp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xdmcp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive xdmcp_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_dontaudit_sendrecv_xdmcp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xdmcp_server_packets'($*)) dnl
	corenet_dontaudit_send_xdmcp_server_packets($1)
	corenet_dontaudit_receive_xdmcp_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xdmcp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the xdmcp_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_xdmcp_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xdmcp_server_packets'($*)) dnl
	gen_require(`
		type xdmcp_server_packet_t;
	')

	allow $1 xdmcp_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xdmcp_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the xen port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##
## Grants both send_msg and recv_msg on tcp_socket for the port type.
#
define(`corenet_tcp_sendrecv_xen_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xen_port'($*)) dnl
	gen_require(`
		type xen_port_t;
	')

	allow $1 xen_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xen_port'($*)) dnl
')

########################################
## Send UDP traffic on the xen port.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_udp_send_xen_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xen_port'($*)) dnl
	gen_require(`
		type xen_port_t;
	')

	allow $1 xen_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_xen_port'($*)) dnl
')

########################################
## Do not audit attempts to send UDP traffic on the xen port.
## dontaudit only silences the AVC denial record for this access; it grants nothing.
## Parameter 1 ($1): domain to not audit.
#
define(`corenet_dontaudit_udp_send_xen_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xen_port'($*)) dnl
	gen_require(`
		type xen_port_t;
	')

	dontaudit $1 xen_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xen_port'($*)) dnl
')

########################################
## Receive UDP traffic on the xen port.
## Parameter 1 ($1): domain allowed access.
##
## Pulls xen_port_t into scope via gen_require before the rule.
#
define(`corenet_udp_receive_xen_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xen_port'($*)) dnl
	gen_require(`
		type xen_port_t;
	')

	allow $1 xen_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xen_port'($*)) dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the xen port.
## dontaudit only silences the AVC denial record for this access; it grants nothing.
## Parameter 1 ($1): domain to not audit.
#
define(`corenet_dontaudit_udp_receive_xen_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xen_port'($*)) dnl
	gen_require(`
		type xen_port_t;
	')

	dontaudit $1 xen_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xen_port'($*)) dnl
')

########################################
## Send and receive UDP traffic on the xen port.
## Wrapper: expands to the UDP send and receive interfaces for this port.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_udp_sendrecv_xen_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xen_port'($*)) dnl
	corenet_udp_send_xen_port($1)
	corenet_udp_receive_xen_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xen_port'($*)) dnl
')

########################################
## Do not audit attempts to send and receive
## UDP traffic on the xen port.
## Parameter 1 ($1): domain to not audit.
##
## Wrapper over the two dontaudit interfaces; silences denial records, grants nothing.
#
define(`corenet_dontaudit_udp_sendrecv_xen_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xen_port'($*)) dnl
	corenet_dontaudit_udp_send_xen_port($1)
	corenet_dontaudit_udp_receive_xen_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xen_port'($*)) dnl
')

########################################
## Bind TCP sockets to the xen port.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_tcp_bind_xen_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xen_port'($*)) dnl
	gen_require(`
		type xen_port_t;
	')

	allow $1 xen_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xen_port'($*)) dnl
')

########################################
## Bind UDP sockets to the xen port.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_udp_bind_xen_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xen_port'($*)) dnl
	gen_require(`
		type xen_port_t;
	')

	allow $1 xen_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xen_port'($*)) dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the xen port.
## Parameter 1 ($1): domain to not audit.
##
## dontaudit only silences the AVC denial record for this access; it grants nothing.
#
define(`corenet_dontaudit_udp_bind_xen_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_xen_port'($*)) dnl
	gen_require(`
		type xen_port_t;
	')

	dontaudit $1 xen_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_xen_port'($*)) dnl
')

########################################
## Make a TCP connection to the xen port.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_tcp_connect_xen_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xen_port'($*)) dnl
	gen_require(`
		type xen_port_t;
	')

	allow $1 xen_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xen_port'($*)) dnl
')

########################################
## Do not audit attempts to make a TCP connection to the xen port.
## dontaudit only silences the AVC denial record for this access; it grants nothing.
## Parameter 1 ($1): domain to not audit.
#
define(`corenet_dontaudit_tcp_connect_xen_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_xen_port'($*)) dnl
	gen_require(`
		type xen_port_t;
	')

	dontaudit $1 xen_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_xen_port'($*)) dnl
')

########################################
## Send xen_client packets.
## Parameter 1 ($1): domain allowed access.
##
## Pulls xen_client_packet_t into scope via gen_require before the rule.
#
define(`corenet_send_xen_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_xen_client_packets'($*)) dnl
	gen_require(`
		type xen_client_packet_t;
	')

	allow $1 xen_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_xen_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send xen_client packets.
## dontaudit only silences the AVC denial record for this access; it grants nothing.
## Parameter 1 ($1): domain to not audit.
#
define(`corenet_dontaudit_send_xen_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xen_client_packets'($*)) dnl
	gen_require(`
		type xen_client_packet_t;
	')

	dontaudit $1 xen_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xen_client_packets'($*)) dnl
')

########################################
## Receive xen_client packets.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_receive_xen_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_xen_client_packets'($*)) dnl
	gen_require(`
		type xen_client_packet_t;
	')

	allow $1 xen_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_xen_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive xen_client packets.
## Parameter 1 ($1): domain to not audit.
##
## dontaudit only silences the AVC denial record for this access; it grants nothing.
#
define(`corenet_dontaudit_receive_xen_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xen_client_packets'($*)) dnl
	gen_require(`
		type xen_client_packet_t;
	')

	dontaudit $1 xen_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xen_client_packets'($*)) dnl
')

########################################
## Send and receive xen_client packets.
## Wrapper: expands to the send and receive interfaces for the same packet type.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_sendrecv_xen_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xen_client_packets'($*)) dnl
	corenet_send_xen_client_packets($1)
	corenet_receive_xen_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xen_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive xen_client packets.
## Wrapper over the two dontaudit interfaces; silences denial records, grants nothing.
## Parameter 1 ($1): domain to not audit.
#
define(`corenet_dontaudit_sendrecv_xen_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xen_client_packets'($*)) dnl
	corenet_dontaudit_send_xen_client_packets($1)
	corenet_dontaudit_receive_xen_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xen_client_packets'($*)) dnl
')

########################################
## Relabel packets to the xen_client packet type.
## Parameter 1 ($1): domain allowed access.
##
#
define(`corenet_relabelto_xen_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xen_client_packets'($*)) dnl
	gen_require(`
		type xen_client_packet_t;
	')

	allow $1 xen_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_xen_client_packets'($*)) dnl
')

########################################
## Send xen_server packets.
## Pulls xen_server_packet_t into scope via gen_require before the rule.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_send_xen_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_xen_server_packets'($*)) dnl
	gen_require(`
		type xen_server_packet_t;
	')

	allow $1 xen_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_xen_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send xen_server packets.
## dontaudit only silences the AVC denial record for this access; it grants nothing.
## Parameter 1 ($1): domain to not audit.
#
define(`corenet_dontaudit_send_xen_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xen_server_packets'($*)) dnl
	gen_require(`
		type xen_server_packet_t;
	')

	dontaudit $1 xen_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xen_server_packets'($*)) dnl
')

########################################
## Receive xen_server packets.
## Parameter 1 ($1): domain allowed access.
##
#
define(`corenet_receive_xen_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_xen_server_packets'($*)) dnl
	gen_require(`
		type xen_server_packet_t;
	')

	allow $1 xen_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_xen_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive xen_server packets.
## dontaudit only silences the AVC denial record for this access; it grants nothing.
## Parameter 1 ($1): domain to not audit.
#
define(`corenet_dontaudit_receive_xen_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xen_server_packets'($*)) dnl
	gen_require(`
		type xen_server_packet_t;
	')

	dontaudit $1 xen_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xen_server_packets'($*)) dnl
')

########################################
## Send and receive xen_server packets.
## Wrapper: expands to the send and receive interfaces for the same packet type.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_sendrecv_xen_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xen_server_packets'($*)) dnl
	corenet_send_xen_server_packets($1)
	corenet_receive_xen_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xen_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive xen_server packets.
## Parameter 1 ($1): domain to not audit.
##
## Wrapper over the two dontaudit interfaces; silences denial records, grants nothing.
#
define(`corenet_dontaudit_sendrecv_xen_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xen_server_packets'($*)) dnl
	corenet_dontaudit_send_xen_server_packets($1)
	corenet_dontaudit_receive_xen_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xen_server_packets'($*)) dnl
')

########################################
## Relabel packets to the xen_server packet type.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_relabelto_xen_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xen_server_packets'($*)) dnl
	gen_require(`
		type xen_server_packet_t;
	')

	allow $1 xen_server_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_xen_server_packets'($*)) dnl
')

########################################
## Send and receive TCP traffic on the xinuexpansion3 port.
## Grants both send_msg and recv_msg on tcp_socket for the port type.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_tcp_sendrecv_xinuexpansion3_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xinuexpansion3_port'($*)) dnl
	gen_require(`
		type xinuexpansion3_port_t;
	')

	allow $1 xinuexpansion3_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xinuexpansion3_port'($*)) dnl
')

########################################
## Send UDP traffic on the xinuexpansion3 port.
## Parameter 1 ($1): domain allowed access.
##
## Pulls xinuexpansion3_port_t into scope via gen_require before the rule.
#
define(`corenet_udp_send_xinuexpansion3_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xinuexpansion3_port'($*)) dnl
	gen_require(`
		type xinuexpansion3_port_t;
	')

	allow $1 xinuexpansion3_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_xinuexpansion3_port'($*)) dnl
')

########################################
## Do not audit attempts to send UDP traffic on the xinuexpansion3 port.
## dontaudit only silences the AVC denial record for this access; it grants nothing.
## Parameter 1 ($1): domain to not audit.
#
define(`corenet_dontaudit_udp_send_xinuexpansion3_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xinuexpansion3_port'($*)) dnl
	gen_require(`
		type xinuexpansion3_port_t;
	')

	dontaudit $1 xinuexpansion3_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xinuexpansion3_port'($*)) dnl
')

########################################
## Receive UDP traffic on the xinuexpansion3 port.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_udp_receive_xinuexpansion3_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xinuexpansion3_port'($*)) dnl
	gen_require(`
		type xinuexpansion3_port_t;
	')

	allow $1 xinuexpansion3_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xinuexpansion3_port'($*)) dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the xinuexpansion3 port.
## Parameter 1 ($1): domain to not audit.
##
## dontaudit only silences the AVC denial record for this access; it grants nothing.
#
define(`corenet_dontaudit_udp_receive_xinuexpansion3_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xinuexpansion3_port'($*)) dnl
	gen_require(`
		type xinuexpansion3_port_t;
	')

	dontaudit $1 xinuexpansion3_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xinuexpansion3_port'($*)) dnl
')

########################################
## Send and receive UDP traffic on the xinuexpansion3 port.
## Wrapper: expands to the UDP send and receive interfaces for this port.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_udp_sendrecv_xinuexpansion3_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xinuexpansion3_port'($*)) dnl
	corenet_udp_send_xinuexpansion3_port($1)
	corenet_udp_receive_xinuexpansion3_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xinuexpansion3_port'($*)) dnl
')

########################################
## Do not audit attempts to send and receive
## UDP traffic on the xinuexpansion3 port.
## Wrapper over the two dontaudit interfaces; silences denial records, grants nothing.
## Parameter 1 ($1): domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_xinuexpansion3_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xinuexpansion3_port'($*)) dnl
	corenet_dontaudit_udp_send_xinuexpansion3_port($1)
	corenet_dontaudit_udp_receive_xinuexpansion3_port($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xinuexpansion3_port'($*)) dnl
')

########################################
## Bind TCP sockets to the xinuexpansion3 port.
## Parameter 1 ($1): domain allowed access.
##
#
define(`corenet_tcp_bind_xinuexpansion3_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xinuexpansion3_port'($*)) dnl
	gen_require(`
		type xinuexpansion3_port_t;
	')

	allow $1 xinuexpansion3_port_t:tcp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xinuexpansion3_port'($*)) dnl
')

########################################
## Bind UDP sockets to the xinuexpansion3 port.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_udp_bind_xinuexpansion3_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xinuexpansion3_port'($*)) dnl
	gen_require(`
		type xinuexpansion3_port_t;
	')

	allow $1 xinuexpansion3_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xinuexpansion3_port'($*)) dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the xinuexpansion3 port.
## dontaudit only silences the AVC denial record for this access; it grants nothing.
## Parameter 1 ($1): domain to not audit.
#
define(`corenet_dontaudit_udp_bind_xinuexpansion3_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_xinuexpansion3_port'($*)) dnl
	gen_require(`
		type xinuexpansion3_port_t;
	')

	dontaudit $1 xinuexpansion3_port_t:udp_socket name_bind;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_xinuexpansion3_port'($*)) dnl
')

########################################
## Make a TCP connection to the xinuexpansion3 port.
## Parameter 1 ($1): domain allowed access.
##
#
define(`corenet_tcp_connect_xinuexpansion3_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xinuexpansion3_port'($*)) dnl
	gen_require(`
		type xinuexpansion3_port_t;
	')

	allow $1 xinuexpansion3_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xinuexpansion3_port'($*)) dnl
')

########################################
## Do not audit attempts to make a TCP connection to the xinuexpansion3 port.
## dontaudit only silences the AVC denial record for this access; it grants nothing.
## Parameter 1 ($1): domain to not audit.
#
define(`corenet_dontaudit_tcp_connect_xinuexpansion3_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_xinuexpansion3_port'($*)) dnl
	gen_require(`
		type xinuexpansion3_port_t;
	')

	dontaudit $1 xinuexpansion3_port_t:tcp_socket name_connect;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_xinuexpansion3_port'($*)) dnl
')

########################################
## Send xinuexpansion3_client packets.
## Pulls xinuexpansion3_client_packet_t into scope via gen_require before the rule.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_send_xinuexpansion3_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_xinuexpansion3_client_packets'($*)) dnl
	gen_require(`
		type xinuexpansion3_client_packet_t;
	')

	allow $1 xinuexpansion3_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_xinuexpansion3_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send xinuexpansion3_client packets.
## Parameter 1 ($1): domain to not audit.
##
## dontaudit only silences the AVC denial record for this access; it grants nothing.
#
define(`corenet_dontaudit_send_xinuexpansion3_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xinuexpansion3_client_packets'($*)) dnl
	gen_require(`
		type xinuexpansion3_client_packet_t;
	')

	dontaudit $1 xinuexpansion3_client_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xinuexpansion3_client_packets'($*)) dnl
')

########################################
## Receive xinuexpansion3_client packets.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_receive_xinuexpansion3_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_xinuexpansion3_client_packets'($*)) dnl
	gen_require(`
		type xinuexpansion3_client_packet_t;
	')

	allow $1 xinuexpansion3_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_xinuexpansion3_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive xinuexpansion3_client packets.
## dontaudit only silences the AVC denial record for this access; it grants nothing.
## Parameter 1 ($1): domain to not audit.
#
define(`corenet_dontaudit_receive_xinuexpansion3_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xinuexpansion3_client_packets'($*)) dnl
	gen_require(`
		type xinuexpansion3_client_packet_t;
	')

	dontaudit $1 xinuexpansion3_client_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xinuexpansion3_client_packets'($*)) dnl
')

########################################
## Send and receive xinuexpansion3_client packets.
## Parameter 1 ($1): domain allowed access.
##
## Wrapper: expands to the send and receive interfaces for the same packet type.
#
define(`corenet_sendrecv_xinuexpansion3_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xinuexpansion3_client_packets'($*)) dnl
	corenet_send_xinuexpansion3_client_packets($1)
	corenet_receive_xinuexpansion3_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xinuexpansion3_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive xinuexpansion3_client packets.
## Wrapper over the two dontaudit interfaces; silences denial records, grants nothing.
## Parameter 1 ($1): domain to not audit.
#
define(`corenet_dontaudit_sendrecv_xinuexpansion3_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xinuexpansion3_client_packets'($*)) dnl
	corenet_dontaudit_send_xinuexpansion3_client_packets($1)
	corenet_dontaudit_receive_xinuexpansion3_client_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xinuexpansion3_client_packets'($*)) dnl
')

########################################
## Relabel packets to the xinuexpansion3_client packet type.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_relabelto_xinuexpansion3_client_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xinuexpansion3_client_packets'($*)) dnl
	gen_require(`
		type xinuexpansion3_client_packet_t;
	')

	allow $1 xinuexpansion3_client_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_xinuexpansion3_client_packets'($*)) dnl
')

########################################
## Send xinuexpansion3_server packets.
## Parameter 1 ($1): domain allowed access.
##
## Pulls xinuexpansion3_server_packet_t into scope via gen_require before the rule.
#
define(`corenet_send_xinuexpansion3_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_send_xinuexpansion3_server_packets'($*)) dnl
	gen_require(`
		type xinuexpansion3_server_packet_t;
	')

	allow $1 xinuexpansion3_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_send_xinuexpansion3_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send xinuexpansion3_server packets.
## dontaudit only silences the AVC denial record for this access; it grants nothing.
## Parameter 1 ($1): domain to not audit.
#
define(`corenet_dontaudit_send_xinuexpansion3_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xinuexpansion3_server_packets'($*)) dnl
	gen_require(`
		type xinuexpansion3_server_packet_t;
	')

	dontaudit $1 xinuexpansion3_server_packet_t:packet send;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xinuexpansion3_server_packets'($*)) dnl
')

########################################
## Receive xinuexpansion3_server packets.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_receive_xinuexpansion3_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_receive_xinuexpansion3_server_packets'($*)) dnl
	gen_require(`
		type xinuexpansion3_server_packet_t;
	')

	allow $1 xinuexpansion3_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_receive_xinuexpansion3_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive xinuexpansion3_server packets.
## Parameter 1 ($1): domain to not audit.
##
## dontaudit only silences the AVC denial record for this access; it grants nothing.
#
define(`corenet_dontaudit_receive_xinuexpansion3_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xinuexpansion3_server_packets'($*)) dnl
	gen_require(`
		type xinuexpansion3_server_packet_t;
	')

	dontaudit $1 xinuexpansion3_server_packet_t:packet recv;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xinuexpansion3_server_packets'($*)) dnl
')

########################################
## Send and receive xinuexpansion3_server packets.
## Wrapper: expands to the send and receive interfaces for the same packet type.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_sendrecv_xinuexpansion3_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xinuexpansion3_server_packets'($*)) dnl
	corenet_send_xinuexpansion3_server_packets($1)
	corenet_receive_xinuexpansion3_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xinuexpansion3_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive xinuexpansion3_server packets.
## Wrapper over the two dontaudit interfaces; silences denial records, grants nothing.
## Parameter 1 ($1): domain to not audit.
#
define(`corenet_dontaudit_sendrecv_xinuexpansion3_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xinuexpansion3_server_packets'($*)) dnl
	corenet_dontaudit_send_xinuexpansion3_server_packets($1)
	corenet_dontaudit_receive_xinuexpansion3_server_packets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xinuexpansion3_server_packets'($*)) dnl
')

########################################
## Relabel packets to the xinuexpansion3_server packet type.
## Parameter 1 ($1): domain allowed access.
##
#
define(`corenet_relabelto_xinuexpansion3_server_packets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xinuexpansion3_server_packets'($*)) dnl
	gen_require(`
		type xinuexpansion3_server_packet_t;
	')

	allow $1 xinuexpansion3_server_packet_t:packet relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_relabelto_xinuexpansion3_server_packets'($*)) dnl
')

########################################
## Send and receive TCP traffic on the xinuexpansion4 port.
## Grants both send_msg and recv_msg on tcp_socket for the port type.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_tcp_sendrecv_xinuexpansion4_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xinuexpansion4_port'($*)) dnl
	gen_require(`
		type xinuexpansion4_port_t;
	')

	allow $1 xinuexpansion4_port_t:tcp_socket { send_msg recv_msg };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xinuexpansion4_port'($*)) dnl
')

########################################
## Send UDP traffic on the xinuexpansion4 port.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_udp_send_xinuexpansion4_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xinuexpansion4_port'($*)) dnl
	gen_require(`
		type xinuexpansion4_port_t;
	')

	allow $1 xinuexpansion4_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_send_xinuexpansion4_port'($*)) dnl
')

########################################
## Do not audit attempts to send UDP traffic on the xinuexpansion4 port.
## Parameter 1 ($1): domain to not audit.
##
## dontaudit only silences the AVC denial record for this access; it grants nothing.
#
define(`corenet_dontaudit_udp_send_xinuexpansion4_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xinuexpansion4_port'($*)) dnl
	gen_require(`
		type xinuexpansion4_port_t;
	')

	dontaudit $1 xinuexpansion4_port_t:udp_socket send_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xinuexpansion4_port'($*)) dnl
')

########################################
## Receive UDP traffic on the xinuexpansion4 port.
## Pulls xinuexpansion4_port_t into scope via gen_require before the rule.
## Parameter 1 ($1): domain allowed access.
#
define(`corenet_udp_receive_xinuexpansion4_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xinuexpansion4_port'($*)) dnl
	gen_require(`
		type xinuexpansion4_port_t;
	')

	allow $1 xinuexpansion4_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xinuexpansion4_port'($*)) dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the xinuexpansion4 port.
## dontaudit only silences the AVC denial record for this access; it grants nothing.
## Parameter 1 ($1): domain to not audit.
#
define(`corenet_dontaudit_udp_receive_xinuexpansion4_port',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xinuexpansion4_port'($*)) dnl
	gen_require(`
		type xinuexpansion4_port_t;
	')

	dontaudit $1 xinuexpansion4_port_t:udp_socket recv_msg;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xinuexpansion4_port'($*)) dnl
')

########################################
## Send and receive UDP traffic on the xinuexpansion4 port.
## Parameter 1 ($1): domain allowed access.
#
# Convenience wrapper: expands to the send and receive interfaces for this port.
define(`corenet_udp_sendrecv_xinuexpansion4_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xinuexpansion4_port'($*)) dnl
	corenet_udp_send_xinuexpansion4_port($1)
	corenet_udp_receive_xinuexpansion4_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xinuexpansion4_port'($*)) dnl
')

########################################
## Do not audit attempts to send and receive
## UDP traffic on the xinuexpansion4 port.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_xinuexpansion4_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xinuexpansion4_port'($*)) dnl
	corenet_dontaudit_udp_send_xinuexpansion4_port($1)
	corenet_dontaudit_udp_receive_xinuexpansion4_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xinuexpansion4_port'($*)) dnl
')

########################################
## Bind TCP sockets to the xinuexpansion4 port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_tcp_bind_xinuexpansion4_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xinuexpansion4_port'($*)) dnl
	gen_require(`
		type xinuexpansion4_port_t;
	')

	allow $1 xinuexpansion4_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xinuexpansion4_port'($*)) dnl
')

########################################
## Bind UDP sockets to the xinuexpansion4 port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_udp_bind_xinuexpansion4_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xinuexpansion4_port'($*)) dnl
	gen_require(`
		type xinuexpansion4_port_t;
	')

	allow $1 xinuexpansion4_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xinuexpansion4_port'($*)) dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the xinuexpansion4 port.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_bind_xinuexpansion4_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_xinuexpansion4_port'($*)) dnl
	gen_require(`
		type xinuexpansion4_port_t;
	')

	dontaudit $1 xinuexpansion4_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_xinuexpansion4_port'($*)) dnl
')

########################################
## Make a TCP connection to the xinuexpansion4 port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_tcp_connect_xinuexpansion4_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xinuexpansion4_port'($*)) dnl
	gen_require(`
		type xinuexpansion4_port_t;
	')

	allow $1 xinuexpansion4_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xinuexpansion4_port'($*)) dnl
')

########################################
## Do not audit attempts to make a TCP connection to the xinuexpansion4 port.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_tcp_connect_xinuexpansion4_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_xinuexpansion4_port'($*)) dnl
	gen_require(`
		type xinuexpansion4_port_t;
	')

	dontaudit $1 xinuexpansion4_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_xinuexpansion4_port'($*)) dnl
')

########################################
## Send xinuexpansion4_client packets.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_send_xinuexpansion4_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xinuexpansion4_client_packets'($*)) dnl
	gen_require(`
		type xinuexpansion4_client_packet_t;
	')

	allow $1 xinuexpansion4_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xinuexpansion4_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send xinuexpansion4_client packets.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_send_xinuexpansion4_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xinuexpansion4_client_packets'($*)) dnl
	gen_require(`
		type xinuexpansion4_client_packet_t;
	')

	dontaudit $1 xinuexpansion4_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xinuexpansion4_client_packets'($*)) dnl
')

########################################
## Receive xinuexpansion4_client packets.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_receive_xinuexpansion4_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xinuexpansion4_client_packets'($*)) dnl
	gen_require(`
		type xinuexpansion4_client_packet_t;
	')

	allow $1 xinuexpansion4_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xinuexpansion4_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive xinuexpansion4_client packets.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_receive_xinuexpansion4_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xinuexpansion4_client_packets'($*)) dnl
	gen_require(`
		type xinuexpansion4_client_packet_t;
	')

	dontaudit $1 xinuexpansion4_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xinuexpansion4_client_packets'($*)) dnl
')

########################################
## Send and receive xinuexpansion4_client packets.
## Parameter 1 (domain): Domain allowed access.
#
# Convenience wrapper: expands to the send and receive packet interfaces.
define(`corenet_sendrecv_xinuexpansion4_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xinuexpansion4_client_packets'($*)) dnl
	corenet_send_xinuexpansion4_client_packets($1)
	corenet_receive_xinuexpansion4_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xinuexpansion4_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive xinuexpansion4_client packets.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_xinuexpansion4_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xinuexpansion4_client_packets'($*)) dnl
	corenet_dontaudit_send_xinuexpansion4_client_packets($1)
	corenet_dontaudit_receive_xinuexpansion4_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xinuexpansion4_client_packets'($*)) dnl
')

########################################
## Relabel packets to the xinuexpansion4_client packet type.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_relabelto_xinuexpansion4_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xinuexpansion4_client_packets'($*)) dnl
	gen_require(`
		type xinuexpansion4_client_packet_t;
	')

	allow $1 xinuexpansion4_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xinuexpansion4_client_packets'($*)) dnl
')

########################################
## Send xinuexpansion4_server packets.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_send_xinuexpansion4_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xinuexpansion4_server_packets'($*)) dnl
	gen_require(`
		type xinuexpansion4_server_packet_t;
	')

	allow $1 xinuexpansion4_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xinuexpansion4_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send xinuexpansion4_server packets.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_send_xinuexpansion4_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xinuexpansion4_server_packets'($*)) dnl
	gen_require(`
		type xinuexpansion4_server_packet_t;
	')

	dontaudit $1 xinuexpansion4_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xinuexpansion4_server_packets'($*)) dnl
')

########################################
## Receive xinuexpansion4_server packets.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_receive_xinuexpansion4_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xinuexpansion4_server_packets'($*)) dnl
	gen_require(`
		type xinuexpansion4_server_packet_t;
	')

	allow $1 xinuexpansion4_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xinuexpansion4_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive xinuexpansion4_server packets.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_receive_xinuexpansion4_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xinuexpansion4_server_packets'($*)) dnl
	gen_require(`
		type xinuexpansion4_server_packet_t;
	')

	dontaudit $1 xinuexpansion4_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xinuexpansion4_server_packets'($*)) dnl
')

########################################
## Send and receive xinuexpansion4_server packets.
## Parameter 1 (domain): Domain allowed access.
#
# Convenience wrapper: expands to the send and receive packet interfaces.
define(`corenet_sendrecv_xinuexpansion4_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xinuexpansion4_server_packets'($*)) dnl
	corenet_send_xinuexpansion4_server_packets($1)
	corenet_receive_xinuexpansion4_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xinuexpansion4_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive xinuexpansion4_server packets.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_xinuexpansion4_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xinuexpansion4_server_packets'($*)) dnl
	corenet_dontaudit_send_xinuexpansion4_server_packets($1)
	corenet_dontaudit_receive_xinuexpansion4_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xinuexpansion4_server_packets'($*)) dnl
')

########################################
## Relabel packets to the xinuexpansion4_server packet type.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_relabelto_xinuexpansion4_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xinuexpansion4_server_packets'($*)) dnl
	gen_require(`
		type xinuexpansion4_server_packet_t;
	')

	allow $1 xinuexpansion4_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xinuexpansion4_server_packets'($*)) dnl
')

########################################
## Send and receive TCP traffic on the xfs port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_tcp_sendrecv_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xfs_port'($*)) dnl
	gen_require(`
		type xfs_port_t;
	')

	allow $1 xfs_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xfs_port'($*)) dnl
')

########################################
## Send UDP traffic on the xfs port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_udp_send_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xfs_port'($*)) dnl
	gen_require(`
		type xfs_port_t;
	')

	allow $1 xfs_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_xfs_port'($*)) dnl
')

########################################
## Do not audit attempts to send UDP traffic on the xfs port.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_send_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xfs_port'($*)) dnl
	gen_require(`
		type xfs_port_t;
	')

	dontaudit $1 xfs_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xfs_port'($*)) dnl
')

########################################
## Receive UDP traffic on the xfs port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_udp_receive_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xfs_port'($*)) dnl
	gen_require(`
		type xfs_port_t;
	')

	allow $1 xfs_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xfs_port'($*)) dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the xfs port.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xfs_port'($*)) dnl
	gen_require(`
		type xfs_port_t;
	')

	dontaudit $1 xfs_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xfs_port'($*)) dnl
')

########################################
## Send and receive UDP traffic on the xfs port.
## Parameter 1 (domain): Domain allowed access.
#
# Convenience wrapper: expands to the send and receive interfaces for this port.
define(`corenet_udp_sendrecv_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xfs_port'($*)) dnl
	corenet_udp_send_xfs_port($1)
	corenet_udp_receive_xfs_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xfs_port'($*)) dnl
')

########################################
## Do not audit attempts to send and receive
## UDP traffic on the xfs port.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xfs_port'($*)) dnl
	corenet_dontaudit_udp_send_xfs_port($1)
	corenet_dontaudit_udp_receive_xfs_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xfs_port'($*)) dnl
')

########################################
## Bind TCP sockets to the xfs port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_tcp_bind_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xfs_port'($*)) dnl
	gen_require(`
		type xfs_port_t;
	')

	allow $1 xfs_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xfs_port'($*)) dnl
')

########################################
## Bind UDP sockets to the xfs port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_udp_bind_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xfs_port'($*)) dnl
	gen_require(`
		type xfs_port_t;
	')

	allow $1 xfs_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xfs_port'($*)) dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the xfs port.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_bind_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_xfs_port'($*)) dnl
	gen_require(`
		type xfs_port_t;
	')

	dontaudit $1 xfs_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_xfs_port'($*)) dnl
')

########################################
## Make a TCP connection to the xfs port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_tcp_connect_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xfs_port'($*)) dnl
	gen_require(`
		type xfs_port_t;
	')

	allow $1 xfs_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xfs_port'($*)) dnl
')

########################################
## Do not audit attempts to make a TCP connection to the xfs port.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_tcp_connect_xfs_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_xfs_port'($*)) dnl
	gen_require(`
		type xfs_port_t;
	')

	dontaudit $1 xfs_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_xfs_port'($*)) dnl
')

########################################
## Send xfs_client packets.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_send_xfs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xfs_client_packets'($*)) dnl
	gen_require(`
		type xfs_client_packet_t;
	')

	allow $1 xfs_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xfs_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send xfs_client packets.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_send_xfs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xfs_client_packets'($*)) dnl
	gen_require(`
		type xfs_client_packet_t;
	')

	dontaudit $1 xfs_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xfs_client_packets'($*)) dnl
')

########################################
## Receive xfs_client packets.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_receive_xfs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xfs_client_packets'($*)) dnl
	gen_require(`
		type xfs_client_packet_t;
	')

	allow $1 xfs_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xfs_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive xfs_client packets.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_receive_xfs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xfs_client_packets'($*)) dnl
	gen_require(`
		type xfs_client_packet_t;
	')

	dontaudit $1 xfs_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xfs_client_packets'($*)) dnl
')

########################################
## Send and receive xfs_client packets.
## Parameter 1 (domain): Domain allowed access.
#
# Convenience wrapper: expands to the send and receive packet interfaces.
define(`corenet_sendrecv_xfs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xfs_client_packets'($*)) dnl
	corenet_send_xfs_client_packets($1)
	corenet_receive_xfs_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xfs_client_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive xfs_client packets.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_xfs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xfs_client_packets'($*)) dnl
	corenet_dontaudit_send_xfs_client_packets($1)
	corenet_dontaudit_receive_xfs_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xfs_client_packets'($*)) dnl
')

########################################
## Relabel packets to the xfs_client packet type.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_relabelto_xfs_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xfs_client_packets'($*)) dnl
	gen_require(`
		type xfs_client_packet_t;
	')

	allow $1 xfs_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xfs_client_packets'($*)) dnl
')

########################################
## Send xfs_server packets.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_send_xfs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xfs_server_packets'($*)) dnl
	gen_require(`
		type xfs_server_packet_t;
	')

	allow $1 xfs_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xfs_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send xfs_server packets.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_send_xfs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xfs_server_packets'($*)) dnl
	gen_require(`
		type xfs_server_packet_t;
	')

	dontaudit $1 xfs_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xfs_server_packets'($*)) dnl
')

########################################
## Receive xfs_server packets.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_receive_xfs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xfs_server_packets'($*)) dnl
	gen_require(`
		type xfs_server_packet_t;
	')

	allow $1 xfs_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xfs_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to receive xfs_server packets.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_receive_xfs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xfs_server_packets'($*)) dnl
	gen_require(`
		type xfs_server_packet_t;
	')

	dontaudit $1 xfs_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xfs_server_packets'($*)) dnl
')

########################################
## Send and receive xfs_server packets.
## Parameter 1 (domain): Domain allowed access.
#
# Convenience wrapper: expands to the send and receive packet interfaces.
define(`corenet_sendrecv_xfs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xfs_server_packets'($*)) dnl
	corenet_send_xfs_server_packets($1)
	corenet_receive_xfs_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xfs_server_packets'($*)) dnl
')

########################################
## Do not audit attempts to send and receive xfs_server packets.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_sendrecv_xfs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xfs_server_packets'($*)) dnl
	corenet_dontaudit_send_xfs_server_packets($1)
	corenet_dontaudit_receive_xfs_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xfs_server_packets'($*)) dnl
')

########################################
## Relabel packets to the xfs_server packet type.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_relabelto_xfs_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xfs_server_packets'($*)) dnl
	gen_require(`
		type xfs_server_packet_t;
	')

	allow $1 xfs_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xfs_server_packets'($*)) dnl
')

########################################
## Send and receive TCP traffic on the xmsg port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_tcp_sendrecv_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xmsg_port'($*)) dnl
	gen_require(`
		type xmsg_port_t;
	')

	allow $1 xmsg_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xmsg_port'($*)) dnl
')

########################################
## Send UDP traffic on the xmsg port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_udp_send_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xmsg_port'($*)) dnl
	gen_require(`
		type xmsg_port_t;
	')

	allow $1 xmsg_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_xmsg_port'($*)) dnl
')

########################################
## Do not audit attempts to send UDP traffic on the xmsg port.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_send_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xmsg_port'($*)) dnl
	gen_require(`
		type xmsg_port_t;
	')

	dontaudit $1 xmsg_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xmsg_port'($*)) dnl
')

########################################
## Receive UDP traffic on the xmsg port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_udp_receive_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xmsg_port'($*)) dnl
	gen_require(`
		type xmsg_port_t;
	')

	allow $1 xmsg_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xmsg_port'($*)) dnl
')

########################################
## Do not audit attempts to receive UDP traffic on the xmsg port.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_receive_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xmsg_port'($*)) dnl
	gen_require(`
		type xmsg_port_t;
	')

	dontaudit $1 xmsg_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xmsg_port'($*)) dnl
')

########################################
## Send and receive UDP traffic on the xmsg port.
## Parameter 1 (domain): Domain allowed access.
#
# Convenience wrapper: expands to the send and receive interfaces for this port.
define(`corenet_udp_sendrecv_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xmsg_port'($*)) dnl
	corenet_udp_send_xmsg_port($1)
	corenet_udp_receive_xmsg_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xmsg_port'($*)) dnl
')

########################################
## Do not audit attempts to send and receive
## UDP traffic on the xmsg port.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_sendrecv_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xmsg_port'($*)) dnl
	corenet_dontaudit_udp_send_xmsg_port($1)
	corenet_dontaudit_udp_receive_xmsg_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xmsg_port'($*)) dnl
')

########################################
## Bind TCP sockets to the xmsg port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_tcp_bind_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xmsg_port'($*)) dnl
	gen_require(`
		type xmsg_port_t;
	')

	allow $1 xmsg_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xmsg_port'($*)) dnl
')

########################################
## Bind UDP sockets to the xmsg port.
## Parameter 1 (domain): Domain allowed access.
#
define(`corenet_udp_bind_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xmsg_port'($*)) dnl
	gen_require(`
		type xmsg_port_t;
	')

	allow $1 xmsg_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xmsg_port'($*)) dnl
')

########################################
## Do not audit attempts to bind UDP sockets to the xmsg port.
## Parameter 1 (domain): Domain to not audit.
#
define(`corenet_dontaudit_udp_bind_xmsg_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_xmsg_port'($*)) dnl
	gen_require(`
		type xmsg_port_t;
	')

	dontaudit $1 xmsg_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_xmsg_port'($*)) dnl
')

########################################
## Make a TCP connection to the xmsg port.
## Parameter 1 (domain): Domain allowed access.
##
##
#
define(`corenet_tcp_connect_xmsg_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xmsg_port'($*))dnl
gen_require(`
	type xmsg_port_t;
')

allow $1 xmsg_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xmsg_port'($*))dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the xmsg port.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_xmsg_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_xmsg_port'($*))dnl
gen_require(`
	type xmsg_port_t;
')

# Silences the denial only; the connect is still refused.
dontaudit $1 xmsg_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_xmsg_port'($*))dnl
')

########################################
##
##	Send xmsg_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_xmsg_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xmsg_client_packets'($*))dnl
gen_require(`
	type xmsg_client_packet_t;
')

allow $1 xmsg_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xmsg_client_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to send xmsg_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xmsg_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xmsg_client_packets'($*))dnl
gen_require(`
	type xmsg_client_packet_t;
')

dontaudit $1 xmsg_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xmsg_client_packets'($*))dnl
')

########################################
##
##	Receive xmsg_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_xmsg_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xmsg_client_packets'($*))dnl
gen_require(`
	type xmsg_client_packet_t;
')

allow $1 xmsg_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xmsg_client_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to receive xmsg_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_xmsg_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xmsg_client_packets'($*))dnl
gen_require(`
	type xmsg_client_packet_t;
')

# Silences the denial only; nothing is granted.
dontaudit $1 xmsg_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xmsg_client_packets'($*))dnl
')

########################################
##
##	Send and receive xmsg_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xmsg_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xmsg_client_packets'($*))dnl
# Wrapper: both directions through the single-direction interfaces.
corenet_send_xmsg_client_packets($1)
corenet_receive_xmsg_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xmsg_client_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to send and receive xmsg_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xmsg_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xmsg_client_packets'($*))dnl
corenet_dontaudit_send_xmsg_client_packets($1)
corenet_dontaudit_receive_xmsg_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xmsg_client_packets'($*))dnl
')

########################################
##
##	Relabel packets to the xmsg_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_xmsg_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xmsg_client_packets'($*))dnl
gen_require(`
	type xmsg_client_packet_t;
')

# relabelto lets the caller mark packets (e.g. via SECMARK rules) as this type.
allow $1 xmsg_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xmsg_client_packets'($*))dnl
')

########################################
##
##	Send xmsg_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_xmsg_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xmsg_server_packets'($*))dnl
gen_require(`
	type xmsg_server_packet_t;
')

allow $1 xmsg_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xmsg_server_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to send xmsg_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xmsg_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xmsg_server_packets'($*))dnl
gen_require(`
	type xmsg_server_packet_t;
')

dontaudit $1 xmsg_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xmsg_server_packets'($*))dnl
')

########################################
##
##	Receive xmsg_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_xmsg_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xmsg_server_packets'($*))dnl
gen_require(`
	type xmsg_server_packet_t;
')

allow $1 xmsg_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xmsg_server_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to receive xmsg_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_xmsg_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xmsg_server_packets'($*))dnl
gen_require(`
	type xmsg_server_packet_t;
')

# Silences the denial only; nothing is granted.
dontaudit $1 xmsg_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xmsg_server_packets'($*))dnl
')

########################################
##
##	Send and receive xmsg_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xmsg_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xmsg_server_packets'($*))dnl
# Wrapper: both directions through the single-direction interfaces.
corenet_send_xmsg_server_packets($1)
corenet_receive_xmsg_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xmsg_server_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to send and receive xmsg_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xmsg_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xmsg_server_packets'($*))dnl
corenet_dontaudit_send_xmsg_server_packets($1)
corenet_dontaudit_receive_xmsg_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xmsg_server_packets'($*))dnl
')

########################################
##
##	Relabel packets to the xmsg_server packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_xmsg_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xmsg_server_packets'($*))dnl
gen_require(`
	type xmsg_server_packet_t;
')

# relabelto lets the caller mark packets (e.g. via SECMARK rules) as this type.
allow $1 xmsg_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xmsg_server_packets'($*))dnl
')

########################################
##
##	Send and receive TCP traffic on the xodbc_connect port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_xodbc_connect_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xodbc_connect_port'($*))dnl
gen_require(`
	type xodbc_connect_port_t;
')

allow $1 xodbc_connect_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xodbc_connect_port'($*))dnl
')

########################################
##
##	Send UDP traffic on the xodbc_connect port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_send_xodbc_connect_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xodbc_connect_port'($*))dnl
gen_require(`
	type xodbc_connect_port_t;
')

allow $1 xodbc_connect_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_xodbc_connect_port'($*))dnl
')

########################################
##
##	Do not audit attempts to send UDP traffic on the xodbc_connect port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_xodbc_connect_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xodbc_connect_port'($*))dnl
gen_require(`
	type xodbc_connect_port_t;
')

# Silences the denial only; nothing is granted.
dontaudit $1 xodbc_connect_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xodbc_connect_port'($*))dnl
')

########################################
##
##	Receive UDP traffic on the xodbc_connect port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_xodbc_connect_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xodbc_connect_port'($*))dnl
gen_require(`
	type xodbc_connect_port_t;
')

allow $1 xodbc_connect_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xodbc_connect_port'($*))dnl
')

########################################
##
##	Do not audit attempts to receive UDP traffic on the xodbc_connect port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_xodbc_connect_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xodbc_connect_port'($*))dnl
gen_require(`
	type xodbc_connect_port_t;
')

dontaudit $1 xodbc_connect_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xodbc_connect_port'($*))dnl
')

########################################
##
##	Send and receive UDP traffic on the xodbc_connect port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_xodbc_connect_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xodbc_connect_port'($*))dnl
# Wrapper: both directions through the single-direction interfaces.
corenet_udp_send_xodbc_connect_port($1)
corenet_udp_receive_xodbc_connect_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xodbc_connect_port'($*))dnl
')

########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the xodbc_connect port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_xodbc_connect_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xodbc_connect_port'($*))dnl
corenet_dontaudit_udp_send_xodbc_connect_port($1)
corenet_dontaudit_udp_receive_xodbc_connect_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xodbc_connect_port'($*))dnl
')

########################################
##
##	Bind TCP sockets to the xodbc_connect port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_xodbc_connect_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xodbc_connect_port'($*))dnl
gen_require(`
	type xodbc_connect_port_t;
')

allow $1 xodbc_connect_port_t:tcp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xodbc_connect_port'($*))dnl
')

########################################
##
##	Bind UDP sockets to the xodbc_connect port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_xodbc_connect_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xodbc_connect_port'($*))dnl
gen_require(`
	type xodbc_connect_port_t;
')

allow $1 xodbc_connect_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xodbc_connect_port'($*))dnl
')

########################################
##
##	Do not audit attempts to bind to the xodbc_connect port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_bind_xodbc_connect_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_xodbc_connect_port'($*))dnl
gen_require(`
	type xodbc_connect_port_t;
')

# Silences the denial only; the bind is still refused.
dontaudit $1 xodbc_connect_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_xodbc_connect_port'($*))dnl
')

########################################
##
##	Make a TCP connection to the xodbc_connect port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_xodbc_connect_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xodbc_connect_port'($*))dnl
gen_require(`
	type xodbc_connect_port_t;
')

allow $1 xodbc_connect_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xodbc_connect_port'($*))dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the xodbc_connect port.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_xodbc_connect_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_xodbc_connect_port'($*))dnl
gen_require(`
	type xodbc_connect_port_t;
')

# Silences the denial only; the connect is still refused.
dontaudit $1 xodbc_connect_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_xodbc_connect_port'($*))dnl
')

########################################
##
##	Send xodbc_connect_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_xodbc_connect_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xodbc_connect_client_packets'($*))dnl
gen_require(`
	type xodbc_connect_client_packet_t;
')

allow $1 xodbc_connect_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xodbc_connect_client_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to send xodbc_connect_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xodbc_connect_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xodbc_connect_client_packets'($*))dnl
gen_require(`
	type xodbc_connect_client_packet_t;
')

dontaudit $1 xodbc_connect_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xodbc_connect_client_packets'($*))dnl
')

########################################
##
##	Receive xodbc_connect_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_xodbc_connect_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xodbc_connect_client_packets'($*))dnl
gen_require(`
	type xodbc_connect_client_packet_t;
')

allow $1 xodbc_connect_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xodbc_connect_client_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to receive xodbc_connect_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_xodbc_connect_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xodbc_connect_client_packets'($*))dnl
gen_require(`
	type xodbc_connect_client_packet_t;
')

# Silences the denial only; nothing is granted.
dontaudit $1 xodbc_connect_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xodbc_connect_client_packets'($*))dnl
')

########################################
##
##	Send and receive xodbc_connect_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xodbc_connect_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xodbc_connect_client_packets'($*))dnl
# Wrapper: both directions through the single-direction interfaces.
corenet_send_xodbc_connect_client_packets($1)
corenet_receive_xodbc_connect_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xodbc_connect_client_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to send and receive xodbc_connect_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xodbc_connect_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xodbc_connect_client_packets'($*))dnl
corenet_dontaudit_send_xodbc_connect_client_packets($1)
corenet_dontaudit_receive_xodbc_connect_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xodbc_connect_client_packets'($*))dnl
')

########################################
##
##	Relabel packets to the xodbc_connect_client packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_xodbc_connect_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xodbc_connect_client_packets'($*))dnl
gen_require(`
	type xodbc_connect_client_packet_t;
')

# relabelto lets the caller mark packets (e.g. via SECMARK rules) as this type.
allow $1 xodbc_connect_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xodbc_connect_client_packets'($*))dnl
')

########################################
##
##	Send xodbc_connect_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_send_xodbc_connect_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xodbc_connect_server_packets'($*))dnl
gen_require(`
	type xodbc_connect_server_packet_t;
')

allow $1 xodbc_connect_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xodbc_connect_server_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to send xodbc_connect_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xodbc_connect_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xodbc_connect_server_packets'($*))dnl
gen_require(`
	type xodbc_connect_server_packet_t;
')

dontaudit $1 xodbc_connect_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xodbc_connect_server_packets'($*))dnl
')

########################################
##
##	Receive xodbc_connect_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_xodbc_connect_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xodbc_connect_server_packets'($*))dnl
gen_require(`
	type xodbc_connect_server_packet_t;
')

allow $1 xodbc_connect_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xodbc_connect_server_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to receive xodbc_connect_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_receive_xodbc_connect_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xodbc_connect_server_packets'($*))dnl
gen_require(`
	type xodbc_connect_server_packet_t;
')

# Silences the denial only; nothing is granted.
dontaudit $1 xodbc_connect_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xodbc_connect_server_packets'($*))dnl
')

########################################
##
##	Send and receive xodbc_connect_server packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_sendrecv_xodbc_connect_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xodbc_connect_server_packets'($*))dnl
# Wrapper: both directions through the single-direction interfaces.
corenet_send_xodbc_connect_server_packets($1)
corenet_receive_xodbc_connect_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xodbc_connect_server_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to send and receive xodbc_connect_server packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_sendrecv_xodbc_connect_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xodbc_connect_server_packets'($*))dnl
corenet_dontaudit_send_xodbc_connect_server_packets($1)
corenet_dontaudit_receive_xodbc_connect_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xodbc_connect_server_packets'($*))dnl
')

########################################
##
##	Relabel packets to the xodbc_connect_server packet type.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_relabelto_xodbc_connect_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xodbc_connect_server_packets'($*))dnl
gen_require(`
	type xodbc_connect_server_packet_t;
')

# relabelto lets the caller mark packets (e.g. via SECMARK rules) as this type.
allow $1 xodbc_connect_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xodbc_connect_server_packets'($*))dnl
')

########################################
##
##	Send and receive TCP traffic on the xserver port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_sendrecv_xserver_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_xserver_port'($*))dnl
gen_require(`
	type xserver_port_t;
')

allow $1 xserver_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_xserver_port'($*))dnl
')

########################################
##
##	Send UDP traffic on the xserver port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_send_xserver_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_xserver_port'($*))dnl
gen_require(`
	type xserver_port_t;
')

allow $1 xserver_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_xserver_port'($*))dnl
')

########################################
##
##	Do not audit attempts to send UDP traffic on the xserver port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_send_xserver_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_xserver_port'($*))dnl
gen_require(`
	type xserver_port_t;
')

# Silences the denial only; nothing is granted.
dontaudit $1 xserver_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_xserver_port'($*))dnl
')

########################################
##
##	Receive UDP traffic on the xserver port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_receive_xserver_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_xserver_port'($*))dnl
gen_require(`
	type xserver_port_t;
')

allow $1 xserver_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_xserver_port'($*))dnl
')

########################################
##
##	Do not audit attempts to receive UDP traffic on the xserver port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_receive_xserver_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_xserver_port'($*))dnl
gen_require(`
	type xserver_port_t;
')

dontaudit $1 xserver_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_xserver_port'($*))dnl
')

########################################
##
##	Send and receive UDP traffic on the xserver port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_sendrecv_xserver_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_xserver_port'($*))dnl
# Wrapper: both directions through the single-direction interfaces.
corenet_udp_send_xserver_port($1)
corenet_udp_receive_xserver_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_xserver_port'($*))dnl
')

########################################
##
##	Do not audit attempts to send and receive
##	UDP traffic on the xserver port.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_udp_sendrecv_xserver_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_xserver_port'($*))dnl
corenet_dontaudit_udp_send_xserver_port($1)
corenet_dontaudit_udp_receive_xserver_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_xserver_port'($*))dnl
')

########################################
##
##	Bind TCP sockets to the xserver port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_tcp_bind_xserver_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_xserver_port'($*))dnl
gen_require(`
	type xserver_port_t;
')

# Unlike the xmsg/xodbc_connect bind interfaces above, this one also grants
# CAP_NET_BIND_SERVICE to the caller. NOTE(review): presumably because the
# port is treated as a reserved (privileged) port; the port declaration is
# not visible here, so confirm that this capability grant is intended.
allow $1 xserver_port_t:tcp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_xserver_port'($*))dnl
')

########################################
##
##	Bind UDP sockets to the xserver port.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_udp_bind_xserver_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_xserver_port'($*))dnl
gen_require(`
	type xserver_port_t;
')

# Same CAP_NET_BIND_SERVICE grant as the TCP variant; see the note there.
allow $1 xserver_port_t:udp_socket name_bind;
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_xserver_port'($*))dnl
')

########################################
##
##	Do not audit attempts to bind to the xserver port.
##
##
##
##	Domain to not audit.
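##
##
##
#
define(`corenet_dontaudit_udp_bind_xserver_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_xserver_port'($*))dnl
gen_require(`
	type xserver_port_t;
')

# A dontaudit interface must only silence the denial message; it must not
# grant anything. The previous version of this interface also carried
#   allow <domain> self:capability net_bind_service;
# which handed CAP_NET_BIND_SERVICE (bind to any privileged port) to every
# domain whose author merely wanted the xserver bind denials hidden. Domains
# that really bind this port use corenet_udp_bind_xserver_port, which keeps
# the capability grant.
dontaudit $1 xserver_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_xserver_port'($*))dnl
')

########################################
##
##	Make a TCP connection to the xserver port.
##
##
##
##	Domain allowed access.
##
##
#
define(`corenet_tcp_connect_xserver_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_xserver_port'($*))dnl
gen_require(`
	type xserver_port_t;
')

allow $1 xserver_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_xserver_port'($*))dnl
')

########################################
##
##	Do not audit attempts to make a TCP connection to the xserver port.
##
##
##
##	Domain to not audit.
##
##
#
define(`corenet_dontaudit_tcp_connect_xserver_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_xserver_port'($*))dnl
gen_require(`
	type xserver_port_t;
')

# Silences the denial only; the connect is still refused.
dontaudit $1 xserver_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_xserver_port'($*))dnl
')

########################################
##
##	Send xserver_client packets.
##
##
##
##	Domain allowed access.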
##
##
##
#
define(`corenet_send_xserver_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xserver_client_packets'($*))dnl
gen_require(`
	type xserver_client_packet_t;
')

allow $1 xserver_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xserver_client_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to send xserver_client packets.
##
##
##
##	Domain to not audit.
##
##
##
#
define(`corenet_dontaudit_send_xserver_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xserver_client_packets'($*))dnl
gen_require(`
	type xserver_client_packet_t;
')

dontaudit $1 xserver_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xserver_client_packets'($*))dnl
')

########################################
##
##	Receive xserver_client packets.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`corenet_receive_xserver_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xserver_client_packets'($*))dnl
gen_require(`
	type xserver_client_packet_t;
')

allow $1 xserver_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xserver_client_packets'($*))dnl
')

########################################
##
##	Do not audit attempts to receive xserver_client packets.
##
##
##
##	Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_receive_xserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xserver_client_packets'($*)) dnl
gen_require(` type xserver_client_packet_t; ')
# dontaudit only hides the denial; it grants nothing
dontaudit $1 xserver_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xserver_client_packets'($*)) dnl
')
########################################
## <summary>
##	Send and receive xserver_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_xserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xserver_client_packets'($*)) dnl
# composed from the single-direction interfaces above
corenet_send_xserver_client_packets($1)
corenet_receive_xserver_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xserver_client_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send and receive xserver_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_xserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xserver_client_packets'($*)) dnl
# composed from the single-direction dontaudit interfaces above
corenet_dontaudit_send_xserver_client_packets($1)
corenet_dontaudit_receive_xserver_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xserver_client_packets'($*)) dnl
')
########################################
## <summary>
##	Relabel packets to the xserver_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`corenet_relabelto_xserver_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xserver_client_packets'($*)) dnl
gen_require(` type xserver_client_packet_t; ')
allow $1 xserver_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xserver_client_packets'($*)) dnl
')
########################################
## <summary>
##	Send xserver_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_xserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_xserver_server_packets'($*)) dnl
gen_require(` type xserver_server_packet_t; ')
allow $1 xserver_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_xserver_server_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send xserver_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_xserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_xserver_server_packets'($*)) dnl
gen_require(` type xserver_server_packet_t; ')
# dontaudit only hides the denial; it grants nothing
dontaudit $1 xserver_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_xserver_server_packets'($*)) dnl
')
########################################
## <summary>
##	Receive xserver_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`corenet_receive_xserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_xserver_server_packets'($*)) dnl
gen_require(` type xserver_server_packet_t; ')
allow $1 xserver_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_xserver_server_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to receive xserver_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_xserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_xserver_server_packets'($*)) dnl
gen_require(` type xserver_server_packet_t; ')
# dontaudit only hides the denial; it grants nothing
dontaudit $1 xserver_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_xserver_server_packets'($*)) dnl
')
########################################
## <summary>
##	Send and receive xserver_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_xserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_xserver_server_packets'($*)) dnl
# composed from the single-direction interfaces above
corenet_send_xserver_server_packets($1)
corenet_receive_xserver_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_xserver_server_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send and receive xserver_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_xserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_xserver_server_packets'($*)) dnl
# composed from the single-direction dontaudit interfaces above
corenet_dontaudit_send_xserver_server_packets($1)
corenet_dontaudit_receive_xserver_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_xserver_server_packets'($*)) dnl
')
########################################
## <summary>
##	Relabel packets to the xserver_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_xserver_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_xserver_server_packets'($*)) dnl
gen_require(` type xserver_server_packet_t; ')
allow $1 xserver_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_xserver_server_packets'($*)) dnl
')
########################################
## <summary>
##	Send and receive TCP traffic on the qpasa_agent port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_qpasa_agent_port'($*)) dnl
gen_require(` type qpasa_agent_port_t; ')
allow $1 qpasa_agent_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_qpasa_agent_port'($*)) dnl
')
########################################
## <summary>
##	Send UDP traffic on the qpasa_agent port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`corenet_udp_send_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_qpasa_agent_port'($*)) dnl
gen_require(` type qpasa_agent_port_t; ')
allow $1 qpasa_agent_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_qpasa_agent_port'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the qpasa_agent port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_qpasa_agent_port'($*)) dnl
gen_require(` type qpasa_agent_port_t; ')
# dontaudit only hides the denial; it grants nothing
dontaudit $1 qpasa_agent_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_qpasa_agent_port'($*)) dnl
')
########################################
## <summary>
##	Receive UDP traffic on the qpasa_agent port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_qpasa_agent_port'($*)) dnl
gen_require(` type qpasa_agent_port_t; ')
allow $1 qpasa_agent_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_qpasa_agent_port'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the qpasa_agent port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_qpasa_agent_port'($*)) dnl
gen_require(` type qpasa_agent_port_t; ')
# dontaudit only hides the denial; it grants nothing
dontaudit $1 qpasa_agent_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_qpasa_agent_port'($*)) dnl
')
########################################
## <summary>
##	Send and receive UDP traffic on the qpasa_agent port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_qpasa_agent_port'($*)) dnl
# composed from the single-direction interfaces above
corenet_udp_send_qpasa_agent_port($1)
corenet_udp_receive_qpasa_agent_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_qpasa_agent_port'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the qpasa_agent port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_qpasa_agent_port'($*)) dnl
# composed from the single-direction dontaudit interfaces above
corenet_dontaudit_udp_send_qpasa_agent_port($1)
corenet_dontaudit_udp_receive_qpasa_agent_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_qpasa_agent_port'($*)) dnl
')
########################################
## <summary>
##	Bind TCP sockets to the qpasa_agent port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`corenet_tcp_bind_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_qpasa_agent_port'($*)) dnl
gen_require(` type qpasa_agent_port_t; ')
# no net_bind_service is granted here; the port is presumably not a
# privileged low-numbered one, see the port declaration elsewhere
allow $1 qpasa_agent_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_qpasa_agent_port'($*)) dnl
')
########################################
## <summary>
##	Bind UDP sockets to the qpasa_agent port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_qpasa_agent_port'($*)) dnl
gen_require(` type qpasa_agent_port_t; ')
allow $1 qpasa_agent_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_qpasa_agent_port'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the qpasa_agent port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_qpasa_agent_port'($*)) dnl
gen_require(` type qpasa_agent_port_t; ')
# dontaudit only hides the denial; it grants nothing
dontaudit $1 qpasa_agent_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_qpasa_agent_port'($*)) dnl
')
########################################
## <summary>
##	Make a TCP connection to the qpasa_agent port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`corenet_tcp_connect_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_qpasa_agent_port'($*)) dnl
gen_require(` type qpasa_agent_port_t; ')
allow $1 qpasa_agent_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_qpasa_agent_port'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the qpasa_agent port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_qpasa_agent_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_qpasa_agent_port'($*)) dnl
gen_require(` type qpasa_agent_port_t; ')
# dontaudit only hides the denial; it grants nothing
dontaudit $1 qpasa_agent_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_qpasa_agent_port'($*)) dnl
')
########################################
## <summary>
##	Send qpasa_agent_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_qpasa_agent_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_qpasa_agent_client_packets'($*)) dnl
gen_require(` type qpasa_agent_client_packet_t; ')
allow $1 qpasa_agent_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_qpasa_agent_client_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send qpasa_agent_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_send_qpasa_agent_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_qpasa_agent_client_packets'($*)) dnl
gen_require(` type qpasa_agent_client_packet_t; ')
# dontaudit only hides the denial; it grants nothing
dontaudit $1 qpasa_agent_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_qpasa_agent_client_packets'($*)) dnl
')
########################################
## <summary>
##	Receive qpasa_agent_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_qpasa_agent_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_qpasa_agent_client_packets'($*)) dnl
gen_require(` type qpasa_agent_client_packet_t; ')
allow $1 qpasa_agent_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_qpasa_agent_client_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to receive qpasa_agent_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_qpasa_agent_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_qpasa_agent_client_packets'($*)) dnl
gen_require(` type qpasa_agent_client_packet_t; ')
# dontaudit only hides the denial; it grants nothing
dontaudit $1 qpasa_agent_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_qpasa_agent_client_packets'($*)) dnl
')
########################################
## <summary>
##	Send and receive qpasa_agent_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`corenet_sendrecv_qpasa_agent_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_qpasa_agent_client_packets'($*)) dnl
# composed from the single-direction interfaces above
corenet_send_qpasa_agent_client_packets($1)
corenet_receive_qpasa_agent_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_qpasa_agent_client_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send and receive qpasa_agent_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_qpasa_agent_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_qpasa_agent_client_packets'($*)) dnl
# composed from the single-direction dontaudit interfaces above
corenet_dontaudit_send_qpasa_agent_client_packets($1)
corenet_dontaudit_receive_qpasa_agent_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_qpasa_agent_client_packets'($*)) dnl
')
########################################
## <summary>
##	Relabel packets to the qpasa_agent_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_qpasa_agent_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_qpasa_agent_client_packets'($*)) dnl
gen_require(` type qpasa_agent_client_packet_t; ')
allow $1 qpasa_agent_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_qpasa_agent_client_packets'($*)) dnl
')
########################################
## <summary>
##	Send qpasa_agent_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`corenet_send_qpasa_agent_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_qpasa_agent_server_packets'($*)) dnl
gen_require(` type qpasa_agent_server_packet_t; ')
allow $1 qpasa_agent_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_qpasa_agent_server_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send qpasa_agent_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_qpasa_agent_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_qpasa_agent_server_packets'($*)) dnl
gen_require(` type qpasa_agent_server_packet_t; ')
# dontaudit only hides the denial; it grants nothing
dontaudit $1 qpasa_agent_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_qpasa_agent_server_packets'($*)) dnl
')
########################################
## <summary>
##	Receive qpasa_agent_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_qpasa_agent_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_qpasa_agent_server_packets'($*)) dnl
gen_require(` type qpasa_agent_server_packet_t; ')
allow $1 qpasa_agent_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_qpasa_agent_server_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to receive qpasa_agent_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_receive_qpasa_agent_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_qpasa_agent_server_packets'($*)) dnl
gen_require(` type qpasa_agent_server_packet_t; ')
# dontaudit only hides the denial; it grants nothing
dontaudit $1 qpasa_agent_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_qpasa_agent_server_packets'($*)) dnl
')
########################################
## <summary>
##	Send and receive qpasa_agent_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_qpasa_agent_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_qpasa_agent_server_packets'($*)) dnl
# composed from the single-direction interfaces above
corenet_send_qpasa_agent_server_packets($1)
corenet_receive_qpasa_agent_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_qpasa_agent_server_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send and receive qpasa_agent_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_qpasa_agent_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_qpasa_agent_server_packets'($*)) dnl
# composed from the single-direction dontaudit interfaces above
corenet_dontaudit_send_qpasa_agent_server_packets($1)
corenet_dontaudit_receive_qpasa_agent_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_qpasa_agent_server_packets'($*)) dnl
')
########################################
## <summary>
##	Relabel packets to the qpasa_agent_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`corenet_relabelto_qpasa_agent_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_qpasa_agent_server_packets'($*)) dnl
gen_require(` type qpasa_agent_server_packet_t; ')
allow $1 qpasa_agent_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_qpasa_agent_server_packets'($*)) dnl
')
########################################
## <summary>
##	Send and receive TCP traffic on the zarafa port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zarafa_port'($*)) dnl
gen_require(` type zarafa_port_t; ')
allow $1 zarafa_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zarafa_port'($*)) dnl
')
########################################
## <summary>
##	Send UDP traffic on the zarafa port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zarafa_port'($*)) dnl
gen_require(` type zarafa_port_t; ')
allow $1 zarafa_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_zarafa_port'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the zarafa port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_udp_send_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zarafa_port'($*)) dnl
gen_require(` type zarafa_port_t; ')
# dontaudit only hides the denial; it grants nothing
dontaudit $1 zarafa_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zarafa_port'($*)) dnl
')
########################################
## <summary>
##	Receive UDP traffic on the zarafa port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zarafa_port'($*)) dnl
gen_require(` type zarafa_port_t; ')
allow $1 zarafa_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zarafa_port'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the zarafa port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zarafa_port'($*)) dnl
gen_require(` type zarafa_port_t; ')
# dontaudit only hides the denial; it grants nothing
dontaudit $1 zarafa_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zarafa_port'($*)) dnl
')
########################################
## <summary>
##	Send and receive UDP traffic on the zarafa port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`corenet_udp_sendrecv_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zarafa_port'($*)) dnl
# composed from the single-direction interfaces above
corenet_udp_send_zarafa_port($1)
corenet_udp_receive_zarafa_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zarafa_port'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the zarafa port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zarafa_port'($*)) dnl
# composed from the single-direction dontaudit interfaces above
corenet_dontaudit_udp_send_zarafa_port($1)
corenet_dontaudit_udp_receive_zarafa_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zarafa_port'($*)) dnl
')
########################################
## <summary>
##	Bind TCP sockets to the zarafa port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zarafa_port'($*)) dnl
gen_require(` type zarafa_port_t; ')
allow $1 zarafa_port_t:tcp_socket name_bind;
# the bind is paired with net_bind_service, the capability Linux demands
# for binding privileged low-numbered ports; this grants the caller that
# capability for every port, not just this one, so callers should be
# daemons that genuinely need it. The port number is declared elsewhere.
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zarafa_port'($*)) dnl
')
########################################
## <summary>
##	Bind UDP sockets to the zarafa port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
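## </summary>
## </param>
#
define(`corenet_udp_bind_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zarafa_port'($*)) dnl
gen_require(` type zarafa_port_t; ')
allow $1 zarafa_port_t:udp_socket name_bind;
# the bind is paired with net_bind_service, the capability Linux demands
# for binding privileged low-numbered ports; it applies to every port the
# caller binds, not just this one. The port number is declared elsewhere.
allow $1 self:capability net_bind_service;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zarafa_port'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the zarafa port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_zarafa_port'($*)) dnl
gen_require(` type zarafa_port_t; ')
# Only silence the denial for the bind attempt. A dontaudit interface must
# not grant anything: the net_bind_service capability that was previously
# allowed here handed every caller a real privilege while the bind itself
# stayed denied, so it never made the bind work and only widened the
# callers capability set.
dontaudit $1 zarafa_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_zarafa_port'($*)) dnl
')
########################################
## <summary>
##	Make a TCP connection to the zarafa port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zarafa_port'($*)) dnl
gen_require(` type zarafa_port_t; ')
allow $1 zarafa_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zarafa_port'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the zarafa port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.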
## </summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_zarafa_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_zarafa_port'($*)) dnl
gen_require(` type zarafa_port_t; ')
# dontaudit only hides the denial; it grants nothing
dontaudit $1 zarafa_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_zarafa_port'($*)) dnl
')
########################################
## <summary>
##	Send zarafa_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_zarafa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zarafa_client_packets'($*)) dnl
gen_require(` type zarafa_client_packet_t; ')
allow $1 zarafa_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zarafa_client_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send zarafa_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_zarafa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zarafa_client_packets'($*)) dnl
gen_require(` type zarafa_client_packet_t; ')
# dontaudit only hides the denial; it grants nothing
dontaudit $1 zarafa_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zarafa_client_packets'($*)) dnl
')
########################################
## <summary>
##	Receive zarafa_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`corenet_receive_zarafa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zarafa_client_packets'($*)) dnl
gen_require(` type zarafa_client_packet_t; ')
allow $1 zarafa_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zarafa_client_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to receive zarafa_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_zarafa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zarafa_client_packets'($*)) dnl
gen_require(` type zarafa_client_packet_t; ')
# dontaudit only hides the denial; it grants nothing
dontaudit $1 zarafa_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zarafa_client_packets'($*)) dnl
')
########################################
## <summary>
##	Send and receive zarafa_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_zarafa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zarafa_client_packets'($*)) dnl
# composed from the single-direction interfaces above
corenet_send_zarafa_client_packets($1)
corenet_receive_zarafa_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zarafa_client_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send and receive zarafa_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_zarafa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zarafa_client_packets'($*)) dnl
# composed from the single-direction dontaudit interfaces above
corenet_dontaudit_send_zarafa_client_packets($1)
corenet_dontaudit_receive_zarafa_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zarafa_client_packets'($*)) dnl
')
########################################
## <summary>
##	Relabel packets to the zarafa_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_zarafa_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zarafa_client_packets'($*)) dnl
gen_require(` type zarafa_client_packet_t; ')
allow $1 zarafa_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zarafa_client_packets'($*)) dnl
')
########################################
## <summary>
##	Send zarafa_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_zarafa_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zarafa_server_packets'($*)) dnl
gen_require(` type zarafa_server_packet_t; ')
allow $1 zarafa_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zarafa_server_packets'($*)) dnl
')
########################################
## <summary>
##	Do not audit attempts to send zarafa_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## ## ## # define(`corenet_dontaudit_send_zarafa_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zarafa_server_packets'($*)) dnl gen_require(` type zarafa_server_packet_t; ') dontaudit $1 zarafa_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zarafa_server_packets'($*)) dnl ') ######################################## ## ## Receive zarafa_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_zarafa_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_zarafa_server_packets'($*)) dnl gen_require(` type zarafa_server_packet_t; ') allow $1 zarafa_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_zarafa_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive zarafa_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_zarafa_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zarafa_server_packets'($*)) dnl gen_require(` type zarafa_server_packet_t; ') dontaudit $1 zarafa_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zarafa_server_packets'($*)) dnl ') ######################################## ## ## Send and receive zarafa_server packets. ## ## ## ## Domain allowed access.
## ## ## # define(`corenet_sendrecv_zarafa_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zarafa_server_packets'($*)) dnl corenet_send_zarafa_server_packets($1) corenet_receive_zarafa_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zarafa_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive zarafa_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_zarafa_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zarafa_server_packets'($*)) dnl corenet_dontaudit_send_zarafa_server_packets($1) corenet_dontaudit_receive_zarafa_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zarafa_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the zarafa_server packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_zarafa_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zarafa_server_packets'($*)) dnl gen_require(` type zarafa_server_packet_t; ') allow $1 zarafa_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_zarafa_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the zabbix port. ## ## ## ## Domain allowed access.
## ## ## # define(`corenet_tcp_sendrecv_zabbix_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zabbix_port'($*)) dnl gen_require(` type zabbix_port_t; ') allow $1 zabbix_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zabbix_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the zabbix port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_send_zabbix_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zabbix_port'($*)) dnl gen_require(` type zabbix_port_t; ') allow $1 zabbix_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_zabbix_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the zabbix port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_zabbix_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zabbix_port'($*)) dnl gen_require(` type zabbix_port_t; ') dontaudit $1 zabbix_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zabbix_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the zabbix port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_udp_receive_zabbix_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zabbix_port'($*)) dnl gen_require(` type zabbix_port_t; ') allow $1 zabbix_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zabbix_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the zabbix port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_receive_zabbix_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zabbix_port'($*)) dnl gen_require(` type zabbix_port_t; ') dontaudit $1 zabbix_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zabbix_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the zabbix port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_zabbix_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zabbix_port'($*)) dnl corenet_udp_send_zabbix_port($1) corenet_udp_receive_zabbix_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zabbix_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the zabbix port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_sendrecv_zabbix_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zabbix_port'($*)) dnl corenet_dontaudit_udp_send_zabbix_port($1) corenet_dontaudit_udp_receive_zabbix_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zabbix_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the zabbix port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_bind_zabbix_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zabbix_port'($*)) dnl gen_require(` type zabbix_port_t; ') allow $1 zabbix_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zabbix_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the zabbix port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_zabbix_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zabbix_port'($*)) dnl gen_require(` type zabbix_port_t; ') allow $1 zabbix_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zabbix_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind UDP sockets to the zabbix port. ## ## ## ## Domain to not audit.
## ## ## # define(`corenet_dontaudit_udp_bind_zabbix_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_zabbix_port'($*)) dnl gen_require(` type zabbix_port_t; ') dontaudit $1 zabbix_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_zabbix_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the zabbix port. ## ## ## ## Domain allowed access. ## ## # define(`corenet_tcp_connect_zabbix_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zabbix_port'($*)) dnl gen_require(` type zabbix_port_t; ') allow $1 zabbix_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zabbix_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the zabbix port. ## ## ## ## Domain to not audit. ## ## # define(`corenet_dontaudit_tcp_connect_zabbix_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_zabbix_port'($*)) dnl gen_require(` type zabbix_port_t; ') dontaudit $1 zabbix_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_zabbix_port'($*)) dnl ') ######################################## ## ## Send zabbix_client packets. ## ## ## ## Domain allowed access.
## ## ## # define(`corenet_send_zabbix_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_zabbix_client_packets'($*)) dnl gen_require(` type zabbix_client_packet_t; ') allow $1 zabbix_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_zabbix_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send zabbix_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_zabbix_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zabbix_client_packets'($*)) dnl gen_require(` type zabbix_client_packet_t; ') dontaudit $1 zabbix_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zabbix_client_packets'($*)) dnl ') ######################################## ## ## Receive zabbix_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_zabbix_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_zabbix_client_packets'($*)) dnl gen_require(` type zabbix_client_packet_t; ') allow $1 zabbix_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_zabbix_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive zabbix_client packets. ## ## ## ## Domain to not audit.
## ## ## # define(`corenet_dontaudit_receive_zabbix_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zabbix_client_packets'($*)) dnl gen_require(` type zabbix_client_packet_t; ') dontaudit $1 zabbix_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zabbix_client_packets'($*)) dnl ') ######################################## ## ## Send and receive zabbix_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_zabbix_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zabbix_client_packets'($*)) dnl corenet_send_zabbix_client_packets($1) corenet_receive_zabbix_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zabbix_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive zabbix_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_zabbix_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zabbix_client_packets'($*)) dnl corenet_dontaudit_send_zabbix_client_packets($1) corenet_dontaudit_receive_zabbix_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zabbix_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the zabbix_client packet type. ## ## ## ## Domain allowed access.
## ## # define(`corenet_relabelto_zabbix_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zabbix_client_packets'($*)) dnl gen_require(` type zabbix_client_packet_t; ') allow $1 zabbix_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_zabbix_client_packets'($*)) dnl ') ######################################## ## ## Send zabbix_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_zabbix_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_zabbix_server_packets'($*)) dnl gen_require(` type zabbix_server_packet_t; ') allow $1 zabbix_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_zabbix_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send zabbix_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_zabbix_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zabbix_server_packets'($*)) dnl gen_require(` type zabbix_server_packet_t; ') dontaudit $1 zabbix_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zabbix_server_packets'($*)) dnl ') ######################################## ## ## Receive zabbix_server packets. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_receive_zabbix_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_zabbix_server_packets'($*)) dnl gen_require(` type zabbix_server_packet_t; ') allow $1 zabbix_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_zabbix_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive zabbix_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_zabbix_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zabbix_server_packets'($*)) dnl gen_require(` type zabbix_server_packet_t; ') dontaudit $1 zabbix_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zabbix_server_packets'($*)) dnl ') ######################################## ## ## Send and receive zabbix_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_zabbix_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zabbix_server_packets'($*)) dnl corenet_send_zabbix_server_packets($1) corenet_receive_zabbix_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zabbix_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive zabbix_server packets. ## ## ## ## Domain to not audit.
## ## ## # define(`corenet_dontaudit_sendrecv_zabbix_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zabbix_server_packets'($*)) dnl corenet_dontaudit_send_zabbix_server_packets($1) corenet_dontaudit_receive_zabbix_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zabbix_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the zabbix_server packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_zabbix_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zabbix_server_packets'($*)) dnl gen_require(` type zabbix_server_packet_t; ') allow $1 zabbix_server_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_zabbix_server_packets'($*)) dnl ') ######################################## ## ## Send and receive TCP traffic on the zabbix_agent port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_tcp_sendrecv_zabbix_agent_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zabbix_agent_port'($*)) dnl gen_require(` type zabbix_agent_port_t; ') allow $1 zabbix_agent_port_t:tcp_socket { send_msg recv_msg }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zabbix_agent_port'($*)) dnl ') ######################################## ## ## Send UDP traffic on the zabbix_agent port. ## ## ## ## Domain allowed access.
## ## ## # define(`corenet_udp_send_zabbix_agent_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zabbix_agent_port'($*)) dnl gen_require(` type zabbix_agent_port_t; ') allow $1 zabbix_agent_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_send_zabbix_agent_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send UDP traffic on the zabbix_agent port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_send_zabbix_agent_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zabbix_agent_port'($*)) dnl gen_require(` type zabbix_agent_port_t; ') dontaudit $1 zabbix_agent_port_t:udp_socket send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zabbix_agent_port'($*)) dnl ') ######################################## ## ## Receive UDP traffic on the zabbix_agent port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_receive_zabbix_agent_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zabbix_agent_port'($*)) dnl gen_require(` type zabbix_agent_port_t; ') allow $1 zabbix_agent_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zabbix_agent_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive UDP traffic on the zabbix_agent port. ## ## ## ## Domain to not audit. 
## ## ## # define(`corenet_dontaudit_udp_receive_zabbix_agent_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zabbix_agent_port'($*)) dnl gen_require(` type zabbix_agent_port_t; ') dontaudit $1 zabbix_agent_port_t:udp_socket recv_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zabbix_agent_port'($*)) dnl ') ######################################## ## ## Send and receive UDP traffic on the zabbix_agent port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_sendrecv_zabbix_agent_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zabbix_agent_port'($*)) dnl corenet_udp_send_zabbix_agent_port($1) corenet_udp_receive_zabbix_agent_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zabbix_agent_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive ## UDP traffic on the zabbix_agent port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_sendrecv_zabbix_agent_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zabbix_agent_port'($*)) dnl corenet_dontaudit_udp_send_zabbix_agent_port($1) corenet_dontaudit_udp_receive_zabbix_agent_port($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zabbix_agent_port'($*)) dnl ') ######################################## ## ## Bind TCP sockets to the zabbix_agent port. ## ## ## ## Domain allowed access. 
## ## ## # define(`corenet_tcp_bind_zabbix_agent_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zabbix_agent_port'($*)) dnl gen_require(` type zabbix_agent_port_t; ') allow $1 zabbix_agent_port_t:tcp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zabbix_agent_port'($*)) dnl ') ######################################## ## ## Bind UDP sockets to the zabbix_agent port. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_udp_bind_zabbix_agent_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zabbix_agent_port'($*)) dnl gen_require(` type zabbix_agent_port_t; ') allow $1 zabbix_agent_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zabbix_agent_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to bind UDP sockets to the zabbix_agent port. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_udp_bind_zabbix_agent_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_zabbix_agent_port'($*)) dnl gen_require(` type zabbix_agent_port_t; ') dontaudit $1 zabbix_agent_port_t:udp_socket name_bind; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_zabbix_agent_port'($*)) dnl ') ######################################## ## ## Make a TCP connection to the zabbix_agent port. ## ## ## ## Domain allowed access.
## ## # define(`corenet_tcp_connect_zabbix_agent_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zabbix_agent_port'($*)) dnl gen_require(` type zabbix_agent_port_t; ') allow $1 zabbix_agent_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zabbix_agent_port'($*)) dnl ') ######################################## ## ## Do not audit attempts to make a TCP connection to the zabbix_agent port. ## ## ## ## Domain to not audit. ## ## # define(`corenet_dontaudit_tcp_connect_zabbix_agent_port',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_zabbix_agent_port'($*)) dnl gen_require(` type zabbix_agent_port_t; ') dontaudit $1 zabbix_agent_port_t:tcp_socket name_connect; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_zabbix_agent_port'($*)) dnl ') ######################################## ## ## Send zabbix_agent_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_send_zabbix_agent_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_zabbix_agent_client_packets'($*)) dnl gen_require(` type zabbix_agent_client_packet_t; ') allow $1 zabbix_agent_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_zabbix_agent_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send zabbix_agent_client packets. ## ## ## ## Domain to not audit.
## ## ## # define(`corenet_dontaudit_send_zabbix_agent_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zabbix_agent_client_packets'($*)) dnl gen_require(` type zabbix_agent_client_packet_t; ') dontaudit $1 zabbix_agent_client_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zabbix_agent_client_packets'($*)) dnl ') ######################################## ## ## Receive zabbix_agent_client packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_zabbix_agent_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_zabbix_agent_client_packets'($*)) dnl gen_require(` type zabbix_agent_client_packet_t; ') allow $1 zabbix_agent_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_zabbix_agent_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive zabbix_agent_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_receive_zabbix_agent_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zabbix_agent_client_packets'($*)) dnl gen_require(` type zabbix_agent_client_packet_t; ') dontaudit $1 zabbix_agent_client_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zabbix_agent_client_packets'($*)) dnl ') ######################################## ## ## Send and receive zabbix_agent_client packets. ## ## ## ## Domain allowed access.
## ## ## # define(`corenet_sendrecv_zabbix_agent_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zabbix_agent_client_packets'($*)) dnl corenet_send_zabbix_agent_client_packets($1) corenet_receive_zabbix_agent_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zabbix_agent_client_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive zabbix_agent_client packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_zabbix_agent_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zabbix_agent_client_packets'($*)) dnl corenet_dontaudit_send_zabbix_agent_client_packets($1) corenet_dontaudit_receive_zabbix_agent_client_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zabbix_agent_client_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the zabbix_agent_client packet type. ## ## ## ## Domain allowed access. ## ## # define(`corenet_relabelto_zabbix_agent_client_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zabbix_agent_client_packets'($*)) dnl gen_require(` type zabbix_agent_client_packet_t; ') allow $1 zabbix_agent_client_packet_t:packet relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_relabelto_zabbix_agent_client_packets'($*)) dnl ') ######################################## ## ## Send zabbix_agent_server packets. ## ## ## ## Domain allowed access.
## ## ## # define(`corenet_send_zabbix_agent_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_send_zabbix_agent_server_packets'($*)) dnl gen_require(` type zabbix_agent_server_packet_t; ') allow $1 zabbix_agent_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_send_zabbix_agent_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send zabbix_agent_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_send_zabbix_agent_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zabbix_agent_server_packets'($*)) dnl gen_require(` type zabbix_agent_server_packet_t; ') dontaudit $1 zabbix_agent_server_packet_t:packet send; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zabbix_agent_server_packets'($*)) dnl ') ######################################## ## ## Receive zabbix_agent_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_receive_zabbix_agent_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_receive_zabbix_agent_server_packets'($*)) dnl gen_require(` type zabbix_agent_server_packet_t; ') allow $1 zabbix_agent_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_receive_zabbix_agent_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to receive zabbix_agent_server packets. ## ## ## ## Domain to not audit.
## ## ## # define(`corenet_dontaudit_receive_zabbix_agent_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zabbix_agent_server_packets'($*)) dnl gen_require(` type zabbix_agent_server_packet_t; ') dontaudit $1 zabbix_agent_server_packet_t:packet recv; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zabbix_agent_server_packets'($*)) dnl ') ######################################## ## ## Send and receive zabbix_agent_server packets. ## ## ## ## Domain allowed access. ## ## ## # define(`corenet_sendrecv_zabbix_agent_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zabbix_agent_server_packets'($*)) dnl corenet_send_zabbix_agent_server_packets($1) corenet_receive_zabbix_agent_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zabbix_agent_server_packets'($*)) dnl ') ######################################## ## ## Do not audit attempts to send and receive zabbix_agent_server packets. ## ## ## ## Domain to not audit. ## ## ## # define(`corenet_dontaudit_sendrecv_zabbix_agent_server_packets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zabbix_agent_server_packets'($*)) dnl corenet_dontaudit_send_zabbix_agent_server_packets($1) corenet_dontaudit_receive_zabbix_agent_server_packets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zabbix_agent_server_packets'($*)) dnl ') ######################################## ## ## Relabel packets to the zabbix_agent_server packet type. ## ## ## ## Domain allowed access.
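##	</summary>
## </param>
#
define(`corenet_relabelto_zabbix_agent_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zabbix_agent_server_packets'($*))dnl
	gen_require(`
		type zabbix_agent_server_packet_t;
	')

	allow $1 zabbix_agent_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zabbix_agent_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the zookeeper_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_zookeeper_client_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zookeeper_client_port'($*))dnl
	gen_require(`
		type zookeeper_client_port_t;
	')

	allow $1 zookeeper_client_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zookeeper_client_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the zookeeper_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_zookeeper_client_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zookeeper_client_port'($*))dnl
	gen_require(`
		type zookeeper_client_port_t;
	')

	allow $1 zookeeper_client_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_zookeeper_client_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the zookeeper_client port.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.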
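##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_zookeeper_client_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zookeeper_client_port'($*))dnl
	gen_require(`
		type zookeeper_client_port_t;
	')

	dontaudit $1 zookeeper_client_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zookeeper_client_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the zookeeper_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_zookeeper_client_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zookeeper_client_port'($*))dnl
	gen_require(`
		type zookeeper_client_port_t;
	')

	allow $1 zookeeper_client_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zookeeper_client_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the zookeeper_client port.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_zookeeper_client_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zookeeper_client_port'($*))dnl
	gen_require(`
		type zookeeper_client_port_t;
	')

	dontaudit $1 zookeeper_client_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zookeeper_client_port'($*))dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the zookeeper_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.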
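##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_zookeeper_client_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zookeeper_client_port'($*))dnl
	corenet_udp_send_zookeeper_client_port($1)
	corenet_udp_receive_zookeeper_client_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zookeeper_client_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the zookeeper_client port.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_zookeeper_client_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zookeeper_client_port'($*))dnl
	corenet_dontaudit_udp_send_zookeeper_client_port($1)
	corenet_dontaudit_udp_receive_zookeeper_client_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zookeeper_client_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the zookeeper_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_zookeeper_client_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zookeeper_client_port'($*))dnl
	gen_require(`
		type zookeeper_client_port_t;
	')

	allow $1 zookeeper_client_port_t:tcp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zookeeper_client_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the zookeeper_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.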
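##	</summary>
## </param>
#
define(`corenet_udp_bind_zookeeper_client_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zookeeper_client_port'($*))dnl
	gen_require(`
		type zookeeper_client_port_t;
	')

	allow $1 zookeeper_client_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zookeeper_client_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the zookeeper_client port.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_zookeeper_client_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_zookeeper_client_port'($*))dnl
	gen_require(`
		type zookeeper_client_port_t;
	')

	dontaudit $1 zookeeper_client_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_zookeeper_client_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the zookeeper_client port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_zookeeper_client_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zookeeper_client_port'($*))dnl
	gen_require(`
		type zookeeper_client_port_t;
	')

	allow $1 zookeeper_client_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zookeeper_client_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the zookeeper_client port.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.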
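##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_zookeeper_client_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_zookeeper_client_port'($*))dnl
	gen_require(`
		type zookeeper_client_port_t;
	')

	dontaudit $1 zookeeper_client_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_zookeeper_client_port'($*))dnl
')

########################################
## <summary>
##	Send zookeeper_client_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_zookeeper_client_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zookeeper_client_client_packets'($*))dnl
	gen_require(`
		type zookeeper_client_client_packet_t;
	')

	allow $1 zookeeper_client_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zookeeper_client_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send zookeeper_client_client packets.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_zookeeper_client_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zookeeper_client_client_packets'($*))dnl
	gen_require(`
		type zookeeper_client_client_packet_t;
	')

	dontaudit $1 zookeeper_client_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zookeeper_client_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive zookeeper_client_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.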
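##	</summary>
## </param>
#
define(`corenet_receive_zookeeper_client_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zookeeper_client_client_packets'($*))dnl
	gen_require(`
		type zookeeper_client_client_packet_t;
	')

	allow $1 zookeeper_client_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zookeeper_client_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive zookeeper_client_client packets.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_zookeeper_client_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zookeeper_client_client_packets'($*))dnl
	gen_require(`
		type zookeeper_client_client_packet_t;
	')

	dontaudit $1 zookeeper_client_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zookeeper_client_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive zookeeper_client_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_zookeeper_client_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zookeeper_client_client_packets'($*))dnl
	corenet_send_zookeeper_client_client_packets($1)
	corenet_receive_zookeeper_client_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zookeeper_client_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive zookeeper_client_client packets.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.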
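##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_zookeeper_client_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zookeeper_client_client_packets'($*))dnl
	corenet_dontaudit_send_zookeeper_client_client_packets($1)
	corenet_dontaudit_receive_zookeeper_client_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zookeeper_client_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the zookeeper_client_client packet type.
## </summary>
## <desc>
##	<p>Needed by the domain that installs SECMARK labeling rules for this packet type (typically the netfilter/iptables domain), not by the domains that send or receive the packets.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_zookeeper_client_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zookeeper_client_client_packets'($*))dnl
	gen_require(`
		type zookeeper_client_client_packet_t;
	')

	allow $1 zookeeper_client_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zookeeper_client_client_packets'($*))dnl
')

########################################
## <summary>
##	Send zookeeper_client_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_zookeeper_client_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zookeeper_client_server_packets'($*))dnl
	gen_require(`
		type zookeeper_client_server_packet_t;
	')

	allow $1 zookeeper_client_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zookeeper_client_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send zookeeper_client_server packets.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.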
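##	</summary>
## </param>
#
define(`corenet_dontaudit_send_zookeeper_client_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zookeeper_client_server_packets'($*))dnl
	gen_require(`
		type zookeeper_client_server_packet_t;
	')

	dontaudit $1 zookeeper_client_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zookeeper_client_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive zookeeper_client_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_zookeeper_client_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zookeeper_client_server_packets'($*))dnl
	gen_require(`
		type zookeeper_client_server_packet_t;
	')

	allow $1 zookeeper_client_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zookeeper_client_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive zookeeper_client_server packets.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_zookeeper_client_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zookeeper_client_server_packets'($*))dnl
	gen_require(`
		type zookeeper_client_server_packet_t;
	')

	dontaudit $1 zookeeper_client_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zookeeper_client_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive zookeeper_client_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.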
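##	</summary>
## </param>
#
define(`corenet_sendrecv_zookeeper_client_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zookeeper_client_server_packets'($*))dnl
	corenet_send_zookeeper_client_server_packets($1)
	corenet_receive_zookeeper_client_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zookeeper_client_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive zookeeper_client_server packets.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_zookeeper_client_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zookeeper_client_server_packets'($*))dnl
	corenet_dontaudit_send_zookeeper_client_server_packets($1)
	corenet_dontaudit_receive_zookeeper_client_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zookeeper_client_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the zookeeper_client_server packet type.
## </summary>
## <desc>
##	<p>Needed by the domain that installs SECMARK labeling rules for this packet type (typically the netfilter/iptables domain), not by the domains that send or receive the packets.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_zookeeper_client_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zookeeper_client_server_packets'($*))dnl
	gen_require(`
		type zookeeper_client_server_packet_t;
	')

	allow $1 zookeeper_client_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zookeeper_client_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the zookeeper_election port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.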
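##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_zookeeper_election_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zookeeper_election_port'($*))dnl
	gen_require(`
		type zookeeper_election_port_t;
	')

	allow $1 zookeeper_election_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zookeeper_election_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the zookeeper_election port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_zookeeper_election_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zookeeper_election_port'($*))dnl
	gen_require(`
		type zookeeper_election_port_t;
	')

	allow $1 zookeeper_election_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_zookeeper_election_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the zookeeper_election port.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_zookeeper_election_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zookeeper_election_port'($*))dnl
	gen_require(`
		type zookeeper_election_port_t;
	')

	dontaudit $1 zookeeper_election_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zookeeper_election_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the zookeeper_election port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.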
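##	</summary>
## </param>
#
define(`corenet_udp_receive_zookeeper_election_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zookeeper_election_port'($*))dnl
	gen_require(`
		type zookeeper_election_port_t;
	')

	allow $1 zookeeper_election_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zookeeper_election_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the zookeeper_election port.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_zookeeper_election_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zookeeper_election_port'($*))dnl
	gen_require(`
		type zookeeper_election_port_t;
	')

	dontaudit $1 zookeeper_election_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zookeeper_election_port'($*))dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the zookeeper_election port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_zookeeper_election_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zookeeper_election_port'($*))dnl
	corenet_udp_send_zookeeper_election_port($1)
	corenet_udp_receive_zookeeper_election_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zookeeper_election_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the zookeeper_election port.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.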
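##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_zookeeper_election_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zookeeper_election_port'($*))dnl
	corenet_dontaudit_udp_send_zookeeper_election_port($1)
	corenet_dontaudit_udp_receive_zookeeper_election_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zookeeper_election_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the zookeeper_election port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_zookeeper_election_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zookeeper_election_port'($*))dnl
	gen_require(`
		type zookeeper_election_port_t;
	')

	allow $1 zookeeper_election_port_t:tcp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zookeeper_election_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the zookeeper_election port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_zookeeper_election_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zookeeper_election_port'($*))dnl
	gen_require(`
		type zookeeper_election_port_t;
	')

	allow $1 zookeeper_election_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zookeeper_election_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the zookeeper_election port.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.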
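##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_zookeeper_election_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_zookeeper_election_port'($*))dnl
	gen_require(`
		type zookeeper_election_port_t;
	')

	dontaudit $1 zookeeper_election_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_zookeeper_election_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the zookeeper_election port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_zookeeper_election_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zookeeper_election_port'($*))dnl
	gen_require(`
		type zookeeper_election_port_t;
	')

	allow $1 zookeeper_election_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zookeeper_election_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the zookeeper_election port.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_zookeeper_election_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_zookeeper_election_port'($*))dnl
	gen_require(`
		type zookeeper_election_port_t;
	')

	dontaudit $1 zookeeper_election_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_zookeeper_election_port'($*))dnl
')

########################################
## <summary>
##	Send zookeeper_election_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.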
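##	</summary>
## </param>
#
define(`corenet_send_zookeeper_election_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zookeeper_election_client_packets'($*))dnl
	gen_require(`
		type zookeeper_election_client_packet_t;
	')

	allow $1 zookeeper_election_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zookeeper_election_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send zookeeper_election_client packets.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_zookeeper_election_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zookeeper_election_client_packets'($*))dnl
	gen_require(`
		type zookeeper_election_client_packet_t;
	')

	dontaudit $1 zookeeper_election_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zookeeper_election_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive zookeeper_election_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_zookeeper_election_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zookeeper_election_client_packets'($*))dnl
	gen_require(`
		type zookeeper_election_client_packet_t;
	')

	allow $1 zookeeper_election_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zookeeper_election_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive zookeeper_election_client packets.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.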
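##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_zookeeper_election_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zookeeper_election_client_packets'($*))dnl
	gen_require(`
		type zookeeper_election_client_packet_t;
	')

	dontaudit $1 zookeeper_election_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zookeeper_election_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive zookeeper_election_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_zookeeper_election_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zookeeper_election_client_packets'($*))dnl
	corenet_send_zookeeper_election_client_packets($1)
	corenet_receive_zookeeper_election_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zookeeper_election_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive zookeeper_election_client packets.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_zookeeper_election_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zookeeper_election_client_packets'($*))dnl
	corenet_dontaudit_send_zookeeper_election_client_packets($1)
	corenet_dontaudit_receive_zookeeper_election_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zookeeper_election_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the zookeeper_election_client packet type.
## </summary>
## <desc>
##	<p>Needed by the domain that installs SECMARK labeling rules for this packet type (typically the netfilter/iptables domain), not by the domains that send or receive the packets.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.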
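##	</summary>
## </param>
#
define(`corenet_relabelto_zookeeper_election_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zookeeper_election_client_packets'($*))dnl
	gen_require(`
		type zookeeper_election_client_packet_t;
	')

	allow $1 zookeeper_election_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zookeeper_election_client_packets'($*))dnl
')

########################################
## <summary>
##	Send zookeeper_election_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_zookeeper_election_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zookeeper_election_server_packets'($*))dnl
	gen_require(`
		type zookeeper_election_server_packet_t;
	')

	allow $1 zookeeper_election_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zookeeper_election_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send zookeeper_election_server packets.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_zookeeper_election_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zookeeper_election_server_packets'($*))dnl
	gen_require(`
		type zookeeper_election_server_packet_t;
	')

	dontaudit $1 zookeeper_election_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zookeeper_election_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive zookeeper_election_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.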
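##	</summary>
## </param>
#
define(`corenet_receive_zookeeper_election_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zookeeper_election_server_packets'($*))dnl
	gen_require(`
		type zookeeper_election_server_packet_t;
	')

	allow $1 zookeeper_election_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zookeeper_election_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive zookeeper_election_server packets.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_zookeeper_election_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zookeeper_election_server_packets'($*))dnl
	gen_require(`
		type zookeeper_election_server_packet_t;
	')

	dontaudit $1 zookeeper_election_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zookeeper_election_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive zookeeper_election_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_zookeeper_election_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zookeeper_election_server_packets'($*))dnl
	corenet_send_zookeeper_election_server_packets($1)
	corenet_receive_zookeeper_election_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zookeeper_election_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive zookeeper_election_server packets.
## </summary>
## <desc>
##	<p>The access remains denied; only the AVC denial record is suppressed.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.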
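##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_zookeeper_election_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zookeeper_election_server_packets'($*))dnl
	corenet_dontaudit_send_zookeeper_election_server_packets($1)
	corenet_dontaudit_receive_zookeeper_election_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zookeeper_election_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the zookeeper_election_server packet type.
## </summary>
## <desc>
##	<p>Needed by the domain that installs SECMARK labeling rules for this packet type (typically the netfilter/iptables domain), not by the domains that send or receive the packets.</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_zookeeper_election_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zookeeper_election_server_packets'($*))dnl
	gen_require(`
		type zookeeper_election_server_packet_t;
	')

	allow $1 zookeeper_election_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zookeeper_election_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the zookeeper_leader port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_zookeeper_leader_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zookeeper_leader_port'($*))dnl
	gen_require(`
		type zookeeper_leader_port_t;
	')

	allow $1 zookeeper_leader_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zookeeper_leader_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the zookeeper_leader port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.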
## </summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_send_zookeeper_leader_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zookeeper_leader_port'($*))dnl
	gen_require(`
		type zookeeper_leader_port_t;
	')

	allow $1 zookeeper_leader_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_zookeeper_leader_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the zookeeper_leader port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Only silences the AVC denial; grants no access.
define(`corenet_dontaudit_udp_send_zookeeper_leader_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zookeeper_leader_port'($*))dnl
	gen_require(`
		type zookeeper_leader_port_t;
	')

	dontaudit $1 zookeeper_leader_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zookeeper_leader_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the zookeeper_leader port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_receive_zookeeper_leader_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zookeeper_leader_port'($*))dnl
	gen_require(`
		type zookeeper_leader_port_t;
	')

	allow $1 zookeeper_leader_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zookeeper_leader_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the zookeeper_leader port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
## <infoflow type="none"/>
#
# Only silences the AVC denial; grants no access.
define(`corenet_dontaudit_udp_receive_zookeeper_leader_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zookeeper_leader_port'($*))dnl
	gen_require(`
		type zookeeper_leader_port_t;
	')

	dontaudit $1 zookeeper_leader_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zookeeper_leader_port'($*))dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the zookeeper_leader port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Composition of the send and receive interfaces; adds no rules of its own.
define(`corenet_udp_sendrecv_zookeeper_leader_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zookeeper_leader_port'($*))dnl
	corenet_udp_send_zookeeper_leader_port($1)
	corenet_udp_receive_zookeeper_leader_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zookeeper_leader_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the zookeeper_leader port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Composition of the two dontaudit interfaces; adds no rules of its own.
define(`corenet_dontaudit_udp_sendrecv_zookeeper_leader_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zookeeper_leader_port'($*))dnl
	corenet_dontaudit_udp_send_zookeeper_leader_port($1)
	corenet_dontaudit_udp_receive_zookeeper_leader_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zookeeper_leader_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the zookeeper_leader port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="none"/>
#
# name_bind only; no capability is granted for this port.
define(`corenet_tcp_bind_zookeeper_leader_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zookeeper_leader_port'($*))dnl
	gen_require(`
		type zookeeper_leader_port_t;
	')

	allow $1 zookeeper_leader_port_t:tcp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zookeeper_leader_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the zookeeper_leader port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_bind_zookeeper_leader_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zookeeper_leader_port'($*))dnl
	gen_require(`
		type zookeeper_leader_port_t;
	')

	allow $1 zookeeper_leader_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zookeeper_leader_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the zookeeper_leader port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Only silences the AVC denial; grants no access.
define(`corenet_dontaudit_udp_bind_zookeeper_leader_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_zookeeper_leader_port'($*))dnl
	gen_require(`
		type zookeeper_leader_port_t;
	')

	dontaudit $1 zookeeper_leader_port_t:udp_socket name_bind;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_zookeeper_leader_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the zookeeper_leader port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`corenet_tcp_connect_zookeeper_leader_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zookeeper_leader_port'($*))dnl
	gen_require(`
		type zookeeper_leader_port_t;
	')

	allow $1 zookeeper_leader_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zookeeper_leader_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the zookeeper_leader port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Only silences the AVC denial; grants no access.
define(`corenet_dontaudit_tcp_connect_zookeeper_leader_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_zookeeper_leader_port'($*))dnl
	gen_require(`
		type zookeeper_leader_port_t;
	')

	dontaudit $1 zookeeper_leader_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_zookeeper_leader_port'($*))dnl
')

########################################
## <summary>
##	Send zookeeper_leader_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_send_zookeeper_leader_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zookeeper_leader_client_packets'($*))dnl
	gen_require(`
		type zookeeper_leader_client_packet_t;
	')

	allow $1 zookeeper_leader_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zookeeper_leader_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send zookeeper_leader_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
## <infoflow type="none"/>
#
# Only silences the AVC denial; grants no access.
define(`corenet_dontaudit_send_zookeeper_leader_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zookeeper_leader_client_packets'($*))dnl
	gen_require(`
		type zookeeper_leader_client_packet_t;
	')

	dontaudit $1 zookeeper_leader_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zookeeper_leader_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive zookeeper_leader_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_receive_zookeeper_leader_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zookeeper_leader_client_packets'($*))dnl
	gen_require(`
		type zookeeper_leader_client_packet_t;
	')

	allow $1 zookeeper_leader_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zookeeper_leader_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive zookeeper_leader_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Only silences the AVC denial; grants no access.
define(`corenet_dontaudit_receive_zookeeper_leader_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zookeeper_leader_client_packets'($*))dnl
	gen_require(`
		type zookeeper_leader_client_packet_t;
	')

	dontaudit $1 zookeeper_leader_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zookeeper_leader_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive zookeeper_leader_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="none"/>
#
# Composition of the send and receive interfaces; adds no rules of its own.
define(`corenet_sendrecv_zookeeper_leader_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zookeeper_leader_client_packets'($*))dnl
	corenet_send_zookeeper_leader_client_packets($1)
	corenet_receive_zookeeper_leader_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zookeeper_leader_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive zookeeper_leader_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Composition of the two dontaudit interfaces; adds no rules of its own.
define(`corenet_dontaudit_sendrecv_zookeeper_leader_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zookeeper_leader_client_packets'($*))dnl
	corenet_dontaudit_send_zookeeper_leader_client_packets($1)
	corenet_dontaudit_receive_zookeeper_leader_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zookeeper_leader_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the zookeeper_leader_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_zookeeper_leader_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zookeeper_leader_client_packets'($*))dnl
	gen_require(`
		type zookeeper_leader_client_packet_t;
	')

	allow $1 zookeeper_leader_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zookeeper_leader_client_packets'($*))dnl
')

########################################
## <summary>
##	Send zookeeper_leader_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_send_zookeeper_leader_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zookeeper_leader_server_packets'($*))dnl
	gen_require(`
		type zookeeper_leader_server_packet_t;
	')

	allow $1 zookeeper_leader_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zookeeper_leader_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send zookeeper_leader_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Only silences the AVC denial; grants no access.
define(`corenet_dontaudit_send_zookeeper_leader_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zookeeper_leader_server_packets'($*))dnl
	gen_require(`
		type zookeeper_leader_server_packet_t;
	')

	dontaudit $1 zookeeper_leader_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zookeeper_leader_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive zookeeper_leader_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_receive_zookeeper_leader_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zookeeper_leader_server_packets'($*))dnl
	gen_require(`
		type zookeeper_leader_server_packet_t;
	')

	allow $1 zookeeper_leader_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zookeeper_leader_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive zookeeper_leader_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
## <infoflow type="none"/>
#
# Only silences the AVC denial; grants no access.
define(`corenet_dontaudit_receive_zookeeper_leader_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zookeeper_leader_server_packets'($*))dnl
	gen_require(`
		type zookeeper_leader_server_packet_t;
	')

	dontaudit $1 zookeeper_leader_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zookeeper_leader_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive zookeeper_leader_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Composition of the send and receive interfaces; adds no rules of its own.
define(`corenet_sendrecv_zookeeper_leader_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zookeeper_leader_server_packets'($*))dnl
	corenet_send_zookeeper_leader_server_packets($1)
	corenet_receive_zookeeper_leader_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zookeeper_leader_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive zookeeper_leader_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Composition of the two dontaudit interfaces; adds no rules of its own.
define(`corenet_dontaudit_sendrecv_zookeeper_leader_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zookeeper_leader_server_packets'($*))dnl
	corenet_dontaudit_send_zookeeper_leader_server_packets($1)
	corenet_dontaudit_receive_zookeeper_leader_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zookeeper_leader_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the zookeeper_leader_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`corenet_relabelto_zookeeper_leader_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zookeeper_leader_server_packets'($*))dnl
	gen_require(`
		type zookeeper_leader_server_packet_t;
	')

	allow $1 zookeeper_leader_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zookeeper_leader_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the zebra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_sendrecv_zebra_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zebra_port'($*))dnl
	gen_require(`
		type zebra_port_t;
	')

	allow $1 zebra_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zebra_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the zebra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_send_zebra_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zebra_port'($*))dnl
	gen_require(`
		type zebra_port_t;
	')

	allow $1 zebra_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_zebra_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the zebra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
## <infoflow type="none"/>
#
# Only silences the AVC denial; grants no access.
define(`corenet_dontaudit_udp_send_zebra_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zebra_port'($*))dnl
	gen_require(`
		type zebra_port_t;
	')

	dontaudit $1 zebra_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zebra_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the zebra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_receive_zebra_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zebra_port'($*))dnl
	gen_require(`
		type zebra_port_t;
	')

	allow $1 zebra_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zebra_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the zebra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Only silences the AVC denial; grants no access.
define(`corenet_dontaudit_udp_receive_zebra_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zebra_port'($*))dnl
	gen_require(`
		type zebra_port_t;
	')

	dontaudit $1 zebra_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zebra_port'($*))dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the zebra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="none"/>
#
# Composition of the send and receive interfaces; adds no rules of its own.
define(`corenet_udp_sendrecv_zebra_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zebra_port'($*))dnl
	corenet_udp_send_zebra_port($1)
	corenet_udp_receive_zebra_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zebra_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the zebra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Composition of the two dontaudit interfaces; adds no rules of its own.
define(`corenet_dontaudit_udp_sendrecv_zebra_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zebra_port'($*))dnl
	corenet_dontaudit_udp_send_zebra_port($1)
	corenet_dontaudit_udp_receive_zebra_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zebra_port'($*))dnl
')

########################################
## <summary>
##	Bind TCP sockets to the zebra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Unlike the other bind interfaces in this region, this one also grants the
# domain CAP_NET_BIND_SERVICE on itself (presumably because the port is treated
# as privileged by the template -- confirm against the zebra port declaration).
# That capability is not scoped to this port: it permits binding any
# privileged port, so callers should be genuine listeners on zebra.
define(`corenet_tcp_bind_zebra_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zebra_port'($*))dnl
	gen_require(`
		type zebra_port_t;
	')

	allow $1 zebra_port_t:tcp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zebra_port'($*))dnl
')

########################################
## <summary>
##	Bind UDP sockets to the zebra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
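## </summary>
## </param>
## <infoflow type="none"/>
#
# Also grants the domain CAP_NET_BIND_SERVICE on itself (presumably because the
# port is treated as privileged by the template -- confirm against the zebra
# port declaration). The capability is not scoped to this port.
define(`corenet_udp_bind_zebra_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zebra_port'($*))dnl
	gen_require(`
		type zebra_port_t;
	')

	allow $1 zebra_port_t:udp_socket name_bind;
	allow $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zebra_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the zebra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# A dontaudit interface must not grant anything. The capability check that
# accompanies a privileged-port bind is therefore also dontaudit'ed, not
# allowed, so that calling this interface leaves the caller's permissions
# unchanged and only suppresses the two AVC denials a failed bind produces.
define(`corenet_dontaudit_udp_bind_zebra_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_zebra_port'($*))dnl
	gen_require(`
		type zebra_port_t;
	')

	dontaudit $1 zebra_port_t:udp_socket name_bind;
	dontaudit $1 self:capability net_bind_service;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_zebra_port'($*))dnl
')

########################################
## <summary>
##	Make a TCP connection to the zebra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_zebra_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zebra_port'($*))dnl
	gen_require(`
		type zebra_port_t;
	')

	allow $1 zebra_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zebra_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the zebra port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.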
## </summary>
## </param>
#
# Only silences the AVC denial; grants no access.
define(`corenet_dontaudit_tcp_connect_zebra_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_zebra_port'($*))dnl
	gen_require(`
		type zebra_port_t;
	')

	dontaudit $1 zebra_port_t:tcp_socket name_connect;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_zebra_port'($*))dnl
')

########################################
## <summary>
##	Send zebra_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_send_zebra_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zebra_client_packets'($*))dnl
	gen_require(`
		type zebra_client_packet_t;
	')

	allow $1 zebra_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zebra_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send zebra_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Only silences the AVC denial; grants no access.
define(`corenet_dontaudit_send_zebra_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zebra_client_packets'($*))dnl
	gen_require(`
		type zebra_client_packet_t;
	')

	dontaudit $1 zebra_client_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zebra_client_packets'($*))dnl
')

########################################
## <summary>
##	Receive zebra_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_receive_zebra_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zebra_client_packets'($*))dnl
	gen_require(`
		type zebra_client_packet_t;
	')

	allow $1 zebra_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zebra_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive zebra_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Only silences the AVC denial; grants no access.
define(`corenet_dontaudit_receive_zebra_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zebra_client_packets'($*))dnl
	gen_require(`
		type zebra_client_packet_t;
	')

	dontaudit $1 zebra_client_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zebra_client_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive zebra_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Composition of the send and receive interfaces; adds no rules of its own.
define(`corenet_sendrecv_zebra_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zebra_client_packets'($*))dnl
	corenet_send_zebra_client_packets($1)
	corenet_receive_zebra_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zebra_client_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive zebra_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
## <infoflow type="none"/>
#
# Composition of the two dontaudit interfaces; adds no rules of its own.
define(`corenet_dontaudit_sendrecv_zebra_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zebra_client_packets'($*))dnl
	corenet_dontaudit_send_zebra_client_packets($1)
	corenet_dontaudit_receive_zebra_client_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zebra_client_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the zebra_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_zebra_client_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zebra_client_packets'($*))dnl
	gen_require(`
		type zebra_client_packet_t;
	')

	allow $1 zebra_client_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zebra_client_packets'($*))dnl
')

########################################
## <summary>
##	Send zebra_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_send_zebra_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zebra_server_packets'($*))dnl
	gen_require(`
		type zebra_server_packet_t;
	')

	allow $1 zebra_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zebra_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send zebra_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## </summary>
## </param>
## <infoflow type="none"/>
#
# Only silences the AVC denial; grants no access.
define(`corenet_dontaudit_send_zebra_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zebra_server_packets'($*))dnl
	gen_require(`
		type zebra_server_packet_t;
	')

	dontaudit $1 zebra_server_packet_t:packet send;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zebra_server_packets'($*))dnl
')

########################################
## <summary>
##	Receive zebra_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_receive_zebra_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zebra_server_packets'($*))dnl
	gen_require(`
		type zebra_server_packet_t;
	')

	allow $1 zebra_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zebra_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive zebra_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Only silences the AVC denial; grants no access.
define(`corenet_dontaudit_receive_zebra_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zebra_server_packets'($*))dnl
	gen_require(`
		type zebra_server_packet_t;
	')

	dontaudit $1 zebra_server_packet_t:packet recv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zebra_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive zebra_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="none"/>
#
# Composition of the send and receive interfaces; adds no rules of its own.
define(`corenet_sendrecv_zebra_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zebra_server_packets'($*))dnl
	corenet_send_zebra_server_packets($1)
	corenet_receive_zebra_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zebra_server_packets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive zebra_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Composition of the two dontaudit interfaces; adds no rules of its own.
define(`corenet_dontaudit_sendrecv_zebra_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zebra_server_packets'($*))dnl
	corenet_dontaudit_send_zebra_server_packets($1)
	corenet_dontaudit_receive_zebra_server_packets($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zebra_server_packets'($*))dnl
')

########################################
## <summary>
##	Relabel packets to the zebra_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_zebra_server_packets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zebra_server_packets'($*))dnl
	gen_require(`
		type zebra_server_packet_t;
	')

	allow $1 zebra_server_packet_t:packet relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zebra_server_packets'($*))dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the zented port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_tcp_sendrecv_zented_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zented_port'($*))dnl
	gen_require(`
		type zented_port_t;
	')

	allow $1 zented_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zented_port'($*))dnl
')

########################################
## <summary>
##	Send UDP traffic on the zented port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_send_zented_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zented_port'($*))dnl
	gen_require(`
		type zented_port_t;
	')

	allow $1 zented_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_zented_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the zented port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Only silences the AVC denial; grants no access.
define(`corenet_dontaudit_udp_send_zented_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zented_port'($*))dnl
	gen_require(`
		type zented_port_t;
	')

	dontaudit $1 zented_port_t:udp_socket send_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zented_port'($*))dnl
')

########################################
## <summary>
##	Receive UDP traffic on the zented port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
## <infoflow type="none"/>
#
define(`corenet_udp_receive_zented_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zented_port'($*))dnl
	gen_require(`
		type zented_port_t;
	')

	allow $1 zented_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zented_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the zented port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Only silences the AVC denial; grants no access.
define(`corenet_dontaudit_udp_receive_zented_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zented_port'($*))dnl
	gen_require(`
		type zented_port_t;
	')

	dontaudit $1 zented_port_t:udp_socket recv_msg;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zented_port'($*))dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the zented port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="none"/>
#
# Composition of the send and receive interfaces; adds no rules of its own.
define(`corenet_udp_sendrecv_zented_port',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zented_port'($*))dnl
	corenet_udp_send_zented_port($1)
	corenet_udp_receive_zented_port($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zented_port'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the zented port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_zented_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zented_port'($*)) dnl
	corenet_dontaudit_udp_send_zented_port($1)
	corenet_dontaudit_udp_receive_zented_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zented_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the zented port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_zented_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zented_port'($*)) dnl
gen_require(`
	type zented_port_t;
')

	# name_bind lets the domain listen on this port label (server side).
	allow $1 zented_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zented_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the zented port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_zented_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zented_port'($*)) dnl
gen_require(`
	type zented_port_t;
')

	allow $1 zented_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zented_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the zented port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_zented_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_zented_port'($*)) dnl
gen_require(`
	type zented_port_t;
')

	dontaudit $1 zented_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_zented_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the zented port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_zented_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zented_port'($*)) dnl
gen_require(`
	type zented_port_t;
')

	# name_connect is the client-side permission; binding is a separate interface.
	allow $1 zented_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zented_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the zented port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_zented_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_zented_port'($*)) dnl
gen_require(`
	type zented_port_t;
')

	dontaudit $1 zented_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_zented_port'($*)) dnl
')

########################################
## <summary>
##	Send zented_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_zented_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zented_client_packets'($*)) dnl
gen_require(`
	type zented_client_packet_t;
')

	allow $1 zented_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zented_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send zented_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_zented_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zented_client_packets'($*)) dnl
gen_require(`
	type zented_client_packet_t;
')

	dontaudit $1 zented_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zented_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive zented_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_zented_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zented_client_packets'($*)) dnl
gen_require(`
	type zented_client_packet_t;
')

	allow $1 zented_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zented_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive zented_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_zented_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zented_client_packets'($*)) dnl
gen_require(`
	type zented_client_packet_t;
')

	dontaudit $1 zented_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zented_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive zented_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_zented_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zented_client_packets'($*)) dnl
	corenet_send_zented_client_packets($1)
	corenet_receive_zented_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zented_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive zented_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_zented_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zented_client_packets'($*)) dnl
	corenet_dontaudit_send_zented_client_packets($1)
	corenet_dontaudit_receive_zented_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zented_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the zented_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_zented_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zented_client_packets'($*)) dnl
gen_require(`
	type zented_client_packet_t;
')

	# relabelto on packets is used by packet-labeling (SECMARK) setup, not by ordinary clients.
	allow $1 zented_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zented_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send zented_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_zented_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zented_server_packets'($*)) dnl
gen_require(`
	type zented_server_packet_t;
')

	allow $1 zented_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zented_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send zented_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_zented_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zented_server_packets'($*)) dnl
gen_require(`
	type zented_server_packet_t;
')

	dontaudit $1 zented_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zented_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive zented_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_zented_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zented_server_packets'($*)) dnl
gen_require(`
	type zented_server_packet_t;
')

	allow $1 zented_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zented_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive zented_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_zented_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zented_server_packets'($*)) dnl
gen_require(`
	type zented_server_packet_t;
')

	dontaudit $1 zented_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zented_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive zented_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_zented_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zented_server_packets'($*)) dnl
	corenet_send_zented_server_packets($1)
	corenet_receive_zented_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zented_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive zented_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_zented_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zented_server_packets'($*)) dnl
	corenet_dontaudit_send_zented_server_packets($1)
	corenet_dontaudit_receive_zented_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zented_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the zented_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_zented_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zented_server_packets'($*)) dnl
gen_require(`
	type zented_server_packet_t;
')

	allow $1 zented_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zented_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP traffic on the zope port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_zope_port'($*)) dnl
gen_require(`
	type zope_port_t;
')

	allow $1 zope_port_t:tcp_socket { send_msg recv_msg };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_zope_port'($*)) dnl
')

########################################
## <summary>
##	Send UDP traffic on the zope port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_zope_port'($*)) dnl
gen_require(`
	type zope_port_t;
')

	allow $1 zope_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_zope_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send UDP traffic on the zope port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_send_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_send_zope_port'($*)) dnl
gen_require(`
	type zope_port_t;
')

	dontaudit $1 zope_port_t:udp_socket send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_send_zope_port'($*)) dnl
')

########################################
## <summary>
##	Receive UDP traffic on the zope port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_zope_port'($*)) dnl
gen_require(`
	type zope_port_t;
')

	allow $1 zope_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_zope_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive UDP traffic on the zope port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_receive_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_receive_zope_port'($*)) dnl
gen_require(`
	type zope_port_t;
')

	dontaudit $1 zope_port_t:udp_socket recv_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_receive_zope_port'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP traffic on the zope port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_zope_port'($*)) dnl
	corenet_udp_send_zope_port($1)
	corenet_udp_receive_zope_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_zope_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive
##	UDP traffic on the zope port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_sendrecv_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_sendrecv_zope_port'($*)) dnl
	corenet_dontaudit_udp_send_zope_port($1)
	corenet_dontaudit_udp_receive_zope_port($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_sendrecv_zope_port'($*)) dnl
')

########################################
## <summary>
##	Bind TCP sockets to the zope port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_bind_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_bind_zope_port'($*)) dnl
gen_require(`
	type zope_port_t;
')

	allow $1 zope_port_t:tcp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_bind_zope_port'($*)) dnl
')

########################################
## <summary>
##	Bind UDP sockets to the zope port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_bind_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_bind_zope_port'($*)) dnl
gen_require(`
	type zope_port_t;
')

	allow $1 zope_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_bind_zope_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to bind UDP sockets to the zope port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_udp_bind_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_udp_bind_zope_port'($*)) dnl
gen_require(`
	type zope_port_t;
')

	dontaudit $1 zope_port_t:udp_socket name_bind;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_udp_bind_zope_port'($*)) dnl
')

########################################
## <summary>
##	Make a TCP connection to the zope port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_connect_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_connect_zope_port'($*)) dnl
gen_require(`
	type zope_port_t;
')

	allow $1 zope_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_connect_zope_port'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to make a TCP connection to the zope port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_tcp_connect_zope_port',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_tcp_connect_zope_port'($*)) dnl
gen_require(`
	type zope_port_t;
')

	dontaudit $1 zope_port_t:tcp_socket name_connect;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_tcp_connect_zope_port'($*)) dnl
')

########################################
## <summary>
##	Send zope_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_zope_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zope_client_packets'($*)) dnl
gen_require(`
	type zope_client_packet_t;
')

	allow $1 zope_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zope_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send zope_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_zope_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zope_client_packets'($*)) dnl
gen_require(`
	type zope_client_packet_t;
')

	dontaudit $1 zope_client_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zope_client_packets'($*)) dnl
')

########################################
## <summary>
##	Receive zope_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_zope_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zope_client_packets'($*)) dnl
gen_require(`
	type zope_client_packet_t;
')

	allow $1 zope_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zope_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive zope_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_zope_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zope_client_packets'($*)) dnl
gen_require(`
	type zope_client_packet_t;
')

	dontaudit $1 zope_client_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zope_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive zope_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_zope_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zope_client_packets'($*)) dnl
	corenet_send_zope_client_packets($1)
	corenet_receive_zope_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zope_client_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive zope_client packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_zope_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zope_client_packets'($*)) dnl
	corenet_dontaudit_send_zope_client_packets($1)
	corenet_dontaudit_receive_zope_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zope_client_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the zope_client packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_zope_client_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zope_client_packets'($*)) dnl
gen_require(`
	type zope_client_packet_t;
')

	allow $1 zope_client_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zope_client_packets'($*)) dnl
')

########################################
## <summary>
##	Send zope_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_send_zope_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_send_zope_server_packets'($*)) dnl
gen_require(`
	type zope_server_packet_t;
')

	allow $1 zope_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_send_zope_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send zope_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_send_zope_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_send_zope_server_packets'($*)) dnl
gen_require(`
	type zope_server_packet_t;
')

	dontaudit $1 zope_server_packet_t:packet send;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_send_zope_server_packets'($*)) dnl
')

########################################
## <summary>
##	Receive zope_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_receive_zope_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_receive_zope_server_packets'($*)) dnl
gen_require(`
	type zope_server_packet_t;
')

	allow $1 zope_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_receive_zope_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to receive zope_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_receive_zope_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_receive_zope_server_packets'($*)) dnl
gen_require(`
	type zope_server_packet_t;
')

	dontaudit $1 zope_server_packet_t:packet recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_receive_zope_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive zope_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_sendrecv_zope_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_sendrecv_zope_server_packets'($*)) dnl
	corenet_send_zope_server_packets($1)
	corenet_receive_zope_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_sendrecv_zope_server_packets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send and receive zope_server packets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`corenet_dontaudit_sendrecv_zope_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_dontaudit_sendrecv_zope_server_packets'($*)) dnl
	corenet_dontaudit_send_zope_server_packets($1)
	corenet_dontaudit_receive_zope_server_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_dontaudit_sendrecv_zope_server_packets'($*)) dnl
')

########################################
## <summary>
##	Relabel packets to the zope_server packet type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_relabelto_zope_server_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_relabelto_zope_server_packets'($*)) dnl
gen_require(`
	type zope_server_packet_t;
')

	allow $1 zope_server_packet_t:packet relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_relabelto_zope_server_packets'($*)) dnl
')

########################################
## <summary>
##	Send and receive TCP network traffic on the lo interface.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_tcp_sendrecv_lo_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_tcp_sendrecv_lo_if'($*)) dnl
gen_require(`
	type lo_netif_t;
')

	# Both the per-protocol netif permissions and the generic egress/ingress
	# ones are granted, so the rule covers either netif permission model.
	allow $1 lo_netif_t:netif { tcp_send tcp_recv egress ingress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_tcp_sendrecv_lo_if'($*)) dnl
')

########################################
## <summary>
##	Send UDP network traffic on the lo interface.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_send_lo_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_send_lo_if'($*)) dnl
gen_require(`
	type lo_netif_t;
')

	allow $1 lo_netif_t:netif { udp_send egress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_send_lo_if'($*)) dnl
')

########################################
## <summary>
##	Receive UDP network traffic on the lo interface.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_receive_lo_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_receive_lo_if'($*)) dnl
gen_require(`
	type lo_netif_t;
')

	allow $1 lo_netif_t:netif { udp_recv ingress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_receive_lo_if'($*)) dnl
')

########################################
## <summary>
##	Send and receive UDP network traffic on the lo interface.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_udp_sendrecv_lo_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_udp_sendrecv_lo_if'($*)) dnl
	corenet_udp_send_lo_if($1)
	corenet_udp_receive_lo_if($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_udp_sendrecv_lo_if'($*)) dnl
')

########################################
## <summary>
##	Send raw IP packets on the lo interface.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_raw_send_lo_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_send_lo_if'($*)) dnl
gen_require(`
	type lo_netif_t;
')

	# Raw IP on the interface only; the raw socket itself must be granted elsewhere.
	allow $1 lo_netif_t:netif { rawip_send egress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_send_lo_if'($*)) dnl
')

########################################
## <summary>
##	Receive raw IP packets on the lo interface.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_raw_receive_lo_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_receive_lo_if'($*)) dnl
gen_require(`
	type lo_netif_t;
')

	allow $1 lo_netif_t:netif { rawip_recv ingress };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_receive_lo_if'($*)) dnl
')

########################################
## <summary>
##	Send and receive raw IP packets on the lo interface.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`corenet_raw_sendrecv_lo_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `corenet_raw_sendrecv_lo_if'($*)) dnl
	corenet_raw_send_lo_if($1)
	corenet_raw_receive_lo_if($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `corenet_raw_sendrecv_lo_if'($*)) dnl
')

##
## Device nodes and interfaces for many basic system devices.
##

## This module creates the device node concept and provides
## the policy for many of the device files. Notable exceptions are
## the mass storage and terminal devices, which are covered by other
## modules.
##

##

## This module creates the concept of a device node: that is, a
## char or block device file, usually in /dev. All types that
## are used to label device nodes should use the dev_node macro.
##

##

## Additionally, this module controls access to three things:
##
##	<ul>
##		<li>the device directories containing device nodes</li>
##		<li>device nodes as a group</li>
##		<li>individual access to specific device nodes covered by
##		this module.</li>
##	</ul>
##
##

##
## ## Depended on by other required modules. ## ######################################## ## ## Make the specified type usable for device ## nodes in a filesystem. ## ## ##

## Make the specified type usable for device nodes
## in a filesystem. Types used for device nodes that
## do not use this interface, or an interface that
## calls this one, will have unexpected behaviors
## while the system is running.
##

##

## Example: ##

##

## type mydev_t;
## dev_node(mydev_t)
## allow mydomain_t mydev_t:chr_file read_chr_file_perms;
##

##

## Related interfaces:
##
##	<ul>
##		<li>term_tty()</li>
##		<li>term_pty()</li>
##	</ul>
##
## </desc>
## <param name="type">
##	<summary>
##	Type to be used for device nodes.
##	</summary>
## </param>
#
define(`dev_node',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_node'($*)) dnl
gen_require(`
	attribute device_node;
')

	# Interfaces keyed on the device_node attribute only match types that carry it.
	typeattribute $1 device_node;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_node'($*)) dnl
')

########################################
## <summary>
##	Associate the specified file type with the device filesystem.
## </summary>
## <param name="file_type">
##	<summary>
##	The type of the file to be associated.
##	</summary>
## </param>
#
define(`dev_associate',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_associate'($*)) dnl
gen_require(`
	type device_t;
')

	allow $1 device_t:filesystem associate;
	# For backwards compatibility.
	fs_associate_tmpfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_associate'($*)) dnl
')

########################################
## <summary>
##	Get attributes of device filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_fs'($*)) dnl
gen_require(`
	type device_t;
')

	allow $1 device_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_fs'($*)) dnl
')

########################################
## <summary>
##	Mount a filesystem on /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_mounton',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_mounton'($*)) dnl
gen_require(`
	type device_t;
')

	allow $1 device_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_mounton'($*)) dnl
')

########################################
## <summary>
##	Allow the caller domain to mount on all device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
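##	</summary>
## </param>
#
define(`dev_mounton_all_device_nodes',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_mounton_all_device_nodes'($*)) dnl
	gen_require(`
		attribute device_node;
	')

	# Covers every type that was made a device node via dev_node(),
	# for the object classes a device node can actually have.
	allow $1 device_node:file mounton;
	allow $1 device_node:chr_file mounton;
	allow $1 device_node:blk_file mounton;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_mounton_all_device_nodes'($*)) dnl
')

########################################
## <summary>
##	Allow full relabeling (to and from) of all device nodes.
## </summary>
## <desc>
##	<p>
##	The caller may change the label of any object in /dev
##	between device_t and every device_node type.  Retyping a
##	node is equivalent to gaining whatever access that type
##	grants, so this should only be given to trusted device
##	management and labeling domains.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`dev_relabel_all_dev_nodes',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_relabel_all_dev_nodes'($*)) dnl
	gen_require(`
		attribute device_node;
		type device_t;
	')

	relabel_dirs_pattern($1, device_t, device_node)
	relabel_files_pattern($1, device_t, device_node)
	relabel_lnk_files_pattern($1, device_t, device_node)
	relabel_fifo_files_pattern($1, device_t, device_node)
	relabel_sock_files_pattern($1, device_t, device_node)
	relabel_blk_files_pattern($1, device_t, device_node)
	relabel_chr_files_pattern($1, device_t, device_node)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_relabel_all_dev_nodes'($*)) dnl
')

########################################
## <summary>
##	Allow full relabeling (to and from) of generic files
##	in device directories.
## </summary>
## <desc>
##	<p>
##	Despite the name this covers only regular files labeled
##	device_t; device nodes of other device_node types are
##	handled by dev_relabel_all_dev_nodes().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`dev_relabel_all_dev_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_relabel_all_dev_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	relabel_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_relabel_all_dev_files'($*)) dnl
')

########################################
## <summary>
##	List all of the device nodes in a device directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.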
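##	</summary>
## </param>
#
define(`dev_list_all_dev_nodes',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_list_all_dev_nodes'($*)) dnl
	gen_require(`
		type device_t;
	')

	# Listing plus following the generic symlinks udev creates in /dev.
	list_dirs_pattern($1, device_t, device_t)
	read_lnk_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_list_all_dev_nodes'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of /dev directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_setattr_generic_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_setattr_generic_dirs'($*)) dnl
	gen_require(`
		type device_t;
	')

	setattr_dirs_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_setattr_generic_dirs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to list all device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_list_all_dev_nodes',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_dontaudit_list_all_dev_nodes'($*)) dnl
	gen_require(`
		type device_t;
	')

	# Suppresses the AVC record only; no access is granted.
	dontaudit $1 device_t:dir list_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_dontaudit_list_all_dev_nodes'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to check access (audit_access)
##	on all device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.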
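##	</summary>
## </param>
#
define(`dev_dontaudit_all_access_check',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_dontaudit_all_access_check'($*)) dnl
	gen_require(`
		attribute device_node;
	')

	# audit_access is the permission checked by access(2)-style probes;
	# silencing it hides the probe, not any real open/read/write denial.
	dontaudit $1 device_node:file_class_set audit_access;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_dontaudit_all_access_check'($*)) dnl
')

########################################
## <summary>
##	Add entries to directories in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_add_entry_generic_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_add_entry_generic_dirs'($*)) dnl
	gen_require(`
		type device_t;
	')

	allow $1 device_t:dir add_entry_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_add_entry_generic_dirs'($*)) dnl
')

########################################
## <summary>
##	Remove entries from directories in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_remove_entry_generic_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_remove_entry_generic_dirs'($*)) dnl
	gen_require(`
		type device_t;
	')

	allow $1 device_t:dir del_entry_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_remove_entry_generic_dirs'($*)) dnl
')

########################################
## <summary>
##	Create a directory in the device directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.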
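##	</summary>
## </param>
#
define(`dev_create_generic_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_create_generic_dirs'($*)) dnl
	gen_require(`
		type device_t;
	')

	allow $1 device_t:dir list_dir_perms;
	create_dirs_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_create_generic_dirs'($*)) dnl
')

########################################
## <summary>
##	Watch generic device directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_watch_generic_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_watch_generic_dirs'($*)) dnl
	gen_require(`
		type device_t;
	')

	watch_dirs_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_watch_generic_dirs'($*)) dnl
')

########################################
## <summary>
##	Delete a directory in the device directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_delete_generic_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_delete_generic_dirs'($*)) dnl
	gen_require(`
		type device_t;
	')

	delete_dirs_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_delete_generic_dirs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete directories in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_manage_generic_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_manage_generic_dirs'($*)) dnl
	gen_require(`
		type device_t;
	')

	manage_dirs_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_manage_generic_dirs'($*)) dnl
')

########################################
## <summary>
##	Allow full relabeling (to and from) of directories in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.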
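##	</summary>
## </param>
#
define(`dev_relabel_generic_dev_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_relabel_generic_dev_dirs'($*)) dnl
	gen_require(`
		type device_t;
	')

	relabel_dirs_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_relabel_generic_dev_dirs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of generic files in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_getattr_generic_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_generic_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:file getattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_generic_files'($*)) dnl
')

########################################
## <summary>
##	Read generic files in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_generic_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_read_generic_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	read_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_read_generic_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read generic files in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_read_generic_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_generic_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:file { read getattr };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_generic_files'($*)) dnl
')

########################################
## <summary>
##	Read and write generic files in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.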
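##	</summary>
## </param>
#
define(`dev_rw_generic_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_rw_generic_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	rw_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_rw_generic_files'($*)) dnl
')

########################################
## <summary>
##	Delete generic files in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_delete_generic_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_delete_generic_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	delete_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_delete_generic_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete generic files in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_manage_generic_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_manage_generic_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	manage_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_manage_generic_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of generic pipes in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_getattr_generic_pipes',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_generic_pipes'($*)) dnl
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:fifo_file getattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_generic_pipes'($*)) dnl
')

########################################
## <summary>
##	Write generic socket files in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.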
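##	</summary>
## </param>
#
define(`dev_write_generic_sockets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_write_generic_sockets'($*)) dnl
	gen_require(`
		type device_t;
	')

	write_sock_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_write_generic_sockets'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of generic block device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_generic_blk_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_getattr_generic_blk_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	getattr_blk_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_getattr_generic_blk_files'($*)) dnl
')

########################################
## <summary>
##	Rename generic block device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rename_generic_blk_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_rename_generic_blk_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	rename_blk_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_rename_generic_blk_files'($*)) dnl
')

########################################
## <summary>
##	Write generic sock files in /dev. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.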
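##	</summary>
## </param>
#
define(`dev_write_generic_sock_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_write_generic_sock_files'($*)) dnl
	# Deprecated alias: warn at build time, then delegate to the
	# replacement so callers keep getting exactly the same rules.
	refpolicywarn(`$0($*) has been replaced with dev_write_generic_sockets().')
	dev_write_generic_sockets($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_write_generic_sock_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of generic block device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_getattr_generic_blk_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_generic_blk_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:blk_file getattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_generic_blk_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to set the attributes
##	of generic block device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_setattr_generic_blk_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_generic_blk_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:blk_file setattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_generic_blk_files'($*)) dnl
')

########################################
## <summary>
##	Create generic block device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.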
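##	</summary>
## </param>
#
define(`dev_create_generic_blk_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_create_generic_blk_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	# Creating a blk_file with a chosen major/minor is a path to any
	# disk; pair this with a file transition so new nodes get a
	# specific type rather than remaining generic device_t.
	create_blk_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_create_generic_blk_files'($*)) dnl
')

########################################
## <summary>
##	Delete generic block device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_delete_generic_blk_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_delete_generic_blk_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	delete_blk_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_delete_generic_blk_files'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of generic character device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_generic_chr_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_getattr_generic_chr_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	getattr_chr_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_getattr_generic_chr_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of generic character device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.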
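##	</summary>
## </param>
#
define(`dev_dontaudit_getattr_generic_chr_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_generic_chr_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:chr_file getattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_generic_chr_files'($*)) dnl
')

########################################
## <summary>
##	Rename generic character device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rename_generic_chr_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_rename_generic_chr_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	rename_chr_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_rename_generic_chr_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to set the attributes
##	of generic character device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_setattr_generic_chr_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_generic_chr_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:chr_file setattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_generic_chr_files'($*)) dnl
')

########################################
## <summary>
##	Read generic character device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.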
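##	</summary>
## </param>
#
define(`dev_read_generic_chr_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_read_generic_chr_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	allow $1 device_t:chr_file read_chr_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_read_generic_chr_files'($*)) dnl
')

########################################
## <summary>
##	Read and write generic character device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_generic_chr_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_rw_generic_chr_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	allow $1 device_t:chr_file rw_chr_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_rw_generic_chr_files'($*)) dnl
')

########################################
## <summary>
##	Read and write generic block device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_generic_blk_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_rw_generic_blk_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	# Use the block-device permission set on a blk_file object; the
	# previous rw_chr_file_perms expanded to the same permissions but
	# named the wrong class.
	allow $1 device_t:blk_file rw_blk_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_rw_generic_blk_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read or write generic
##	character device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.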
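##	</summary>
## </param>
#
define(`dev_dontaudit_rw_generic_chr_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_generic_chr_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:chr_file rw_chr_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_generic_chr_files'($*)) dnl
')

########################################
## <summary>
##	Create generic character device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_create_generic_chr_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_create_generic_chr_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	# Creating a chr_file with an arbitrary major/minor reaches any
	# character device; pair with a file transition so new nodes are
	# not left as generic device_t.
	create_chr_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_create_generic_chr_files'($*)) dnl
')

########################################
## <summary>
##	Delete generic character device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_delete_generic_chr_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_delete_generic_chr_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	delete_chr_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_delete_generic_chr_files'($*)) dnl
')

########################################
## <summary>
##	Relabel from generic character device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.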
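##	</summary>
## </param>
#
define(`dev_relabelfrom_generic_chr_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_relabelfrom_generic_chr_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	# relabelfrom alone is not enough to retype a node; the caller
	# also needs relabelto on the destination type.
	allow $1 device_t:chr_file relabelfrom;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_relabelfrom_generic_chr_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to set the attributes
##	of symbolic links in device directories (/dev).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_setattr_generic_symlinks',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_generic_symlinks'($*)) dnl
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:lnk_file setattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_generic_symlinks'($*)) dnl
')

########################################
## <summary>
##	Create symbolic links in device directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_create_generic_symlinks',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_create_generic_symlinks'($*)) dnl
	gen_require(`
		type device_t;
	')

	# A symlink in /dev can redirect other domains' device opens; only
	# device-management domains should be able to create them.
	create_lnk_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_create_generic_symlinks'($*)) dnl
')

########################################
## <summary>
##	Delete symbolic links in device directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.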
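##	</summary>
## </param>
#
define(`dev_delete_generic_symlinks',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_delete_generic_symlinks'($*)) dnl
	gen_require(`
		type device_t;
	')

	delete_lnk_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_delete_generic_symlinks'($*)) dnl
')

########################################
## <summary>
##	Read symbolic links in device directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_generic_symlinks',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_read_generic_symlinks'($*)) dnl
	gen_require(`
		type device_t;
	')

	allow $1 device_t:lnk_file read_lnk_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_read_generic_symlinks'($*)) dnl
')

########################################
## <summary>
##	Create, delete, read, and write symbolic links
##	in device directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_manage_generic_symlinks',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_manage_generic_symlinks'($*)) dnl
	gen_require(`
		type device_t;
	')

	manage_lnk_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_manage_generic_symlinks'($*)) dnl
')

########################################
## <summary>
##	Relabel symbolic links in device directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.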
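##	</summary>
## </param>
#
define(`dev_relabel_generic_symlinks',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_relabel_generic_symlinks'($*)) dnl
	gen_require(`
		type device_t;
	')

	relabel_lnk_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_relabel_generic_symlinks'($*)) dnl
')

########################################
## <summary>
##	Create, delete, read, and write device nodes in device directories.
## </summary>
## <desc>
##	<p>
##	The caller can create, delete and relabel character and block
##	nodes of every device_node type, which is equivalent to access
##	to every device on the system.  To keep the policy's assertions
##	satisfied it is therefore also granted raw fixed-disk, SCSI
##	generic and raw memory access.  Only give this to fully trusted
##	device-management domains.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_manage_all_dev_nodes',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_manage_all_dev_nodes'($*)) dnl
	gen_require(`
		attribute device_node, memory_raw_read, memory_raw_write;
		type device_t;
	')

	manage_dirs_pattern($1, device_t, device_t)
	manage_sock_files_pattern($1, device_t, device_t)
	manage_lnk_files_pattern($1, device_t, device_t)
	manage_chr_files_pattern($1, device_t, { device_t device_node })
	manage_blk_files_pattern($1, device_t, { device_t device_node })
	relabel_dirs_pattern($1, device_t, device_t)
	relabel_chr_files_pattern($1, device_t, { device_t device_node })
	relabel_blk_files_pattern($1, device_t, { device_t device_node })

	# these next rules are to satisfy assertions broken by the above lines.
	# the permissions hopefully can be cut back a lot
	storage_raw_read_fixed_disk($1)
	storage_raw_write_fixed_disk($1)
	storage_read_scsi_generic($1)
	storage_write_scsi_generic($1)
	typeattribute $1 memory_raw_read;
	typeattribute $1 memory_raw_write;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_manage_all_dev_nodes'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read or write generic device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.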
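##	</summary>
## </param>
#
define(`dev_dontaudit_rw_generic_dev_nodes',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_generic_dev_nodes'($*)) dnl
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_generic_dev_nodes'($*)) dnl
')

########################################
## <summary>
##	Read generic block device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_generic_blk_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_read_generic_blk_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	read_blk_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_read_generic_blk_files'($*)) dnl
')

########################################
## <summary>
##	Create, delete, read, and write generic block device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_manage_generic_blk_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_manage_generic_blk_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	manage_blk_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_manage_generic_blk_files'($*)) dnl
')

########################################
## <summary>
##	Create, delete, read, and write generic character device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.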
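##	</summary>
## </param>
#
define(`dev_manage_generic_chr_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_manage_generic_chr_files'($*)) dnl
	gen_require(`
		type device_t;
	')

	manage_chr_files_pattern($1, device_t, device_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_manage_generic_chr_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, and write device nodes.  The node
##	will be transitioned to the type provided.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="type">
##	<summary>
##	Type to which the created node will be transitioned.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Object class(es) (single or set including {}) for which
##	the transition will occur.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`dev_filetrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_filetrans'($*)) dnl
	gen_require(`
		type device_t;
	')

	filetrans_pattern($1, device_t, $2, $3, $4)
	# The target type must be allowed on the device filesystem (and on
	# tmpfs-backed /dev) or the new node cannot be created at all.
	dev_associate($2)
	files_associate_tmp($2)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_filetrans'($*)) dnl
')

########################################
## <summary>
##	Create, read, and write device nodes.  The node
##	will be transitioned to the type provided.  This is
##	a temporary interface until devtmpfs functionality
##	is fixed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Object class(es) (single or set including {}) for which
##	the transition will occur.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.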
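##	</summary>
## </param>
#
define(`dev_tmpfs_filetrans_dev',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_tmpfs_filetrans_dev'($*)) dnl
	gen_require(`
		type device_t;
	')

	# Objects $1 creates on tmpfs under the given class/name become device_t.
	fs_tmpfs_filetrans($1, device_t, $2, $3)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_tmpfs_filetrans_dev'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of all device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_all',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_getattr_all'($*)) dnl
	gen_require(`
		attribute device_node;
		type device_t;
	')

	allow $1 { device_t device_node }:dir_file_class_set getattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_getattr_all'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of all block device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`dev_getattr_all_blk_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_getattr_all_blk_files'($*)) dnl
	gen_require(`
		attribute device_node;
		type device_t;
	')

	getattr_blk_files_pattern($1, device_t, device_node)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_getattr_all_blk_files'($*)) dnl
')

########################################
## <summary>
##	Lock all block device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`dev_lock_all_blk_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_lock_all_blk_files'($*)) dnl
	gen_require(`
		attribute device_node;
		type device_t;
	')

	lock_blk_files_pattern($1, device_t, device_node)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_lock_all_blk_files'($*)) dnl
')

########################################
## <summary>
##	Read all block device nodes.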
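## </summary>
## <desc>
##	<p>
##	Read access to every block device type, including raw disks;
##	this is full read access to all on-disk data regardless of
##	filesystem labels, so it should be tightly restricted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`dev_read_all_blk_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_read_all_blk_files'($*)) dnl
	gen_require(`
		attribute device_node;
		type device_t;
	')

	read_blk_files_pattern($1, device_t, device_node)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_read_all_blk_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all block device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_getattr_all_blk_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_all_blk_files'($*)) dnl
	gen_require(`
		attribute device_node;
		type device_t;
	')

	dontaudit $1 { device_t device_node }:blk_file getattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_all_blk_files'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of all character device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`dev_getattr_all_chr_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `dev_getattr_all_chr_files'($*)) dnl
	gen_require(`
		attribute device_node;
		type device_t;
	')

	getattr_chr_files_pattern($1, device_t, device_node)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `dev_getattr_all_chr_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all character device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.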
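##	</summary>
## </param>
#
define(`dev_dontaudit_getattr_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_all_chr_files'($*)) dnl
	gen_require(`
		attribute device_node;
		type device_t;
	')

	dontaudit $1 { device_t device_node }:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_all_chr_files'($*)) dnl
')

########################################
## <summary>
##	Setattr on all block file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`dev_setattr_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_all_blk_files'($*)) dnl
	gen_require(`
		attribute device_node;
		type device_t;
	')

	# device_t is used as the container below, so it must be in scope
	# for a module that calls only this interface (matches dev_getattr_all_blk_files)
	setattr_blk_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_all_blk_files'($*)) dnl
')

########################################
## <summary>
##	Setattr on all character file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`dev_setattr_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_all_chr_files'($*)) dnl
	gen_require(`
		attribute device_node;
		type device_t;
	')

	setattr_chr_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_all_chr_files'($*)) dnl
')

########################################
## <summary>
##	Dontaudit read on all block file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.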
##	</summary>
## </param>
#
define(`dev_dontaudit_read_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_all_blk_files'($*)) dnl
	gen_require(`
		attribute device_node;
	')

	# only the node types are referenced, so no type device_t require is needed here
	dontaudit $1 device_node:blk_file { getattr read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_all_blk_files'($*)) dnl
')

########################################
## <summary>
##	Dontaudit write on all block file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_write_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_write_all_blk_files'($*)) dnl
	gen_require(`
		attribute device_node;
	')

	dontaudit $1 device_node:blk_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_write_all_blk_files'($*)) dnl
')

########################################
## <summary>
##	Dontaudit read on all character file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_read_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_all_chr_files'($*)) dnl
	gen_require(`
		attribute device_node;
	')

	dontaudit $1 device_node:chr_file { getattr read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_all_chr_files'($*)) dnl
')

########################################
## <summary>
##	Dontaudit write on all character file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
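##	</summary>
## </param>
#
define(`dev_dontaudit_write_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_write_all_chr_files'($*)) dnl
	gen_require(`
		attribute device_node;
	')

	dontaudit $1 device_node:chr_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_write_all_chr_files'($*)) dnl
')

########################################
## <summary>
##	Create all device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_create_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_create_all_files'($*)) dnl
	gen_require(`
		attribute device_node;
		type device_t;
	')

	# device_t is the container passed to the pattern, so it is required
	# explicitly (as the dev_getattr_all_* interfaces already do)
	create_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_create_all_files'($*)) dnl
')

########################################
## <summary>
##	Create all block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_create_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_create_all_blk_files'($*)) dnl
	gen_require(`
		attribute device_node;
		type device_t;
	')

	create_blk_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_create_all_blk_files'($*)) dnl
')

########################################
## <summary>
##	Create all character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_create_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_create_all_chr_files'($*)) dnl
	gen_require(`
		attribute device_node;
		type device_t;
	')

	create_chr_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_create_all_chr_files'($*)) dnl
')

########################################
## <summary>
##	rw all inherited character device files.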
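## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_all_inherited_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_all_inherited_chr_files'($*)) dnl
	gen_require(`
		attribute device_node;
	')

	# no dir search on /dev: only already-open descriptors are usable
	allow $1 device_node:chr_file rw_inherited_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_all_inherited_chr_files'($*)) dnl
')

########################################
## <summary>
##	rw all inherited blk device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_all_inherited_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_all_inherited_blk_files'($*)) dnl
	gen_require(`
		attribute device_node;
	')

	allow $1 device_node:blk_file rw_inherited_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_all_inherited_blk_files'($*)) dnl
')

########################################
## <summary>
##	Delete all block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_delete_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_delete_all_blk_files'($*)) dnl
	gen_require(`
		attribute device_node;
		type device_t;
	')

	# device_t is the container argument, so it is required explicitly
	delete_blk_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_delete_all_blk_files'($*)) dnl
')

########################################
## <summary>
##	Delete all character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.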
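##	</summary>
## </param>
#
define(`dev_delete_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_delete_all_chr_files'($*)) dnl
	gen_require(`
		attribute device_node;
		type device_t;
	')

	# device_t is the container argument, so it is required explicitly
	delete_chr_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_delete_all_chr_files'($*)) dnl
')

########################################
## <summary>
##	Rename all block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rename_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rename_all_blk_files'($*)) dnl
	gen_require(`
		attribute device_node;
		type device_t;
	')

	rename_blk_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rename_all_blk_files'($*)) dnl
')

########################################
## <summary>
##	Rename all character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rename_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rename_all_chr_files'($*)) dnl
	gen_require(`
		attribute device_node;
		type device_t;
	')

	rename_chr_files_pattern($1, device_t, device_node)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rename_all_chr_files'($*)) dnl
')

########################################
## <summary>
##	Read, write, create, and delete all block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_manage_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_all_blk_files'($*)) dnl
	gen_require(`
		attribute device_node;
		type device_t;
	')

	manage_blk_files_pattern($1, device_t, device_node)

	# these next rules are to satisfy assertions broken by the above lines.
	# (manage on every block node already implies raw disk and SCSI generic
	# access, so the storage interfaces make that grant explicit)
	storage_raw_read_fixed_disk($1)
	storage_raw_write_fixed_disk($1)
	storage_read_scsi_generic($1)
	storage_write_scsi_generic($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_all_blk_files'($*)) dnl
')

########################################
## <summary>
##	Read, write, create, and delete all character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_manage_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_all_chr_files'($*)) dnl
	gen_require(`
		attribute device_node, memory_raw_read, memory_raw_write;
		type device_t;
	')

	manage_chr_files_pattern($1, device_t, device_node)

	# manage on every character node includes the raw memory devices; the
	# attributes below mirror the storage rules in dev_manage_all_blk_files
	# and are presumably what keeps the raw memory assertions satisfied
	typeattribute $1 memory_raw_read, memory_raw_write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_all_chr_files'($*)) dnl
')

########################################
## <summary>
##	Getattr the agp devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_agp_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_agp_dev'($*)) dnl
	gen_require(`
		type device_t, agp_device_t;
	')

	getattr_chr_files_pattern($1, device_t, agp_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_agp_dev'($*)) dnl
')

########################################
## <summary>
##	Read and write the agp devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_agp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_agp'($*)) dnl
	gen_require(`
		type device_t, agp_device_t;
	')

	rw_chr_files_pattern($1, device_t, agp_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_agp'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of the apm bios device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.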
##	</summary>
## </param>
#
define(`dev_getattr_apm_bios_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_apm_bios_dev'($*)) dnl
	gen_require(`
		type device_t, apm_bios_t;
	')

	getattr_chr_files_pattern($1, device_t, apm_bios_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_apm_bios_dev'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes of
##	the apm bios device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_getattr_apm_bios_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_apm_bios_dev'($*)) dnl
	gen_require(`
		type apm_bios_t;
	')

	dontaudit $1 apm_bios_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_apm_bios_dev'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of the apm bios device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_setattr_apm_bios_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_apm_bios_dev'($*)) dnl
	gen_require(`
		type device_t, apm_bios_t;
	')

	setattr_chr_files_pattern($1, device_t, apm_bios_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_apm_bios_dev'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to set the attributes of
##	the apm bios device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_setattr_apm_bios_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_apm_bios_dev'($*)) dnl
	gen_require(`
		type apm_bios_t;
	')

	dontaudit $1 apm_bios_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_apm_bios_dev'($*)) dnl
')

########################################
## <summary>
##	Read and write the apm bios.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_apm_bios',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_apm_bios'($*)) dnl
	gen_require(`
		type device_t, apm_bios_t;
	')

	rw_chr_files_pattern($1, device_t, apm_bios_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_apm_bios'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of the autofs device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_autofs_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_autofs_dev'($*)) dnl
	gen_require(`
		type device_t, autofs_device_t;
	')

	getattr_chr_files_pattern($1, device_t, autofs_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_autofs_dev'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes of
##	the autofs device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_getattr_autofs_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_autofs_dev'($*)) dnl
	gen_require(`
		type autofs_device_t;
	')

	dontaudit $1 autofs_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_autofs_dev'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of the autofs device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_setattr_autofs_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_autofs_dev'($*)) dnl
	gen_require(`
		type device_t, autofs_device_t;
	')

	setattr_chr_files_pattern($1, device_t, autofs_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_autofs_dev'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to set the attributes of
##	the autofs device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_setattr_autofs_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_autofs_dev'($*)) dnl
	gen_require(`
		type autofs_device_t;
	')

	dontaudit $1 autofs_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_autofs_dev'($*)) dnl
')

########################################
## <summary>
##	Read and write the autofs device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
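##	</summary>
## </param>
#
define(`dev_rw_autofs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_autofs'($*)) dnl
	gen_require(`
		type device_t, autofs_device_t;
	')

	rw_chr_files_pattern($1, device_t, autofs_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_autofs'($*)) dnl
')

########################################
## <summary>
##	Relabel the autofs device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_relabel_autofs_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_relabel_autofs_dev'($*)) dnl
	gen_require(`
		type autofs_device_t;
	')

	# relabel both from and to autofs_device_t; no /dev search is granted here
	allow $1 autofs_device_t:chr_file relabel_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_relabel_autofs_dev'($*)) dnl
')

########################################
## <summary>
##	Read and write the PCMCIA card manager device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_cardmgr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_cardmgr'($*)) dnl
	gen_require(`
		type device_t, cardmgr_dev_t;
	')

	# device_t is the container argument of the pattern, so it is required
	# alongside the node type (as dev_rw_autofs above does)
	rw_chr_files_pattern($1, device_t, cardmgr_dev_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_cardmgr'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and
##	write the PCMCIA card manager device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.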
##	</summary>
## </param>
#
define(`dev_dontaudit_rw_cardmgr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_cardmgr'($*)) dnl
	gen_require(`
		type cardmgr_dev_t;
	')

	dontaudit $1 cardmgr_dev_t:chr_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_cardmgr'($*)) dnl
')

########################################
## <summary>
##	Create the PCMCIA card manager device
##	nodes (character and block)
##	with the correct type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_create_cardmgr_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_create_cardmgr_dev'($*)) dnl
	gen_require(`
		type device_t, cardmgr_dev_t;
	')

	# create only; the manage variant below is the one that also grants rw/delete
	create_chr_files_pattern($1, device_t, cardmgr_dev_t)
	create_blk_files_pattern($1, device_t, cardmgr_dev_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_create_cardmgr_dev'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	the PCMCIA card manager device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_manage_cardmgr_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_cardmgr_dev'($*)) dnl
	gen_require(`
		type device_t, cardmgr_dev_t;
	')

	manage_chr_files_pattern($1, device_t, cardmgr_dev_t)
	manage_blk_files_pattern($1, device_t, cardmgr_dev_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_cardmgr_dev'($*)) dnl
')

########################################
## <summary>
##	Automatic type transition to the type
##	for PCMCIA card manager device nodes when
##	created in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`dev_filetrans_cardmgr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_filetrans_cardmgr'($*)) dnl
	gen_require(`
		type device_t, cardmgr_dev_t;
	')

	# $2 is the optional object name; when empty the transition applies
	# to every chr/blk node the domain creates in device_t
	filetrans_pattern($1, device_t, cardmgr_dev_t, { chr_file blk_file }, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_filetrans_cardmgr'($*)) dnl
')

########################################
## <summary>
##	Automatic type transition to the type
##	for xserver misc device nodes when
##	created in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_filetrans_xserver_misc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_filetrans_xserver_misc'($*)) dnl
	gen_require(`
		type device_t, xserver_misc_device_t;
	')

	# unlike dev_filetrans_cardmgr this takes no name argument, so it is
	# an unnamed transition for every chr_file the domain creates in /dev
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file )
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_filetrans_xserver_misc'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of the CPU
##	microcode and id interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_cpu_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_cpu_dev'($*)) dnl
	gen_require(`
		type device_t, cpu_device_t;
	')

	getattr_chr_files_pattern($1, device_t, cpu_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_cpu_dev'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of the CPU
##	microcode and id interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_setattr_cpu_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_cpu_dev'($*)) dnl
	gen_require(`
		type device_t, cpu_device_t;
	')

	setattr_chr_files_pattern($1, device_t, cpu_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_cpu_dev'($*)) dnl
')

########################################
## <summary>
##	Read the CPU identity.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_cpuid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_cpuid'($*)) dnl
	gen_require(`
		type device_t, cpu_device_t;
	')

	# cpu_device_t is one type for the id and microcode nodes, so this
	# grants read on both, not only on the cpuid node
	read_chr_files_pattern($1, device_t, cpu_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_cpuid'($*)) dnl
')

########################################
## <summary>
##	Read and write the CPU microcode device. This
##	is required to load CPU microcode.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_cpu_microcode',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_cpu_microcode'($*)) dnl
	gen_require(`
		type device_t, cpu_device_t;
	')

	# rw on every cpu_device_t node (id and microcode share the type);
	# callers should genuinely need to load microcode
	rw_chr_files_pattern($1, device_t, cpu_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_cpu_microcode'($*)) dnl
')

########################################
## <summary>
##	Read the kernel crash device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_crash',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_crash'($*)) dnl
	gen_require(`
		type device_t, crash_device_t;
	')

	read_chr_files_pattern($1, device_t, crash_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_crash'($*)) dnl
')

########################################
## <summary>
##	Read and write to the cachefilesd device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_cachefiles',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_cachefiles'($*)) dnl
	gen_require(`
		type device_t, cachefiles_device_t;
	')

	rw_chr_files_pattern($1, device_t, cachefiles_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_cachefiles'($*)) dnl
')

########################################
## <summary>
##	Read and write the hardware SSL accelerator.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_crypto',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_crypto'($*)) dnl
	gen_require(`
		type device_t, crypt_device_t;
	')

	rw_chr_files_pattern($1, device_t, crypt_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_crypto'($*)) dnl
')

########################################
## <summary>
##	Read and write the ecrypt filesystem device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_ecryptfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_ecryptfs'($*)) dnl
	gen_require(`
		type device_t, ecryptfs_device_t;
	')

	rw_chr_files_pattern($1, device_t, ecryptfs_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_ecryptfs'($*)) dnl
')

#######################################
## <summary>
##	Set the attributes of the dlm control devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
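##	</summary>
## </param>
#
define(`dev_setattr_dlm_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_dlm_control'($*)) dnl
	gen_require(`
		type device_t, dlm_control_device_t;
	')

	# the require block must name the type actually used by the rule below
	# (it previously required kvm_device_t, a copy/paste slip, which would
	# leave dlm_control_device_t out of scope for a module calling only this)
	setattr_chr_files_pattern($1, device_t, dlm_control_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_dlm_control'($*)) dnl
')

#######################################
## <summary>
##	Read and write the dlm control device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_dlm_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_dlm_control'($*)) dnl
	gen_require(`
		type device_t, dlm_control_device_t;
	')

	rw_chr_files_pattern($1, device_t, dlm_control_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_dlm_control'($*)) dnl
')

########################################
## <summary>
##	Getattr the dri devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_dri_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_dri_dev'($*)) dnl
	gen_require(`
		type device_t, dri_device_t;
	')

	getattr_chr_files_pattern($1, device_t, dri_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_dri_dev'($*)) dnl
')

########################################
## <summary>
##	Setattr the dri devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_setattr_dri_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_dri_dev'($*)) dnl
	gen_require(`
		type device_t, dri_device_t;
	')

	setattr_chr_files_pattern($1, device_t, dri_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_dri_dev'($*)) dnl
')

########################################
## <summary>
##	Mmap the dri devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.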
##	</summary>
## </param>
#
define(`dev_map_dri',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_map_dri'($*)) dnl
	gen_require(`
		type device_t, dri_device_t;
	')

	# map only; open/read/write come from dev_rw_dri (device_t is required
	# but not referenced by this rule)
	allow $1 dri_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_map_dri'($*)) dnl
')

########################################
## <summary>
##	Read and write the dri devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_dri',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_dri'($*)) dnl
	gen_require(`
		type device_t, dri_device_t;
	')

	rw_chr_files_pattern($1, device_t, dri_device_t)
	# the map permission is granted here as well, so callers of this
	# interface do not also need dev_map_dri
	allow $1 dri_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_dri'($*)) dnl
')

########################################
## <summary>
##	Read and write inherited dri devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_inherited_dri',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_inherited_dri'($*)) dnl
	gen_require(`
		type device_t, dri_device_t;
	')

	# search on /dev but no open: only descriptors inherited from the
	# parent can be used, unlike dev_rw_dri above
	allow $1 device_t:dir search_dir_perms;
	allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_inherited_dri'($*)) dnl
')

########################################
## <summary>
##	Dontaudit read and write on the dri devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_rw_dri',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_dri'($*)) dnl
	gen_require(`
		type dri_device_t;
	')

	dontaudit $1 dri_device_t:chr_file rw_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_dri'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete the dri devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_manage_dri_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_dri_dev'($*)) dnl
	gen_require(`
		type device_t, dri_device_t;
	')

	manage_chr_files_pattern($1, device_t, dri_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_dri_dev'($*)) dnl
')

########################################
## <summary>
##	Automatic type transition to the type
##	for DRI device nodes when created in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`dev_filetrans_dri',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_filetrans_dri'($*)) dnl
	gen_require(`
		type device_t, dri_device_t;
	')

	# $2 is the optional object name for a named transition
	filetrans_pattern($1, device_t, dri_device_t, chr_file, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_filetrans_dri'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of the event devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_input_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_input_dev'($*)) dnl
	gen_require(`
		type device_t, event_device_t;
	')

	# list (not just search) on /dev so the event nodes can be enumerated
	allow $1 device_t:dir list_dir_perms;
	allow $1 event_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_input_dev'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of the event devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_setattr_input_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_input_dev'($*)) dnl
	gen_require(`
		type device_t, event_device_t;
	')

	allow $1 device_t:dir list_dir_perms;
	allow $1 event_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_input_dev'($*)) dnl
')

########################################
## <summary>
##	Read input event devices (/dev/input).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_input',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_input'($*)) dnl
	gen_require(`
		type device_t, event_device_t;
	')

	# read on every event_device_t node, i.e. all raw input events;
	# grant only to domains that must consume input directly
	read_chr_files_pattern($1, device_t, event_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_input'($*)) dnl
')

########################################
## <summary>
##	Read and write input event devices (/dev/input).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_input_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_input_dev'($*)) dnl
	gen_require(`
		type device_t, event_device_t;
	')

	rw_chr_files_pattern($1, device_t, event_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_input_dev'($*)) dnl
')

########################################
## <summary>
##	Read and write inherited input event devices (/dev/input).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_inherited_input_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_inherited_input_dev'($*)) dnl
	gen_require(`
		type device_t, event_device_t;
	')

	# search on /dev but no open: only inherited descriptors are usable
	allow $1 device_t:dir search_dir_perms;
	allow $1 event_device_t:chr_file rw_inherited_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_inherited_input_dev'($*)) dnl
')

########################################
## <summary>
##	Read ipmi devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_ipmi_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_ipmi_dev'($*)) dnl
	gen_require(`
		type device_t, ipmi_device_t;
	')

	read_chr_files_pattern($1, device_t, ipmi_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_ipmi_dev'($*)) dnl
')

########################################
## <summary>
##	Read and write ipmi devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_ipmi_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_ipmi_dev'($*)) dnl
	gen_require(`
		type device_t, ipmi_device_t;
	')

	rw_chr_files_pattern($1, device_t, ipmi_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_ipmi_dev'($*)) dnl
')

########################################
## <summary>
##	Manage ipmi devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_manage_ipmi_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_ipmi_dev'($*)) dnl
gen_require(`
	type device_t, ipmi_device_t;
')

# Manage covers create/delete/rename of the nodes as well as rw.
manage_chr_files_pattern($1, device_t, ipmi_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_ipmi_dev'($*)) dnl
')

########################################
## <summary>
##	Automatic type transition to the type
##	for ipmi device nodes when created in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`dev_filetrans_ipmi',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_filetrans_ipmi'($*)) dnl
gen_require(`
	type device_t, ipmi_device_t;
')

# Second argument restricts the transition to a specific file name
# when given; without it any chr_file created in /dev by the domain
# is labeled ipmi_device_t.
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_filetrans_ipmi'($*)) dnl
')

########################################
## <summary>
##	Get attributes of infiniband devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_infiniband_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_infiniband_dev'($*)) dnl
gen_require(`
	type device_t, infiniband_device_t;
')

getattr_chr_files_pattern($1, device_t, infiniband_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_infiniband_dev'($*)) dnl
')

########################################
## <summary>
##	Read infiniband devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_infiniband_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_infiniband_dev'($*)) dnl
gen_require(`
	type device_t, infiniband_device_t;
')

# Both chr_file and blk_file rules are granted; the type is applied to
# nodes of both classes.
read_chr_files_pattern($1, device_t, infiniband_device_t)
read_blk_files_pattern($1, device_t, infiniband_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_infiniband_dev'($*)) dnl
')

########################################
## <summary>
##	Read and write infiniband devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_infiniband_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_infiniband_dev'($*)) dnl
gen_require(`
	type device_t, infiniband_device_t;
')

rw_chr_files_pattern($1, device_t, infiniband_device_t)
rw_blk_files_pattern($1, device_t, infiniband_device_t)
# map is granted separately: the rw patterns do not include it, and
# user-space verbs libraries mmap the device for their queues.
allow $1 infiniband_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_infiniband_dev'($*)) dnl
')

########################################
## <summary>
##	Read infiniband mgmt devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_infiniband_mgmt_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_infiniband_mgmt_dev'($*)) dnl
gen_require(`
	type device_t, infiniband_mgmt_device_t;
')

read_chr_files_pattern($1, device_t, infiniband_mgmt_device_t)
read_blk_files_pattern($1, device_t, infiniband_mgmt_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_infiniband_mgmt_dev'($*)) dnl
')

########################################
## <summary>
##	Read and write infiniband mgmt devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_infiniband_mgmt_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_infiniband_mgmt_dev'($*)) dnl
gen_require(`
	type device_t, infiniband_mgmt_device_t;
')

# Unlike dev_rw_infiniband_dev no map permission is granted here.
rw_chr_files_pattern($1, device_t, infiniband_mgmt_device_t)
rw_blk_files_pattern($1, device_t, infiniband_mgmt_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_infiniband_mgmt_dev'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of the framebuffer device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_framebuffer_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_framebuffer_dev'($*)) dnl
gen_require(`
	type device_t, framebuf_device_t;
')

getattr_chr_files_pattern($1, device_t, framebuf_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_framebuffer_dev'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of the framebuffer device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_setattr_framebuffer_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_framebuffer_dev'($*)) dnl
gen_require(`
	type device_t, framebuf_device_t;
')

setattr_chr_files_pattern($1, device_t, framebuf_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_framebuffer_dev'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to set the attributes
##	of the framebuffer device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
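##	</summary>
## </param>
#
define(`dev_dontaudit_setattr_framebuffer_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_framebuffer_dev'($*)) dnl
gen_require(`
	type framebuf_device_t;
')

dontaudit $1 framebuf_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_framebuffer_dev'($*)) dnl
')

########################################
## <summary>
##	Read the framebuffer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_framebuffer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_framebuffer'($*)) dnl
gen_require(`
	type device_t, framebuf_device_t;
')

# device_t is referenced by the pattern below, so it must be required
# too (it was missing, unlike in dev_write_framebuffer/dev_rw_framebuffer).
read_chr_files_pattern($1, device_t, framebuf_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_framebuffer'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read the framebuffer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_read_framebuffer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_framebuffer'($*)) dnl
gen_require(`
	type framebuf_device_t;
')

dontaudit $1 framebuf_device_t:chr_file { getattr read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_framebuffer'($*)) dnl
')

########################################
## <summary>
##	Write the framebuffer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.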
##	</summary>
## </param>
#
define(`dev_write_framebuffer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_framebuffer'($*)) dnl
gen_require(`
	type device_t, framebuf_device_t;
')

write_chr_files_pattern($1, device_t, framebuf_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_framebuffer'($*)) dnl
')

########################################
## <summary>
##	Mmap the framebuffer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_map_framebuffer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_map_framebuffer'($*)) dnl
gen_require(`
	type framebuf_device_t;
')

# map alone; the caller still needs read and/or write on the node
# (e.g. dev_rw_framebuffer) for the mapping to be usable.
allow $1 framebuf_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_map_framebuffer'($*)) dnl
')

########################################
## <summary>
##	Read and write the framebuffer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_framebuffer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_framebuffer'($*)) dnl
gen_require(`
	type device_t, framebuf_device_t;
')

rw_chr_files_pattern($1, device_t, framebuf_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_framebuffer'($*)) dnl
')

########################################
## <summary>
##	Read the kernel messages device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_kmsg',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_kmsg'($*)) dnl
gen_require(`
	type device_t, kmsg_device_t;
')

# Kernel log contents can include addresses and hardware details;
# restrict to logging daemons.
read_chr_files_pattern($1, device_t, kmsg_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_kmsg'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read the kernel messages device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_read_kmsg',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_kmsg'($*)) dnl
gen_require(`
	type kmsg_device_t;
')

dontaudit $1 kmsg_device_t:chr_file read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_kmsg'($*)) dnl
')

########################################
## <summary>
##	Write to the kernel messages device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_write_kmsg',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_kmsg'($*)) dnl
gen_require(`
	type device_t, kmsg_device_t;
')

# Writing lets the domain inject lines into the kernel log stream.
write_chr_files_pattern($1, device_t, kmsg_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_kmsg'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of the ksm devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_ksm_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_ksm_dev'($*)) dnl
gen_require(`
	type device_t, ksm_device_t;
')

getattr_chr_files_pattern($1, device_t, ksm_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_ksm_dev'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of the ksm devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_setattr_ksm_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_ksm_dev'($*)) dnl
gen_require(`
	type device_t, ksm_device_t;
')

setattr_chr_files_pattern($1, device_t, ksm_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_ksm_dev'($*)) dnl
')

########################################
## <summary>
##	Read the ksm devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_ksm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_ksm'($*)) dnl
gen_require(`
	type device_t, ksm_device_t;
')

read_chr_files_pattern($1, device_t, ksm_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_ksm'($*)) dnl
')

########################################
## <summary>
##	Read and write to ksm devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_ksm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_ksm'($*)) dnl
gen_require(`
	type device_t, ksm_device_t;
')

rw_chr_files_pattern($1, device_t, ksm_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_ksm'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of the kvm devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_kvm_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_kvm_dev'($*)) dnl
gen_require(`
	type device_t, kvm_device_t;
')

getattr_chr_files_pattern($1, device_t, kvm_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_kvm_dev'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of the kvm devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_setattr_kvm_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_kvm_dev'($*)) dnl
gen_require(`
	type device_t, kvm_device_t;
')

setattr_chr_files_pattern($1, device_t, kvm_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_kvm_dev'($*)) dnl
')

########################################
## <summary>
##	Read the kvm devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_kvm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_kvm'($*)) dnl
gen_require(`
	type device_t, kvm_device_t;
')

read_chr_files_pattern($1, device_t, kvm_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_kvm'($*)) dnl
')

########################################
## <summary>
##	Read and write to kvm devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_kvm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_kvm'($*)) dnl
gen_require(`
	type device_t, kvm_device_t;
')

# rw on /dev/kvm is what lets a domain create and run virtual
# machines; hypervisor domains only.
rw_chr_files_pattern($1, device_t, kvm_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_kvm'($*)) dnl
')

########################################
## <summary>
##	Read and write to sev devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_sev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_sev'($*)) dnl
gen_require(`
	type device_t, sev_device_t;
')

# The SEV device drives the platform security processor used for
# confidential-VM launch and attestation; pair with dev_rw_kvm.
rw_chr_files_pattern($1, device_t, sev_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_sev'($*)) dnl
')

########################################
## <summary>
##	Read the lirc device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_lirc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_lirc'($*)) dnl
gen_require(`
	type device_t, lirc_device_t;
')

read_chr_files_pattern($1, device_t, lirc_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_lirc'($*)) dnl
')

########################################
## <summary>
##	Read and write the lirc device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_lirc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_lirc'($*)) dnl
gen_require(`
	type device_t, lirc_device_t;
')

rw_chr_files_pattern($1, device_t, lirc_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_lirc'($*)) dnl
')

########################################
## <summary>
##	Automatic type transition to the type
##	for lirc device nodes when created in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`dev_filetrans_lirc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_filetrans_lirc'($*)) dnl
gen_require(`
	type device_t, lirc_device_t;
')

# Optional second argument names the specific node; omit it and every
# chr_file the domain creates in /dev gets lirc_device_t.
filetrans_pattern($1, device_t, lirc_device_t, chr_file, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_filetrans_lirc'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of the loop control device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_loop_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_loop_control'($*)) dnl
gen_require(`
	type device_t, loop_control_device_t;
')

getattr_chr_files_pattern($1, device_t, loop_control_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_loop_control'($*)) dnl
')

########################################
## <summary>
##	Read the loop control device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_loop_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_loop_control'($*)) dnl
gen_require(`
	type device_t, loop_control_device_t;
')

read_chr_files_pattern($1, device_t, loop_control_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_loop_control'($*)) dnl
')

########################################
## <summary>
##	Read and write the loop control device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_loop_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_loop_control'($*)) dnl
gen_require(`
	type device_t, loop_control_device_t;
')

# /dev/loop-control allocates and frees loop devices; pair with the
# block-device interfaces the domain needs to actually attach images.
rw_chr_files_pattern($1, device_t, loop_control_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_loop_control'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write the loop control device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_rw_loop_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_loop_control'($*)) dnl
gen_require(`
	type loop_control_device_t;
')

# NOTE(review): rw_file_perms is the file-class set; the chr_file
# set (rw_chr_file_perms) is the usual spelling for device nodes --
# confirm the two sets are identical before changing.
dontaudit $1 loop_control_device_t:chr_file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_loop_control'($*)) dnl
')

########################################
## <summary>
##	Delete the loop control device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_delete_loop_control_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_delete_loop_control_dev'($*)) dnl
gen_require(`
	type device_t, loop_control_device_t;
')

delete_chr_files_pattern($1, device_t, loop_control_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_delete_loop_control_dev'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of the lvm control device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_lvm_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_lvm_control'($*)) dnl
gen_require(`
	type device_t, lvm_control_t;
')

getattr_chr_files_pattern($1, device_t, lvm_control_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_lvm_control'($*)) dnl
')

########################################
## <summary>
##	Read the lvm control device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_lvm_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_lvm_control'($*)) dnl
gen_require(`
	type device_t, lvm_control_t;
')

read_chr_files_pattern($1, device_t, lvm_control_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_lvm_control'($*)) dnl
')

########################################
## <summary>
##	Read and write the lvm control device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_lvm_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_lvm_control'($*)) dnl
gen_require(`
	type device_t, lvm_control_t;
')

# The device-mapper control node creates and reconfigures mappings
# over arbitrary block devices; storage-management domains only.
rw_chr_files_pattern($1, device_t, lvm_control_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_lvm_control'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write the lvm control device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_rw_lvm_control',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_lvm_control'($*)) dnl
gen_require(`
	type lvm_control_t;
')

# NOTE(review): same rw_file_perms-on-chr_file spelling as
# dev_dontaudit_rw_loop_control; see the remark there.
dontaudit $1 lvm_control_t:chr_file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_lvm_control'($*)) dnl
')

########################################
## <summary>
##	Delete the lvm control device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_delete_lvm_control_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_delete_lvm_control_dev'($*)) dnl
gen_require(`
	type device_t, lvm_control_t;
')

delete_chr_files_pattern($1, device_t, lvm_control_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_delete_lvm_control_dev'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes of
##	raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_getattr_memory_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_memory_dev'($*)) dnl
gen_require(`
	type memory_device_t;
')

dontaudit $1 memory_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_memory_dev'($*)) dnl
')

########################################
## <summary>
##	Read raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_raw_memory',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_raw_memory'($*)) dnl
gen_require(`
	type device_t, memory_device_t;
	attribute memory_raw_read;
')

# Reading raw memory exposes the whole of physical memory, including
# kernel text, page tables and the secrets of every other domain.
# This is one of the most powerful grants in the policy; keep the set
# of callers minimal and review each one.
read_chr_files_pattern($1, device_t, memory_device_t)
allow $1 memory_device_t:chr_file map;
# The kernel lockdown LSM gates /dev/mem behind the integrity level,
# and the driver also checks CAP_SYS_RAWIO, so both are needed for
# the read to succeed at runtime.
allow $1 self:lockdown integrity;
allow $1 self:capability sys_rawio;
# Tag the domain so policy elsewhere can enumerate raw memory readers
# (presumably via neverallow or constraint rules; not visible here).
typeattribute $1 memory_raw_read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_raw_memory'($*)) dnl
')

########################################
## <summary>
##	Allow to be reader of raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_raw_memory_reader',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_raw_memory_reader'($*)) dnl
gen_require(`
	attribute memory_raw_read;
')

# Attribute only; grants no access by itself. Use dev_read_raw_memory
# for the actual allow rules.
typeattribute $1 memory_raw_read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_raw_memory_reader'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read raw memory devices
##	(e.g. /dev/mem).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_read_raw_memory',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_raw_memory'($*)) dnl
gen_require(`
	type memory_device_t;
')

# Silences the denial only; attempts to read /dev/mem are still
# denied. Use sparingly so real probing is not hidden from audit.
dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_raw_memory'($*)) dnl
')

########################################
## <summary>
##	Write raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_write_raw_memory',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_raw_memory'($*)) dnl
gen_require(`
	type device_t, memory_device_t;
	attribute memory_raw_write;
')

# Writing raw memory is equivalent to full kernel compromise; this
# should be granted to almost nothing.
write_chr_files_pattern($1, device_t, memory_device_t)
allow $1 self:capability sys_rawio;
# NOTE(review): unlike dev_read_raw_memory this does not grant
# self:lockdown integrity; on kernels with lockdown enabled the write
# may still be refused -- confirm whether that omission is intended.
typeattribute $1 memory_raw_write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_raw_memory'($*)) dnl
')

########################################
## <summary>
##	Allow to be writer of raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_raw_memory_writer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_raw_memory_writer'($*)) dnl
gen_require(`
	attribute memory_raw_write;
')

# Attribute only; grants no access by itself.
typeattribute $1 memory_raw_write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_raw_memory_writer'($*)) dnl
')

########################################
## <summary>
##	Read and execute raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rx_raw_memory',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rx_raw_memory'($*)) dnl
gen_require(`
	type device_t, memory_device_t;
')

# Builds on dev_read_raw_memory (which already grants map) and adds
# execute, i.e. mapping physical memory as executable code. Only
# legacy firmware/BIOS tooling should ever need this.
dev_read_raw_memory($1)
allow $1 memory_device_t:chr_file { map execute };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rx_raw_memory'($*)) dnl
')

########################################
## <summary>
##	Write and execute raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_wx_raw_memory',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_wx_raw_memory'($*)) dnl
gen_require(`
	type device_t, memory_device_t;
')

# Write plus execute on /dev/mem: the domain can place code in
# physical memory and run it. Treat any caller as fully trusted.
dev_write_raw_memory($1)
allow $1 memory_device_t:chr_file { map execute };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_wx_raw_memory'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_misc_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_misc_dev'($*)) dnl
gen_require(`
	type device_t, misc_device_t;
')

getattr_chr_files_pattern($1, device_t, misc_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_misc_dev'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_getattr_misc_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_misc_dev'($*)) dnl
gen_require(`
	type misc_device_t;
')

dontaudit $1 misc_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_misc_dev'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_setattr_misc_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_misc_dev'($*)) dnl
gen_require(`
	type device_t, misc_device_t;
')

setattr_chr_files_pattern($1, device_t, misc_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_misc_dev'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to set the attributes
##	of miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_setattr_misc_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_misc_dev'($*)) dnl
gen_require(`
	type misc_device_t;
')

dontaudit $1 misc_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_misc_dev'($*)) dnl
')

########################################
## <summary>
##	Read miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_misc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_misc'($*)) dnl
gen_require(`
	type device_t, misc_device_t;
')

# misc_device_t is a catch-all label for otherwise unclassified nodes,
# so this grant is broader than it looks; prefer a specific interface
# when one exists for the device in question.
read_chr_files_pattern($1, device_t, misc_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_misc'($*)) dnl
')

########################################
## <summary>
##	Write miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_write_misc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_misc'($*)) dnl
gen_require(`
	type device_t, misc_device_t;
')

# Same caveat as dev_read_misc: the catch-all label makes this wider
# than a single device.
write_chr_files_pattern($1, device_t, misc_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_misc'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_rw_misc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_rw_misc'($*)) dnl
gen_require(`
	type misc_device_t;
')

# NOTE(review): rw_file_perms used on a chr_file, as in
# dev_dontaudit_rw_loop_control; the chr_file permission set is the
# usual spelling -- confirm equivalence before changing.
dontaudit $1 misc_device_t:chr_file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_rw_misc'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of the modem devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_modem_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_modem_dev'($*)) dnl
gen_require(`
	type device_t, modem_device_t;
')

getattr_chr_files_pattern($1, device_t, modem_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_modem_dev'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of the modem devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_setattr_modem_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_modem_dev'($*)) dnl
gen_require(`
	type device_t, modem_device_t;
')

setattr_chr_files_pattern($1, device_t, modem_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_modem_dev'($*)) dnl
')

########################################
## <summary>
##	Read the modem devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_modem',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_modem'($*)) dnl
gen_require(`
	type device_t, modem_device_t;
')

read_chr_files_pattern($1, device_t, modem_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_modem'($*)) dnl
')

########################################
## <summary>
##	Read and write to modem devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_modem',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_modem'($*)) dnl
gen_require(`
	type device_t, modem_device_t;
')

rw_chr_files_pattern($1, device_t, modem_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_modem'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of the monitor devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_monitor_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_monitor_dev'($*)) dnl
gen_require(`
	type device_t, monitor_device_t;
')

getattr_chr_files_pattern($1, device_t, monitor_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_monitor_dev'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of the monitor devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_setattr_monitor_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_monitor_dev'($*)) dnl
gen_require(`
	type device_t, monitor_device_t;
')

setattr_chr_files_pattern($1, device_t, monitor_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_monitor_dev'($*)) dnl
')

########################################
## <summary>
##	Read the monitor devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_monitor_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_monitor_dev'($*)) dnl
gen_require(`
	type device_t, monitor_device_t;
')

read_chr_files_pattern($1, device_t, monitor_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_monitor_dev'($*)) dnl
')

########################################
## <summary>
##	Read and write to monitor devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_monitor_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_monitor_dev'($*)) dnl
gen_require(`
	type device_t, monitor_device_t;
')

rw_chr_files_pattern($1, device_t, monitor_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_monitor_dev'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of the mouse devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_mouse_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_mouse_dev'($*)) dnl
gen_require(`
	type device_t, mouse_device_t;
')

getattr_chr_files_pattern($1, device_t, mouse_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_mouse_dev'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of the mouse devices.
## ## ## ## Domain allowed access. ## ## # define(`dev_setattr_mouse_dev',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_setattr_mouse_dev'($*)) dnl gen_require(` type device_t, mouse_device_t; ') setattr_chr_files_pattern($1, device_t, mouse_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_setattr_mouse_dev'($*)) dnl ') ######################################## ## ## Read the mouse devices. ## ## ## ## Domain allowed access. ## ## # define(`dev_read_mouse',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_read_mouse'($*)) dnl gen_require(` type device_t, mouse_device_t; ') read_chr_files_pattern($1, device_t, mouse_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_read_mouse'($*)) dnl ') ######################################## ## ## Read and write to mouse devices. ## ## ## ## Domain allowed access. ## ## # define(`dev_rw_mouse',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_rw_mouse'($*)) dnl gen_require(` type device_t, mouse_device_t; ') rw_chr_files_pattern($1, device_t, mouse_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_rw_mouse'($*)) dnl ') ######################################## ## ## Get the attributes of the memory type range ## registers (MTRR) device. ## ## ## ## Domain allowed access. 
## ## # define(`dev_getattr_mtrr_dev',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_getattr_mtrr_dev'($*)) dnl gen_require(` type device_t, mtrr_device_t; ') getattr_files_pattern($1, device_t, mtrr_device_t) getattr_chr_files_pattern($1, device_t, mtrr_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_getattr_mtrr_dev'($*)) dnl ') ######################################## ## ## Write the memory type range ## registers (MTRR). (Deprecated) ## ## ##

## Write the memory type range ## registers (MTRR). This interface has ## been deprecated, dev_rw_mtrr() should be ## used instead. ##

##

## The MTRR device ioctls can be used for ## reading and writing; thus, write access to the ## device cannot be separated from read access. ##

##
## ## ## Domain allowed access. ## ## # define(`dev_write_mtrr',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_write_mtrr'($*)) dnl refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') dev_rw_mtrr($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_write_mtrr'($*)) dnl ') ######################################## ## ## Do not audit attempts to write the memory type ## range registers (MTRR). ## ## ## ## Domain to not audit. ## ## # define(`dev_dontaudit_write_mtrr',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_dontaudit_write_mtrr'($*)) dnl gen_require(` type mtrr_device_t; ') dontaudit $1 mtrr_device_t:file write_file_perms; dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_dontaudit_write_mtrr'($*)) dnl ') ######################################## ## ## Do not audit attempts to read the memory type ## range registers (MTRR). ## ## ## ## Domain to not audit. ## ## # define(`dev_dontaudit_read_mtrr',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_mtrr'($*)) dnl gen_require(` type mtrr_device_t; ') dontaudit $1 mtrr_device_t:file { open read }; dontaudit $1 mtrr_device_t:chr_file { open read }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_mtrr'($*)) dnl ') ######################################## ## ## Read the memory type range registers (MTRR). ## ## ## ## Domain allowed access. 
## ## # define(`dev_read_mtrr',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_read_mtrr'($*)) dnl gen_require(` type device_t, mtrr_device_t; ') read_files_pattern($1, device_t, mtrr_device_t) read_chr_files_pattern($1, device_t, mtrr_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_read_mtrr'($*)) dnl ') ######################################## ## ## Read and write the memory type range registers (MTRR). ## ## ## ## Domain allowed access. ## ## # define(`dev_rw_mtrr',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_rw_mtrr'($*)) dnl gen_require(` type device_t, mtrr_device_t; ') rw_files_pattern($1, device_t, mtrr_device_t) rw_chr_files_pattern($1, device_t, mtrr_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_rw_mtrr'($*)) dnl ') ######################################## ## ## Get the attributes of the network control device ## ## ## ## Domain allowed access. ## ## # define(`dev_getattr_netcontrol_dev',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_getattr_netcontrol_dev'($*)) dnl gen_require(` type device_t, netcontrol_device_t; ') getattr_chr_files_pattern($1, device_t, netcontrol_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_getattr_netcontrol_dev'($*)) dnl ') ######################################## ## ## Read the network control identity. ## ## ## ## Domain allowed access. 
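## </summary>
## </param>
#
define(`dev_read_netcontrol',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_netcontrol'($*)) dnl
	gen_require(`
		type device_t, netcontrol_device_t;
	')

	read_chr_files_pattern($1, device_t, netcontrol_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_netcontrol'($*)) dnl
')

########################################
## <summary>
##	Read and write the network control device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_netcontrol',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_netcontrol'($*)) dnl
	gen_require(`
		type device_t, netcontrol_device_t;
	')

	rw_chr_files_pattern($1, device_t, netcontrol_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_netcontrol'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of the null device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_null_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_null_dev'($*)) dnl
	gen_require(`
		type device_t, null_device_t;
	')

	getattr_chr_files_pattern($1, device_t, null_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_null_dev'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of the null device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.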
## ## # define(`dev_setattr_null_dev',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_setattr_null_dev'($*)) dnl gen_require(` type device_t, null_device_t; ') setattr_chr_files_pattern($1, device_t, null_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_setattr_null_dev'($*)) dnl ') ######################################## ## ## Delete the null device (/dev/null). ## ## ## ## Domain allowed access. ## ## # define(`dev_delete_null',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_delete_null'($*)) dnl gen_require(` type device_t, null_device_t; ') delete_chr_files_pattern($1, device_t, null_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_delete_null'($*)) dnl ') ######################################## ## ## Read and write to the null device (/dev/null). ## ## ## ## Domain allowed access. ## ## # define(`dev_rw_null',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_rw_null'($*)) dnl gen_require(` type device_t, null_device_t; ') rw_chr_files_pattern($1, device_t, null_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_rw_null'($*)) dnl ') ######################################## ## ## Create the null device (/dev/null). ## ## ## ## Domain allowed access. ## ## # define(`dev_create_null_dev',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_create_null_dev'($*)) dnl gen_require(` type device_t, null_device_t; ') create_chr_files_pattern($1, device_t, null_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_create_null_dev'($*)) dnl ') ######################################## ## ## Get the status of a null device service. ## ## ## ## Domain allowed access. 
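## </summary>
## </param>
#
define(`dev_service_status_null_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_service_status_null_dev'($*)) dnl
	gen_require(`
		type null_device_t;
	')

	allow $1 null_device_t:service status;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_service_status_null_dev'($*)) dnl
')

########################################
## <summary>
##	Manage the null device service.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Grants manage_service_perms on the service object only; no domain
# transition is involved, so the parameter is a plain access grant.
define(`dev_config_null_dev_service',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_config_null_dev_service'($*)) dnl
	gen_require(`
		type null_device_t;
	')

	allow $1 null_device_t:service manage_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_config_null_dev_service'($*)) dnl
')

########################################
## <summary>
##	Read Non-Volatile Memory Host Controller Interface. (Deprecated)
## </summary>
## <desc>
##	<p>
##	Use storage_raw_read_fixed_disk() instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_nvme',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_nvme'($*)) dnl
	refpolicywarn(`$0($*) has been replaced with storage_raw_read_fixed_disk().')

	storage_raw_read_fixed_disk($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_nvme'($*)) dnl
')

########################################
## <summary>
##	Read/Write Non-Volatile Memory Host Controller Interface. (Deprecated)
## </summary>
## <desc>
##	<p>
##	Use storage_raw_read_fixed_disk() and
##	storage_raw_write_fixed_disk() instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.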
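## </summary>
## </param>
#
define(`dev_rw_nvme',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_nvme'($*)) dnl
	refpolicywarn(`$0($*) has been replaced with storage_raw_read_fixed_disk() and storage_raw_write_fixed_disk().')

	storage_raw_read_fixed_disk($1)
	storage_raw_write_fixed_disk($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_nvme'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of the BIOS non-volatile RAM device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_getattr_nvram_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_nvram_dev'($*)) dnl
	gen_require(`
		type nvram_device_t;
	')

	dontaudit $1 nvram_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_nvram_dev'($*)) dnl
')

########################################
## <summary>
##	Read BIOS non-volatile RAM.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# device_t is the container (directory) type handed to
# read_chr_files_pattern(), so it must be in the require block
# alongside nvram_device_t.
define(`dev_read_nvram',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_nvram'($*)) dnl
	gen_require(`
		type device_t, nvram_device_t;
	')

	read_chr_files_pattern($1, device_t, nvram_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_nvram'($*)) dnl
')

########################################
## <summary>
##	Read and write BIOS non-volatile RAM.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.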
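## </summary>
## </param>
#
# device_t is the container (directory) type handed to
# rw_chr_files_pattern(), so it must be in the require block
# alongside nvram_device_t.
define(`dev_rw_nvram',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_nvram'($*)) dnl
	gen_require(`
		type device_t, nvram_device_t;
	')

	rw_chr_files_pattern($1, device_t, nvram_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_nvram'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of the printer device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_printer_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_printer_dev'($*)) dnl
	gen_require(`
		type device_t, printer_device_t;
	')

	getattr_chr_files_pattern($1, device_t, printer_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_printer_dev'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of the printer device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_setattr_printer_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_printer_dev'($*)) dnl
	gen_require(`
		type device_t, printer_device_t;
	')

	setattr_chr_files_pattern($1, device_t, printer_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_printer_dev'($*)) dnl
')

########################################
## <summary>
##	Append the printer device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.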
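## </summary>
## </param>
#
# cjp: added for lpd/checkpc_t
define(`dev_append_printer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_append_printer'($*)) dnl
	gen_require(`
		type device_t, printer_device_t;
	')

	append_chr_files_pattern($1, device_t, printer_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_append_printer'($*)) dnl
')

########################################
## <summary>
##	Read and write the printer device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_printer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_printer'($*)) dnl
	gen_require(`
		type device_t, printer_device_t;
	')

	rw_chr_files_pattern($1, device_t, printer_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_printer'($*)) dnl
')

########################################
## <summary>
##	Relabel the printer device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_relabel_printer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_relabel_printer'($*)) dnl
	gen_require(`
		type printer_device_t;
	')

	allow $1 printer_device_t:chr_file relabel_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_relabel_printer'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete the printer device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.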
## ## # define(`dev_manage_printer',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_manage_printer'($*)) dnl gen_require(` type device_t, printer_device_t; ') manage_chr_files_pattern($1, device_t, printer_device_t) dev_filetrans_printer_named_dev($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_manage_printer'($*)) dnl ') ######################################## ## ## Get the attributes of the QEMU ## microcode and id interfaces. ## ## ## ## Domain allowed access. ## ## # define(`dev_getattr_qemu_dev',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_getattr_qemu_dev'($*)) dnl gen_require(` type device_t, qemu_device_t; ') getattr_chr_files_pattern($1, device_t, qemu_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_getattr_qemu_dev'($*)) dnl ') ######################################## ## ## Set the attributes of the QEMU ## microcode and id interfaces. ## ## ## ## Domain allowed access. ## ## # define(`dev_setattr_qemu_dev',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_setattr_qemu_dev'($*)) dnl gen_require(` type device_t, qemu_device_t; ') setattr_chr_files_pattern($1, device_t, qemu_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_setattr_qemu_dev'($*)) dnl ') ######################################## ## ## Read the QEMU device ## ## ## ## Domain allowed access. 
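## </summary>
## </param>
#
define(`dev_read_qemu',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_qemu'($*)) dnl
	gen_require(`
		type device_t, qemu_device_t;
	')

	read_chr_files_pattern($1, device_t, qemu_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_qemu'($*)) dnl
')

########################################
## <summary>
##	Read and write the QEMU device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_qemu',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_qemu'($*)) dnl
	gen_require(`
		type device_t, qemu_device_t;
	')

	rw_chr_files_pattern($1, device_t, qemu_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_qemu'($*)) dnl
')

########################################
## <summary>
##	Read from random number generator
##	devices (e.g., /dev/random).
## </summary>
## <desc>
##	<p>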

## Allow the specified domain to read from random number ## generator devices (e.g., /dev/random). Typically this is ## used in situations when a cryptographically secure random ## number is needed. ##

##

## Related interface: ##

##
    ##
  • dev_read_urand()
  • ##
##
## ## ## Domain allowed access. ## ## ## # define(`dev_read_rand',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_read_rand'($*)) dnl gen_require(` type device_t, random_device_t; ') read_chr_files_pattern($1, device_t, random_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_read_rand'($*)) dnl ') ######################################## ## ## Do not audit attempts to read from random ## number generator devices (e.g., /dev/random) ## ## ## ## Domain to not audit. ## ## # define(`dev_dontaudit_read_rand',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_rand'($*)) dnl gen_require(` type random_device_t; ') dontaudit $1 random_device_t:chr_file { getattr read }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_rand'($*)) dnl ') ######################################## ## ## Do not audit attempts to append to the random ## number generator devices (e.g., /dev/random) ## ## ## ## Domain to not audit. ## ## # define(`dev_dontaudit_append_rand',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_dontaudit_append_rand'($*)) dnl gen_require(` type random_device_t; ') dontaudit $1 random_device_t:chr_file { append }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_dontaudit_append_rand'($*)) dnl ') ######################################## ## ## Write to the random device (e.g., /dev/random). This adds ## entropy used to generate the random data read from the ## random device. ## ## ## ## Domain allowed access. 
## ## # define(`dev_write_rand',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_write_rand'($*)) dnl gen_require(` type device_t, random_device_t; ') write_chr_files_pattern($1, device_t, random_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_write_rand'($*)) dnl ') ######################################## ## ## Read the realtime clock (/dev/rtc). ## ## ## ## Domain allowed access. ## ## # define(`dev_read_realtime_clock',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_read_realtime_clock'($*)) dnl gen_require(` type device_t, clock_device_t; ') read_chr_files_pattern($1, device_t, clock_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_read_realtime_clock'($*)) dnl ') ######################################## ## ## Set the realtime clock (/dev/rtc). ## ## ## ## Domain allowed access. ## ## # define(`dev_write_realtime_clock',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_write_realtime_clock'($*)) dnl gen_require(` type device_t, clock_device_t; ') write_chr_files_pattern($1, device_t, clock_device_t) allow $1 clock_device_t:chr_file setattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_write_realtime_clock'($*)) dnl ') ######################################## ## ## Read and set the realtime clock (/dev/rtc). ## ## ## ## Domain allowed access. ## ## # define(`dev_rw_realtime_clock',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_rw_realtime_clock'($*)) dnl dev_read_realtime_clock($1) dev_write_realtime_clock($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_rw_realtime_clock'($*)) dnl ') ######################################## ## ## Get the attributes of the scanner device. 
## ## ## ## Domain allowed access. ## ## # define(`dev_getattr_scanner_dev',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_getattr_scanner_dev'($*)) dnl gen_require(` type device_t, scanner_device_t; ') getattr_chr_files_pattern($1, device_t, scanner_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_getattr_scanner_dev'($*)) dnl ') ######################################## ## ## Do not audit attempts to get the attributes of ## the scanner device. ## ## ## ## Domain to not audit. ## ## # define(`dev_dontaudit_getattr_scanner_dev',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_scanner_dev'($*)) dnl gen_require(` type scanner_device_t; ') dontaudit $1 scanner_device_t:chr_file getattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_scanner_dev'($*)) dnl ') ######################################## ## ## Set the attributes of the scanner device. ## ## ## ## Domain allowed access. ## ## # define(`dev_setattr_scanner_dev',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_setattr_scanner_dev'($*)) dnl gen_require(` type device_t, scanner_device_t; ') setattr_chr_files_pattern($1, device_t, scanner_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_setattr_scanner_dev'($*)) dnl ') ######################################## ## ## Do not audit attempts to set the attributes of ## the scanner device. ## ## ## ## Domain to not audit. 
## ## # define(`dev_dontaudit_setattr_scanner_dev',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_scanner_dev'($*)) dnl gen_require(` type scanner_device_t; ') dontaudit $1 scanner_device_t:chr_file setattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_scanner_dev'($*)) dnl ') ######################################## ## ## Read and write the scanner device. ## ## ## ## Domain allowed access. ## ## # define(`dev_rw_scanner',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_rw_scanner'($*)) dnl gen_require(` type device_t, scanner_device_t; ') rw_chr_files_pattern($1, device_t, scanner_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_rw_scanner'($*)) dnl ') ######################################## ## ## Get the attributes of the sound devices. ## ## ## ## Domain allowed access. ## ## # define(`dev_getattr_sound_dev',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_getattr_sound_dev'($*)) dnl gen_require(` type device_t, sound_device_t; ') getattr_chr_files_pattern($1, device_t, sound_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_getattr_sound_dev'($*)) dnl ') ######################################## ## ## Set the attributes of the sound devices. ## ## ## ## Domain allowed access. ## ## # define(`dev_setattr_sound_dev',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_setattr_sound_dev'($*)) dnl gen_require(` type device_t, sound_device_t; ') setattr_chr_files_pattern($1, device_t, sound_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_setattr_sound_dev'($*)) dnl ') ######################################## ## ## Read the sound devices. 
## ## ## ## Domain allowed access. ## ## # define(`dev_read_sound',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_read_sound'($*)) dnl gen_require(` type device_t, sound_device_t; ') read_chr_files_pattern($1, device_t, sound_device_t) allow $1 sound_device_t:chr_file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_read_sound'($*)) dnl ') ######################################## ## ## Write the sound devices. ## ## ## ## Domain allowed access. ## ## # define(`dev_write_sound',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_write_sound'($*)) dnl gen_require(` type device_t, sound_device_t; ') write_chr_files_pattern($1, device_t, sound_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_write_sound'($*)) dnl ') ######################################## ## ## Read the sound mixer devices. ## ## ## ## Domain allowed access. ## ## # define(`dev_read_sound_mixer',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_read_sound_mixer'($*)) dnl gen_require(` type device_t, sound_device_t; ') read_chr_files_pattern($1, device_t, sound_device_t) allow $1 sound_device_t:chr_file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_read_sound_mixer'($*)) dnl ') ######################################## ## ## Write the sound mixer devices. ## ## ## ## Domain allowed access. 
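## </summary>
## </param>
#
define(`dev_write_sound_mixer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_sound_mixer'($*)) dnl
	gen_require(`
		type device_t, sound_device_t;
	')

	write_chr_files_pattern($1, device_t, sound_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_sound_mixer'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of the power management device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_power_mgmt_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_power_mgmt_dev'($*)) dnl
	gen_require(`
		type device_t, power_device_t;
	')

	getattr_chr_files_pattern($1, device_t, power_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_power_mgmt_dev'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of the power management device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_setattr_power_mgmt_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_power_mgmt_dev'($*)) dnl
	gen_require(`
		type device_t, power_device_t;
	')

	setattr_chr_files_pattern($1, device_t, power_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_power_mgmt_dev'($*)) dnl
')

########################################
## <summary>
##	Read and write the power management device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.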
## ## # define(`dev_rw_power_management',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_rw_power_management'($*)) dnl gen_require(` type device_t, power_device_t; ') rw_chr_files_pattern($1, device_t, power_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_rw_power_management'($*)) dnl ') ######################################## ## ## Getattr on smartcard devices ## ## ## ## Domain allowed access. ## ## # define(`dev_getattr_smartcard_dev',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_getattr_smartcard_dev'($*)) dnl gen_require(` type smartcard_device_t; ') allow $1 smartcard_device_t:chr_file getattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_getattr_smartcard_dev'($*)) dnl ') ######################################## ## ## dontaudit getattr on smartcard devices ## ## ## ## Domain to not audit. ## ## # define(`dev_dontaudit_getattr_smartcard_dev',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_smartcard_dev'($*)) dnl gen_require(` type smartcard_device_t; ') dontaudit $1 smartcard_device_t:chr_file getattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_smartcard_dev'($*)) dnl ') ######################################## ## ## Read and write smartcard devices. ## ## ## ## Domain allowed access. 
## ## # define(`dev_rw_smartcard',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_rw_smartcard'($*)) dnl gen_require(` type device_t, smartcard_device_t; ') rw_chr_files_pattern($1, device_t, smartcard_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_rw_smartcard'($*)) dnl ') ######################################## ## ## Create, read, write, and delete smartcard devices. ## ## ## ## Domain allowed access. ## ## # define(`dev_manage_smartcard',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_manage_smartcard'($*)) dnl gen_require(` type device_t, smartcard_device_t; ') manage_chr_files_pattern($1, device_t, smartcard_device_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_manage_smartcard'($*)) dnl ') ######################################## ## ## Associate a file to a sysfs filesystem. ## ## ## ## The type of the file to be associated to sysfs. ## ## # define(`dev_associate_sysfs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_associate_sysfs'($*)) dnl gen_require(` type sysfs_t; ') allow $1 sysfs_t:filesystem associate; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_associate_sysfs'($*)) dnl ') ######################################## ## ## Get the attributes of sysfs directories. ## ## ## ## Domain allowed access. ## ## # define(`dev_getattr_sysfs_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_getattr_sysfs_dirs'($*)) dnl gen_require(` type sysfs_t; ') allow $1 sysfs_t:dir getattr_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_getattr_sysfs_dirs'($*)) dnl ') ######################################## ## ## Set the attributes of sysfs directories. 
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_setattr_sysfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_sysfs_dirs'($*)) dnl
	gen_require(`
		type sysfs_t;
	')

	allow $1 sysfs_t:dir setattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_sysfs_dirs'($*)) dnl
')

########################################
## <summary>
##	Get attributes of sysfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_sysfs_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_sysfs_fs'($*)) dnl
	gen_require(`
		type sysfs_t;
	')

	allow $1 sysfs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_sysfs_fs'($*)) dnl
')

########################################
## <summary>
##	Mount a filesystem on /sys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_mounton_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_mounton_sysfs'($*)) dnl
	gen_require(`
		type sysfs_t;
	')

	allow $1 sysfs_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_mounton_sysfs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to mount a filesystem on /sys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_mounton_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_mounton_sysfs'($*)) dnl
	gen_require(`
		type sysfs_t;
	')

	dontaudit $1 sysfs_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_mounton_sysfs'($*)) dnl
')

########################################
## <summary>
##	Mount sysfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_mount_sysfs_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_mount_sysfs_fs'($*)) dnl
	gen_require(`
		type sysfs_t;
	')

	allow $1 sysfs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_mount_sysfs_fs'($*)) dnl
')

########################################
## <summary>
##	Unmount sysfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_unmount_sysfs_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_unmount_sysfs_fs'($*)) dnl
	gen_require(`
		type sysfs_t;
	')

	allow $1 sysfs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_unmount_sysfs_fs'($*)) dnl
')

########################################
## <summary>
##	Remount sysfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_remount_sysfs_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_remount_sysfs_fs'($*)) dnl
	gen_require(`
		type sysfs_t;
	')

	allow $1 sysfs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_remount_sysfs_fs'($*)) dnl
')

########################################
## <summary>
##	Search the sysfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_search_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_search_sysfs'($*)) dnl
	gen_require(`
		type sysfs_t;
	')

	# Search only; this is the building block the cpu_online
	# interfaces below call to reach their files under /sys.
	search_dirs_pattern($1, sysfs_t, sysfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_search_sysfs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to search sysfs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_search_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_search_sysfs'($*)) dnl
	gen_require(`
		type sysfs_t;
	')

	dontaudit $1 sysfs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_search_sysfs'($*)) dnl
')

########################################
## <summary>
##	List the contents of the sysfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_list_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_list_sysfs'($*)) dnl
	gen_require(`
		type sysfs_t;
	')

	# Symlink reads are included because sysfs directory
	# listings are largely made of symlinks.
	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
	list_dirs_pattern($1, sysfs_t, sysfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_list_sysfs'($*)) dnl
')

########################################
## <summary>
##	Write in sysfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for cpuspeed
define(`dev_write_sysfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_sysfs_dirs'($*)) dnl
	gen_require(`
		type sysfs_t;
	')

	# Directory write only; file creation is a separate interface.
	allow $1 sysfs_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_sysfs_dirs'($*)) dnl
')

########################################
## <summary>
##	Access check for sysfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_access_check_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_access_check_sysfs'($*)) dnl
	gen_require(`
		type sysfs_t;
	')

	# audit_access covers access(2)-style permission probes
	# only; it does not grant read, write or search itself.
	allow $1 sysfs_t:dir audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_access_check_sysfs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write in a sysfs directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_write_sysfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_write_sysfs_dirs'($*)) dnl
	gen_require(`
		type sysfs_t;
	')

	dontaudit $1 sysfs_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_write_sysfs_dirs'($*)) dnl
')

########################################
## <summary>
##	Read cpu online hardware state information.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to read the
##	/sys/devices/system/cpu/online file.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_cpu_online',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_cpu_online'($*)) dnl
	gen_require(`
		type cpu_online_t;
	')

	# The file lives under /sys, so sysfs search is needed to reach it.
	dev_search_sysfs($1)
	read_files_pattern($1, cpu_online_t, cpu_online_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_cpu_online'($*)) dnl
')

########################################
## <summary>
##	Relabel cpu online hardware state information.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_relabel_cpu_online',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_relabel_cpu_online'($*)) dnl
	gen_require(`
		type cpu_online_t;
		type sysfs_t;
	')

	# NOTE(review): sysfs_t is not referenced by this interface's own
	# rule; it is only reached through dev_search_sysfs(), which
	# requires it itself. The extra require is harmless but redundant.
	dev_search_sysfs($1)
	allow $1 cpu_online_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_relabel_cpu_online'($*)) dnl
')

########################################
## <summary>
##	Read hardware state information.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to read the contents of
##	the sysfs filesystem. This filesystem contains
##	information, parameters, and other settings on the
##	hardware installed on the system.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`dev_read_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_sysfs'($*)) dnl
	gen_require(`
		type sysfs_t;
	')

	read_files_pattern($1, sysfs_t, sysfs_t)
	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
	list_dirs_pattern($1, sysfs_t, sysfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_sysfs'($*)) dnl
')

########################################
## <summary>
##	Read and write hardware state information.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_sysfs'($*)) dnl
	gen_require(`
		type sysfs_t;
	')

	# Writing sysfs attributes changes kernel and device
	# settings; grant this only to domains that administer hardware.
	rw_files_pattern($1, sysfs_t, sysfs_t)
	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
	list_dirs_pattern($1, sysfs_t, sysfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_sysfs'($*)) dnl
')

########################################
## <summary>
##	Allow caller to create hardware state information files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_create_sysfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_create_sysfs_files'($*)) dnl
	gen_require(`
		type sysfs_t;
	')

	create_files_pattern($1, sysfs_t, sysfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_create_sysfs_files'($*)) dnl
')

########################################
## <summary>
##	Relabel hardware state directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_relabel_sysfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_relabel_sysfs_dirs'($*)) dnl
	gen_require(`
		type sysfs_t;
	')

	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_relabel_sysfs_dirs'($*)) dnl
')

########################################
## <summary>
##	Relabel hardware state directories, files,
##	and symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_relabel_all_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_relabel_all_sysfs'($*)) dnl
	gen_require(`
		type sysfs_t;
	')

	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
	relabel_files_pattern($1, sysfs_t, sysfs_t)
	relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_relabel_all_sysfs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete hardware
##	state directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_manage_sysfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_sysfs_dirs'($*)) dnl
	gen_require(`
		type sysfs_t;
	')

	manage_dirs_pattern($1, sysfs_t, sysfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_sysfs_dirs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete hardware state
##	directories, files, and symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_manage_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_sysfs'($*)) dnl
	gen_require(`
		type sysfs_t;
	')

	manage_dirs_pattern($1, sysfs_t, sysfs_t)
	manage_files_pattern($1, sysfs_t, sysfs_t)
	manage_lnk_files_pattern($1, sysfs_t, sysfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_sysfs'($*)) dnl
')

########################################
## <summary>
##	Mmap sysfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_map_sysfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_map_sysfs'($*)) dnl
	gen_require(`
		type sysfs_t;
	')

	# map only; pair with dev_read_sysfs() or dev_rw_sysfs()
	# for the open/read/write side.
	allow $1 sysfs_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_map_sysfs'($*)) dnl
')

########################################
## <summary>
##	Read and write the TPM device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_tpm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_tpm'($*)) dnl
	gen_require(`
		type device_t, tpm_device_t;
	')

	rw_chr_files_pattern($1, device_t, tpm_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_tpm'($*)) dnl
')

########################################
## <summary>
##	Read from pseudo random number generator
##	devices (e.g., /dev/urandom).
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to read from pseudo random number
##	generator devices (e.g., /dev/urandom). Typically this is
##	used in situations when a cryptographically secure random
##	number is not necessarily needed. One example is the Stack
##	Smashing Protector (SSP, formerly known as ProPolice) support
##	that may be compiled into programs.
##	</p>
##	<p>
##	Related interface:
##	</p>
##	<ul>
##		<li>dev_read_rand()</li>
##	</ul>
##	<p>
##	Related tunable:
##	</p>
##	<ul>
##		<li>global_ssp</li>
##	</ul>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`dev_read_urand',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_urand'($*)) dnl
	gen_require(`
		type device_t, urandom_device_t;
	')

	read_chr_files_pattern($1, device_t, urandom_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_urand'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read from pseudo
##	random devices (e.g., /dev/urandom).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_read_urand',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_read_urand'($*)) dnl
	gen_require(`
		type urandom_device_t;
	')

	dontaudit $1 urandom_device_t:chr_file { getattr read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_read_urand'($*)) dnl
')

########################################
## <summary>
##	Write to the pseudo random device (e.g., /dev/urandom). This
##	sets the random number generator seed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_write_urand',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_urand'($*)) dnl
	gen_require(`
		type device_t, urandom_device_t;
	')

	# Writing feeds the kernel entropy pool; keep this to seed
	# daemons and similar trusted domains.
	write_chr_files_pattern($1, device_t, urandom_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_urand'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write to pseudo
##	random devices (e.g., /dev/urandom).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
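##	</summary>
## </param>
#
define(`dev_dontaudit_write_urand',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_write_urand'($*)) dnl
	gen_require(`
		type urandom_device_t;
	')

	dontaudit $1 urandom_device_t:chr_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_write_urand'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of generic USB devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_generic_usb_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_generic_usb_dev'($*)) dnl
	gen_require(`
		type device_t, usb_device_t;
	')

	getattr_chr_files_pattern($1, device_t, usb_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_generic_usb_dev'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of generic USB devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_setattr_generic_usb_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_generic_usb_dev'($*)) dnl
	gen_require(`
		type device_t, usb_device_t;
	')

	# device_t is the container type used by the pattern below, so it
	# must be in the require block or a module calling only this
	# interface has no declaration for it.
	setattr_chr_files_pattern($1, device_t, usb_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_generic_usb_dev'($*)) dnl
')

########################################
## <summary>
##	Read generic USB devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_generic_usb_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_generic_usb_dev'($*)) dnl
	gen_require(`
		type device_t, usb_device_t;
	')

	# device_t is the container type used by the pattern below, so it
	# must be in the require block (see dev_getattr_generic_usb_dev).
	read_chr_files_pattern($1, device_t, usb_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_generic_usb_dev'($*)) dnl
')

########################################
## <summary>
##	Read and write generic USB devices.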
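## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_generic_usb_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_generic_usb_dev'($*)) dnl
	gen_require(`
		type device_t, usb_device_t;
	')

	rw_chr_files_pattern($1, device_t, usb_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_generic_usb_dev'($*)) dnl
')

########################################
## <summary>
##	Relabel generic USB devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_relabel_generic_usb_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_relabel_generic_usb_dev'($*)) dnl
	gen_require(`
		type device_t, usb_device_t;
	')

	# device_t is the container type used by the pattern below, so it
	# must be in the require block, as in dev_rw_generic_usb_dev above.
	relabel_chr_files_pattern($1, device_t, usb_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_relabel_generic_usb_dev'($*)) dnl
')

########################################
## <summary>
##	Read USB monitor devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_usbmon_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_usbmon_dev'($*)) dnl
	gen_require(`
		type device_t, usbmon_device_t;
	')

	read_chr_files_pattern($1, device_t, usbmon_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_usbmon_dev'($*)) dnl
')

########################################
## <summary>
##	Mmap USB monitor devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_map_usbmon_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_map_usbmon_dev'($*)) dnl
	gen_require(`
		type usbmon_device_t;
	')

	# map only; pair with dev_read_usbmon_dev() for open/read.
	allow $1 usbmon_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_map_usbmon_dev'($*)) dnl
')

########################################
## <summary>
##	Write USB monitor devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.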
##	</summary>
## </param>
#
define(`dev_write_usbmon_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_usbmon_dev'($*)) dnl
	gen_require(`
		type device_t, usbmon_device_t;
	')

	write_chr_files_pattern($1, device_t, usbmon_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_usbmon_dev'($*)) dnl
')

########################################
## <summary>
##	Mount a usbfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_mount_usbfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_mount_usbfs'($*)) dnl
	gen_require(`
		type usbfs_t;
	')

	allow $1 usbfs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_mount_usbfs'($*)) dnl
')

########################################
## <summary>
##	Associate a file to a usbfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the file to be associated to usbfs.
##	</summary>
## </param>
#
define(`dev_associate_usbfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_associate_usbfs'($*)) dnl
	gen_require(`
		type usbfs_t;
	')

	# $1 is a file type here, not a process domain.
	allow $1 usbfs_t:filesystem associate;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_associate_usbfs'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of a directory in the usb filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_usbfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_usbfs_dirs'($*)) dnl
	gen_require(`
		type usbfs_t;
	')

	allow $1 usbfs_t:dir getattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_usbfs_dirs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of a directory in the usb filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_getattr_usbfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_usbfs_dirs'($*)) dnl
	gen_require(`
		type usbfs_t;
	')

	dontaudit $1 usbfs_t:dir getattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_usbfs_dirs'($*)) dnl
')

########################################
## <summary>
##	Search the directory containing USB hardware information.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_search_usbfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_search_usbfs'($*)) dnl
	gen_require(`
		type usbfs_t;
	')

	search_dirs_pattern($1, usbfs_t, usbfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_search_usbfs'($*)) dnl
')

########################################
## <summary>
##	Allow caller to get a list of usb hardware.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_list_usbfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_list_usbfs'($*)) dnl
	gen_require(`
		type usbfs_t;
	')

	# Listing plus getattr on the entries; file contents are
	# not readable through this interface.
	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
	getattr_files_pattern($1, usbfs_t, usbfs_t)
	list_dirs_pattern($1, usbfs_t, usbfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_list_usbfs'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of usbfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_setattr_usbfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_usbfs_files'($*)) dnl
	gen_require(`
		type usbfs_t;
	')

	setattr_files_pattern($1, usbfs_t, usbfs_t)
	list_dirs_pattern($1, usbfs_t, usbfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_usbfs_files'($*)) dnl
')

########################################
## <summary>
##	Read USB hardware information using
##	the usbfs filesystem interface.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_usbfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_usbfs'($*)) dnl
	gen_require(`
		type usbfs_t;
	')

	read_files_pattern($1, usbfs_t, usbfs_t)
	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
	list_dirs_pattern($1, usbfs_t, usbfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_usbfs'($*)) dnl
')

########################################
## <summary>
##	Allow caller to modify usb hardware configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_usbfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_usbfs'($*)) dnl
	gen_require(`
		type usbfs_t;
	')

	list_dirs_pattern($1, usbfs_t, usbfs_t)
	rw_files_pattern($1, usbfs_t, usbfs_t)
	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_usbfs'($*)) dnl
')

########################################
## <summary>
##	Read and write userio devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_userio_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_userio_dev'($*)) dnl
	gen_require(`
		type device_t, userio_device_t;
	')

	rw_chr_files_pattern($1, device_t, userio_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_userio_dev'($*)) dnl
')

########################################
## <summary>
##	Mmap the userio devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_map_userio_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_map_userio_dev'($*)) dnl
	gen_require(`
		type device_t, userio_device_t;
	')

	allow $1 userio_device_t:chr_file map;
	# NOTE(review): lockdown:integrity is granted on self, so it is
	# not scoped to userio_device_t -- the caller passes every
	# integrity-lockdown check the kernel makes for it, not just the
	# one for this mapping. Treat callers of this interface as
	# highly privileged and keep the list short.
	allow $1 self:lockdown integrity;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_map_userio_dev'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of video4linux devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_video_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_video_dev'($*)) dnl
	gen_require(`
		type device_t, v4l_device_t;
	')

	getattr_chr_files_pattern($1, device_t, v4l_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_video_dev'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of video4linux device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_getattr_video_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_video_dev'($*)) dnl
	gen_require(`
		type v4l_device_t;
	')

	dontaudit $1 v4l_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_video_dev'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of video4linux device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_setattr_video_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_video_dev'($*)) dnl
	gen_require(`
		type device_t, v4l_device_t;
	')

	setattr_chr_files_pattern($1, device_t, v4l_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_video_dev'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to set the attributes
##	of video4linux device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_setattr_video_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_video_dev'($*)) dnl
	gen_require(`
		type v4l_device_t;
	')

	dontaudit $1 v4l_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_video_dev'($*)) dnl
')

########################################
## <summary>
##	Read the video4linux devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_video_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_video_dev'($*)) dnl
	gen_require(`
		type device_t, v4l_device_t;
	')

	read_chr_files_pattern($1, device_t, v4l_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_video_dev'($*)) dnl
')

########################################
## <summary>
##	Mmap the video4linux devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_map_video_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_map_video_dev'($*)) dnl
	gen_require(`
		type device_t, v4l_device_t;
	')

	# map only; the open/read side comes from dev_read_video_dev().
	allow $1 v4l_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_map_video_dev'($*)) dnl
')

########################################
## <summary>
##	Write the video4linux devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_write_video_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_video_dev'($*)) dnl
	gen_require(`
		type device_t, v4l_device_t;
	')

	write_chr_files_pattern($1, device_t, v4l_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_video_dev'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of vfio devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_vfio_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_vfio_dev'($*)) dnl
	gen_require(`
		type device_t, vfio_device_t;
	')

	getattr_chr_files_pattern($1, device_t, vfio_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_vfio_dev'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of vfio device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_getattr_vfio_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_vfio_dev'($*)) dnl
	gen_require(`
		type vfio_device_t;
	')

	dontaudit $1 vfio_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_vfio_dev'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of vfio device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_setattr_vfio_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_vfio_dev'($*)) dnl
	gen_require(`
		type device_t, vfio_device_t;
	')

	setattr_chr_files_pattern($1, device_t, vfio_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_vfio_dev'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to set the attributes
##	of vfio device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_setattr_vfio_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_setattr_vfio_dev'($*)) dnl
	gen_require(`
		type vfio_device_t;
	')

	dontaudit $1 vfio_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_setattr_vfio_dev'($*)) dnl
')

########################################
## <summary>
##	Read the vfio devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_vfio_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_vfio_dev'($*)) dnl
	gen_require(`
		type device_t, vfio_device_t;
	')

	read_chr_files_pattern($1, device_t, vfio_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_vfio_dev'($*)) dnl
')

########################################
## <summary>
##	Write the vfio devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_write_vfio_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_vfio_dev'($*)) dnl
	gen_require(`
		type device_t, vfio_device_t;
	')

	write_chr_files_pattern($1, device_t, vfio_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_vfio_dev'($*)) dnl
')

########################################
## <summary>
##	Read and write the VFIO devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_vfio_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_vfio_dev'($*)) dnl
	gen_require(`
		type device_t, vfio_device_t;
	')

	# VFIO hands raw device access to userspace; callers are
	# typically VM or device-passthrough domains.
	rw_chr_files_pattern($1, device_t, vfio_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_vfio_dev'($*)) dnl
')

########################################
## <summary>
##	Read and write the vhost net device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_vhost',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_vhost'($*)) dnl
	gen_require(`
		type device_t, vhost_device_t;
	')

	rw_chr_files_pattern($1, device_t, vhost_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_vhost'($*)) dnl
')

########################################
## <summary>
##	Read and write inherited vhost net device
##	file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_inherited_vhost',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_inherited_vhost'($*)) dnl
	gen_require(`
		type device_t, vhost_device_t;
	')

	# Unlike dev_rw_vhost(), this uses the inherited permission set
	# (no directory search and, presumably, no open), so the domain
	# can only use a descriptor it was handed, not open the node.
	allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_inherited_vhost'($*)) dnl
')

########################################
## <summary>
##	Read and write VMWare devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_vmware',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_vmware'($*)) dnl
gen_require(`
	type device_t, vmware_device_t;
')

rw_chr_files_pattern($1, device_t, vmware_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_vmware'($*)) dnl
')

########################################
## <summary>
##	Read, write, and mmap VMWare devices.
## </summary>
## <desc>
##	<p>
##	On top of dev_rw_vmware this grants map and execute on the
##	vmware device nodes, so the domain may mmap them with
##	PROT_EXEC. A writable node that is also executable is a
##	W^X exception; grant it only to domains that need it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rwx_vmware',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rwx_vmware'($*)) dnl
gen_require(`
	type device_t, vmware_device_t;
')

dev_rw_vmware($1)
allow $1 vmware_device_t:chr_file { map execute };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rwx_vmware'($*)) dnl
')

########################################
## <summary>
##	Read from watchdog devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_watchdog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_watchdog'($*)) dnl
gen_require(`
	type device_t, watchdog_device_t;
')

read_chr_files_pattern($1, device_t, watchdog_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_watchdog'($*)) dnl
')

########################################
## <summary>
##	Write to watchdog devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_write_watchdog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_write_watchdog'($*)) dnl
gen_require(`
	type device_t, watchdog_device_t;
')

write_chr_files_pattern($1, device_t, watchdog_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_write_watchdog'($*)) dnl
')

########################################
## <summary>
##	Read and write watchdog devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_watchdog',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_watchdog'($*)) dnl
gen_require(`
	type device_t, watchdog_device_t;
')

rw_chr_files_pattern($1, device_t, watchdog_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_watchdog'($*)) dnl
')

########################################
## <summary>
##	Read and write the wireless device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_wireless',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_wireless'($*)) dnl
gen_require(`
	type device_t, wireless_device_t;
')

rw_chr_files_pattern($1, device_t, wireless_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_wireless'($*)) dnl
')

########################################
## <summary>
##	Read and write Xen devices.
## </summary>
## <desc>
##	<p>
##	Also grants map on the Xen device nodes so they can be
##	mmapped (read/write only, no execute).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_xen',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_xen'($*)) dnl
gen_require(`
	type device_t, xen_device_t;
')

rw_chr_files_pattern($1, device_t, xen_device_t)
allow $1 xen_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_xen'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete Xen devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_manage_xen',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_xen'($*)) dnl
gen_require(`
	type device_t, xen_device_t;
')

manage_chr_files_pattern($1, device_t, xen_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_xen'($*)) dnl
')

########################################
## <summary>
##	Automatic type transition to the type
##	for xen device nodes when created in /dev.
## </summary>
## <desc>
##	<p>
##	When the name parameter is omitted the transition applies to
##	every chr_file the domain creates in a device_t directory,
##	not just the xen nodes; pass the node name wherever the
##	caller knows it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`dev_filetrans_xen',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_filetrans_xen'($*)) dnl
gen_require(`
	type device_t, xen_device_t;
')

filetrans_pattern($1, device_t, xen_device_t, chr_file, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_filetrans_xen'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of X server miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_xserver_misc_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_xserver_misc_dev'($*)) dnl
gen_require(`
	type device_t, xserver_misc_device_t;
')

getattr_chr_files_pattern($1, device_t, xserver_misc_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_xserver_misc_dev'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of X server miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_setattr_xserver_misc_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_setattr_xserver_misc_dev'($*)) dnl
gen_require(`
	type device_t, xserver_misc_device_t;
')

setattr_chr_files_pattern($1, device_t, xserver_misc_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_setattr_xserver_misc_dev'($*)) dnl
')

########################################
## <summary>
##	Read and write X server miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_xserver_misc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_xserver_misc'($*)) dnl
gen_require(`
	type device_t, xserver_misc_device_t;
')

rw_chr_files_pattern($1, device_t, xserver_misc_device_t)
allow $1 xserver_misc_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_xserver_misc'($*)) dnl
')

########################################
## <summary>
##	Dontaudit attempts to Read and write X server miscellaneous devices.
## </summary>
## <desc>
##	<p>
##	Covers read and write only, not open: the intended case is a
##	descriptor leaked into the domain across exec, so that the
##	resulting denials do not fill the audit log. Nothing is
##	granted by this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_leaked_xserver_misc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_leaked_xserver_misc'($*)) dnl
gen_require(`
	type xserver_misc_device_t;
')

dontaudit $1 xserver_misc_device_t:chr_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_leaked_xserver_misc'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete X server miscellaneous devices.
## </summary>
## <desc>
##	<p>
##	Also applies the named file transitions from
##	dev_filetrans_xserver_named_dev so nodes the domain creates
##	get the xserver_misc_device_t label.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_manage_xserver_misc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_manage_xserver_misc'($*)) dnl
gen_require(`
	type device_t, xserver_misc_device_t;
')

manage_chr_files_pattern($1, device_t, xserver_misc_device_t)
dev_filetrans_xserver_named_dev($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_manage_xserver_misc'($*)) dnl
')

########################################
## <summary>
##	mmap X server miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_map_xserver_misc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_map_xserver_misc'($*)) dnl
gen_require(`
	type xserver_misc_device_t;
')

# map alone: the caller still needs read/write on the node (for example
# via dev_rw_xserver_misc) for the mapping to be usable.
allow $1 xserver_misc_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_map_xserver_misc'($*)) dnl
')

########################################
## <summary>
##	Read and write to the zero device (/dev/zero).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_zero',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_zero'($*)) dnl
gen_require(`
	type device_t, zero_device_t;
')

rw_chr_files_pattern($1, device_t, zero_device_t)
allow $1 zero_device_t:chr_file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_zero'($*)) dnl
')

########################################
## <summary>
##	Read, write, and execute the zero device (/dev/zero).
## </summary>
## <desc>
##	<p>
##	Adds execute on /dev/zero, which lets the domain create
##	writable and executable anonymous memory by mapping the
##	device with PROT_EXEC. This is equivalent in effect to an
##	execmem-style grant and should be reserved for domains that
##	need to generate code at runtime.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rwx_zero',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rwx_zero'($*)) dnl
gen_require(`
	type zero_device_t;
')

dev_rw_zero($1)
allow $1 zero_device_t:chr_file { map execute };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rwx_zero'($*)) dnl
')

########################################
## <summary>
##	Execmod the zero device (/dev/zero).
## </summary>
## <desc>
##	<p>
##	execmod permits a private mapping of /dev/zero that has been
##	written to be made executable, so like dev_rwx_zero this is a
##	W^X exception and should be granted deliberately.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_execmod_zero',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_execmod_zero'($*)) dnl
gen_require(`
	type zero_device_t;
')

dev_rw_zero($1)
allow $1 zero_device_t:chr_file execmod;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_execmod_zero'($*)) dnl
')

########################################
## <summary>
##	Create the zero device (/dev/zero).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_create_zero_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_create_zero_dev'($*)) dnl
gen_require(`
	type device_t, zero_device_t;
')

create_chr_files_pattern($1, device_t, zero_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_create_zero_dev'($*)) dnl
')

########################################
## <summary>
##	Unconfined access to devices.
## </summary>
## <desc>
##	<p>
##	Adds the domain to the devices_unconfined_type attribute; the
##	rules carried by that attribute live in the devices module
##	and are not visible here, but by name they amount to blanket
##	device access. Treat a call to this interface as a
##	privilege-escalation review item.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_unconfined'($*)) dnl
gen_require(`
	attribute devices_unconfined_type;
')

typeattribute $1 devices_unconfined_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_unconfined'($*)) dnl
')

########################################
## <summary>
##	Dontaudit getattr on all device nodes.
## </summary>
## <desc>
##	<p>
##	Silences getattr denials on /dev itself and on every type
##	carrying the device_node attribute, for all classes in
##	dir_file_class_set. Nothing is granted; the usual caller is a
##	domain that stats the whole /dev tree (for example udev-style
##	scanners) and would otherwise be noisy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`dev_dontaudit_getattr_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_dontaudit_getattr_all'($*)) dnl
gen_require(`
	attribute device_node;
	type device_t;
')

dontaudit $1 { device_t device_node }:dir_file_class_set getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_dontaudit_getattr_all'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of the mei devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_getattr_mei',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_getattr_mei'($*)) dnl
gen_require(`
	type device_t, mei_device_t;
')

getattr_chr_files_pattern($1, device_t, mei_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_getattr_mei'($*)) dnl
')

########################################
## <summary>
##	Read the mei devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_mei',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_mei'($*)) dnl
gen_require(`
	type device_t, mei_device_t;
')

read_chr_files_pattern($1, device_t, mei_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_mei'($*)) dnl
')

########################################
## <summary>
##	Read and write to mei devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_mei',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_mei'($*)) dnl
gen_require(`
	type device_t, mei_device_t;
')

rw_chr_files_pattern($1, device_t, mei_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_mei'($*)) dnl
')

########################################
## <summary>
##	Read and write uhid devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_uhid_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_uhid_dev'($*)) dnl
gen_require(`
	type device_t, uhid_device_t;
')

rw_chr_files_pattern($1, device_t, uhid_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_uhid_dev'($*)) dnl
')

########################################
## <summary>
##	Allow read/write the hypervkvp device
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_hypervkvp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_hypervkvp'($*)) dnl
gen_require(`
	type device_t, hypervkvp_device_t;
')

rw_chr_files_pattern($1, device_t, hypervkvp_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_hypervkvp'($*)) dnl
')

########################################
## <summary>
##	Read the gpfs device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_gpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_gpfs'($*)) dnl
gen_require(`
	type device_t, gpfs_device_t;
')

read_chr_files_pattern($1, device_t, gpfs_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_gpfs'($*)) dnl
')

########################################
## <summary>
##	Read the gpiochip device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_read_gpio',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_read_gpio'($*)) dnl
gen_require(`
	type device_t, gpio_device_t;
')

read_chr_files_pattern($1, device_t, gpio_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_read_gpio'($*)) dnl
')

########################################
## <summary>
##	Allow read/write the hypervvssd device
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`dev_rw_hypervvssd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_rw_hypervvssd'($*)) dnl
gen_require(`
	type device_t, hypervvssd_device_t;
')

rw_chr_files_pattern($1, device_t, hypervvssd_device_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_rw_hypervvssd'($*)) dnl
')

########################################
## <summary>
##	Create named printer device nodes with the correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
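##	</summary>
## </param>
#
define(`dev_filetrans_printer_named_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `dev_filetrans_printer_named_dev'($*)) dnl
gen_require(`
	type device_t, printer_device_t;
')

# device_t is named in every transition below, so it must be declared in
# the require block: a module that calls this interface directly (rather
# than through dev_filetrans_all_named_dev, which requires device_t
# itself) would otherwise fail to link.
# Named transitions: irlpt0-9, lp0-9, par0-9 and usblp0-9 created by the
# domain in a device_t directory are labeled printer_device_t.
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp3")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par5")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `dev_filetrans_printer_named_dev'($*)) dnl
')

########################################
## <summary>
##	Create all named devices with the correct label
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.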
## ## # define(`dev_filetrans_all_named_dev',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_filetrans_all_named_dev'($*)) dnl gen_require(` type device_t; type acpi_device_t; type dma_device_t; type usb_device_t; type uhid_device_t; type sound_device_t; type apm_bios_t; type mouse_device_t; type autofs_device_t; type lvm_control_t; type crash_device_t; type dlm_control_device_t; type clock_device_t; type v4l_device_t; type vsock_device_t; type vmci_device_t; type vfio_device_t; type event_device_t; type xen_device_t; type framebuf_device_t; type null_device_t; type random_device_t; type dri_device_t; type hsa_device_t; type ipmi_device_t; type memory_device_t; type kmsg_device_t; type qemu_device_t; type ksm_device_t; type kvm_device_t; type sev_device_t; type lirc_device_t; type cpu_device_t; type scanner_device_t; type modem_device_t; type monitor_device_t; type vhost_device_t; type netcontrol_device_t; type nvram_device_t; type power_device_t; type opal_device_t; type wireless_device_t; type tpm_device_t; type userio_device_t; type urandom_device_t; type usbmon_device_t; type vmware_device_t; type watchdog_device_t; type crypt_device_t; type zero_device_t; type smartcard_device_t; type mtrr_device_t; type ecryptfs_device_t; type mptctl_device_t; type hypervkvp_device_t; type hypervvssd_device_t; type gpfs_device_t; type gpio_device_t; type cachefiles_device_t; ') dev_filetrans_printer_named_dev($1) filetrans_pattern($1, device_t, acpi_device_t, chr_file, "acpi_thermal_rel") filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi5") 
filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi9") filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp9") filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload9") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi4") filetrans_pattern($1, 
device_t, sound_device_t, chr_file, "amidi5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi9") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer9") filetrans_pattern($1, device_t, apm_bios_t, chr_file, "apm_bios") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "atibm") filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio9") filetrans_pattern($1, device_t, ecryptfs_device_t, chr_file, "ecryptfs") filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs0") filetrans_pattern($1, device_t, 
autofs_device_t, chr_file, "autofs1") filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs2") filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs3") filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs4") filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs5") filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs6") filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs7") filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs8") filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs9") filetrans_pattern($1, device_t, sound_device_t, chr_file, "beep") filetrans_pattern($1, device_t, lvm_control_t, chr_file, "btrfs-control") filetrans_pattern($1, device_t, cachefiles_device_t, chr_file, "cachefiles") filetrans_pattern($1, device_t, crash_device_t, chr_file, "crash") filetrans_pattern($1, device_t, acpi_device_t, chr_file, "dell-smbios") filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm0") filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm1") filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm2") filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm3") filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm4") filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm5") filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm6") filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm7") filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm8") filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm9") # Note this file path is /dev/dma_heap/system filetrans_pattern($1, device_t, dma_device_t, chr_file, "system") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmfm") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi1") 
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi9") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp9") filetrans_pattern($1, device_t, clock_device_t, chr_file, "efirtc") filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp0") filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp1") filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp2") filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp3") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "e2201") filetrans_pattern($1, device_t, vfio_device_t, chr_file, "vfio") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83000") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83001") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83002") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83003") filetrans_pattern($1, device_t, v4l_device_t, chr_file, 
"em83004") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83005") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83006") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83007") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83008") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83009") filetrans_pattern($1, device_t, vsock_device_t, chr_file, "vsock") filetrans_pattern($1, device_t, vmci_device_t, chr_file, "vmci") filetrans_pattern($1, device_t, event_device_t, chr_file, "event0") filetrans_pattern($1, device_t, event_device_t, chr_file, "event1") filetrans_pattern($1, device_t, event_device_t, chr_file, "event2") filetrans_pattern($1, device_t, event_device_t, chr_file, "event3") filetrans_pattern($1, device_t, event_device_t, chr_file, "event4") filetrans_pattern($1, device_t, event_device_t, chr_file, "event5") filetrans_pattern($1, device_t, event_device_t, chr_file, "event6") filetrans_pattern($1, device_t, event_device_t, chr_file, "event7") filetrans_pattern($1, device_t, event_device_t, chr_file, "event8") filetrans_pattern($1, device_t, event_device_t, chr_file, "event9") filetrans_pattern($1, device_t, event_device_t, chr_file, "event10") filetrans_pattern($1, device_t, event_device_t, chr_file, "event11") filetrans_pattern($1, device_t, event_device_t, chr_file, "event12") filetrans_pattern($1, device_t, event_device_t, chr_file, "event13") filetrans_pattern($1, device_t, event_device_t, chr_file, "event14") filetrans_pattern($1, device_t, event_device_t, chr_file, "event15") filetrans_pattern($1, device_t, event_device_t, chr_file, "event16") filetrans_pattern($1, device_t, event_device_t, chr_file, "event17") filetrans_pattern($1, device_t, event_device_t, chr_file, "event18") filetrans_pattern($1, device_t, event_device_t, chr_file, "event19") filetrans_pattern($1, device_t, event_device_t, chr_file, "event20") filetrans_pattern($1, device_t, event_device_t, chr_file, "event21") 
filetrans_pattern($1, device_t, event_device_t, chr_file, "event22") filetrans_pattern($1, device_t, event_device_t, chr_file, "event23") filetrans_pattern($1, device_t, event_device_t, chr_file, "event24") filetrans_pattern($1, device_t, event_device_t, chr_file, "event25") filetrans_pattern($1, device_t, event_device_t, chr_file, "event26") filetrans_pattern($1, device_t, event_device_t, chr_file, "event27") filetrans_pattern($1, device_t, event_device_t, chr_file, "event28") filetrans_pattern($1, device_t, event_device_t, chr_file, "event29") filetrans_pattern($1, device_t, event_device_t, chr_file, "event30") filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn") filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0") filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1") filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb2") filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb3") filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb4") filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb5") filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb6") filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb7") filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb8") filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb9") filetrans_pattern($1, device_t, null_device_t, chr_file, "full") filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw0") filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw1") filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw2") filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw3") filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw4") filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw5") filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw6") filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw7") filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw8") 
filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw9") filetrans_pattern($1, device_t, usb_device_t, chr_file, "000") filetrans_pattern($1, device_t, usb_device_t, chr_file, "001") filetrans_pattern($1, device_t, usb_device_t, chr_file, "002") filetrans_pattern($1, device_t, usb_device_t, chr_file, "003") filetrans_pattern($1, device_t, usb_device_t, chr_file, "004") filetrans_pattern($1, device_t, usb_device_t, chr_file, "005") filetrans_pattern($1, device_t, usb_device_t, chr_file, "006") filetrans_pattern($1, device_t, usb_device_t, chr_file, "007") filetrans_pattern($1, device_t, usb_device_t, chr_file, "008") filetrans_pattern($1, device_t, usb_device_t, chr_file, "009") filetrans_pattern($1, device_t, usb_device_t, chr_file, "010") filetrans_pattern($1, device_t, usb_device_t, chr_file, "011") filetrans_pattern($1, device_t, usb_device_t, chr_file, "012") filetrans_pattern($1, device_t, usb_device_t, chr_file, "013") filetrans_pattern($1, device_t, usb_device_t, chr_file, "014") filetrans_pattern($1, device_t, usb_device_t, chr_file, "015") filetrans_pattern($1, device_t, usb_device_t, chr_file, "016") filetrans_pattern($1, device_t, usb_device_t, chr_file, "017") filetrans_pattern($1, device_t, usb_device_t, chr_file, "018") filetrans_pattern($1, device_t, usb_device_t, chr_file, "019") filetrans_pattern($1, device_t, usb_device_t, chr_file, "020") filetrans_pattern($1, device_t, usb_device_t, chr_file, "021") filetrans_pattern($1, device_t, usb_device_t, chr_file, "022") filetrans_pattern($1, device_t, usb_device_t, chr_file, "023") filetrans_pattern($1, device_t, usb_device_t, chr_file, "024") filetrans_pattern($1, device_t, usb_device_t, chr_file, "025") filetrans_pattern($1, device_t, usb_device_t, chr_file, "026") filetrans_pattern($1, device_t, usb_device_t, chr_file, "027") filetrans_pattern($1, device_t, usb_device_t, chr_file, "028") filetrans_pattern($1, device_t, usb_device_t, chr_file, "029") filetrans_pattern($1, device_t, 
clock_device_t, chr_file, "gtrsc0") filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc1") filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc2") filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc3") filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc4") filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc5") filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc6") filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc7") filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc8") filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc9") filetrans_pattern($1, device_t, sound_device_t, chr_file, "hfmodem") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev0") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev1") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev2") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev3") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev4") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev5") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev6") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev7") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev8") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev9") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw0") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw1") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw2") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw3") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw4") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw5") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw6") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw7") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw8") 
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw9") filetrans_pattern($1, device_t, clock_device_t, chr_file, "hpet") filetrans_pattern($1, device_t, random_device_t, chr_file, "hw_random") filetrans_pattern($1, device_t, random_device_t, chr_file, "hwrng") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "isst_interface") filetrans_pattern($1, device_t, dri_device_t, chr_file, "i915") filetrans_pattern($1, device_t, hsa_device_t, chr_file, "kfd") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "inportbm") filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi0") filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi1") filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi2") filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi3") filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi4") filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi5") filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi6") filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi7") filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi8") filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi9") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "jbm") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js0") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js1") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js2") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js3") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js4") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js5") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js6") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js7") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js8") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js9") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse0") 
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse1") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse2") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse3") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse4") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse5") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse6") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse7") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse8") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse9") filetrans_pattern($1, device_t, memory_device_t, chr_file, "kmem") filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mptctl") filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt0ctl") filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt1ctl") filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt2ctl") filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt3ctl") filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt4ctl") filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt5ctl") filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt6ctl") filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt7ctl") filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt8ctl") filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt9ctl") filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "kmsg") filetrans_pattern($1, device_t, qemu_device_t, chr_file, "kqemu") filetrans_pattern($1, device_t, ksm_device_t, chr_file, "ksm") filetrans_pattern($1, device_t, kvm_device_t, chr_file, "kvm") filetrans_pattern($1, device_t, sev_device_t, chr_file, "sev") filetrans_pattern($1, device_t, event_device_t, chr_file, "lik0") filetrans_pattern($1, device_t, event_device_t, chr_file, "lik1") filetrans_pattern($1, device_t, event_device_t, chr_file, "lik2") filetrans_pattern($1, device_t, 
event_device_t, chr_file, "lik3") filetrans_pattern($1, device_t, event_device_t, chr_file, "lik4") filetrans_pattern($1, device_t, event_device_t, chr_file, "lik5") filetrans_pattern($1, device_t, event_device_t, chr_file, "lik6") filetrans_pattern($1, device_t, event_device_t, chr_file, "lik7") filetrans_pattern($1, device_t, event_device_t, chr_file, "lik8") filetrans_pattern($1, device_t, event_device_t, chr_file, "lik9") filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc0") filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc1") filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc2") filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc3") filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc4") filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc5") filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc6") filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc7") filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc8") filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc9") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "lircm") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "logibm") filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog") filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem") filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mice") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "microcode") filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi5") filetrans_pattern($1, device_t, 
sound_device_t, chr_file, "midi6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi9") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer9") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mmetfgrab") filetrans_pattern($1, device_t, modem_device_t, chr_file, "modem") filetrans_pattern($1, device_t, monitor_device_t, chr_file, "monwriter") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4010") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4011") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4012") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4013") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4014") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4015") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4016") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4017") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4018") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4019") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr0") filetrans_pattern($1, device_t, cpu_device_t, 
chr_file, "msr1") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr2") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr3") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr4") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr5") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr6") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr7") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr8") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr9") filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost") filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_latency") filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_throughput") filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz0") filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz1") filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz2") filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz3") filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz4") filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz5") filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz6") filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz7") filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz8") filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz9") filetrans_pattern($1, device_t, null_device_t, chr_file, "null") filetrans_pattern($1, device_t, nvram_device_t, chr_file, "nvram") filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "pc110pad") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock0") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock1") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock2") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock3") 
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock4") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock5") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock6") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock7") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock8") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock9") filetrans_pattern($1, device_t, power_device_t, chr_file, "pmu") filetrans_pattern($1, device_t, opal_device_t, chr_file, "op_panel") filetrans_pattern($1, device_t, opal_device_t, chr_file, "opal-prd") filetrans_pattern($1, device_t, memory_device_t, chr_file, "port") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps0") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps1") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps2") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps3") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps4") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps5") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps6") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps7") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps8") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps9") filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi8") filetrans_pattern($1, device_t, 
sound_device_t, chr_file, "rmidi9") filetrans_pattern($1, device_t, dri_device_t, chr_file, "radeon") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio0") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio1") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio2") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio3") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio4") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio5") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio6") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio7") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio8") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio9") filetrans_pattern($1, device_t, random_device_t, chr_file, "random") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13940") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13941") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13942") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13943") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13944") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13945") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13946") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13947") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13948") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13949") filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm0") filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm1") filetrans_pattern($1, device_t, wireless_device_t, chr_file, "rfkill") filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer") filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte0") filetrans_pattern($1, device_t, sound_device_t, chr_file, 
"smpte1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte9") filetrans_pattern($1, device_t, power_device_t, chr_file, "smu") filetrans_pattern($1, device_t, apm_bios_t, chr_file, "snapshot") filetrans_pattern($1, device_t, sound_device_t, chr_file, "sndstat") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "sonypi") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm0") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm1") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm2") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm3") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm4") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm5") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm6") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm7") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm8") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm9") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm0") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm1") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm2") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm3") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm4") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm5") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm6") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm7") 
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm8") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm9") filetrans_pattern($1, device_t, random_device_t, chr_file, "trng") filetrans_pattern($1, device_t, dma_device_t, chr_file, "udmabuf") filetrans_pattern($1, device_t, event_device_t, chr_file, "uinput") filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio0") filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio1") filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio2") filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio3") filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio4") filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio5") filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio6") filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio7") filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio8") filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio9") filetrans_pattern($1, device_t, urandom_device_t, chr_file, "urandom") filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb0") filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb1") filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb2") filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb3") filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb4") filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb5") filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb6") filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb7") filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb8") filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon0") filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon1") filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon2") filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon3") filetrans_pattern($1, device_t, usbmon_device_t, chr_file, 
"usbmon4") filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon5") filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon6") filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon7") filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon8") filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon9") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "usbscanner") filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-net") filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-0") filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-1") filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-2") filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-3") filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-4") filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-5") filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-6") filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-7") filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vsock") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi0") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi1") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi2") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi3") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi4") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi5") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi6") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi7") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi8") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi9") filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmmon") filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet0") filetrans_pattern($1, device_t, vmware_device_t, 
chr_file, "vmnet1") filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet2") filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet3") filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet4") filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet5") filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet6") filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet7") filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet8") filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet9") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media0") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media1") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media2") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media3") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media4") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media5") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media6") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media7") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media8") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media9") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video0") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video1") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video2") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video3") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video4") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video5") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video6") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video7") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video8") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video9") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "vrtpanel") filetrans_pattern($1, device_t, 
v4l_device_t, chr_file, "vttuner") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx0") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx1") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx2") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx3") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx4") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx5") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx6") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx7") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx8") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx9") filetrans_pattern($1, device_t, watchdog_device_t, chr_file, "watchdog") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio0") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio1") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio2") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio3") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio4") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio5") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio6") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio7") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio8") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio9") filetrans_pattern($1, device_t, crypt_device_t, chr_file, "z90crypt") filetrans_pattern($1, device_t, crypt_device_t, chr_file, "pkey") filetrans_pattern($1, device_t, zero_device_t, chr_file, "zero") filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx0") filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx1") filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx2") filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx3") filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx4") 
filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx5") filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx6") filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx7") filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx8") filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx9") filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "cpu_dma_latency") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu0") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu1") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu2") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu3") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu4") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu5") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu6") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu7") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu8") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu9") filetrans_pattern($1, device_t, mtrr_device_t, chr_file, "mtrr") filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor0") filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor1") filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor2") filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor3") filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor4") filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor5") filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor6") filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor7") filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor8") filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor9") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m0") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m1") filetrans_pattern($1, device_t, 
mouse_device_t, chr_file, "m2") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m3") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m4") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m5") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m6") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m7") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m8") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m9") filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard0") filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard1") filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard2") filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard3") filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard4") filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard5") filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard6") filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard7") filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard8") filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard9") filetrans_pattern($1, device_t, lvm_control_t, chr_file, "control") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "ucb1x00") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mk712") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx0") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx1") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx2") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx3") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx4") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx5") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx6") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx7") filetrans_pattern($1, device_t, 
scanner_device_t, chr_file, "dc2xx8") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx9") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8000") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8001") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8002") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8003") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8004") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8005") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8006") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8007") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8008") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8009") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner0") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner1") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner2") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner3") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner4") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner5") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner6") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner7") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner8") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner9") filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap0") filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap1") filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap2") filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap3") filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap4") filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap5") filetrans_pattern($1, device_t, xen_device_t, chr_file, 
"blktap6") filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap7") filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap8") filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9") filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev") filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc") filetrans_pattern($1, device_t, xen_device_t, chr_file, "privcmd") filetrans_pattern($1, device_t, xen_device_t, chr_file, "xenbus") filetrans_pattern($1, device_t, xen_device_t, chr_file, "xenbus_backend") filetrans_pattern($1, device_t, xen_device_t, chr_file, "hypercall") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC9") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC10") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC11") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC12") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC13") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC14") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC15") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC16") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC17") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC18") 
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC19") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC20") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC21") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC22") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC23") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC24") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC25") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC26") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC27") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC28") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC29") filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd7") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk0") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk1") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk2") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk3") filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba") filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb") filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc") filetrans_pattern($1, device_t, uhid_device_t, chr_file, "uhid") filetrans_pattern($1, 
device_t, hypervkvp_device_t, chr_file, "hv_kvp") filetrans_pattern($1, device_t, hypervvssd_device_t, chr_file, "hv_vss") filetrans_pattern($1, device_t, gpfs_device_t, chr_file, "ss0") filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip0") filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip1") filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip2") dev_filetrans_xserver_named_dev($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_filetrans_all_named_dev'($*)) dnl ') ######################################## ## ## Create all named devices with the correct label ## ## ## ## Domain allowed access. ## ## # define(`dev_filetrans_xserver_named_dev',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `dev_filetrans_xserver_named_dev'($*)) dnl gen_require(` type xserver_misc_device_t; ') filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "3dfx") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "controlD64") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "gfx") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "graphics") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid0") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid1") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid2") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid3") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid4") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid5") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid6") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid7") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid8") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid9") 
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia0") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia1") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia2") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia3") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia4") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia5") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia6") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia7") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia8") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia9") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidiactl") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia-uvm") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "opengl") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox0") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox1") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox2") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox3") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox4") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox5") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox6") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox7") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox8") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox9") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vga_arbiter") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card0") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card1") filetrans_pattern($1, device_t, 
xserver_misc_device_t, chr_file, "card2") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card3") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card4") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card5") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card6") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8") filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `dev_filetrans_xserver_named_dev'($*)) dnl ') ## Core policy for domains. ## ## Contains the concept of a domain. ## ######################################## ## ## Make the specified type usable as a basic domain. ## ## ##

## Make the specified type usable as a basic domain. ##

##

##	This is primarily used for kernel threads;
##	generally the domain_type() interface is
##	more appropriate for userland processes.
##

##
## <param name="domain">
##	<summary>
##	Type to be used as a basic domain type.
##	</summary>
## </param>
#
define(`domain_base_type',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_base_type'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Only membership in the domain attribute is granted here. The
	# unlabeled-packet rule that domain_type() adds is deliberately absent,
	# which is why this variant is primarily used for kernel threads (see
	# the description above).
	typeattribute $1 domain;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_base_type'($*)) dnl
')

########################################
## <summary>
##	Make the specified type usable as a domain.
## </summary>
## <desc>
##	<p>

## Make the specified type usable as a domain. This, ## or an interface that calls this interface, must be ## used on all types that are used as domains. ##

##

## Related interfaces: ##

##
    ##
  • application_domain()
  • ##
  • init_daemon_domain()
  • ##
  • init_domain()
  • ##
  • init_ranged_daemon_domain()
  • ##
  • init_ranged_domain()
  • ##
  • init_ranged_system_domain()
  • ##
  • init_script_domain()
  • ##
  • init_system_domain()
  • ##
##

## Example: ##

##

##	type mydomain_t;
##	domain_type(mydomain_t)
##	type myfile_t;
##	files_type(myfile_t)
##	allow mydomain_t myfile_t:file read_file_perms;
##

##
## <param name="domain">
##	<summary>
##	Type to be used as a domain type.
##	</summary>
## </param>
#
define(`domain_type',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_type'($*)) dnl
	# start with basic domain
	domain_base_type($1)

	# Only way to get corenet_unlabeled packets disabled to work
	corenet_all_recvfrom_unlabeled($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_type'($*)) dnl
')

########################################
## <summary>
##	Make the specified type usable as
##	an entry point for the domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to be entered.
##	</summary>
## </param>
## <param name="type">
##	<summary>
##	Type of program used for entering
##	the domain.
##	</summary>
## </param>
#
define(`domain_entry_file',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_entry_file'($*)) dnl
	gen_require(`
		attribute entry_type;
	')

	# entrypoint is what lets a transition into $1 go through a file of
	# type $2. Every type passed here is another way into the domain, so
	# keep $2 to the program(s) that genuinely start it.
	allow $1 $2:file entrypoint;
	allow $1 $2:file { mmap_exec_file_perms ioctl lock };

	typeattribute $2 entry_type;
	corecmd_executable_file($2)

	#optional_policy(`
	#	unconfined_exec_typebounds($2)
	#')
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_entry_file'($*)) dnl
')

########################################
## <summary>
##	Make the file descriptors of the specified
##	domain for interactive use (widely inheritable)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`domain_interactive_fd',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_interactive_fd'($*)) dnl
	gen_require(`
		attribute privfd;
	')

	# privfd is the attribute matched by domain_use_interactive_fds(): any
	# domain granted that interface may inherit and use $1's descriptors
	# (not the objects behind them).
	typeattribute $1 privfd;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_interactive_fd'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to perform
##	dynamic transitions.
## </summary>
## <desc>
##	<p>

## Allow the specified domain to perform ## dynamic transitions. ##

##

## This violates process tranquility, and it ## is strongly suggested that this not be used. ##

##
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`domain_dyntrans_type',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_dyntrans_type'($*)) dnl
	gen_require(`
		attribute set_curr_context;
	')

	# set_curr_context lets a process of type $1 change its own context
	# without going through an executable entry point; the description
	# above explains why this is discouraged.
	typeattribute $1 set_curr_context;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_dyntrans_type'($*)) dnl
')

########################################
## <summary>
##	Makes caller an exception to the constraint
##	preventing changing to the system user
##	identity and system role.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`domain_system_change_exemption',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_system_change_exemption'($*)) dnl
	gen_require(`
		attribute can_system_change;
	')

	# Opts $1 out of the constraint that blocks changing to the system
	# user and system role; keep the set of such domains small.
	typeattribute $1 can_system_change;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_system_change_exemption'($*)) dnl
')

########################################
## <summary>
##	Makes caller an exception to the constraint preventing
##	changing of user identity.
## </summary>
## <param name="domain">
##	<summary>
##	The process type to make an exception to the constraint.
##	</summary>
## </param>
#
define(`domain_subj_id_change_exemption',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_subj_id_change_exemption'($*)) dnl
	gen_require(`
		attribute can_change_process_identity;
	')

	# Opts $1 out of the constraint that blocks changing the process
	# user identity.
	typeattribute $1 can_change_process_identity;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_subj_id_change_exemption'($*)) dnl
')

########################################
## <summary>
##	Makes caller an exception to the constraint preventing
##	changing of role.
## </summary>
## <param name="domain">
##	<summary>
##	The process type to make an exception to the constraint.
##	</summary>
## </param>
#
define(`domain_role_change_exemption',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_role_change_exemption'($*)) dnl
	gen_require(`
		attribute can_change_process_role;
	')

	# Opts $1 out of the constraint that blocks changing the process role.
	typeattribute $1 can_change_process_role;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_role_change_exemption'($*)) dnl
')

########################################
## <summary>
##	Makes caller an exception to the constraint preventing
##	changing the user identity in object contexts.
## </summary>
## <param name="domain">
##	<summary>
##	The process type to make an exception to the constraint.
##	</summary>
## </param>
#
define(`domain_obj_id_change_exemption',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_obj_id_change_exemption'($*)) dnl
	gen_require(`
		attribute can_change_object_identity;
	')

	# Opts $1 out of the constraint that blocks changing the user identity
	# of objects (not of the process itself).
	typeattribute $1 can_change_object_identity;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_obj_id_change_exemption'($*)) dnl
')

########################################
## <summary>
##	Make the specified domain the target of
##	the user domain exception of the
##	SELinux role and identity change
##	constraints.
## </summary>
## <desc>
##	<p>

## Make the specified domain the target of ## the user domain exception of the ## SELinux role and identity change ## constraints. ##

##

## This interface is needed to decouple ## the user domains from the base module. ## It should not be used other than on ## user domains. ##

##
## <param name="domain">
##	<summary>
##	Domain target for user exemption.
##	</summary>
## </param>
#
define(`domain_user_exemption_target',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_user_exemption_target'($*)) dnl
	gen_require(`
		attribute process_user_target;
	')

	# process_user_target marks $1 as the target side of the user-domain
	# exception; the description above limits its use to user domains.
	typeattribute $1 process_user_target;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_user_exemption_target'($*)) dnl
')

########################################
## <summary>
##	Make the specified domain the source of
##	the cron domain exception of the
##	SELinux role and identity change
##	constraints.
## </summary>
## <desc>
##	<p>

## Make the specified domain the source of ## the cron domain exception of the ## SELinux role and identity change ## constraints. ##

##

## This interface is needed to decouple ## the cron domains from the base module. ## It should not be used other than on ## cron domains. ##

##
## <param name="domain">
##	<summary>
##	Domain source for the cron exemption.
##	</summary>
## </param>
#
define(`domain_cron_exemption_source',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_cron_exemption_source'($*)) dnl
	gen_require(`
		attribute cron_source_domain;
	')

	# cron_source_domain marks $1 as the source side of the cron exception;
	# the description above limits its use to cron domains.
	typeattribute $1 cron_source_domain;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_cron_exemption_source'($*)) dnl
')

########################################
## <summary>
##	Make the specified domain the target of
##	the cron domain exception of the
##	SELinux role and identity change
##	constraints.
## </summary>
## <desc>
##	<p>

## Make the specified domain the target of ## the cron domain exception of the ## SELinux role and identity change ## constraints. ##

##

## This interface is needed to decouple ## the cron domains from the base module. ## It should not be used other than on ## user cron jobs. ##

##
## <param name="domain">
##	<summary>
##	Domain target for the cron exemption.
##	</summary>
## </param>
#
define(`domain_cron_exemption_target',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_cron_exemption_target'($*)) dnl
	gen_require(`
		attribute cron_job_domain;
	')

	# cron_job_domain marks $1 as the target side of the cron exception;
	# the description above limits its use to user cron jobs.
	typeattribute $1 cron_job_domain;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_cron_exemption_target'($*)) dnl
')

########################################
## <summary>
##	Inherit and use file descriptors from
##	domains with interactive programs.
## </summary>
## <desc>
##	<p>

## Allow the specified domain to inherit and use file ## descriptors from domains with interactive programs. ## This does not allow access to the objects being referenced ## by the file descriptors. ##

##
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`domain_use_interactive_fds',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_use_interactive_fds'($*)) dnl
	gen_require(`
		attribute privfd;
	')

	# fd use only: the objects the descriptors refer to still need their
	# own rules (see the description above).
	allow $1 privfd:fd use;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_use_interactive_fds'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to inherit file
##	descriptors from domains with interactive
##	programs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`domain_dontaudit_use_interactive_fds',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_dontaudit_use_interactive_fds'($*)) dnl
	gen_require(`
		attribute privfd;
	')

	# Silences the denial; nothing is granted. Use
	# domain_use_interactive_fds() when the access is actually wanted.
	dontaudit $1 privfd:fd use;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_dontaudit_use_interactive_fds'($*)) dnl
')

########################################
## <summary>
##	Send a SIGCHLD signal to domains whose file
##	descriptors are widely inheritable.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: this was added because of newrole
define(`domain_sigchld_interactive_fds',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_sigchld_interactive_fds'($*)) dnl
	gen_require(`
		attribute privfd;
	')

	allow $1 privfd:process sigchld;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_sigchld_interactive_fds'($*)) dnl
')

########################################
## <summary>
##	Set the nice level of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`domain_setpriority_all_domains',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_setpriority_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# setsched against the domain attribute reaches every process on the
	# system, not just the caller's children.
	allow $1 domain:process setsched;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_setpriority_all_domains'($*)) dnl
')

########################################
## <summary>
##	Send general signals to all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`domain_signal_all_domains',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_signal_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Generic signals only; sigkill, sigstop, sigchld and signull each
	# have their own interface below.
	allow $1 domain:process signal;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_signal_all_domains'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send general
##	signals to all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`domain_dontaudit_signal_all_domains',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_dontaudit_signal_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Silences the denial; nothing is granted.
	dontaudit $1 domain:process signal;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_dontaudit_signal_all_domains'($*)) dnl
')

########################################
## <summary>
##	Send a null signal to all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`domain_signull_all_domains',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_signull_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# signull is the existence check (signal 0); it delivers nothing but
	# reveals which pids are alive across every domain.
	allow $1 domain:process signull;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_signull_all_domains'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send
##	signulls to all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`domain_dontaudit_signull_all_domains',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_dontaudit_signull_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Silences the denial; nothing is granted.
	dontaudit $1 domain:process signull;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_dontaudit_signull_all_domains'($*)) dnl
')

########################################
## <summary>
##	Send a stop signal to all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`domain_sigstop_all_domains',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_sigstop_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Lets $1 suspend any process on the system.
	allow $1 domain:process sigstop;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_sigstop_all_domains'($*)) dnl
')

########################################
## <summary>
##	Send a child terminated signal to all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`domain_sigchld_all_domains',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_sigchld_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	allow $1 domain:process sigchld;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_sigchld_all_domains'($*)) dnl
')

########################################
## <summary>
##	Send a kill signal to all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`domain_kill_all_domains',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_kill_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# sigkill against every domain, plus CAP_KILL on the caller itself so
	# the kill is presumably not limited to same-UID processes — TODO
	# confirm every caller really needs the capability as well.
	allow $1 domain:process sigkill;
	allow $1 self:capability kill;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_kill_all_domains'($*)) dnl
')

########################################
## <summary>
##	Destroy all domains' semaphores
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`domain_destroy_all_semaphores',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_destroy_all_semaphores'($*)) dnl
	gen_require(`
		attribute domain;
	')

	allow $1 domain:sem destroy;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_destroy_all_semaphores'($*)) dnl
')

########################################
## <summary>
##	Search the process state directory (/proc/pid) of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`domain_search_all_domains_state',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_search_all_domains_state'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# kernel_search_proc() covers /proc itself; the dir rule covers the
	# per-process directories, which carry the owning domain's type.
	kernel_search_proc($1)
	allow $1 domain:dir search_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_search_all_domains_state'($*)) dnl
')

########################################
## <summary>
##	Allow read and view of process kernel keyrings
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`domain_read_view_all_domains_keyrings',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_read_view_all_domains_keyrings'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# read and view on every domain's keys. Kernel keyrings commonly hold
	# credentials, so callers should be limited to key-management tooling.
	allow $1 domain:key { read view};
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_read_view_all_domains_keyrings'($*)) dnl
')

########################################
## <summary>
##	Allow read and write of process kernel keyrings
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`domain_rw_all_domains_keyrings',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_rw_all_domains_keyrings'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# write on every domain's keys lets the caller alter other domains'
	# credentials, not just observe them.
	allow $1 domain:key { read write};
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_rw_all_domains_keyrings'($*)) dnl
')

########################################
## <summary>
##	Allow manage of process kernel keyrings
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`domain_manage_all_domains_keyrings',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_manage_all_domains_keyrings'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Full key management over every domain's keyrings.
	allow $1 domain:key manage_key_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_manage_all_domains_keyrings'($*)) dnl
')

########################################
## <summary>
##	Dontaudit search of process kernel keyrings
## </summary>
## <param name="domain">
##	<summary>
##	Domain to dontaudit.
##	</summary>
## </param>
#
define(`domain_dontaudit_search_all_domains_keyrings',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_dontaudit_search_all_domains_keyrings'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Silences the denial; nothing is granted.
	dontaudit $1 domain:key search;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_dontaudit_search_all_domains_keyrings'($*)) dnl
')

########################################
## <summary>
##	Dontaudit link of process kernel keyrings
## </summary>
## <param name="domain">
##	<summary>
##	Domain to dontaudit.
##	</summary>
## </param>
#
define(`domain_dontaudit_link_all_domains_keyrings',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_dontaudit_link_all_domains_keyrings'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Silences the denial; nothing is granted.
	dontaudit $1 domain:key link;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_dontaudit_link_all_domains_keyrings'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to search the process
##	state directory (/proc/pid) of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`domain_dontaudit_search_all_domains_state',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_dontaudit_search_all_domains_state'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Silences the denial; nothing is granted.
	dontaudit $1 domain:dir search_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_dontaudit_search_all_domains_state'($*)) dnl
')

########################################
## <summary>
##	Read the process state (/proc/pid) of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`domain_read_all_domains_state',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_read_all_domains_state'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Listing plus file and symlink reads over every domain's /proc/pid
	# tree. If reads of environ produce ptrace denials, see the description
	# of domain_dontaudit_ptrace_all_domains().
	kernel_search_proc($1)
	allow $1 domain:dir list_dir_perms;
	read_files_pattern($1, domain, domain)
	read_lnk_files_pattern($1, domain, domain)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_read_all_domains_state'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`domain_getattr_all_domains',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_getattr_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	allow $1 domain:process getattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_getattr_all_domains'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`domain_dontaudit_getattr_all_domains',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Silences the denial; nothing is granted.
	dontaudit $1 domain:process getattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_domains'($*)) dnl
')

########################################
## <summary>
##	Read the process state (/proc/pid) of all confined domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`domain_read_confined_domains_state',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_read_confined_domains_state'($*)) dnl
	gen_require(`
		attribute domain, unconfined_domain_type;
	')

	# Unconfined domains are carved out of every allow rule below and the
	# resulting denials are silenced, so the caller sees only confined
	# process state without generating audit noise for the rest.
	kernel_search_proc($1)
	allow $1 { domain -unconfined_domain_type }:dir list_dir_perms;
	read_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type })
	read_lnk_files_pattern($1, { domain -unconfined_domain_type }, { domain -unconfined_domain_type })

	dontaudit $1 unconfined_domain_type:dir search_dir_perms;
	dontaudit $1 unconfined_domain_type:file read_file_perms;
	dontaudit $1 unconfined_domain_type:lnk_file read_lnk_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_read_confined_domains_state'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of all confined domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`domain_getattr_confined_domains',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_getattr_confined_domains'($*)) dnl
	gen_require(`
		attribute domain, unconfined_domain_type;
	')

	# Same carve-out as domain_read_confined_domains_state().
	allow $1 { domain -unconfined_domain_type }:process getattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_getattr_confined_domains'($*)) dnl
')

########################################
## <summary>
##	Ptrace all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`domain_ptrace_all_domains',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_ptrace_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# ptrace over every domain is one of the broadest rules in the policy:
	# a tracer can effectively act with the traced domain's access. Keep
	# this to debugging and auditing tools.
	allow $1 domain:process ptrace;
	# Reverse rule so traced domains can deliver sigchld to the tracer.
	allow domain $1:process sigchld;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_ptrace_all_domains'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to ptrace all domains.
## </summary>
## <desc>
##	<p>

## Do not audit attempts to ptrace all domains. ##

##

## Generally this needs to be suppressed because procps tries to access ## /proc/pid/environ and this now triggers a ptrace check in recent kernels ## (2.4 and 2.6). ##

##
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`domain_dontaudit_ptrace_all_domains',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_dontaudit_ptrace_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Silences the denial only; no ptrace access is granted.
	dontaudit $1 domain:process ptrace;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_dontaudit_ptrace_all_domains'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to ptrace confined domains.
## </summary>
## <desc>
##	<p>

## Do not audit attempts to ptrace confined domains. ##

##

## Generally this needs to be suppressed because procps tries to access ## /proc/pid/environ and this now triggers a ptrace check in recent kernels ## (2.4 and 2.6). ##

##
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`domain_dontaudit_ptrace_confined_domains',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_dontaudit_ptrace_confined_domains'($*)) dnl
	gen_require(`
		attribute domain, unconfined_domain_type;
	')

	# Silences the denial only, and only for confined domains; denials
	# against unconfined domains remain visible in the audit log.
	dontaudit $1 { domain -unconfined_domain_type }:process ptrace;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_dontaudit_ptrace_confined_domains'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read the process
##	state (/proc/pid) of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`domain_dontaudit_read_all_domains_state',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_dontaudit_read_all_domains_state'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Silences the denials; nothing is granted.
	dontaudit $1 domain:dir list_dir_perms;
	dontaudit $1 domain:lnk_file read_lnk_file_perms;
	dontaudit $1 domain:file read_file_perms;

	# cjp: these should be removed:
	dontaudit $1 domain:sock_file read_sock_file_perms;
	dontaudit $1 domain:fifo_file read_fifo_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_dontaudit_read_all_domains_state'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read the process state
##	directories of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`domain_dontaudit_list_all_domains_state',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `domain_dontaudit_list_all_domains_state'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Silences the denial; nothing is granted.
	dontaudit $1 domain:dir list_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `domain_dontaudit_list_all_domains_state'($*)) dnl
')

########################################
## <summary>
##	Get the session ID of all domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##
#
define(`domain_getsession_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_getsession_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Read-only process introspection: query the session ID of any process.
	allow $1 domain:process getsession;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_getsession_all_domains'($*)) dnl
')

########################################
##
## Do not audit attempts to get the
## session ID of all domains.
##
## Parameter: domain - Domain to not audit.
#
define(`domain_dontaudit_getsession_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getsession_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Suppresses the audit record only; the access remains denied.
	dontaudit $1 domain:process getsession;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getsession_all_domains'($*)) dnl
')

########################################
##
## Get the process group ID of all domains.
##
## Parameter: domain - Domain allowed access.
#
define(`domain_getpgid_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_getpgid_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Read-only process introspection: query the process group of any process.
	allow $1 domain:process getpgid;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_getpgid_all_domains'($*)) dnl
')

########################################
##
## Get the scheduler information of all domains.
##
## Parameter: domain - Domain allowed access.
##
#
define(`domain_getsched_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_getsched_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Read-only: query scheduling policy/priority of any process.  Changing
	# them would need setsched, which this interface does not grant.
	allow $1 domain:process getsched;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_getsched_all_domains'($*)) dnl
')

########################################
##
## Get the capability information of all domains.
##
## Parameter: domain - Domain allowed access.
#
define(`domain_getcap_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_getcap_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Read-only: inspect the capability sets of any process.
	allow $1 domain:process getcap;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_getcap_all_domains'($*)) dnl
')

########################################
##
## Get the attributes of all domains
## sockets, for all socket types.
##
##

## Get the attributes of all domains ## sockets, for all socket types. ##

##

## This is commonly used for domains ## that can use lsof on all domains. ##

##
##
## Parameter: domain - Domain allowed access.
#
define(`domain_getattr_all_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_getattr_all_sockets'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# getattr across every socket class of every domain (lsof-style
	# enumeration).  Metadata only: no read/write on the sockets themselves.
	allow $1 domain:socket_class_set getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_getattr_all_sockets'($*)) dnl
')

########################################
##
## Do not audit attempts to get the attributes
## of all domains sockets, for all socket types.
##
##

## Do not audit attempts to get the attributes ## of all domains sockets, for all socket types. ##

##

## This interface was added for PCMCIA cardmgr ## and is probably excessive. ##

##
##
## Parameter: domain - Domain to not audit.
#
define(`domain_dontaudit_getattr_all_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_sockets'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Per the interface description this was added for PCMCIA cardmgr and is
	# probably wider than needed; prefer the per-class dontaudit interfaces
	# below when a single socket class is all that is noisy.
	dontaudit $1 domain:socket_class_set getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_sockets'($*)) dnl
')

########################################
##
## Do not audit attempts to get the attributes
## of all domains TCP sockets.
##
## Parameter: domain - Domain to not audit.
#
define(`domain_dontaudit_getattr_all_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_tcp_sockets'($*)) dnl
	gen_require(`
		attribute domain;
	')

	dontaudit $1 domain:tcp_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_tcp_sockets'($*)) dnl
')

########################################
##
## Do not audit attempts to get the attributes
## of all domains UDP sockets.
##
## Parameter: domain - Domain to not audit.
#
define(`domain_dontaudit_getattr_all_udp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_udp_sockets'($*)) dnl
	gen_require(`
		attribute domain;
	')

	dontaudit $1 domain:udp_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_udp_sockets'($*)) dnl
')

########################################
##
## Do not audit attempts to read or write
## all domains UDP sockets.
##
## Parameter: domain - Domain to not audit.
##
#
define(`domain_dontaudit_rw_all_udp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_rw_all_udp_sockets'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# read/write denials on another domains socket usually mean a descriptor
	# was inherited across a transition.  This hides that signal; fixing the
	# leaking domain is preferable to silencing it here.
	dontaudit $1 domain:udp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_rw_all_udp_sockets'($*)) dnl
')

########################################
##
## Do not audit attempts to get attributes of
## all domains IPSEC key management sockets.
##
## Parameter: domain - Domain to not audit.
#
define(`domain_dontaudit_getattr_all_key_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_key_sockets'($*)) dnl
	gen_require(`
		attribute domain;
	')

	dontaudit $1 domain:key_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_key_sockets'($*)) dnl
')

########################################
##
## Do not audit attempts to get attributes of
## all domains packet sockets.
##
## Parameter: domain - Domain to not audit.
#
define(`domain_dontaudit_getattr_all_packet_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_packet_sockets'($*)) dnl
	gen_require(`
		attribute domain;
	')

	dontaudit $1 domain:packet_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_packet_sockets'($*)) dnl
')

########################################
##
## Do not audit attempts to get attributes of
## all domains raw sockets.
##
## Parameter: domain - Domain to not audit.
##
#
define(`domain_dontaudit_getattr_all_raw_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_raw_sockets'($*)) dnl
	gen_require(`
		attribute domain;
	')

	dontaudit $1 domain:rawip_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_raw_sockets'($*)) dnl
')

########################################
##
## Do not audit attempts to read or write
## all domains key sockets.
##
## Parameter: domain - Domain to not audit.
#
define(`domain_dontaudit_rw_all_key_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_rw_all_key_sockets'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Hides denials that would otherwise reveal an IPSEC key management
	# socket leaked into the caller; the access itself stays denied.
	dontaudit $1 domain:key_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_rw_all_key_sockets'($*)) dnl
')

########################################
##
## Do not audit attempts to get the attributes
## of all domains unix datagram sockets.
##
## Parameter: domain - Domain to not audit.
#
define(`domain_dontaudit_getattr_all_dgram_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_dgram_sockets'($*)) dnl
	gen_require(`
		attribute domain;
	')

	dontaudit $1 domain:unix_dgram_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_dgram_sockets'($*)) dnl
')

########################################
##
## Get the attributes
## of all domains unix stream sockets.
## (The interface that follows operates on unix_stream_socket,
## not unix datagram sockets as an earlier description stated.)
##
## Parameter: domain - Domain allowed access.
##
#
define(`domain_getattr_all_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_getattr_all_stream_sockets'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Metadata only on unix stream sockets of every domain; no connect or
	# data access is granted.
	allow $1 domain:unix_stream_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_getattr_all_stream_sockets'($*)) dnl
')

########################################
##
## Do not audit attempts to get the attributes
## of all domains unix stream sockets.
##
## Parameter: domain - Domain to not audit.
#
define(`domain_dontaudit_getattr_all_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_stream_sockets'($*)) dnl
	gen_require(`
		attribute domain;
	')

	dontaudit $1 domain:unix_stream_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_stream_sockets'($*)) dnl
')

########################################
##
## Get the attributes of all domains
## unnamed pipes.
##
##

## Get the attributes of all domains ## unnamed pipes. ##

##

## This is commonly used for domains ## that can use lsof on all domains. ##

##
##
## Parameter: domain - Domain allowed access.
#
define(`domain_getattr_all_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_getattr_all_pipes'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Unnamed pipes carry the label of the creating domain, hence the
	# target is the domain attribute.  Metadata only (lsof-style).
	allow $1 domain:fifo_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_getattr_all_pipes'($*)) dnl
')

########################################
##
## Do not audit attempts to get the attributes
## of all domains unnamed pipes.
##
## Parameter: domain - Domain to not audit.
#
define(`domain_dontaudit_getattr_all_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_pipes'($*)) dnl
	gen_require(`
		attribute domain;
	')

	dontaudit $1 domain:fifo_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_pipes'($*)) dnl
')

########################################
##
## Allow specified type to set context of all
## domains IPSEC associations.
##
## Parameter: domain - Domain allowed access.
#
define(`domain_ipsec_setcontext_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_ipsec_setcontext_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Lets the caller assign the security context of IPSEC SAs on behalf of
	# every domain.  Intended for the key management daemon; a domain with
	# this access can influence which labeled traffic other domains accept.
	allow $1 domain:association setcontext;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_ipsec_setcontext_all_domains'($*)) dnl
')

########################################
##
## Get the attributes of entry point
## files for all domains.
##
## Parameter: domain - Domain allowed access.
##
#
define(`domain_getattr_all_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_getattr_all_entry_files'($*)) dnl
	gen_require(`
		attribute entry_type;
	')

	# Note the asymmetry with the dontaudit variant below: this also grants
	# following symlinks labeled as entry points, the dontaudit only covers
	# file getattr.
	allow $1 entry_type:lnk_file read_lnk_file_perms;
	allow $1 entry_type:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_getattr_all_entry_files'($*)) dnl
')

########################################
##
## Do not audit attempts to get the attributes
## of all entry point files.
##
## Parameter: domain - Domain to not audit.
#
define(`domain_dontaudit_getattr_all_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_getattr_all_entry_files'($*)) dnl
	gen_require(`
		attribute entry_type;
	')

	dontaudit $1 entry_type:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_getattr_all_entry_files'($*)) dnl
')

########################################
##
## Read the entry point files for all domains.
##
## Parameter: domain - Domain allowed access.
#
define(`domain_read_all_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_read_all_entry_files'($*)) dnl
	gen_require(`
		attribute entry_type;
	')

	# Read (not execute) access to every domain entry point binary, e.g. for
	# integrity scanners.  Execution needs domain_exec_all_entry_files.
	allow $1 entry_type:lnk_file read_lnk_file_perms;
	allow $1 entry_type:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_read_all_entry_files'($*)) dnl
')

########################################
##
## Execute the entry point files for all
## domains in the caller domain.
##
## Parameter: domain - Domain allowed access.
##
#
define(`domain_exec_all_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_exec_all_entry_files'($*)) dnl
	gen_require(`
		attribute entry_type;
	')

	# can_exec: the entry point binaries run in the CALLER domain (no
	# transition), so they execute with the callers privileges, not their own.
	can_exec($1, entry_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_exec_all_entry_files'($*)) dnl
')

########################################
##
## Do not audit attempts to execute all entry point files.
##
## Parameter: domain - Domain to not audit.
#
define(`domain_dontaudit_exec_all_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_exec_all_entry_files'($*)) dnl
	gen_require(`
		attribute entry_type;
	')

	dontaudit $1 entry_type:file exec_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_exec_all_entry_files'($*)) dnl
')

########################################
##
## Create, read, write, and delete all
## entrypoint files.
##
## Parameter: domain - Domain allowed access.
#
# cjp: added for prelink
define(`domain_manage_all_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_manage_all_entry_files'($*)) dnl
	gen_require(`
		attribute entry_type;
	')

	# Write/delete on every domain entry point means the caller can replace
	# the code that runs in every confined domain - effectively full system
	# compromise if $1 is subverted.  Keep this to binary-rewriting tools
	# such as prelink and nothing else.
	allow $1 entry_type:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_manage_all_entry_files'($*)) dnl
')

########################################
##
## Relabel from domain types on files if a user managed to mislabel
##
## Parameter: domain - Domain allowed access.
##
#
define(`domain_relabelfrom',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_relabelfrom'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Recovery path only: relabelfrom a process type that ended up on a file
	# system object.  The matching relabelto for the destination type must be
	# granted separately.
	allow $1 domain:dir_file_class_set relabelfrom_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_relabelfrom'($*)) dnl
')

########################################
##
## Relabel to and from all entry point
## file types.
##
## Parameter: domain - Domain allowed access.
#
# cjp: added for prelink
define(`domain_relabel_all_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_relabel_all_entry_files'($*)) dnl
	gen_require(`
		attribute entry_type;
	')

	# relabelto on every entry point type lets the caller turn an arbitrary
	# file it controls into a domain entry point - comparable in impact to
	# domain_manage_all_entry_files.  Restrict to prelink-like tools.
	allow $1 entry_type:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_relabel_all_entry_files'($*)) dnl
')

########################################
##
## Mmap all entry point files as executable.
##
## Parameter: domain - Domain allowed access.
#
# cjp: added for prelink
define(`domain_mmap_all_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_mmap_all_entry_files'($*)) dnl
	gen_require(`
		attribute entry_type;
	')

	# Executable mappings of every entry point in the caller domain.
	allow $1 entry_type:file mmap_exec_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_mmap_all_entry_files'($*)) dnl
')

########################################
##
## Execute an entry_type in the specified domain.
##
## Parameter: domain - Domain allowed to transition.
## Parameter: target_domain - The type of the new process.
##
#
# cjp: added for userhelper
define(`domain_entry_file_spec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_entry_file_spec_domtrans'($*)) dnl
	gen_require(`
		attribute entry_type;
	')

	# Specified (not automatic) transition: $1 may execute ANY entry point
	# file and request $2 as the new domain.  The target is chosen by the
	# caller rather than by the file, so $2 must be trusted to be entered
	# from every entry point type.
	domain_transition_pattern($1, entry_type, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_entry_file_spec_domtrans'($*)) dnl
')

########################################
##
## Ability to mmap a low area of the address
## space conditionally, as configured by
## /proc/sys/vm/mmap_min_addr.
## Preventing such mappings helps protect against
## exploiting null deref bugs in the kernel.
##
## Parameter: domain - Domain allowed access.
#
define(`domain_mmap_low',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_mmap_low'($*)) dnl
	gen_require(`
		attribute mmap_low_domain_type;
		bool mmap_low_allowed;
	')

	# Marks $1 as a low-mapping domain; the actual mmap_zero grant is gated
	# by the mmap_low_allowed boolean so an administrator can keep the
	# NULL-dereference mitigation intact system-wide.
	typeattribute $1 mmap_low_domain_type;

	if ( mmap_low_allowed ) {
		allow $1 self:memprotect mmap_zero;
	}
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_mmap_low'($*)) dnl
')

########################################
##
## Ability to mmap a low area of the address
## space unconditionally, as configured
## by /proc/sys/vm/mmap_min_addr.
## Preventing such mappings helps protect against
## exploiting null deref bugs in the kernel.
##
## Parameter: domain - Domain allowed access.
##
#
define(`domain_mmap_low_uncond',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_mmap_low_uncond'($*)) dnl
	gen_require(`
		attribute mmap_low_domain_type;
	')

	# Unlike domain_mmap_low this bypasses the mmap_low_allowed boolean, so
	# the kernel NULL-dereference mitigation is weakened for $1 regardless of
	# administrator choice.  Use only where the application cannot run
	# without low mappings; prefer domain_mmap_low otherwise.
	typeattribute $1 mmap_low_domain_type;
	allow $1 self:memprotect mmap_zero;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_mmap_low_uncond'($*)) dnl
')

########################################
##
## Allow specified type to receive labeled
## networking packets from all domains, over
## all protocols (TCP, UDP, etc)
##
## Parameter: domain - Domain allowed access.
#
define(`domain_all_recvfrom_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_all_recvfrom_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Delegates to corenet: peer/packet recv from every domain label.
	corenet_all_recvfrom_labeled($1, domain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_all_recvfrom_all_domains'($*)) dnl
')

########################################
##
## Send generic signals to the unconfined domain.
##
## Parameter: domain - Domain allowed access.
#
define(`domain_unconfined_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_unconfined_signal'($*)) dnl
	gen_require(`
		attribute unconfined_domain_type;
	')

	# Only the generic signal permission; sigkill/sigstop are not included.
	allow $1 unconfined_domain_type:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_unconfined_signal'($*)) dnl
')

########################################
##
## Named Filetrans Domain.
##
## Parameter: domain - Domain allowed access.
##
#
define(`domain_named_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_named_filetrans'($*)) dnl
	gen_require(`
		attribute named_filetrans_domain;
	')

	# Attribute marker only; the filename transition rules attached to
	# named_filetrans_domain are declared elsewhere.
	typeattribute $1 named_filetrans_domain;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_named_filetrans'($*)) dnl
')

#####################################
##
## named_filetrans_domain stub attribute interface. No access allowed.
##
## Parameter: domain - Domain allowed access
#
define(`domain_stub_named_filetrans_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_stub_named_filetrans_domain'($*)) dnl
	gen_require(`
		attribute named_filetrans_domain;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_stub_named_filetrans_domain'($*)) dnl
')

########################################
##
## Unconfined access to domains.
##
## Parameter: domain - Domain allowed access.
#
define(`domain_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_unconfined'($*)) dnl
	gen_require(`
		attribute set_curr_context;
		attribute can_change_object_identity;
		attribute unconfined_domain_type;
		attribute process_uncond_exempt;
	')

	# Highest-privilege interface in this module: besides the unconfined
	# attribute (which other modules key broad allow rules on), the three
	# attributes below exempt $1 from the policy constraints, i.e. $1 can
	# change user/role identity on objects and its own context freely.
	# A compromise of $1 is a compromise of the MAC policy as a whole.
	typeattribute $1 unconfined_domain_type;

	# pass constraints
	typeattribute $1 can_change_object_identity;
	typeattribute $1 set_curr_context;
	typeattribute $1 process_uncond_exempt;

	mcs_process_set_categories($1)

	userdom_filetrans_home_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_unconfined'($*)) dnl
')

########################################
##
## Do not audit attempts to read or write
## all leaked sockets.
##
## Parameter: domain - Domain to not audit.
##
#
define(`domain_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_leaks'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Silences read/write denials on descriptors of every socket class that
	# were leaked into $1 across a transition.  The denials are the only
	# evidence of the leak, so prefer closing descriptors in the parent.
	dontaudit $1 domain:socket_class_set { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_leaks'($*)) dnl
')

########################################
##
## Allow caller to transition to any domain
##
## Parameter: domain - Domain allowed access.
#
define(`domain_transition_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_transition_all'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Only the process transition permission: the target domain still needs
	# an entrypoint on the executed file and $1 needs execute on it, so this
	# alone does not let $1 enter arbitrary domains.
	allow $1 domain:process transition;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_transition_all'($*)) dnl
')

########################################
##
## Do not audit access(2) permission probes
## (audit_access) against the /proc entries of all domains.
##
## Parameter: domain - Domain to not audit.
#
define(`domain_dontaudit_access_check',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dontaudit_access_check'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# audit_access is only checked for access()-style probes, never for the
	# real open, so this hides probe noise without masking actual accesses.
	dontaudit $1 domain:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dontaudit_access_check'($*)) dnl
')

########################################
##
## Allow set resource limits to all domains.
##
## Parameter: domain - Domain allowed access.
#
define(`domain_setrlimit_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_setrlimit_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Changing the rlimits of other processes can both lift limits (raise
	# their resource footprint) and lower them (deny service); limit to
	# resource-management daemons.
	allow $1 domain:process setrlimit;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_setrlimit_all_domains'($*)) dnl
')

########################################
##
## Allow resource limits to be inherited across a
## domain transition (process rlimitinh) with all domains.
##
## (rlimitinh: the new process keeps the resource limits of the old one
## instead of having them reset on the transition.)
##
## Parameter: domain - Domain allowed access.
#
define(`domain_rlimitinh_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_rlimitinh_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# NOTE(review): the kernel checks rlimitinh from the pre-exec context to
	# the post-exec context, so this presumably lets limits set in $1 carry
	# into any domain it transitions to - confirm against the bprm hook.
	allow $1 domain:process rlimitinh;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_rlimitinh_all_domains'($*)) dnl
')

########################################
##
## Allow all domains noatsecure permission
##
## Parameter: domain - Domain allowed access.
#
define(`domain_noatsecure_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_noatsecure_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# noatsecure disables secure-exec environment cleansing (AT_SECURE) on
	# the transition, so loader-controlling variables such as LD_PRELOAD
	# from the old process are honored in the new domain.  Granted against
	# every domain this lets $1 influence which code is loaded into any
	# domain it transitions to; treat as a near-unconfined privilege.
	allow $1 domain:process { noatsecure };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_noatsecure_all_domains'($*)) dnl
')

######################################
##
## Allow domain dyntransition to all domains in domain attribute.
##
## Parameter: domain - Domain allowed to transition.
#
define(`domain_dyntrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_dyntrans'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# Dynamic transitions need no exec of an entry point, so $1 can assume
	# the privileges of every domain on demand (setcon).  Equivalent in
	# reach to unconfined; reserve for trusted context-switching services.
	dyntrans_pattern($1, domain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_dyntrans'($*)) dnl
')

########################################
##
## Allow read and write perf_event file descriptors from all domains
##
## Parameter: domain - Domain allowed access.
##
#
define(`domain_rw_perf_event_all_domains',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `domain_rw_perf_event_all_domains'($*)) dnl
	gen_require(`
		attribute domain;
	')

	# By its name the permission set covers inherited perf_event descriptors
	# only (read/write on an already-open event), not opening new events on
	# other domains - verify against the set definition before widening.
	allow $1 domain:perf_event rw_inherited_perf_event_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `domain_rw_perf_event_all_domains'($*)) dnl
')

##
## Basic filesystem types and interfaces.
##
##

## This module contains basic filesystem types and interfaces. This ## includes: ##

    ##
  • The concept of different file types including basic ## files, mount points, tmp files, etc.
  • ##
  • Access to groups of files and all files.
  • ##
  • Types and interfaces for the basic filesystem layout ## (/, /etc, /tmp, /usr, etc.).
  • ##
##

##
##
## Contains the concept of a file.
## Contains the file initial SID.
##
#####################################
##
## files stub etc_t interface. No access allowed.
##
## Parameter: domain - Domain allowed access
#
define(`files_stub_etc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_stub_etc'($*)) dnl
	gen_require(`
		type etc_t;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_stub_etc'($*)) dnl
')

#####################################
##
## files stub var_lock_t interface. No access allowed.
##
## Parameter: domain - Domain allowed access
#
define(`files_stub_var_lock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_stub_var_lock'($*)) dnl
	gen_require(`
		type var_lock_t;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_stub_var_lock'($*)) dnl
')

#####################################
##
## files stub var_log_t interface. No access allowed.
##
## Parameter: domain - Domain allowed access
#
define(`files_stub_var_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_stub_var_log'($*)) dnl
	gen_require(`
		type var_log_t;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_stub_var_log'($*)) dnl
')

#####################################
##
## files stub var_lib_t interface. No access allowed.
##
## Parameter: domain - Domain allowed access
#
define(`files_stub_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_stub_var_lib'($*)) dnl
	gen_require(`
		type var_lib_t;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_stub_var_lib'($*)) dnl
')

#####################################
##
## files stub var_run_t interface. No access allowed.
##
## Parameter: domain - Domain allowed access
#
define(`files_stub_var_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_stub_var_run'($*)) dnl
	gen_require(`
		type var_run_t;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_stub_var_run'($*)) dnl
')

#####################################
##
## files stub var_spool_t interface. No access allowed.
##
## Parameter: domain - Domain allowed access
#
define(`files_stub_var_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_stub_var_spool'($*)) dnl
	gen_require(`
		type var_spool_t;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_stub_var_spool'($*)) dnl
')

#####################################
##
## files stub var_t interface. No access allowed.
##
## Parameter: domain - Domain allowed access
#
define(`files_stub_var',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_stub_var'($*)) dnl
	gen_require(`
		type var_t;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_stub_var'($*)) dnl
')

#####################################
##
## files stub tmp_t interface. No access allowed.
##
## Parameter: domain - Domain allowed access
#
define(`files_stub_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_stub_tmp'($*)) dnl
	gen_require(`
		type tmp_t;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_stub_tmp'($*)) dnl
')

########################################
##
## Make the specified type usable for files
## in a filesystem.
##
##

## Make the specified type usable for files ## in a filesystem. Types used for files that ## do not use this interface, or an interface that ## calls this one, will have unexpected behaviors ## while the system is running. If the type is used ## for device nodes (character or block files), then ## the dev_node() interface is more appropriate. ##

##

## Related interfaces: ##

##
    ##
  • application_domain()
  • ##
  • application_executable_file()
  • ##
  • corecmd_executable_file()
  • ##
  • init_daemon_domain()
  • ##
  • init_domain()
  • ##
  • init_ranged_daemon_domain()
  • ##
  • init_ranged_domain()
  • ##
  • init_ranged_system_domain()
  • ##
  • init_script_file()
  • ##
  • init_script_domain()
  • ##
  • init_system_domain()
  • ##
  • files_config_files()
  • ##
  • files_lock_file()
  • ##
  • files_mountpoint()
  • ##
  • files_pid_file()
  • ##
  • files_security_file()
  • ##
  • files_security_mountpoint()
  • ##
  • files_spool_file()
  • ##
  • files_tmp_file()
  • ##
  • files_tmpfs_file()
  • ##
  • logging_log_file()
  • ##
  • userdom_user_home_content()
  • ##
##

## Example: ##

##

## type myfile_t; ## files_type(myfile_t) ## allow mydomain_t myfile_t:file read_file_perms; ##

##
##
## Parameter: type - Type to be used for files.
##
#
define(`files_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_type'($*)) dnl
	gen_require(`
		attribute file_type, non_security_file_type, non_auth_file_type;
	')

	# Also tags the type as NON-security and NON-auth, so it falls inside
	# any broad "all non-security files" style interface elsewhere in the
	# policy.  Do not use this for types that hold credentials or other
	# secrets; use files_auth_file or files_security_file for those.
	typeattribute $1 file_type, non_security_file_type, non_auth_file_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_type'($*)) dnl
')

########################################
##
## Mark the specified type as a file
## that is related to authentication.
##
## Parameter: type - Type of the authentication-related file.
#
define(`files_auth_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_auth_file'($*)) dnl
	gen_require(`
		attribute file_type, security_file_type, auth_file_type;
	')

	# Opposite of files_type: excluded from the non-security and non-auth
	# groupings, so blanket read interfaces do not reach it.
	typeattribute $1 file_type, security_file_type, auth_file_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_auth_file'($*)) dnl
')

########################################
##
## Make the specified type a security-relevant file
## whose access attempts from user domains must remain
## audited, i.e. it is excluded from the blanket
## dontaudit rules that cover user browsing.
##
## Parameter: type - Type of the security file.
#
define(`files_security_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_security_file'($*)) dnl
	gen_require(`
		attribute file_type, security_file_type, non_auth_file_type;
	')

	# security but not auth: kept out of the non_security grouping while
	# still being reachable by interfaces that target non-auth files.
	typeattribute $1 file_type, security_file_type, non_auth_file_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_security_file'($*)) dnl
')

########################################
##
## Make the specified type usable for
## filesystem mount points.
##
## Parameter: type - Type to be used for mount points.
## Parameter: Type to be used for mount points.
##
#
define(`files_mountpoint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mountpoint'($*)) dnl
	gen_require(`
		attribute mountpoint;
	')

	files_type($1)
	typeattribute $1 mountpoint;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mountpoint'($*)) dnl
')

########################################
##
## Create a private type object in a mountpoint directory with an
## automatic type transition.
##
## Parameters:
##   1. Domain allowed access.
##   2. The type of the object to be created.
##   3. The object class(es) of the object being created.
##   4. The name of the object being created. filetrans_pattern() takes the
##      filename as an optional trailing argument, so omitting it yields a
##      plain (non name-based) type transition.
##
#
define(`files_mountpoint_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mountpoint_filetrans'($*)) dnl
	gen_require(`
		attribute mountpoint;
	')

	filetrans_pattern($1, mountpoint, $2, $3, $4)

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mountpoint_filetrans'($*)) dnl
')

########################################
##
## Make the specified type usable for security file filesystem mount
## points.
##
## Same as files_mountpoint(), except the type is registered through
## files_security_file() rather than files_type(), so it is excluded from
## non_security_file_type.
##
## Parameter: Type to be used for mount points.
##
#
define(`files_security_mountpoint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_security_mountpoint'($*)) dnl
	gen_require(`
		attribute mountpoint;
	')

	files_security_file($1)
	typeattribute $1 mountpoint;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_security_mountpoint'($*)) dnl
')

########################################
##
## Make the specified type usable for lock files.
##
## Parameter: Type to be used for lock files.
## Parameter: Type to be used for lock files.
##
#
define(`files_lock_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_lock_file'($*)) dnl
	gen_require(`
		attribute lockfile;
	')

	files_type($1)
	typeattribute $1 lockfile;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_lock_file'($*)) dnl
')

########################################
##
## Make the specified type usable for runtime process ID files.
##

## Make the specified type usable for runtime process ID files, ## typically found in /var/run. ## This will also make the type usable for files, making ## calls to files_type() redundant. Failure to use this interface ## for a PID file type may result in problems with starting ## or stopping services. ##

##

## Related interfaces: ##

##
    ##
  • files_pid_filetrans()
  • ##
##

## Example usage with a domain that can create and ## write its PID file with a private PID file type in the ## /var/run directory: ##

##

## type mypidfile_t; ## files_pid_file(mypidfile_t) ## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; ## files_pid_filetrans(mydomain_t, mypidfile_t, file) ##

##
## Parameter: Type to be used for PID files.
##
#
define(`files_pid_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_pid_file'($*)) dnl
	gen_require(`
		attribute pidfile;
	')

	files_type($1)
	typeattribute $1 pidfile;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_pid_file'($*)) dnl
')

########################################
##
## Make the specified type a configuration file.
##

## Make the specified type usable for configuration files. ## This will also make the type usable for files, making ## calls to files_type() redundant. Failure to use this interface ## for a configuration file may result in problems with ## configuration management tools. ##

##

## Example usage with a domain that can read ## its configuration file in /etc: ##

##

## type myconffile_t; ## files_config_file(myconffile_t) ## allow mydomain_t myconffile_t:file read_file_perms; ## files_search_etc(mydomain_t) ##

##
## Parameter: Type to be used as a configuration file.
##
#
define(`files_config_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_config_file'($*)) dnl
	gen_require(`
		attribute configfile;
	')

	files_type($1)
	typeattribute $1 configfile;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_config_file'($*)) dnl
')

########################################
##
## Make the specified type a polyinstantiated directory.
##
## Parameter: Type of the file to be used as a polyinstantiated directory.
##
#
define(`files_poly',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_poly'($*)) dnl
	gen_require(`
		attribute polydir;
	')

	files_type($1)
	typeattribute $1 polydir;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_poly'($*)) dnl
')

########################################
##
## Make the specified type a parent of a polyinstantiated directory.
##
## Parameter: Type of the file to be used as a parent directory.
##
#
define(`files_poly_parent',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_poly_parent'($*)) dnl
	gen_require(`
		attribute polyparent;
	')

	files_type($1)
	typeattribute $1 polyparent;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_poly_parent'($*)) dnl
')

########################################
##
## Make the specified type a polyinstantiation member directory.
##
## Parameter: Type of the file to be used as a member directory.
## Parameter: Type of the file to be used as a member directory.
##
#
define(`files_poly_member',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_poly_member'($*)) dnl
	gen_require(`
		attribute polymember;
	')

	files_type($1)
	typeattribute $1 polymember;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_poly_member'($*)) dnl
')

########################################
##
## Make the domain use the specified type of polyinstantiated directory.
##
## Adds a type_member rule so that when the domain polyinstantiates a
## tmp_t directory, the member (instance) directory is labelled with the
## given type.
##
## Parameters:
##   1. Domain using the polyinstantiated directory.
##   2. Type of the file to be used as a member directory.
##
#
define(`files_poly_member_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_poly_member_tmp'($*)) dnl
	gen_require(`
		type tmp_t;
	')

	type_member $1 tmp_t:dir $2;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_poly_member_tmp'($*)) dnl
')

########################################
##
## Make the specified type a file used for temporary files.
##

## Make the specified type usable for temporary files. ## This will also make the type usable for files, making ## calls to files_type() redundant. Failure to use this interface ## for a temporary file may result in problems with ## purging temporary files. ##

##

## Related interfaces: ##

##
    ##
  • files_tmp_filetrans()
  • ##
##

## Example usage with a domain that can create and ## write its temporary file in the system temporary file ## directories (/tmp or /var/tmp): ##

##

## type mytmpfile_t; ## files_tmp_file(mytmpfile_t) ## allow mydomain_t mytmpfile_t:file { create_file_perms write_file_perms }; ## files_tmp_filetrans(mydomain_t, mytmpfile_t, file) ##

##
## Parameter: Type of the file to be used as a temporary file.
##
## NOTE(review): tmp_t is listed in the require block but is not referenced
## by the body below; presumably a leftover from an earlier version.
##
#
define(`files_tmp_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_tmp_file'($*)) dnl
	gen_require(`
		attribute tmpfile;
		type tmp_t;
	')

	files_type($1)
	files_poly_member($1)
	typeattribute $1 tmpfile;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_tmp_file'($*)) dnl
')

########################################
##
## Transform the type into a file, for use on a virtual memory filesystem
## (tmpfs).
##
## Parameter: The type to be transformed.
##
#
define(`files_tmpfs_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_tmpfs_file'($*)) dnl
	gen_require(`
		attribute tmpfsfile;
	')

	files_type($1)
	typeattribute $1 tmpfsfile;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_tmpfs_file'($*)) dnl
')

########################################
##
## Get the attributes of all directories (every type carrying file_type,
## security-relevant types included).
##
## Parameter: Domain allowed access.
##
#
define(`files_getattr_all_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_dirs'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	getattr_dirs_pattern($1, file_type, file_type)

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_dirs'($*)) dnl
')

########################################
##
## Do not audit attempts to get the attributes of all directories.
##
## Parameter: Domain to not audit.
## Parameter: Domain to not audit.
##
#
define(`files_dontaudit_getattr_all_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_dirs'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	dontaudit $1 file_type:dir getattr;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_dirs'($*)) dnl
')

########################################
##
## List all non-security directories.
##
## Parameter: Domain allowed access.
##
#
define(`files_list_non_security',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_non_security'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	list_dirs_pattern($1, non_security_file_type, non_security_file_type)

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_non_security'($*)) dnl
')

########################################
##
## Watch all non-security directories.
##
## Parameter: Domain allowed access.
##
#
define(`files_watch_non_security_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_non_security_dirs'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	watch_dirs_pattern($1, non_security_file_type, non_security_file_type)

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_non_security_dirs'($*)) dnl
')

########################################
##
## Watch all non-security files.
##
## Parameter: Domain allowed access.
## Parameter: Domain allowed access.
##
#
define(`files_watch_non_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_non_security_files'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	watch_files_pattern($1, non_security_file_type, non_security_file_type)

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_non_security_files'($*)) dnl
')

########################################
##
## Watch all non-security symbolic links.
##
## Parameter: Domain allowed access.
##
#
define(`files_watch_non_security_lnk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_non_security_lnk_files'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	watch_lnk_files_pattern($1, non_security_file_type, non_security_file_type)

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_non_security_lnk_files'($*)) dnl
')

########################################
##
## Do not audit attempts to list all non-security directories
## (the whole list_dir_perms set is silenced, not just read).
##
## Parameter: Domain to not audit.
##
#
define(`files_dontaudit_list_non_security',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_non_security'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	dontaudit $1 non_security_file_type:dir list_dir_perms;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_list_non_security'($*)) dnl
')

########################################
##
## Mount a filesystem on all non-security directories and files.
##
## Parameter: Domain allowed access.
## Parameter: Domain allowed access.
##
## Note: besides mounton, the directory rule also grants write and setattr
## on every non-security directory, which is considerably more than the
## summary suggests; callers that only need to mount should be aware of it.
##
#
define(`files_mounton_non_security',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_non_security'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	allow $1 non_security_file_type:dir { write setattr mounton };
	allow $1 non_security_file_type:file mounton;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_non_security'($*)) dnl
')

########################################
##
## Allow attempts to write (modify entries of) any non-security directory.
##
## Parameter: Domain allowed access.
##
#
define(`files_write_non_security_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_write_non_security_dirs'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	allow $1 non_security_file_type:dir write;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_write_non_security_dirs'($*)) dnl
')

########################################
##
## Allow attempts to set the attributes of any non-security directory.
##
## Note: the rule grants read in addition to setattr.
##
## Parameter: Domain allowed access.
##
#
define(`files_setattr_non_security_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_setattr_non_security_dirs'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	allow $1 non_security_file_type:dir { read setattr };

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_setattr_non_security_dirs'($*)) dnl
')

########################################
##
## Allow attempts to create non-security directories.
##
## Parameter: Domain allowed access.
## Parameter: Domain allowed access.
##
#
define(`files_create_non_security_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_non_security_dirs'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	allow $1 non_security_file_type:dir { create_dir_perms };

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_non_security_dirs'($*)) dnl
')

########################################
##
## Allow attempts to manage (create, write, delete, ...) non-security
## directories.
##
## Parameter: Domain allowed access.
##
#
define(`files_manage_non_security_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_non_security_dirs'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	allow $1 non_security_file_type:dir manage_dir_perms;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_non_security_dirs'($*)) dnl
')

########################################
##
## Allow attempts to search non-security directories.
##
## Parameter: Domain allowed access.
##
#
define(`files_search_non_security_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_non_security_dirs'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	allow $1 non_security_file_type:dir search_dir_perms;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_non_security_dirs'($*)) dnl
')

########################################
##
## Get the attributes of all files.
##
## Parameter: Domain allowed access.
## Parameter: Domain allowed access.
##
## Covers regular files and symbolic links of every file_type, including
## security-relevant types.
##
#
define(`files_getattr_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_files'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	getattr_files_pattern($1, file_type, file_type)
	getattr_lnk_files_pattern($1, file_type, file_type)

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_files'($*)) dnl
')

########################################
##
## Get the attributes of all character device nodes.
##
## Parameter: Domain allowed access.
##
#
define(`files_getattr_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_chr_files'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	getattr_chr_files_pattern($1, file_type, file_type)

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_chr_files'($*)) dnl
')

########################################
##
## Get the attributes of all block device nodes.
##
## Parameter: Domain allowed access.
##
#
define(`files_getattr_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_blk_files'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	getattr_blk_files_pattern($1, file_type, file_type)

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_blk_files'($*)) dnl
')

########################################
##
## Do not audit attempts to get the attributes of all files.
##
## Parameter: Domain to not audit.
## Parameter: Domain to not audit.
##
#
define(`files_dontaudit_getattr_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_files'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	dontaudit $1 file_type:file getattr;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_files'($*)) dnl
')

########################################
##
## Do not audit attempts to get the attributes of non-security files.
##
## Parameter: Domain to not audit.
##
#
define(`files_dontaudit_getattr_non_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_files'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	dontaudit $1 non_security_file_type:file getattr;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_files'($*)) dnl
')

########################################
##
## Do not audit attempts to get the attributes of proc_type files.
##
## Parameter: Domain to not audit.
##
#
define(`files_dontaudit_getattr_proc_type_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_proc_type_files'($*)) dnl
	gen_require(`
		attribute proc_type;
	')

	dontaudit $1 proc_type:file getattr;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_proc_type_files'($*)) dnl
')

########################################
##
## Do not audit attempts to get the attributes of sysctl_type files.
##
## Parameter: Domain to not audit.
## Parameter: Domain to not audit.
##
#
define(`files_dontaudit_getattr_sysctl_type_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_sysctl_type_files'($*)) dnl
	gen_require(`
		attribute sysctl_type;
	')

	dontaudit $1 sysctl_type:file getattr;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_sysctl_type_files'($*)) dnl
')

########################################
##
## Do not audit attempts to get the attributes of filesystem_type files.
##
## Parameter: Domain to not audit.
##
#
define(`files_dontaudit_getattr_filesystem_type_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_filesystem_type_files'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	dontaudit $1 filesystem_type:file getattr;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_filesystem_type_files'($*)) dnl
')

########################################
##
## Do not audit attempts to search non-security directories.
##
## Parameter: Domain to not audit.
##
#
define(`files_dontaudit_search_non_security_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_non_security_dirs'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	dontaudit $1 non_security_file_type:dir search_dir_perms;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_non_security_dirs'($*)) dnl
')

########################################
##
## Do not audit attempts to set the attributes of non-security files.
##
## Parameter: Domain to not audit.
## Parameter: Domain to not audit.
##
#
define(`files_dontaudit_setattr_non_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_setattr_non_security_files'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	dontaudit $1 non_security_file_type:file setattr;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_setattr_non_security_files'($*)) dnl
')

########################################
##
## Do not audit attempts to set the attributes of non-security
## directories.
##
## Parameter: Domain to not audit.
##
#
define(`files_dontaudit_setattr_non_security_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_setattr_non_security_dirs'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	dontaudit $1 non_security_file_type:dir setattr;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_setattr_non_security_dirs'($*)) dnl
')

########################################
##
## Read all files.
##
## This is read access to every type carrying file_type, security-relevant
## and authentication types included, plus listing of every directory.
## When the auth module is present, auth_read_shadow() is granted as well,
## so the caller can read the shadow password database. Prefer
## files_read_non_security_files() unless the domain genuinely needs
## security files.
##
## Parameter: Domain allowed access.
##
#
define(`files_read_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_files'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	allow $1 file_type:dir list_dir_perms;
	read_files_pattern($1, file_type, file_type)

	optional_policy(`
		auth_read_shadow($1)
	')

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_files'($*)) dnl
')

########################################
##
## Mmap all files.
##
## Parameter: Domain allowed access.
## Parameter: Domain allowed access.
##
## Grants only the file:map permission on every file_type; read/execute on
## the mapped file are not implied and must be granted separately.
##
#
define(`files_mmap_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mmap_all_files'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	allow $1 file_type:file map;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mmap_all_files'($*)) dnl
')

########################################
##
## Allow shared library text relocations in all files.
##

## Allow shared library text relocations in all files. ##

##

## This is added to support WINE policy. ##

##
## Parameter: Domain allowed access.
##
## Security note: file:execmod permits executing a file-backed mapping
## after it has been modified (text relocations), i.e. it relaxes the
## write-xor-execute protection for every file_type at once. It exists to
## support the WINE policy; ordinary domains should not call it.
##
#
define(`files_execmod_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_execmod_all_files'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	allow $1 file_type:file execmod;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_execmod_all_files'($*)) dnl
')

########################################
##
## Read all non-security files.
##
## Lists directories and reads regular files and symbolic links of every
## non_security_file_type. Types registered via files_security_file() or
## files_auth_file() are not reachable through this interface.
##
## Parameter: Domain allowed access.
##
#
define(`files_read_non_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_non_security_files'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	list_dirs_pattern($1, non_security_file_type, non_security_file_type)
	read_files_pattern($1, non_security_file_type, non_security_file_type)
	read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_non_security_files'($*)) dnl
')

########################################
##
## Map all non-security files.
##
## Grants only the file:map permission; read/execute on the mapped file
## must be granted separately.
##
## Parameter: Domain allowed access.
##
#
define(`files_map_non_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_map_non_security_files'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	allow $1 non_security_file_type:file map;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_map_non_security_files'($*)) dnl
')

########################################
##
## Read/Write all inherited non-security files.
##
## Parameter: Domain allowed access.
## Parameter: Domain allowed access.
##
## Only read and write are granted, not open, so (assuming the open
## permission is enforced by the policy, as it is in reference policy
## builds with the open_perms capability) the domain can use descriptors
## it already holds but cannot open these files itself.
##
#
define(`files_rw_inherited_non_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_inherited_non_security_files'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	allow $1 non_security_file_type:file { read write };

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_inherited_non_security_files'($*)) dnl
')

########################################
##
## Allow append to non-security files.
##
## Parameter: Domain allowed access.
##
#
define(`files_append_non_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_append_non_security_files'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	allow $1 non_security_file_type:file append_file_perms;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_append_non_security_files'($*)) dnl
')

########################################
##
## Manage all non-security files and symbolic links.
##
## Parameter: Domain allowed access.
##
#
define(`files_manage_non_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_non_security_files'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	manage_files_pattern($1, non_security_file_type, non_security_file_type)
	manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_non_security_files'($*)) dnl
')

########################################
##
## Relabel all non-security files.
##
## Parameter: Domain allowed access.
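## Parameter: Domain allowed access.
##
## Relabel (relabelfrom/relabelto) every object class of every
## non_security_file_type: directories, regular files, symbolic links,
## FIFOs, sockets and block/character device nodes. This is a powerful
## grant: the caller can move non-security objects between any of those
## types. seutil_relabelto_bin_policy() is added only to satisfy the
## policy assertions (see the comment in the body).
##
## Change: the relabel_files_pattern() call was emitted twice with the
## same arguments (once unbraced, once braced); the duplicate is dropped.
## The resulting rule set is identical.
##
#
define(`files_relabel_non_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_non_security_files'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	allow $1 { non_security_file_type }:dir list_dir_perms;
	relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
	relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type })
	relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
	relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type })
	relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type })
	relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
	relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type })

	# satisfy the assertions:
	seutil_relabelto_bin_policy($1)

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_non_security_files'($*)) dnl
')

########################################
##
## Search all base file directories.
##
## Parameter: Domain allowed access.
##
#
define(`files_search_base_file_types',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_base_file_types'($*)) dnl
	gen_require(`
		attribute base_file_type;
	')

	allow $1 base_file_type:dir search_dir_perms;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_base_file_types'($*)) dnl
')

########################################
##
## Relabel all base file types.
##
## Parameter: Domain allowed access.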
## Parameter: Domain allowed access.
##
## Relabels every object class (dirs, files, symlinks, FIFOs, sockets,
## block and character device nodes) of base_file_type. NOTE(review):
## unlike files_relabel_non_security_files(), no
## seutil_relabelto_bin_policy() call is made here; presumably
## base_file_type does not trip the same assertion — verify if the
## attribute membership changes.
##
#
define(`files_relabel_base_file_types',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_base_file_types'($*)) dnl
	gen_require(`
		attribute base_file_type;
	')

	allow $1 base_file_type:dir list_dir_perms;
	relabel_dirs_pattern($1, base_file_type, base_file_type)
	relabel_files_pattern($1, base_file_type, base_file_type)
	relabel_lnk_files_pattern($1, base_file_type, base_file_type)
	relabel_fifo_files_pattern($1, base_file_type, base_file_type)
	relabel_sock_files_pattern($1, base_file_type, base_file_type)
	relabel_blk_files_pattern($1, base_file_type, base_file_type)
	relabel_chr_files_pattern($1, base_file_type, base_file_type)

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_base_file_types'($*)) dnl
')

########################################
##
## Read all directories on the filesystem, except the listed exceptions.
##
## Parameters:
##   1. Domain allowed access.
##   2. The types to be excluded. Each type or attribute must be negated
##      by the caller (e.g. pass "-shadow_t -foo_t"); the argument is
##      spliced verbatim into the type set { file_type $2 }.
##
#
define(`files_read_all_dirs_except',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_dirs_except'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	allow $1 { file_type $2 }:dir list_dir_perms;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_dirs_except'($*)) dnl
')

########################################
##
## Read all files on the filesystem, except the listed exceptions.
##
## Parameters:
##   1. Domain allowed access.
##   2. The types to be excluded. Each type or attribute must be negated
##      by the caller.
##
## Note: the exclusion list is applied to both the directory and the file
## side of the pattern, so a negated type is neither searched nor read.
## An empty exclusion list makes this equivalent to reading every
## file_type, security-relevant types included.
##
#
define(`files_read_all_files_except',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_files_except'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	read_files_pattern($1, { file_type $2 }, { file_type $2 })

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_files_except'($*)) dnl
')

########################################
##
## Read all symbolic links on the filesystem, except the listed
## exceptions.
##
## Parameters:
##   1. Domain allowed access.
##   2. The types to be excluded. Each type or attribute must be negated
##      by the caller.
##
#
define(`files_read_all_symlinks_except',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_symlinks_except'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_symlinks_except'($*)) dnl
')

########################################
##
## Get the attributes of all symbolic links.
##
## Parameter: Domain allowed access.
##
#
define(`files_getattr_all_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_symlinks'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	getattr_lnk_files_pattern($1, file_type, file_type)

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_symlinks'($*)) dnl
')

########################################
##
## Do not audit attempts to get the attributes of all symbolic links.
##
## Parameter: Domain to not audit.
## Parameter: Domain to not audit.
##
#
define(`files_dontaudit_getattr_all_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_symlinks'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	dontaudit $1 file_type:lnk_file getattr;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_symlinks'($*)) dnl
')

########################################
##
## Do not audit attempts to read all symbolic links.
##
## Parameter: Domain to not audit.
##
#
define(`files_dontaudit_read_all_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_all_symlinks'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	dontaudit $1 file_type:lnk_file read;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_read_all_symlinks'($*)) dnl
')

########################################
##
## Do not audit attempts to get the attributes of non-security symbolic
## links.
##
## Parameter: Domain to not audit.
##
#
define(`files_dontaudit_getattr_non_security_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_symlinks'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	dontaudit $1 non_security_file_type:lnk_file getattr;

popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_symlinks'($*)) dnl
')

########################################
##
## Do not audit attempts to get the attributes of non-security block
## device nodes.
##
## Parameter: Domain to not audit.
#
define(`files_dontaudit_getattr_non_security_blk_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_blk_files'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	dontaudit $1 non_security_file_type:blk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_blk_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of non security character devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_getattr_non_security_chr_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_chr_files'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	dontaudit $1 non_security_file_type:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_chr_files'($*)) dnl
')

########################################
## <summary>
##	Read all symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`files_read_all_symlinks',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_symlinks'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	# directory listing is granted so the symlinks can be located
	allow $1 file_type:dir list_dir_perms;
	read_lnk_files_pattern($1, file_type, file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_symlinks'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of all named pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_getattr_all_pipes',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_pipes'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	allow $1 file_type:dir list_dir_perms;
	getattr_fifo_files_pattern($1, file_type, file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_pipes'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all named pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_getattr_all_pipes',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_pipes'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	dontaudit $1 file_type:fifo_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_pipes'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of non security named pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_getattr_non_security_pipes',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_pipes'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	dontaudit $1 non_security_file_type:fifo_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_pipes'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	inherited non security named pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_rw_inherited_pipes',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_inherited_pipes'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	# only the inherited-descriptor permission set, not open
	dontaudit $1 non_security_file_type:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_inherited_pipes'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of all named sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_getattr_all_sockets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_sockets'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	allow $1 file_type:dir list_dir_perms;
	getattr_sock_files_pattern($1, file_type, file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_sockets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all named sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_getattr_all_sockets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_sockets'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	dontaudit $1 file_type:sock_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_sockets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read
##	all named sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_read_all_sockets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_all_sockets'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	dontaudit $1 file_type:sock_file read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_read_all_sockets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read
##	all non security files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_read_all_non_security_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_all_non_security_files'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	# silences the whole read permission set (open, getattr, ...), not just read
	dontaudit $1 non_security_file_type:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_read_all_non_security_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of non security named sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_getattr_non_security_sockets',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_non_security_sockets'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	dontaudit $1 non_security_file_type:sock_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_non_security_sockets'($*)) dnl
')

########################################
## <summary>
##	Read all block nodes with file types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_read_all_blk_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_blk_files'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	read_blk_files_pattern($1, file_type, file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_blk_files'($*)) dnl
')

########################################
## <summary>
##	Read all character nodes with file types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_read_all_chr_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_chr_files'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	read_chr_files_pattern($1, file_type, file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_chr_files'($*)) dnl
')

########################################
## <summary>
##	Relabel all files on the filesystem, except
##	the listed exceptions.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="exception_types">
##	<summary>
##	The types to be excluded.  Each type or attribute
##	must be negated by the caller.
##	</summary>
## </param>
## <rolecap/>
#
define(`files_relabel_all_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_all_files'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	# $2 carries the caller's negated exceptions, e.g. "-foo_t"
	allow $1 { file_type $2 }:dir list_dir_perms;
	relabel_dirs_pattern($1, { file_type $2 }, { file_type $2 })
	relabel_files_pattern($1, { file_type $2 }, { file_type $2 })
	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
	relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
	relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 })
	relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 })

	# satisfy the assertions: the blanket file_type rules above already
	# reach the binary policy and shadow types, so the dedicated
	# interfaces are called explicitly to keep the policy checks happy
	seutil_relabelto_bin_policy($1)
	auth_relabelto_shadow($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_all_files'($*)) dnl
')

########################################
## <summary>
##	Read and write all files on the filesystem, except
##	the listed exceptions.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="exception_types">
##	<summary>
##	The types to be excluded.  Each type or attribute
##	must be negated by the caller.
##	</summary>
## </param>
## <rolecap/>
#
define(`files_rw_all_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_all_files'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	rw_files_pattern($1, { file_type $2 }, { file_type $2 })
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_all_files'($*)) dnl
')

########################################
## <summary>
##	Manage all files on the filesystem, except
##	the listed exceptions.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="exception_types">
##	<summary>
##	The types to be excluded.  Each type or attribute
##	must be negated by the caller.
##	</summary>
## </param>
## <rolecap/>
#
define(`files_manage_all_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_all_files'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	# $2 carries the caller's negated exceptions, e.g. "-foo_t";
	# device nodes (blk_file, chr_file) are deliberately not covered
	manage_dirs_pattern($1, { file_type $2 }, { file_type $2 })
	manage_files_pattern($1, { file_type $2 }, { file_type $2 })
	manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
	manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
	manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })

	# satisfy the assertions: the blanket file_type rules above already
	# reach the binary policy, kernel modules and shadow, so the
	# dedicated interfaces are called explicitly
	seutil_create_bin_policy($1)
	files_manage_kernel_modules($1)
	auth_reader_shadow($1)
	auth_writer_shadow($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_all_files'($*)) dnl
')

########################################
## <summary>
##	Search the contents of all directories on
##	extended attribute filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_search_all',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_all'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	allow $1 file_type:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_all'($*)) dnl
')

########################################
## <summary>
##	List the contents of all directories on
##	extended attribute filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_list_all',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_all'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	allow $1 file_type:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_all'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to search the
##	contents of any directories on extended
##	attribute filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_search_all_dirs',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_all_dirs'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	dontaudit $1 file_type:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_all_dirs'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of all filesystems
##	with the type of a file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# dwalsh: This interface is to allow quotacheck to work on a
# filesystem mounted with the --context switch
# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212957
#
define(`files_getattr_all_file_type_fs',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_file_type_fs'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	# a context= mount labels the filesystem object itself with a file type
	allow $1 file_type:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_file_type_fs'($*)) dnl
')

########################################
## <summary>
##	Relabel a filesystem to the type of a file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_relabelto_all_file_type_fs',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelto_all_file_type_fs'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	allow $1 file_type:filesystem relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelto_all_file_type_fs'($*)) dnl
')

########################################
## <summary>
##	Relabel a filesystem to and from the type of a file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_relabel_all_file_type_fs',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_all_file_type_fs'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	allow $1 file_type:filesystem { relabelfrom relabelto };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_all_file_type_fs'($*)) dnl
')

########################################
## <summary>
##	Mount all filesystems with the type of a file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_mount_all_file_type_fs',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mount_all_file_type_fs'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	allow $1 file_type:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mount_all_file_type_fs'($*)) dnl
')

########################################
## <summary>
##	Unmount all filesystems with the type of a file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_unmount_all_file_type_fs',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_unmount_all_file_type_fs'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	allow $1 file_type:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_unmount_all_file_type_fs'($*)) dnl
')

########################################
## <summary>
##	List all non-authentication related
##	directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_list_non_auth_dirs',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_non_auth_dirs'($*)) dnl
	gen_require(`
		attribute non_auth_file_type;
	')

	allow $1 non_auth_file_type:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_non_auth_dirs'($*)) dnl
')

########################################
## <summary>
##	Watch non-authentication related directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_watch_non_auth_dirs',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_non_auth_dirs'($*)) dnl
	gen_require(`
		attribute non_auth_file_type;
	')

	watch_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_non_auth_dirs'($*)) dnl
')

########################################
## <summary>
##	Read all non-authentication related
##	files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_read_non_auth_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_non_auth_files'($*)) dnl
	gen_require(`
		attribute non_auth_file_type;
	')

	read_files_pattern($1, non_auth_file_type, non_auth_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_non_auth_files'($*)) dnl
')

########################################
## <summary>
##	Read all non-authentication related
##	symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_read_non_auth_symlinks',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_non_auth_symlinks'($*)) dnl
	gen_require(`
		attribute non_auth_file_type;
	')

	read_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_non_auth_symlinks'($*)) dnl
')

########################################
## <summary>
##	Read and write non-authentication related files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_rw_non_auth_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_non_auth_files'($*)) dnl
	gen_require(`
		attribute non_auth_file_type;
	')

	rw_files_pattern($1, non_auth_file_type, non_auth_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_non_auth_files'($*)) dnl
')

########################################
## <summary>
##	Manage non-authentication related
##	files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`files_manage_non_auth_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_non_auth_files'($*)) dnl
	gen_require(`
		attribute non_auth_file_type;
	')

	manage_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
	manage_files_pattern($1, non_auth_file_type, non_auth_file_type)
	manage_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
	manage_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
	manage_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)

	# satisfy the assertions: the non_auth_file_type rules above already
	# reach the binary policy and kernel modules, so the dedicated
	# interfaces are called explicitly
	seutil_create_bin_policy($1)
	files_manage_kernel_modules($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_non_auth_files'($*)) dnl
')

########################################
## <summary>
##	Relabel all non-authentication related
##	files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`files_relabel_non_auth_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_non_auth_files'($*)) dnl
	gen_require(`
		attribute non_auth_file_type;
	')

	allow $1 non_auth_file_type:dir list_dir_perms;
	relabel_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
	relabel_files_pattern($1, non_auth_file_type, non_auth_file_type)
	relabel_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
	relabel_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
	relabel_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)

	# this is only relabelfrom since there should be no
	# device nodes with file types (a mislabeled node may
	# be fixed, but nothing may be relabeled into a file type)
	relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
	relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)

	# satisfy the assertions: the rules above already reach the
	# binary policy type, so the dedicated interface is called explicitly
	seutil_relabelto_bin_policy($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_non_auth_files'($*)) dnl
')

########################################
## <summary>
##	Manage all configuration directories on filesystem
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`files_manage_config_dirs',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_config_dirs'($*)) dnl
	gen_require(`
		attribute configfile;
	')

	manage_dirs_pattern($1, configfile, configfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_config_dirs'($*)) dnl
')

########################################
## <summary>
##	Relabel configuration directories
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`files_relabel_config_dirs',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_config_dirs'($*)) dnl
	gen_require(`
		attribute configfile;
	')

	relabel_dirs_pattern($1, configfile, configfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_config_dirs'($*)) dnl
')

########################################
## <summary>
##	Read config files in /etc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_read_config_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_config_files'($*)) dnl
	gen_require(`
		attribute configfile;
	')

	allow $1 configfile:dir list_dir_perms;
	read_files_pattern($1, configfile, configfile)
	read_lnk_files_pattern($1, configfile, configfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_config_files'($*)) dnl
')

########################################
## <summary>
##	Manage all configuration files on filesystem
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`files_manage_config_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_config_files'($*)) dnl
	gen_require(`
		attribute configfile;
	')

	manage_files_pattern($1, configfile, configfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_config_files'($*)) dnl
')

########################################
## <summary>
##	Relabel configuration files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`files_relabel_config_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_config_files'($*)) dnl
	gen_require(`
		attribute configfile;
	')

	relabel_files_pattern($1, configfile, configfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_config_files'($*)) dnl
')

########################################
## <summary>
##	Mount a filesystem on all mount points.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_mounton_all_mountpoints',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_all_mountpoints'($*)) dnl
	gen_require(`
		attribute mountpoint;
	')

	# both directory and plain-file mount points (bind mounts) are covered
	allow $1 mountpoint:dir { search_dir_perms mounton };
	allow $1 mountpoint:file { getattr mounton };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_all_mountpoints'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of all mount points.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_getattr_all_mountpoints',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_mountpoints'($*)) dnl
	gen_require(`
		attribute mountpoint;
	')

	allow $1 mountpoint:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_mountpoints'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of all mount points.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_setattr_all_mountpoints',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_setattr_all_mountpoints'($*)) dnl
	gen_require(`
		attribute mountpoint;
	')

	allow $1 mountpoint:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_setattr_all_mountpoints'($*)) dnl
')

########################################
## <summary>
##	Relabel directories to the types of all mount points.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_relabelto_all_mountpoints',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelto_all_mountpoints'($*)) dnl
	gen_require(`
		attribute mountpoint;
	')

	allow $1 mountpoint:dir relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelto_all_mountpoints'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to set the attributes on all mount points.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_setattr_all_mountpoints',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_setattr_all_mountpoints'($*)) dnl
	gen_require(`
		attribute mountpoint;
	')

	dontaudit $1 mountpoint:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_setattr_all_mountpoints'($*)) dnl
')

########################################
## <summary>
##	Search all mount points.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_search_all_mountpoints',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_all_mountpoints'($*)) dnl
	gen_require(`
		attribute mountpoint;
	')

	allow $1 mountpoint:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_all_mountpoints'($*)) dnl
')

########################################
## <summary>
##	Do not audit searching of all mount points.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_search_all_mountpoints',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_all_mountpoints'($*)) dnl
	gen_require(`
		attribute mountpoint;
	')

	dontaudit $1 mountpoint:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_all_mountpoints'($*)) dnl
')

########################################
## <summary>
##	List all mount points.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_list_all_mountpoints',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_all_mountpoints'($*)) dnl
	gen_require(`
		attribute mountpoint;
	')

	allow $1 mountpoint:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_all_mountpoints'($*)) dnl
')

########################################
## <summary>
##	Do not audit listing of all mount points.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_list_all_mountpoints',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_all_mountpoints'($*)) dnl
	gen_require(`
		attribute mountpoint;
	')

	dontaudit $1 mountpoint:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_list_all_mountpoints'($*)) dnl
')

########################################
## <summary>
##	Write all mount points.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_write_all_mountpoints',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_write_all_mountpoints'($*)) dnl
	gen_require(`
		attribute mountpoint;
	')

	# bare write only: no add_name/remove_name, so no entry creation
	allow $1 mountpoint:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_write_all_mountpoints'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write to mount points.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_write_all_mountpoints',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_all_mountpoints'($*)) dnl
	gen_require(`
		attribute mountpoint;
	')

	# NOTE(review): the dac_read_search capability denial is silenced
	# together with the directory write -- presumably the same failed
	# access produces both audit records; confirm before relying on it
	dontaudit $1 self:capability { dac_read_search };
	dontaudit $1 mountpoint:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_all_mountpoints'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to unmount all mount points.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_unmount_all_mountpoints',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_unmount_all_mountpoints'($*)) dnl
	gen_require(`
		attribute mountpoint;
	')

	dontaudit $1 mountpoint:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_unmount_all_mountpoints'($*)) dnl
')

########################################
## <summary>
##	Read all mountpoint symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_read_all_mountpoint_symlinks',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_mountpoint_symlinks'($*)) dnl
	gen_require(`
		attribute mountpoint;
	')

	allow $1 mountpoint:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_mountpoint_symlinks'($*)) dnl
')

########################################
## <summary>
##	Use all mount point files as an entrypoint.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_entrypoint_all_mountpoint',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_entrypoint_all_mountpoint'($*)) dnl
	gen_require(`
		attribute mountpoint;
	')

	# entrypoint only; execute is not granted here
	allow $1 mountpoint:file entrypoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_entrypoint_all_mountpoint'($*)) dnl
')

########################################
## <summary>
##	Remove all file type directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_rmdir_all_dirs',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rmdir_all_dirs'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	allow $1 file_type:dir rmdir;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rmdir_all_dirs'($*)) dnl
')

########################################
## <summary>
##	Write all file type directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_write_all_dirs',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_write_all_dirs'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	# bare write only: no add_name/remove_name, so no entry creation
	allow $1 file_type:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_write_all_dirs'($*)) dnl
')

########################################
## <summary>
##	List the contents of the root directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_list_root',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_root'($*)) dnl
	gen_require(`
		type root_t;
	')

	allow $1 root_t:dir list_dir_perms;
	allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_root'($*)) dnl
')

########################################
## <summary>
##	Write to the root directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_write_root_dirs',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_write_root_dirs'($*)) dnl
	gen_require(`
		type root_t;
	')

	# this is an allow rule, not a dontaudit, despite the neighbouring names
	allow $1 root_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_write_root_dirs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write to / dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_write_root_dirs',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_root_dirs'($*)) dnl
	gen_require(`
		type root_t;
	')

	dontaudit $1 root_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_root_dirs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	the root directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_rw_root_dir',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_root_dir'($*)) dnl
	gen_require(`
		type root_t;
	')

	# directory permission set, so entry add/remove denials are silenced too
	dontaudit $1 root_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_root_dir'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to check the
##	access on root directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_access_check_root',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_access_check_root'($*)) dnl
	gen_require(`
		type root_t;
	')

	# covers every file-like class (dir_file_class_set), not only dir
	dontaudit $1 root_t:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_access_check_root'($*)) dnl
')

########################################
## <summary>
##	Create an object in the root directory, with a private
##	type using a type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class of the object being created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
##	</summary>
## </param>
#
define(`files_root_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_root_filetrans'($*)) dnl
	gen_require(`
		type root_t;
	')

	# $4 (object name) is optional; see filetrans_pattern.
	filetrans_pattern($1, root_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_root_filetrans'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read files in
##	the root directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_read_root_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_root_files'($*)) dnl
	gen_require(`
		type root_t;
	')

	dontaudit $1 root_t:file { getattr read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_read_root_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	files in the root directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_rw_root_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_root_files'($*)) dnl
	gen_require(`
		type root_t;
	')

	dontaudit $1 root_t:file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_root_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	character device nodes in the root directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_rw_root_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_root_chr_files'($*)) dnl
	gen_require(`
		type root_t;
	')

	dontaudit $1 root_t:chr_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_root_chr_files'($*)) dnl
')

########################################
## <summary>
##	Delete files in the root directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_delete_root_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_root_files'($*)) dnl
	gen_require(`
		type root_t;
	')

	# unlink only; removing the directory entry also needs dir permissions
	# (see files_delete_root_dir_entry).
	allow $1 root_t:file unlink;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_root_files'($*)) dnl
')

########################################
## <summary>
##	Remove entries from the root directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_delete_root_dir_entry',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_root_dir_entry'($*)) dnl
	gen_require(`
		type root_t;
	')

	# NOTE(review): rw_dir_perms also permits adding entries, which is wider
	# than the summary states; files_delete_etc_dir_entry uses
	# del_entry_dir_perms for the same purpose. Consider narrowing once it is
	# confirmed that no caller relies on add_name here.
	allow $1 root_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_root_dir_entry'($*)) dnl
')

########################################
## <summary>
##	Set attributes of the root directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_setattr_root_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_setattr_root_dirs'($*)) dnl
	gen_require(`
		type root_t;
	')

	allow $1 root_t:dir setattr_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_setattr_root_dirs'($*)) dnl
')

##########################################
## <summary>
##	Watch the root directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
define(`files_watch_root_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_root_dirs'($*)) dnl
	gen_require(`
		type root_t;
	')

	allow $1 root_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_root_dirs'($*)) dnl
')

##########################################
## <summary>
##	Watch_mount the root directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
define(`files_watch_mount_root_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_mount_root_dirs'($*)) dnl
	gen_require(`
		type root_t;
	')

	allow $1 root_t:dir watch_mount_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_mount_root_dirs'($*)) dnl
')

##########################################
## <summary>
##	Watch_with_perm the root directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
define(`files_watch_with_perm_root_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_with_perm_root_dirs'($*)) dnl
	gen_require(`
		type root_t;
	')

	allow $1 root_t:dir watch_with_perm_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_with_perm_root_dirs'($*)) dnl
')

########################################
## <summary>
##	Relabel a rootfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_relabel_rootfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_rootfs'($*)) dnl
	gen_require(`
		type root_t;
	')

	# Applies to the filesystem object labeled root_t, not to files within it.
	allow $1 root_t:filesystem relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_rootfs'($*)) dnl
')

########################################
## <summary>
##	Unmount a rootfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_unmount_rootfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_unmount_rootfs'($*)) dnl
	gen_require(`
		type root_t;
	')

	allow $1 root_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_unmount_rootfs'($*)) dnl
')

########################################
## <summary>
##	Mount a filesystem on the root file system
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_mounton_rootfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_rootfs'($*)) dnl
	gen_require(`
		type root_t;
	')

	# search_dir_perms is included so the mount point itself can be reached.
	allow $1 root_t:dir { search_dir_perms mounton };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_rootfs'($*)) dnl
')

########################################
## <summary>
##	Remount a filesystem on the root file system
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_remount_rootfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_remount_rootfs'($*)) dnl
	gen_require(`
		type root_t;
	')

	allow $1 root_t:filesystem { remount };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_remount_rootfs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to mount a filesystem
##	on the root file system.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_mounton_rootfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_mounton_rootfs'($*)) dnl
	gen_require(`
		type root_t;
	')

	# Silences denials only; the allowing variant is files_mounton_rootfs.
	dontaudit $1 root_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_mounton_rootfs'($*)) dnl
')

########################################
## <summary>
##	Get attributes of the /boot directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_getattr_boot_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_boot_dirs'($*)) dnl
	gen_require(`
		type boot_t;
	')

	allow $1 boot_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_boot_dirs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get attributes
##	of the /boot directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_getattr_boot_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_boot_dirs'($*)) dnl
	gen_require(`
		type boot_t;
	')

	dontaudit $1 boot_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_boot_dirs'($*)) dnl
')

########################################
## <summary>
##	Search the /boot directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_search_boot',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_boot'($*)) dnl
	gen_require(`
		type boot_t;
	')

	allow $1 boot_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_boot'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to search the /boot directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_search_boot',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_boot'($*)) dnl
	gen_require(`
		type boot_t;
	')

	dontaudit $1 boot_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_boot'($*)) dnl
')

########################################
## <summary>
##	List the /boot directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_list_boot',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_boot'($*)) dnl
	gen_require(`
		type boot_t;
	')

	allow $1 boot_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_boot'($*)) dnl
')

#######################################
## <summary>
##	Do not audit attempts to list the /boot directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_list_boot',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_boot'($*)) dnl
	gen_require(`
		type boot_t;
	')

	dontaudit $1 boot_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_list_boot'($*)) dnl
')

########################################
## <summary>
##	Create directories in /boot
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_create_boot_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_boot_dirs'($*)) dnl
	gen_require(`
		type boot_t;
	')

	allow $1 boot_t:dir { create rw_dir_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_boot_dirs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	directories in /boot.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_manage_boot_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_boot_dirs'($*)) dnl
	gen_require(`
		type boot_t;
	')

	allow $1 boot_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_boot_dirs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to manage entries
##	in the /boot directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_manage_boot_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_manage_boot_dirs'($*)) dnl
	gen_require(`
		type boot_t;
	')

	dontaudit $1 boot_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_manage_boot_dirs'($*)) dnl
')

########################################
## <summary>
##	Watch directories in /boot.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_watch_boot_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_boot_dirs'($*)) dnl
	gen_require(`
		type boot_t;
	')

	allow $1 boot_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_boot_dirs'($*)) dnl
')

########################################
## <summary>
##	Watch_mount directories in /boot.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_watch_mount_boot_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_mount_boot_dirs'($*)) dnl
	gen_require(`
		type boot_t;
	')

	allow $1 boot_t:dir watch_mount_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_mount_boot_dirs'($*)) dnl
')

########################################
## <summary>
##	Watch_with_perm directories in /boot.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_watch_with_perm_boot_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_with_perm_boot_dirs'($*)) dnl
	gen_require(`
		type boot_t;
	')

	allow $1 boot_t:dir watch_with_perm_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_with_perm_boot_dirs'($*)) dnl
')

########################################
## <summary>
##	Create a private type object in boot
##	with an automatic type transition
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class of the object being created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`files_boot_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_boot_filetrans'($*)) dnl
	gen_require(`
		type boot_t;
	')

	# $4 (object name) is optional; see filetrans_pattern.
	filetrans_pattern($1, boot_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_boot_filetrans'($*)) dnl
')

########################################
## <summary>
##	Read files in the /boot directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`files_read_boot_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_boot_files'($*)) dnl
	gen_require(`
		type boot_t;
	')

	read_files_pattern($1, boot_t, boot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_boot_files'($*)) dnl
')

######################################
## <summary>
##	Map files in the /boot.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_map_boot_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_map_boot_files'($*)) dnl
	gen_require(`
		type boot_t;
	')

	# map only; pair with files_read_boot_files for read access.
	allow $1 boot_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_map_boot_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete files
##	in the /boot directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`files_manage_boot_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_boot_files'($*)) dnl
	gen_require(`
		type boot_t;
	')

	manage_files_pattern($1, boot_t, boot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_boot_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to create, read, write,
##	and delete files in the /boot directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`files_dontaudit_manage_boot_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_manage_boot_files'($*)) dnl
	gen_require(`
		type boot_t;
	')

	# Only the file class is silenced; directory denials are still audited.
	dontaudit $1 boot_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_manage_boot_files'($*)) dnl
')

########################################
## <summary>
##	Relabel from files in the /boot directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_relabelfrom_boot_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelfrom_boot_files'($*)) dnl
	gen_require(`
		type boot_t;
	')

	relabelfrom_files_pattern($1, boot_t, boot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelfrom_boot_files'($*)) dnl
')

########################################
## <summary>
##	Relabel to files in the /boot directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_relabelto_boot_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelto_boot_files'($*)) dnl
	gen_require(`
		type boot_t;
	')

	relabelto_files_pattern($1, boot_t, boot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelto_boot_files'($*)) dnl
')

######################################
## <summary>
##	Read symbolic links in the /boot directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_read_boot_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_boot_symlinks'($*)) dnl
	gen_require(`
		type boot_t;
	')

	read_lnk_files_pattern($1, boot_t, boot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_boot_symlinks'($*)) dnl
')

########################################
## <summary>
##	Read and write symbolic links
##	in the /boot directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_rw_boot_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_boot_symlinks'($*)) dnl
	gen_require(`
		type boot_t;
	')

	allow $1 boot_t:dir list_dir_perms;
	rw_lnk_files_pattern($1, boot_t, boot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_boot_symlinks'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete symbolic links
##	in the /boot directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_manage_boot_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_boot_symlinks'($*)) dnl
	gen_require(`
		type boot_t;
	')

	manage_lnk_files_pattern($1, boot_t, boot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_boot_symlinks'($*)) dnl
')

########################################
## <summary>
##	Read kernel files in the /boot directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_read_kernel_img',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_kernel_img'($*)) dnl
	gen_require(`
		type boot_t;
	')

	allow $1 boot_t:dir list_dir_perms;
	read_files_pattern($1, boot_t, boot_t)
	read_lnk_files_pattern($1, boot_t, boot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_kernel_img'($*)) dnl
')

########################################
## <summary>
##	Install a kernel into the /boot directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`files_create_kernel_img',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_kernel_img'($*)) dnl
	gen_require(`
		type boot_t;
	')

	# Grants write to boot_t files, i.e. the kernel image itself; callers
	# are expected to be the kernel installer domains only.
	allow $1 boot_t:file { create_file_perms rw_file_perms };
	manage_lnk_files_pattern($1, boot_t, boot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_kernel_img'($*)) dnl
')

########################################
## <summary>
##	Delete a kernel from /boot.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`files_delete_kernel',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_kernel'($*)) dnl
	gen_require(`
		type boot_t;
	')

	delete_files_pattern($1, boot_t, boot_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_kernel'($*)) dnl
')

########################################
## <summary>
##	Getattr of directories with the default file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_getattr_default_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_default_dirs'($*)) dnl
	gen_require(`
		type default_t;
	')

	allow $1 default_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_default_dirs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes of
##	directories with the default file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_getattr_default_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_default_dirs'($*)) dnl
	gen_require(`
		type default_t;
	')

	dontaudit $1 default_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_default_dirs'($*)) dnl
')

########################################
## <summary>
##	Search the contents of directories with the default file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_search_default',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_default'($*)) dnl
	gen_require(`
		type default_t;
	')

	allow $1 default_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_default'($*)) dnl
')

########################################
## <summary>
##	List contents of directories with the default file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_list_default',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_default'($*)) dnl
	gen_require(`
		type default_t;
	')

	allow $1 default_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_default'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to list contents of
##	directories with the default file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_list_default',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_default'($*)) dnl
	gen_require(`
		type default_t;
	')

	dontaudit $1 default_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_list_default'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete directories with
##	the default file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_manage_default_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_default_dirs'($*)) dnl
	gen_require(`
		type default_t;
	')

	manage_dirs_pattern($1, default_t, default_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_default_dirs'($*)) dnl
')

########################################
## <summary>
##	Mount a filesystem on a directory with the default file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_mounton_default',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_default'($*)) dnl
	gen_require(`
		type default_t;
	')

	allow $1 default_t:dir { search_dir_perms mounton };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_default'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes of
##	files with the default file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_getattr_default_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_default_files'($*)) dnl
	gen_require(`
		type default_t;
	')

	dontaudit $1 default_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_default_files'($*)) dnl
')

########################################
## <summary>
##	Read files with the default file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_read_default_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_default_files'($*)) dnl
	gen_require(`
		type default_t;
	')

	# default_t is the label of otherwise-unlabeled content; read access to
	# it is deliberately not part of any broader interface.
	allow $1 default_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_default_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read files
##	with the default file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_read_default_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_default_files'($*)) dnl
	gen_require(`
		type default_t;
	')

	dontaudit $1 default_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_read_default_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete files with
##	the default file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_manage_default_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_default_files'($*)) dnl
	gen_require(`
		type default_t;
	')

	manage_files_pattern($1, default_t, default_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_default_files'($*)) dnl
')

########################################
## <summary>
##	Read symbolic links with the default file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_read_default_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_default_symlinks'($*)) dnl
	gen_require(`
		type default_t;
	')

	allow $1 default_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_default_symlinks'($*)) dnl
')

########################################
## <summary>
##	Read sockets with the default file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_read_default_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_default_sockets'($*)) dnl
	gen_require(`
		type default_t;
	')

	allow $1 default_t:sock_file read_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_default_sockets'($*)) dnl
')

########################################
## <summary>
##	Read named pipes with the default file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_read_default_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_default_pipes'($*)) dnl
	gen_require(`
		type default_t;
	')

	allow $1 default_t:fifo_file read_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_default_pipes'($*)) dnl
')

########################################
## <summary>
##	Mounton directories on filesystem /etc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_mounton_etc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_etc'($*)) dnl
	gen_require(`
		type etc_t;
	')

	# mounton only; unlike files_mounton_rootfs this does not add search.
	allow $1 etc_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_etc'($*)) dnl
')

########################################
## <summary>
##	Search the contents of /etc directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_search_etc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_etc'($*)) dnl
	gen_require(`
		type etc_t;
	')

	allow $1 etc_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_etc'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of the /etc directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_setattr_etc_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_setattr_etc_dirs'($*)) dnl
	gen_require(`
		type etc_t;
	')

	allow $1 etc_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_setattr_etc_dirs'($*)) dnl
')

########################################
## <summary>
##	List the contents of /etc directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_list_etc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_etc'($*)) dnl
	gen_require(`
		type etc_t;
	')

	allow $1 etc_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_etc'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write to /etc dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_write_etc_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_etc_dirs'($*)) dnl
	gen_require(`
		type etc_t;
	')

	dontaudit $1 etc_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_etc_dirs'($*)) dnl
')

########################################
## <summary>
##	Add and remove entries from /etc directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_rw_etc_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_etc_dirs'($*)) dnl
	gen_require(`
		type etc_t;
	')

	allow $1 etc_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_etc_dirs'($*)) dnl
')

#######################################
## <summary>
##	Do not audit attempts to remove /etc directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_remove_etc_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_remove_etc_dir'($*)) dnl
	gen_require(`
		type etc_t;
	')

	dontaudit $1 etc_t:dir rmdir;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_remove_etc_dir'($*)) dnl
')

##########################################
## <summary>
##	Manage generic directories in /etc
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
##
#
define(`files_manage_etc_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_etc_dirs'($*)) dnl
	gen_require(`
		type etc_t;
	')

	manage_dirs_pattern($1, etc_t, etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_etc_dirs'($*)) dnl
')

########################################
## <summary>
##	Read generic files in /etc.
## </summary>
## <desc>
##	<p>

##	Allow the specified domain to read generic
##	files in /etc. These files are typically
##	general system configuration files that do
##	not have more specific SELinux types. Some
##	examples of these files are:
##	</p>
##	<ul>
##		<li>/etc/fstab</li>
##		<li>/etc/passwd</li>
##		<li>/etc/services</li>
##		<li>/etc/shells</li>
##	</ul>
##	<p>
##	This interface does not include access to /etc/shadow.
##	</p>
##	<p>
##	Generally, it is safe for many domains to have
##	this access. However, since this interface provides
##	access to the /etc/passwd file, caution must be
##	exercised, as user account names can be leaked
##	through this access.
##	</p>
##	<p>
##	Related interfaces:
##	</p>
##	<ul>
##		<li>auth_read_shadow()</li>
##		<li>files_read_etc_runtime_files()</li>
##		<li>seutil_read_config()</li>
##	</ul>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`files_read_etc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_etc_files'($*)) dnl
	gen_require(`
		type etc_t;
	')

	allow $1 etc_t:dir list_dir_perms;
	read_files_pattern($1, etc_t, etc_t)
	read_lnk_files_pattern($1, etc_t, etc_t)
	# Also pulls in the runtime /etc files; that interface is defined elsewhere.
	files_read_etc_runtime_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_etc_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write generic files in /etc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_write_etc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_etc_files'($*)) dnl
	gen_require(`
		type etc_t;
	')

	dontaudit $1 etc_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_etc_files'($*)) dnl
')

########################################
## <summary>
##	Read and write generic files in /etc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`files_rw_etc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_etc_files'($*)) dnl
	gen_require(`
		type etc_t;
	')

	# Write access to generic system configuration; unlike files_read_etc_files
	# this does not include the runtime /etc files.
	allow $1 etc_t:dir list_dir_perms;
	rw_files_pattern($1, etc_t, etc_t)
	read_lnk_files_pattern($1, etc_t, etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_etc_files'($*)) dnl
')

########################################
## <summary>
##	Map and read generic files in /etc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# mmap read only; no directory listing is granted here, so callers that
# also need to search /etc combine this with files_read_etc_files.
#
define(`files_map_read_etc_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_map_read_etc_files'($*))dnl
	gen_require(`
		type etc_t;
	')

	mmap_read_files_pattern($1, etc_t, etc_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_map_read_etc_files'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete generic
##	files in /etc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# NOTE(review): this is the strongest generic /etc access: the domain can
# create, replace and unlink any etc_t file, which covers the account
# database named in the files_read_etc_files description.  Files the
# domain creates here get etc_t unless a type_transition says otherwise.
#
define(`files_manage_etc_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_manage_etc_files'($*))dnl
	gen_require(`
		type etc_t;
	')

	manage_files_pattern($1, etc_t, etc_t)
	read_lnk_files_pattern($1, etc_t, etc_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_manage_etc_files'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to check the
##	access on etc files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_access_check_etc',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_dontaudit_access_check_etc'($*))dnl
	gen_require(`
		type etc_t;
	')

	dontaudit $1 etc_t:dir_file_class_set audit_access;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_dontaudit_access_check_etc'($*))dnl
')

########################################
## <summary>
##	Delete system configuration files in /etc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_delete_etc_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_delete_etc_files'($*))dnl
	gen_require(`
		type etc_t;
	')

	delete_files_pattern($1, etc_t, etc_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_delete_etc_files'($*))dnl
')

########################################
## <summary>
##	Remove entries from the etc directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Directory-side permission only: removing an object still requires the
# matching permission on the object itself (for example unlink on the file).
#
define(`files_delete_etc_dir_entry',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_delete_etc_dir_entry'($*))dnl
	gen_require(`
		type etc_t;
	')

	allow $1 etc_t:dir del_entry_dir_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_delete_etc_dir_entry'($*))dnl
')

########################################
## <summary>
##	Execute generic files in /etc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Execution happens in the calling domain (no transition).  Anything a
# writer of etc_t can plant in /etc therefore runs with the callers
# privileges; pair this with files_rw_etc_files only with care.
#
define(`files_exec_etc_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_exec_etc_files'($*))dnl
	gen_require(`
		type etc_t;
	')

	allow $1 etc_t:dir list_dir_perms;
	read_lnk_files_pattern($1, etc_t, etc_t)
	exec_files_pattern($1, etc_t, etc_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_exec_etc_files'($*))dnl
')

########################################
## <summary>
##	Relabel from and to generic files in /etc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): relabelfrom on etc_t lets the domain move configuration
# files out of the etc_t label to any type it holds relabelto for, which
# removes whatever protection that label gave.  Keep this to domains that
# actually restore file contexts.
#
define(`files_relabel_etc_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_relabel_etc_files'($*))dnl
	gen_require(`
		type etc_t;
	')

	allow $1 etc_t:dir list_dir_perms;
	relabel_files_pattern($1, etc_t, etc_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_relabel_etc_files'($*))dnl
')

########################################
## <summary>
##	Read symbolic links in /etc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_read_etc_symlinks',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_read_etc_symlinks'($*))dnl
	gen_require(`
		type etc_t;
	')

	read_lnk_files_pattern($1, etc_t, etc_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_read_etc_symlinks'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete symbolic links in /etc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): a domain that can create arbitrary symlinks in /etc can
# redirect where other (more privileged) domains read or write their
# configuration; DAC and symlink restrictions of the kernel still apply,
# but this interface should not be handed out casually.
#
define(`files_manage_etc_symlinks',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_manage_etc_symlinks'($*))dnl
	gen_require(`
		type etc_t;
	')

	manage_lnk_files_pattern($1, etc_t, etc_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_manage_etc_symlinks'($*))dnl
')

########################################
## <summary>
##	Create objects in /etc with a private
##	type using a type_transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	Private file type.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Object classes to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
# This is the preferred alternative to files_manage_etc_files for a domain
# that owns a few files under /etc: the new objects land in the private
# type rather than in generic etc_t.
#
define(`files_etc_filetrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_etc_filetrans'($*))dnl
	gen_require(`
		type etc_t;
	')

	filetrans_pattern($1, etc_t, $2, $3, $4)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_etc_filetrans'($*))dnl
')

########################################
## <summary>
##	Watch generic directories in /etc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_watch_etc_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_watch_etc_dirs'($*))dnl
	gen_require(`
		type etc_t;
	')

	allow $1 etc_t:dir watch_dir_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_watch_etc_dirs'($*))dnl
')

########################################
## <summary>
##	Watch generic files in /etc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_watch_etc_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_watch_etc_files'($*))dnl
	gen_require(`
		type etc_t;
	')

	allow $1 etc_t:file watch_file_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_watch_etc_files'($*))dnl
')

########################################
## <summary>
##	Create a boot flag.
## </summary>
## <desc>
##	<p>
##	Create a boot flag, such as
##	/.autorelabel and /.autofsck.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
## <rolecap/>
#
# NOTE(review): the file permission granted here is manage_file_perms on
# every etc_runtime_t file, not just on the named flag; the name only
# selects which object in / gets the etc_runtime_t type.  A caller can
# therefore also rewrite the boot-time files in /etc carrying that type.
# Creating /.autorelabel changes what the next boot does, so restrict
# this to trusted administrative domains.
#
define(`files_create_boot_flag',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_create_boot_flag'($*))dnl
	gen_require(`
		type root_t, etc_runtime_t;
	')

	allow $1 etc_runtime_t:file manage_file_perms;
	filetrans_pattern($1, root_t, etc_runtime_t, file, $2)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_create_boot_flag'($*))dnl
')

########################################
## <summary>
##	Delete a boot flag.
## </summary>
## <desc>
##	<p>
##	Delete a boot flag, such as
##	/.autorelabel and /.autofsck.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# Only etc_runtime_t files directly under root_t are covered, so this is
# narrower than files_create_boot_flag.
#
define(`files_delete_boot_flag',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_delete_boot_flag'($*))dnl
	gen_require(`
		type root_t, etc_runtime_t;
	')

	delete_files_pattern($1, root_t, etc_runtime_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_delete_boot_flag'($*))dnl
')

########################################
## <summary>
##	Read files in /etc that are dynamically
##	created on boot, such as mtab.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to read dynamically created
##	configuration files in /etc.  These files are typically
##	general system configuration files that do
##	not have more specific SELinux types.  Some
##	examples of these files are:
##	</p>
##	<ul>
##		<li>/etc/motd</li>
##		<li>/etc/mtab</li>
##		<li>/etc/nologin</li>
##	</ul>
##	<p>
##	This interface does not include access to /etc/shadow.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`files_read_etc_runtime_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_read_etc_runtime_files'($*))dnl
	gen_require(`
		type etc_t, etc_runtime_t;
	')

	allow $1 etc_t:dir list_dir_perms;
	read_files_pattern($1, etc_t, etc_runtime_t)
	read_lnk_files_pattern($1, etc_t, etc_runtime_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_read_etc_runtime_files'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to set the attributes
##	of the etc_runtime files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_setattr_etc_runtime_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_dontaudit_setattr_etc_runtime_files'($*))dnl
	gen_require(`
		type etc_runtime_t;
	')

	dontaudit $1 etc_runtime_t:file setattr;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_dontaudit_setattr_etc_runtime_files'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to write etc_runtime files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_write_etc_runtime_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_etc_runtime_files'($*))dnl
	gen_require(`
		type etc_runtime_t;
	')

	dontaudit $1 etc_runtime_t:file write;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_dontaudit_write_etc_runtime_files'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to read files
##	in /etc that are dynamically
##	created on boot, such as mtab.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_read_etc_runtime_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_etc_runtime_files'($*))dnl
	gen_require(`
		type etc_runtime_t;
	')

	dontaudit $1 etc_runtime_t:file { getattr read };
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_dontaudit_read_etc_runtime_files'($*))dnl
')

########################################
## <summary>
##	Read and write files in /etc that are dynamically
##	created on boot, such as mtab.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# NOTE(review): the symlink rule here is for etc_t links, whereas
# files_read_etc_runtime_files grants etc_runtime_t links.  This is the
# existing behaviour and is kept as-is, but callers that need to follow
# etc_runtime_t symlinks must add files_read_etc_runtime_files as well.
#
define(`files_rw_etc_runtime_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_rw_etc_runtime_files'($*))dnl
	gen_require(`
		type etc_t, etc_runtime_t;
	')

	allow $1 etc_t:dir list_dir_perms;
	rw_files_pattern($1, etc_t, etc_runtime_t)
	read_lnk_files_pattern($1, etc_t, etc_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_rw_etc_runtime_files'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete files in
##	/etc that are dynamically created on boot,
##	such as mtab.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# Directories and files may be created under either etc_t or
# etc_runtime_t containers; new objects are managed as etc_runtime_t.
# Note that this includes creating directories directly in /etc.
#
define(`files_manage_etc_runtime_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_manage_etc_runtime_files'($*))dnl
	gen_require(`
		type etc_t, etc_runtime_t;
	')

	manage_dirs_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
	read_lnk_files_pattern($1, etc_t, etc_runtime_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_manage_etc_runtime_files'($*))dnl
')

########################################
## <summary>
##	Create etc runtime objects with an automatic
##	type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object being created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`files_etc_filetrans_etc_runtime',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_etc_filetrans_etc_runtime'($*))dnl
	gen_require(`
		type etc_t, etc_runtime_t;
	')

	filetrans_pattern($1, etc_t, etc_runtime_t, $2, $3)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_etc_filetrans_etc_runtime'($*))dnl
')

########################################
## <summary>
##	Getattr of directories on new filesystems
##	that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_getattr_isid_type_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_getattr_isid_type_dirs'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:dir getattr;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_getattr_isid_type_dirs'($*))dnl
')

########################################
## <summary>
##	Getattr all file objects on new filesystems
##	that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Covers every class in dir_file_class_set, not only directories.
#
define(`files_getattr_isid_type',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_getattr_isid_type'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:dir_file_class_set getattr;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_getattr_isid_type'($*))dnl
')

########################################
## <summary>
##	Setattr of directories on new filesystems
##	that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_setattr_isid_type_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_setattr_isid_type_dirs'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:dir setattr;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_setattr_isid_type_dirs'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to search directories on new filesystems
##	that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_search_isid_type_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_isid_type_dirs'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	dontaudit $1 unlabeled_t:dir search_dir_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_dontaudit_search_isid_type_dirs'($*))dnl
')

########################################
## <summary>
##	List the contents of directories on new filesystems
##	that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_list_isid_type_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_list_isid_type_dirs'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:dir list_dir_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_list_isid_type_dirs'($*))dnl
')

########################################
## <summary>
##	Read and write directories on new filesystems
##	that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_rw_isid_type_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_rw_isid_type_dirs'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:dir rw_dir_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_rw_isid_type_dirs'($*))dnl
')

########################################
## <summary>
##	Delete directories on new filesystems
##	that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_delete_isid_type_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_delete_isid_type_dirs'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	delete_dirs_pattern($1, unlabeled_t, unlabeled_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_delete_isid_type_dirs'($*))dnl
')

########################################
## <summary>
##	Execute files on new filesystems
##	that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): unlabeled_t is the initial-SID type carried by any object
# that has no usable label, not only files on freshly created filesystems.
# Executing such content in the callers own domain (can_exec performs no
# transition) means running code the policy knows nothing about; limit
# this to domains that genuinely must run it.
#
define(`files_exec_isid_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_exec_isid_files'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	can_exec($1, unlabeled_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_exec_isid_files'($*))dnl
')

########################################
## <summary>
##	Mount on directories on new filesystems
##	that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
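##	</summary>
## </param>
#
define(`files_mounton_isid',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_mounton_isid'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:dir mounton;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_mounton_isid'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to relabel from all file
##	objects on new filesystems that have not yet
##	been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# NOTE(review): the previous summary advertised this as granting
# relabelfrom, but the rule is (and always was) a dontaudit: no access is
# given, denials are merely silenced.  The documentation is corrected
# rather than the rule, since allowing relabelfrom on unlabeled_t would be
# a privilege change.  Callers that really need to relabel unlabeled
# objects must use a dedicated allow rule.
#
define(`files_relabelfrom_isid_type',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_relabelfrom_isid_type'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_relabelfrom_isid_type'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete directories
##	on new filesystems that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_manage_isid_type_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_manage_isid_type_dirs'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:dir manage_dir_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_manage_isid_type_dirs'($*))dnl
')

########################################
## <summary>
##	Mount a filesystem on a directory on new filesystems
##	that has not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.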
##	</summary>
## </param>
#
# Unlike files_mounton_isid this also grants search on the directory.
#
define(`files_mounton_isid_type_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_mounton_isid_type_dirs'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:dir { search_dir_perms mounton };
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_mounton_isid_type_dirs'($*))dnl
')

########################################
## <summary>
##	Mount a filesystem on a new chr_file
##	that has not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_mounton_isid_type_chr_file',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_mounton_isid_type_chr_file'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:chr_file mounton;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_mounton_isid_type_chr_file'($*))dnl
')

########################################
## <summary>
##	Read files on new filesystems
##	that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_read_isid_type_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_read_isid_type_files'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:file read_file_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_read_isid_type_files'($*))dnl
')

########################################
## <summary>
##	Delete files on new filesystems
##	that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_delete_isid_type_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_delete_isid_type_files'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	delete_files_pattern($1, unlabeled_t, unlabeled_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_delete_isid_type_files'($*))dnl
')

########################################
## <summary>
##	Delete symbolic links on new filesystems
##	that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_delete_isid_type_symlinks',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_delete_isid_type_symlinks'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	delete_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_delete_isid_type_symlinks'($*))dnl
')

########################################
## <summary>
##	Delete named pipes on new filesystems
##	that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_delete_isid_type_fifo_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_delete_isid_type_fifo_files'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	delete_fifo_files_pattern($1, unlabeled_t, unlabeled_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_delete_isid_type_fifo_files'($*))dnl
')

########################################
## <summary>
##	Delete named sockets on new filesystems
##	that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_delete_isid_type_sock_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_delete_isid_type_sock_files'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	delete_sock_files_pattern($1, unlabeled_t, unlabeled_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_delete_isid_type_sock_files'($*))dnl
')

########################################
## <summary>
##	Delete block files on new filesystems
##	that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_delete_isid_type_blk_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_delete_isid_type_blk_files'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	delete_blk_files_pattern($1, unlabeled_t, unlabeled_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_delete_isid_type_blk_files'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to write to character
##	files that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_write_isid_chr_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_isid_chr_files'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	dontaudit $1 unlabeled_t:chr_file write;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_dontaudit_write_isid_chr_files'($*))dnl
')

########################################
## <summary>
##	Delete chr files on new filesystems
##	that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_delete_isid_type_chr_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_delete_isid_type_chr_files'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	delete_chr_files_pattern($1, unlabeled_t, unlabeled_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_delete_isid_type_chr_files'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete files
##	on new filesystems that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# File-class permissions only; directory access on unlabeled_t has to
# come from one of the *_isid_type_dirs interfaces.
#
define(`files_manage_isid_type_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_manage_isid_type_files'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:file manage_file_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_manage_isid_type_files'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete symbolic links
##	on new filesystems that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_manage_isid_type_symlinks',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_manage_isid_type_symlinks'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:lnk_file manage_lnk_file_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_manage_isid_type_symlinks'($*))dnl
')

########################################
## <summary>
##	Read and write block device nodes on new filesystems
##	that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): read/write on a block device node is raw access to the
# underlying storage.  Because unlabeled_t is a catch-all for objects
# without a label, this should only go to domains that already handle
# block devices (filesystem tools, installers), never to general services.
#
define(`files_rw_isid_type_blk_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_rw_isid_type_blk_files'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:blk_file rw_blk_file_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_rw_isid_type_blk_files'($*))dnl
')

########################################
## <summary>
##	Read and write any files inherited from another process
##	on new filesystems that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Inherited descriptors only (no open permission), so the domain cannot
# reach new unlabeled_t files by itself.
#
define(`files_rw_inherited_isid_type_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_rw_inherited_isid_type_files'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:file rw_inherited_file_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_rw_inherited_isid_type_files'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete block device nodes
##	on new filesystems that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): creating device nodes (mknod) is a privileged operation;
# a domain with this access can mint a node for any block device.  The
# same caution as for files_rw_isid_type_blk_files applies.
#
define(`files_manage_isid_type_blk_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_manage_isid_type_blk_files'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:blk_file manage_blk_file_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_manage_isid_type_blk_files'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete character device nodes
##	on new filesystems that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
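##	</summary>
## </param>
#
# NOTE(review): as with the block-device variant, this allows creating
# arbitrary character device nodes under the unlabeled_t catch-all type.
# Restrict to device-management domains.
#
define(`files_manage_isid_type_chr_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_manage_isid_type_chr_files'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:chr_file manage_chr_file_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_manage_isid_type_chr_files'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to mount on directories
##	on new filesystems that have not yet been labeled.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# The parameter was previously documented as "Domain allowed access",
# which is wrong for a dontaudit interface: nothing is granted here.
#
define(`files_dontaudit_mounton_isid',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_dontaudit_mounton_isid'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	dontaudit $1 unlabeled_t:dir mounton;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_dontaudit_mounton_isid'($*))dnl
')

########################################
## <summary>
##	Get the attributes of the home directories root
##	(/home).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Covers both a real /home directory and a symlink standing in for it.
#
define(`files_getattr_home_dir',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_getattr_home_dir'($*))dnl
	gen_require(`
		type home_root_t;
	')

	allow $1 home_root_t:dir getattr;
	allow $1 home_root_t:lnk_file getattr;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_getattr_home_dir'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to get the
##	attributes of the home directories root
##	(/home).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.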
##	</summary>
## </param>
#
define(`files_dontaudit_getattr_home_dir',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_home_dir'($*))dnl
	gen_require(`
		type home_root_t;
	')

	dontaudit $1 home_root_t:dir getattr;
	dontaudit $1 home_root_t:lnk_file getattr;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_home_dir'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to check the
##	access on home root directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_access_check_home_dir',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_dontaudit_access_check_home_dir'($*))dnl
	gen_require(`
		type home_root_t;
	')

	dontaudit $1 home_root_t:dir_file_class_set audit_access;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_dontaudit_access_check_home_dir'($*))dnl
')

########################################
## <summary>
##	Create /home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Directories created this way stay home_root_t; a type_transition to a
# per-user home type has to be set up by the caller.
#
define(`files_create_home_dir',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_create_home_dir'($*))dnl
	gen_require(`
		type home_root_t;
	')

	create_dirs_pattern($1, home_root_t, home_root_t)
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_create_home_dir'($*))dnl
')

########################################
## <summary>
##	Search home directories root (/home).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_search_home',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_search_home'($*))dnl
	gen_require(`
		type home_root_t;
	')

	allow $1 home_root_t:dir search_dir_perms;
	allow $1 home_root_t:lnk_file read_lnk_file_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_search_home'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to search
##	home directories root (/home).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_search_home',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_home'($*))dnl
	gen_require(`
		type home_root_t;
	')

	dontaudit $1 home_root_t:dir search_dir_perms;
	dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_dontaudit_search_home'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to list
##	home directories root (/home).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_list_home',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_home'($*))dnl
	gen_require(`
		type home_root_t;
	')

	dontaudit $1 home_root_t:dir list_dir_perms;
	dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_dontaudit_list_home'($*))dnl
')

########################################
## <summary>
##	Get listing of home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Listing /home reveals the set of local user names; treat like
# files_read_etc_files with respect to account enumeration.
#
define(`files_list_home',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_list_home'($*))dnl
	gen_require(`
		type home_root_t;
	')

	allow $1 home_root_t:dir list_dir_perms;
	allow $1 home_root_t:lnk_file read_lnk_file_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_list_home'($*))dnl
')

########################################
## <summary>
##	Watch home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_watch_home',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_watch_home'($*))dnl
	gen_require(`
		type home_root_t;
	')

	allow $1 home_root_t:dir watch_dir_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_watch_home'($*))dnl
')

########################################
## <summary>
##	Watch_mount home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_watch_mount_home',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_watch_mount_home'($*))dnl
	gen_require(`
		type home_root_t;
	')

	allow $1 home_root_t:dir watch_mount_dir_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_watch_mount_home'($*))dnl
')

########################################
## <summary>
##	Watch_with_perm home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# watch_with_perm lets the watcher block access by others until it
# replies (fanotify permission events); hand out more carefully than a
# plain watch.
#
define(`files_watch_with_perm_home',`
	pushdef(`policy_call_depth',incr(policy_call_depth))dnl
	policy_m4_comment(policy_call_depth,begin `files_watch_with_perm_home'($*))dnl
	gen_require(`
		type home_root_t;
	')

	allow $1 home_root_t:dir watch_with_perm_dir_perms;
	popdef(`policy_call_depth')dnl
	policy_m4_comment(policy_call_depth,end `files_watch_with_perm_home'($*))dnl
')

########################################
## <summary>
##	Relabel to user home root (/home).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##
#
# files_relabelto_home: only the relabelto half on the dir class; the
# caller still needs relabelfrom on the source type to change a label.
define(`files_relabelto_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelto_home'($*)) dnl
gen_require(`
	type home_root_t;
')
	allow $1 home_root_t:dir relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelto_home'($*)) dnl
')

########################################
##
## Create objects in /home.
##
##   $1: Domain allowed access.
##   $2: The private type.
##   $3: The class of the object being created.
##   $4: The name of the object being created.
##
#
# Automatic type transition for objects $1 creates directly in /home.
# $4 is optional (filetrans_pattern takes an optional name); when given,
# only objects with that exact name get the $2 label. $2 should be a
# type private to the caller, not home_root_t itself.
define(`files_home_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_home_filetrans'($*)) dnl
gen_require(`
	type home_root_t;
')
	filetrans_pattern($1, home_root_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_home_filetrans'($*)) dnl
')

########################################
##
## Get the attributes of lost+found directories.
##
##   $1: Domain allowed access.
##
#
# stat() only on lost_found_t directories; no search or listing.
define(`files_getattr_lost_found_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_lost_found_dirs'($*)) dnl
gen_require(`
	type lost_found_t;
')
	allow $1 lost_found_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_lost_found_dirs'($*)) dnl
')

########################################
##
## Do not audit attempts to get the attributes of
## lost+found directories.
##
##   $1: Domain to not audit.
##
#
# Suppress the getattr denial on lost_found_t directories (typical for
# recursive scanners that stat every top-level entry of a filesystem).
define(`files_dontaudit_getattr_lost_found_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_lost_found_dirs'($*)) dnl
gen_require(`
	type lost_found_t;
')
	dontaudit $1 lost_found_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_lost_found_dirs'($*)) dnl
')

#######################################
##
## List the contents of lost+found directories.
##
##   $1: Domain allowed access.
##
#
# Read-only listing of lost_found_t. Recovered fragments can hold data
# from any file on the filesystem, so treat this like reading raw disk.
define(`files_list_lost_found',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_lost_found'($*)) dnl
gen_require(`
	type lost_found_t;
')
	allow $1 lost_found_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_lost_found'($*)) dnl
')

########################################
##
## Create, read, write, and delete objects in
## lost+found directories.
##
##   $1: Domain allowed access.
##
#
# Full manage over every object class fsck can drop into lost+found
# (dirs, regular files, symlinks, fifos, sockets), all labelled
# lost_found_t. Intended for filesystem-repair tooling; for anything
# else prefer the list interface above.
define(`files_manage_lost_found',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_lost_found'($*)) dnl
gen_require(`
	type lost_found_t;
')
	manage_dirs_pattern($1, lost_found_t, lost_found_t)
	manage_files_pattern($1, lost_found_t, lost_found_t)
	manage_lnk_files_pattern($1, lost_found_t, lost_found_t)
	manage_fifo_files_pattern($1, lost_found_t, lost_found_t)
	manage_sock_files_pattern($1, lost_found_t, lost_found_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_lost_found'($*)) dnl
')

########################################
##
## Search the contents of /mnt.
##
##   $1: Domain allowed access.
##
#
# files_search_mnt: traverse /mnt (mnt_t) to reach mount points below it.
# Does not grant anything on the mounted filesystems themselves.
define(`files_search_mnt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_mnt'($*)) dnl
gen_require(`
	type mnt_t;
')
	allow $1 mnt_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_mnt'($*)) dnl
')

########################################
##
## Do not audit attempts to search /mnt.
##
##   $1: Domain to not audit.
##
#
define(`files_dontaudit_search_mnt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_mnt'($*)) dnl
gen_require(`
	type mnt_t;
')
	dontaudit $1 mnt_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_mnt'($*)) dnl
')

########################################
##
## List the contents of /mnt.
##
##   $1: Domain allowed access.
##
#
define(`files_list_mnt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_mnt'($*)) dnl
gen_require(`
	type mnt_t;
')
	allow $1 mnt_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_mnt'($*)) dnl
')

######################################
##
## Do not audit attempts to list the contents of /mnt.
##
##   $1: Domain to not audit.
##
#
define(`files_dontaudit_list_mnt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_mnt'($*)) dnl
gen_require(`
	type mnt_t;
')
	dontaudit $1 mnt_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_list_mnt'($*)) dnl
')

########################################
##
## Do not audit attempts to check the
## write access on mnt files
##
##   $1: Domain to not audit.
##
#
# Silences audit_access (access(2)/faccessat probes) on every class in
# dir_file_class_set under mnt_t; the probe itself is still denied.
define(`files_dontaudit_access_check_mnt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_access_check_mnt'($*)) dnl
gen_require(`
	type mnt_t;
')
	dontaudit $1 mnt_t:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_access_check_mnt'($*)) dnl
')

########################################
##
## Mount a filesystem on /mnt.
##
##   $1: Domain allowed access.
##
#
# mounton plus search on mnt_t. Mounting lets $1 shadow /mnt with
# arbitrary content, so this is for mount-capable domains only; the
# filesystem-level mount permissions come from the fs module, not here.
define(`files_mounton_mnt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_mnt'($*)) dnl
gen_require(`
	type mnt_t;
')
	allow $1 mnt_t:dir { search_dir_perms mounton };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_mnt'($*)) dnl
')

########################################
##
## Create, read, write, and delete directories in /mnt.
##
##   $1: Domain allowed access.
##
#
# manage_dir_perms on mnt_t directories only (no file classes).
define(`files_manage_mnt_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_mnt_dirs'($*)) dnl
gen_require(`
	type mnt_t;
')
	allow $1 mnt_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_mnt_dirs'($*)) dnl
')

########################################
##
## Create, read, write, and delete files in /mnt.
##
##   $1: Domain allowed access.
##
#
# manage_files_pattern also grants the dir permissions needed to add and
# remove entries in mnt_t directories.
define(`files_manage_mnt_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_mnt_files'($*)) dnl
gen_require(`
	type mnt_t;
')
	manage_files_pattern($1, mnt_t, mnt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_mnt_files'($*)) dnl
')

########################################
##
## Read files in /mnt.
##
##   $1: Domain allowed access.
##
#
# Read regular files labelled mnt_t (the placeholder label of /mnt, not
# the label of whatever gets mounted there).
define(`files_read_mnt_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_mnt_files'($*)) dnl
gen_require(`
	type mnt_t;
')
	read_files_pattern($1, mnt_t, mnt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_mnt_files'($*)) dnl
')

######################################
##
## Read symbolic links in /mnt.
##
##   $1: Domain allowed access.
##
#
define(`files_read_mnt_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_mnt_symlinks'($*)) dnl
gen_require(`
	type mnt_t;
')
	read_lnk_files_pattern($1, mnt_t, mnt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_mnt_symlinks'($*)) dnl
')

########################################
##
## Load kernel module files.
##
##   $1: Domain allowed access.
##
#
# Grants system:module_load on modules_object_t (the finit_module path
# check) on top of read access via files_read_kernel_modules. Loading a
# module is kernel code execution; keep this to the module loader domain
# and keep the module files themselves non-writable by $1.
define(`files_load_kernel_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_load_kernel_modules'($*)) dnl
gen_require(`
	type modules_object_t;
')
	files_read_kernel_modules($1)
	allow $1 modules_object_t:system module_load;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_load_kernel_modules'($*)) dnl
')

########################################
##
## Mmap kernel module files.
##
##   $1: Domain allowed access.
##
#
# file:map only; read permissions must come from a separate interface.
define(`files_map_kernel_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_map_kernel_modules'($*)) dnl
gen_require(`
	type modules_object_t;
')
	allow $1 modules_object_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_map_kernel_modules'($*)) dnl
')

########################################
##
## Create, read, write, and delete symbolic links in /mnt.
##
##   $1: Domain allowed access.
##
#
define(`files_manage_mnt_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_mnt_symlinks'($*)) dnl
gen_require(`
	type mnt_t;
')
	manage_lnk_files_pattern($1, mnt_t, mnt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_mnt_symlinks'($*)) dnl
')

########################################
##
## Search the contents of the kernel module directories.
##
##   $1: Domain allowed access.
##
#
# Search plus symlink read on modules_object_t, enough to resolve a
# path under the module tree without listing or reading modules.
define(`files_search_kernel_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_kernel_modules'($*)) dnl
gen_require(`
	type modules_object_t;
')
	allow $1 modules_object_t:dir search_dir_perms;
	read_lnk_files_pattern($1, modules_object_t, modules_object_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_kernel_modules'($*)) dnl
')

########################################
##
## List the contents of the kernel module directories.
##
##   $1: Domain allowed access.
##
#
define(`files_list_kernel_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_kernel_modules'($*)) dnl
gen_require(`
	type modules_object_t;
')
	allow $1 modules_object_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_kernel_modules'($*)) dnl
')

########################################
##
## Get the attributes of kernel module files.
##
##   $1: Domain allowed access.
##
#
define(`files_getattr_kernel_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_kernel_modules'($*)) dnl
gen_require(`
	type modules_object_t;
')
	getattr_files_pattern($1, modules_object_t, modules_object_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_kernel_modules'($*)) dnl
')

########################################
##
## Read kernel module files.
##
##   $1: Domain allowed access.
##
#
# Listing plus read of files and symlinks under modules_object_t. This
# is the read half used by files_load_kernel_modules; it does not grant
# module_load.
define(`files_read_kernel_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_kernel_modules'($*)) dnl
gen_require(`
	type modules_object_t;
')
	allow $1 modules_object_t:dir list_dir_perms;
	read_files_pattern($1, modules_object_t, modules_object_t)
	read_lnk_files_pattern($1, modules_object_t, modules_object_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_kernel_modules'($*)) dnl
')

########################################
##
## Write kernel module files.
##
##   $1: Domain allowed access.
##
#
# Write (not create or delete) on existing module files. A domain that
# can modify module files controls what the kernel loads on next boot;
# restrict to package management and module build tooling.
define(`files_write_kernel_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_write_kernel_modules'($*)) dnl
gen_require(`
	type modules_object_t;
')
	allow $1 modules_object_t:dir list_dir_perms;
	write_files_pattern($1, modules_object_t, modules_object_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_write_kernel_modules'($*)) dnl
')

########################################
##
## Delete kernel module files.
##
##   $1: Domain allowed access.
##
#
define(`files_delete_kernel_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_kernel_modules'($*)) dnl
gen_require(`
	type modules_object_t;
')
	delete_files_pattern($1, modules_object_t, modules_object_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_kernel_modules'($*)) dnl
')

########################################
##
## Create, read, write, and delete
## kernel module files.
##
##   $1: Domain allowed access.
##
#
# Full manage of module files: the same trust level as
# files_write_kernel_modules (controls kernel code on next boot).
define(`files_manage_kernel_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_kernel_modules'($*)) dnl
gen_require(`
	type modules_object_t;
')
	manage_files_pattern($1, modules_object_t, modules_object_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_kernel_modules'($*)) dnl
')

########################################
##
## Relabel from and to kernel module files.
##
##   $1: Domain allowed access.
##
#
# relabelfrom and relabelto on files (both directions) plus directory
# listing; relabeling away from modules_object_t is how a file would
# escape the module-load checks, so this belongs with restorecon-class
# domains.
define(`files_relabel_kernel_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_kernel_modules'($*)) dnl
gen_require(`
	type modules_object_t;
')
	relabel_files_pattern($1, modules_object_t, modules_object_t)
	allow $1 modules_object_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_kernel_modules'($*)) dnl
')

########################################
##
## Create objects in the kernel module directories
## with a private type via an automatic type transition.
##
##   $1: Domain allowed access.
##   $2: The type of the object to be created.
##   $3: The object class of the object being created.
##   $4: The name of the object being created.
##
#
# Type transition for objects $1 creates inside modules_object_t dirs;
# $4 (name) is optional. Objects get label $2, not modules_object_t, so
# they are not loadable via files_load_kernel_modules unless $2 is.
define(`files_kernel_modules_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_kernel_modules_filetrans'($*)) dnl
gen_require(`
	type modules_object_t;
')
	filetrans_pattern($1, modules_object_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_kernel_modules_filetrans'($*)) dnl
')

########################################
##
## List world-readable directories.
##
##   $1: Domain allowed access.
##
#
# readable_t is the explicit "anyone may read" label; these interfaces
# are the intended way to expose data to otherwise confined domains.
define(`files_list_world_readable',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_world_readable'($*)) dnl
gen_require(`
	type readable_t;
')
	allow $1 readable_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_world_readable'($*)) dnl
')

########################################
##
## Read world-readable files.
##
##   $1: Domain allowed access.
##
#
# read_file_perms on the file class only; directory search over
# readable_t is not included here.
define(`files_read_world_readable_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_world_readable_files'($*)) dnl
gen_require(`
	type readable_t;
')
	allow $1 readable_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_world_readable_files'($*)) dnl
')

########################################
##
## Read world-readable symbolic links.
##
##   $1: Domain allowed access.
##
#
define(`files_read_world_readable_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_world_readable_symlinks'($*)) dnl
gen_require(`
	type readable_t;
')
	allow $1 readable_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_world_readable_symlinks'($*)) dnl
')

########################################
##
## Read world-readable named pipes.
##
##   $1: Domain allowed access.
##
#
# Read side of fifo_file objects labelled readable_t.
define(`files_read_world_readable_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_world_readable_pipes'($*)) dnl
gen_require(`
	type readable_t;
')
	allow $1 readable_t:fifo_file read_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_world_readable_pipes'($*)) dnl
')

########################################
##
## Read world-readable sockets.
##
##   $1: Domain allowed access.
##
#
# sock_file read perms only; connecting through the socket still needs
# the corresponding unix_stream_socket rules against the peer domain.
define(`files_read_world_readable_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_world_readable_sockets'($*)) dnl
gen_require(`
	type readable_t;
')
	allow $1 readable_t:sock_file read_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_world_readable_sockets'($*)) dnl
')

#######################################
##
## Read manageable system configuration files in /etc
##
##   $1: Domain allowed access.
##
#
# Read system_conf_t files and symlinks that live in etc_t directories,
# plus listing of etc_t. system_conf_t is the label for the subset of
# /etc that some daemons rewrite (see the named transitions below).
define(`files_read_system_conf_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_system_conf_files'($*)) dnl
gen_require(`
	type etc_t, system_conf_t;
')
	allow $1 etc_t:dir list_dir_perms;
	read_files_pattern($1, etc_t, system_conf_t)
	read_lnk_files_pattern($1, etc_t, system_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_system_conf_files'($*)) dnl
')

######################################
##
## Manage manageable system configuration files in /etc.
##
##   $1: Domain allowed access.
##
#
# manage_files_pattern over system_conf_t in both etc_t and
# system_conf_t containers, and the named file transitions so new files
# get system_conf_t rather than etc_t. Per the transition list this
# includes the persisted iptables/ip6tables/ebtables rule files, so a
# domain given this interface can change the firewall configuration
# that is restored on boot; grant it only to the tools that own those
# files.
define(`files_manage_system_conf_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_system_conf_files'($*)) dnl
gen_require(`
	type etc_t, system_conf_t;
')
	manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
	files_filetrans_system_conf_named_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_system_conf_files'($*)) dnl
')

#####################################
##
## File name transition for system configuration files in /etc.
##
##   $1: Domain allowed access.
##
#
# Named file transitions: when $1 creates one of the listed names in an
# etc_t (or, for "repo", usr_t) directory, the new object is labelled
# system_conf_t instead of inheriting the parent label. The match is on
# the exact final path component; a file created under a different name
# or via rename keeps the default label, which is why the manage
# interface above also allows system_conf_t in etc_t directories.
# Adding a name here widens what files_manage_system_conf_files can
# write in /etc, so review additions with that in mind.
define(`files_filetrans_system_conf_named_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_filetrans_system_conf_named_files'($*)) dnl
gen_require(`
	type etc_t, system_conf_t, usr_t;
')
	filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
	filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
	filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
	filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables.old")
	filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config")
	filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables-config.old")
	filetrans_pattern($1, etc_t, system_conf_t, file, "iptables")
	filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.old")
	filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.save")
	filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config")
	filetrans_pattern($1, etc_t, system_conf_t, file, "iptables-config.old")
	filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables")
	filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables.old")
	filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config")
	filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old")
	filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo")
	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
	filetrans_pattern($1, etc_t, system_conf_t, dir, "yum.repos.d")
	filetrans_pattern($1, etc_t, system_conf_t, dir, "remotes.d")
	filetrans_pattern($1, usr_t, system_conf_t, dir, "repo")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_filetrans_system_conf_named_files'($*)) dnl
')

######################################
##
## Relabel manageable system configuration files in /etc.
##
##   $1: Domain allowed access.
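##
#
# Relabel files *to* system_conf_t (relabelto_files_pattern also grants
# search on the container, here system_conf_t itself). Caller still needs
# relabelfrom on the source type.
#
# Fix: the require block previously listed usr_t, which this interface
# never references, and omitted system_conf_t, which it does. In a
# monolithic build gen_require is dropped so the mistake was invisible,
# but a loadable module calling this interface without its own require
# for system_conf_t would fail to link.
define(`files_relabelto_system_conf_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelto_system_conf_files'($*)) dnl
gen_require(`
	type system_conf_t;
')
	relabelto_files_pattern($1, system_conf_t, system_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelto_system_conf_files'($*)) dnl
')

######################################
##
## Relabel manageable system configuration files in /etc
## away from the system_conf_t label.
##
##   $1: Domain allowed access.
##
#
# relabelfrom half. Relabeling a file away from system_conf_t moves it
# out of the protection the manage interfaces rely on, so pair this with
# relabelto on a type the caller is trusted to produce.
#
# Fix: same require correction as files_relabelto_system_conf_files
# (usr_t was required, system_conf_t was not).
define(`files_relabelfrom_system_conf_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelfrom_system_conf_files'($*)) dnl
gen_require(`
	type system_conf_t;
')
	relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelfrom_system_conf_files'($*)) dnl
')

###################################
##
## Create files in /etc with the type used for
## the manageable system config files.
##
##   $1: The type of the process performing this action.
##
#
# Unnamed transition: every regular file $1 creates directly in an etc_t
# directory becomes system_conf_t. Broader than the named-file interface
# above, since it is not limited to a fixed list of file names.
define(`files_etc_filetrans_system_conf',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_etc_filetrans_system_conf'($*)) dnl
gen_require(`
	type etc_t, system_conf_t;
')
	filetrans_pattern($1, etc_t, system_conf_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_etc_filetrans_system_conf'($*)) dnl
')

######################################
##
## Manage manageable system db files in /var/lib.
##
##   $1: Domain allowed access.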
##
#
# Manage system_db_t files in var_lib_t or system_db_t directories, with
# the named transitions so the db files are created with the right label.
define(`files_manage_system_db_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_system_db_files'($*)) dnl
gen_require(`
	type var_lib_t, system_db_t;
')
	manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t)
	files_filetrans_system_db_named_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_system_db_files'($*)) dnl
')

######################################
##
## Watch manageable system db files in /var/lib.
##
##   $1: Domain allowed access.
##
#
# watch_file_perms on system_db_t files only (no directory watch).
define(`files_watch_system_db_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_system_db_files'($*)) dnl
gen_require(`
	type system_db_t;
')
	allow $1 system_db_t:file watch_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_system_db_files'($*)) dnl
')

######################################
##
## Map manageable system db files in /var/lib.
##
##   $1: Domain allowed access.
##
#
# file:map only, for mmap-based database access; read/write come from
# the manage interface.
define(`files_map_system_db_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_map_system_db_files'($*)) dnl
gen_require(`
	type system_db_t;
')
	allow $1 system_db_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_map_system_db_files'($*)) dnl
')

#####################################
##
## File name transition for system db files in /var/lib.
##
##   $1: Domain allowed access.
##
#
# Named transitions for the servicelog database and its journal created
# in var_lib_t directories; both get system_db_t.
define(`files_filetrans_system_db_named_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_filetrans_system_db_named_files'($*)) dnl
gen_require(`
	type var_lib_t, system_db_t;
')
	filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db")
	filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_filetrans_system_db_named_files'($*)) dnl
')

#####################################
##
## File name transition for tmp files in /.
##
##   $1: Domain allowed access.
##
#
# Creating a directory named "tmp-inst" in the root directory gives it
# tmp_t via files_root_filetrans (defined elsewhere in this module).
define(`files_filetrans_tmp_named_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_filetrans_tmp_named_files'($*)) dnl
gen_require(`
	type tmp_t;
')
	files_root_filetrans($1, tmp_t, dir, "tmp-inst")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_filetrans_tmp_named_files'($*)) dnl
')

########################################
##
## Allow the specified type to associate
## to a filesystem with the type of the
## temporary directory (/tmp).
##
##   $1: Type of the file to associate.
##
#
# $1 is a file type, not a domain: this is the filesystem:associate
# check that lets objects labelled $1 exist on a tmp_t filesystem.
define(`files_associate_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_associate_tmp'($*)) dnl
gen_require(`
	type tmp_t;
')
	allow $1 tmp_t:filesystem associate;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_associate_tmp'($*)) dnl
')

########################################
##
## Allow the specified type to associate
## to a filesystem with the type of the
## / file system
##
##   $1: Type of the file to associate.
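##
#
# filesystem:associate for objects labelled $1 on a root_t filesystem
# ($1 is a file type, not a domain).
define(`files_associate_rootfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_associate_rootfs'($*)) dnl
gen_require(`
	type root_t;
')
	allow $1 root_t:filesystem associate;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_associate_rootfs'($*)) dnl
')

########################################
##
## Get the attributes of the tmp directory (/tmp).
##
##   $1: Domain allowed access.
##
#
# Besides dir getattr this reads tmp_t symlinks, so the interface keeps
# working when /tmp is a symlink to another location.
define(`files_getattr_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_tmp_dirs'($*)) dnl
gen_require(`
	type tmp_t;
')
	read_lnk_files_pattern($1, tmp_t, tmp_t)
	allow $1 tmp_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_tmp_dirs'($*)) dnl
')

########################################
##
## Do not audit attempts to check the
## access on tmp files
##
##   $1: Domain to not audit.
##
#
# Silences audit_access probes (access(2)) on all dir_file_class_set
# classes labelled tmp_t.
#
# Fix: the require block named etc_t, which the rule does not use, and
# omitted tmp_t, which it does; a loadable module that calls this
# interface without its own require for tmp_t would fail to link. In a
# monolithic build gen_require is dropped, which is why it went unnoticed.
define(`files_dontaudit_access_check_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_access_check_tmp'($*)) dnl
gen_require(`
	type tmp_t;
')
	dontaudit $1 tmp_t:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_access_check_tmp'($*)) dnl
')

########################################
##
## Do not audit attempts to get the
## attributes of the tmp directory (/tmp).
##
##   $1: Domain to not audit.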
##
#
define(`files_dontaudit_getattr_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_tmp_dirs'($*)) dnl
gen_require(`
	type tmp_t;
')
	dontaudit $1 tmp_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_tmp_dirs'($*)) dnl
')

########################################
##
## Search the tmp directory (/tmp).
##
##   $1: Domain allowed access.
##
#
# Search on tmp_t plus symlink read, and a cross-module call to
# fs_search_tmpfs so the same caller works when /tmp is a tmpfs mount.
# Note that fs_search_tmpfs is provided by the filesystem module, not
# this file.
define(`files_search_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_tmp'($*)) dnl
gen_require(`
	type tmp_t;
')
	fs_search_tmpfs($1)
	read_lnk_files_pattern($1, tmp_t, tmp_t)
	allow $1 tmp_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_tmp'($*)) dnl
')

########################################
##
## Do not audit attempts to search the tmp directory (/tmp).
##
##   $1: Domain to not audit.
##
#
define(`files_dontaudit_search_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_tmp'($*)) dnl
gen_require(`
	type tmp_t;
')
	dontaudit $1 tmp_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_tmp'($*)) dnl
')

########################################
##
## List the tmp directory (/tmp).
##
##   $1: Domain allowed access.
##
#
# list_dir_perms on tmp_t plus symlink read. Listing /tmp exposes the
# names of every other domain's temporary files; prefer a private tmp
# type with a filetrans when the caller only needs its own files.
define(`files_list_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_tmp'($*)) dnl
gen_require(`
	type tmp_t;
')
	read_lnk_files_pattern($1, tmp_t, tmp_t)
	allow $1 tmp_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_tmp'($*)) dnl
')

########################################
##
## Do not audit listing of the tmp directory (/tmp).
##
##   $1: Domain to not audit.
##
#
define(`files_dontaudit_list_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_tmp'($*)) dnl
gen_require(`
	type tmp_t;
')
	dontaudit $1 tmp_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_list_tmp'($*)) dnl
')

#######################################
##
## Allow read and write to the tmp directory (/tmp).
##
##   $1: Domain allowed access.
##
#
# rw_dir_perms on the shared tmp_t directory (the body is an allow, so
# the parameter is a domain granted access, not a domain to not audit).
# Includes files_search_tmp. Objects the caller creates here inherit
# tmp_t unless it also has a filetrans to a private type, so callers
# should normally pair this with one.
define(`files_rw_generic_tmp_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_generic_tmp_dir'($*)) dnl
gen_require(`
	type tmp_t;
')
	files_search_tmp($1)
	allow $1 tmp_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_generic_tmp_dir'($*)) dnl
')

########################################
##
## Delete generic tmp files.
##
##   $1: Domain allowed access.
##
#
# Unlink of tmp_t regular files regardless of who created them; meant
# for tmp cleaners rather than ordinary daemons.
define(`files_delete_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_tmp_files'($*)) dnl
gen_require(`
	type tmp_t;
')
	delete_files_pattern($1, tmp_t, tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_tmp_files'($*)) dnl
')

########################################
##
## Delete generic tmp sock files.
##
##   $1: Domain allowed access.
##
#
define(`files_delete_tmp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_tmp_sockets'($*)) dnl
gen_require(`
	type tmp_t;
')
	delete_sock_files_pattern($1, tmp_t, tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_tmp_sockets'($*)) dnl
')

########################################
##
## Remove entries from the tmp directory.
##
##   $1: Domain allowed access.
##
#
# del_entry_dir_perms on tmp_t (remove_name on the directory); the
# unlink on the entry itself must come from a delete interface for the
# object type being removed. Includes files_search_tmp.
define(`files_delete_tmp_dir_entry',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_tmp_dir_entry'($*)) dnl
gen_require(`
	type tmp_t;
')
	files_search_tmp($1)
	allow $1 tmp_t:dir del_entry_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_tmp_dir_entry'($*)) dnl
')

########################################
##
## Read files in the tmp directory (/tmp).
##
##   $1: Domain allowed access.
##
#
# Read of every tmp_t regular file, i.e. generic temp files written by
# any domain that lacks a private tmp type. Broad; prefer a private type
# where possible.
define(`files_read_generic_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_generic_tmp_files'($*)) dnl
gen_require(`
	type tmp_t;
')
	read_files_pattern($1, tmp_t, tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_generic_tmp_files'($*)) dnl
')

########################################
##
## Manage temporary directories in /tmp.
##
##   $1: Domain allowed access.
#
define(`files_manage_generic_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_generic_tmp_dirs'($*)) dnl
gen_require(`
	type tmp_t;
')
manage_dirs_pattern($1, tmp_t, tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_generic_tmp_dirs'($*)) dnl
')

########################################
## Watch generic directories in /tmp
##
## Domain allowed access
#
define(`files_watch_generic_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_generic_tmp_dirs'($*)) dnl
gen_require(`
	type tmp_t;
')
allow $1 tmp_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_generic_tmp_dirs'($*)) dnl
')

########################################
## Watch_mount generic directories in /tmp
##
## Domain allowed access
#
define(`files_watch_mount_generic_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_mount_generic_tmp_dirs'($*)) dnl
gen_require(`
	type tmp_t;
')
allow $1 tmp_t:dir watch_mount_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_mount_generic_tmp_dirs'($*)) dnl
')

########################################
## Watch_with_perm generic directories in /tmp
##
## Domain allowed access
#
define(`files_watch_with_perm_generic_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_with_perm_generic_tmp_dirs'($*)) dnl
gen_require(`
	type tmp_t;
')
allow $1 tmp_t:dir watch_with_perm_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_with_perm_generic_tmp_dirs'($*)) dnl
')

########################################
## Allow shared library text relocations in tmp files.
##
## Allow shared library text relocations in tmp files.
## This is added to support java policy.
##
## Domain allowed access.
#
define(`files_execmod_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_execmod_tmp'($*)) dnl
gen_require(`
	attribute tmpfile;
')
# NOTE(review): execmod on every tmpfile type relaxes W^X for writable
# temporary files; the summary scopes this to the java case, so callers
# beyond that should be reviewed.
allow $1 tmpfile:file execmod;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_execmod_tmp'($*)) dnl
')

########################################
## Manage temporary files and directories in /tmp.
##
## Domain allowed access.
#
define(`files_manage_generic_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_generic_tmp_files'($*)) dnl
gen_require(`
	type tmp_t;
')
manage_files_pattern($1, tmp_t, tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_generic_tmp_files'($*)) dnl
')

########################################
## Mmap temporary files
##
## Domain allowed access.
#
define(`files_map_generic_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_map_generic_tmp_files'($*)) dnl
gen_require(`
	type tmp_t;
')
# map only; read/write of the mapping is governed by the caller's other rules.
allow $1 tmp_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_map_generic_tmp_files'($*)) dnl
')

########################################
## Read symbolic links in the tmp directory (/tmp).
##
## Domain allowed access.
#
define(`files_read_generic_tmp_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_generic_tmp_symlinks'($*)) dnl
gen_require(`
	type tmp_t;
')
read_lnk_files_pattern($1, tmp_t, tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_generic_tmp_symlinks'($*)) dnl
')

########################################
## Read and write generic named sockets in the tmp directory (/tmp).
##
## Domain allowed access.
#
define(`files_rw_generic_tmp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_generic_tmp_sockets'($*)) dnl
gen_require(`
	type tmp_t;
')
rw_sock_files_pattern($1, tmp_t, tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_generic_tmp_sockets'($*)) dnl
')

########################################
## Relabel a dir from the type used in /tmp.
##
## Domain allowed access.
#
define(`files_relabelfrom_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelfrom_tmp_dirs'($*)) dnl
gen_require(`
	type tmp_t;
')
relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelfrom_tmp_dirs'($*)) dnl
')

########################################
## Relabel a file from the type used in /tmp.
##
## Domain allowed access.
#
define(`files_relabelfrom_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelfrom_tmp_files'($*)) dnl
gen_require(`
	type tmp_t;
')
relabelfrom_files_pattern($1, tmp_t, tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelfrom_tmp_files'($*)) dnl
')

########################################
## Set the attributes of all tmp directories.
##
## Domain allowed access.
#
define(`files_setattr_all_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_setattr_all_tmp_dirs'($*)) dnl
gen_require(`
	attribute tmpfile;
')
# Covers every type carrying the tmpfile attribute, not only tmp_t.
allow $1 tmpfile:dir { search_dir_perms setattr };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_setattr_all_tmp_dirs'($*)) dnl
')

########################################
## Allow caller to read inherited tmp files.
##
## Domain allowed access.
#
define(`files_read_inherited_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_inherited_tmp_files'($*)) dnl
gen_require(`
	attribute tmpfile;
')
# NOTE(review): despite the "read" name this also grants append on
# inherited tmp files; callers that must stay read-only should not use it.
allow $1 tmpfile:file { append read_inherited_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_inherited_tmp_files'($*)) dnl
')

########################################
## Allow caller to append inherited tmp files.
##
## Domain allowed access.
#
define(`files_append_inherited_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_append_inherited_tmp_files'($*)) dnl
gen_require(`
	attribute tmpfile;
')
allow $1 tmpfile:file append_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_append_inherited_tmp_files'($*)) dnl
')

########################################
## Allow caller to read and write inherited tmp files.
##
## Domain allowed access.
#
define(`files_rw_inherited_tmp_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_inherited_tmp_file'($*)) dnl
gen_require(`
	attribute tmpfile;
')
# Inherited-descriptor perms only: no open, so no new tmp files can be opened.
allow $1 tmpfile:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_inherited_tmp_file'($*)) dnl
')

########################################
## List all tmp directories.
##
## Domain allowed access.
#
define(`files_list_all_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_all_tmp'($*)) dnl
gen_require(`
	attribute tmpfile;
')
allow $1 tmpfile:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_all_tmp'($*)) dnl
')

########################################
## Relabel to and from all temporary
## directory types.
##
## Domain allowed access.
#
define(`files_relabel_all_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_all_tmp_dirs'($*)) dnl
gen_require(`
	attribute tmpfile;
	type var_t;
')
# var_t search is presumably for reaching tmp directories under /var -- confirm.
allow $1 var_t:dir search_dir_perms;
relabel_dirs_pattern($1, tmpfile, tmpfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_all_tmp_dirs'($*)) dnl
')

########################################
## Do not audit attempts to get the attributes
## of all tmp files.
##
## Domain to not audit.
#
define(`files_dontaudit_getattr_all_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_tmp_files'($*)) dnl
gen_require(`
	attribute tmpfile;
')
dontaudit $1 tmpfile:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_tmp_files'($*)) dnl
')

########################################
## Allow attempts to get the attributes
## of all tmp files.
##
## Domain allowed access.
#
define(`files_getattr_all_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_all_tmp_files'($*)) dnl
gen_require(`
	attribute tmpfile;
')
allow $1 tmpfile:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_all_tmp_files'($*)) dnl
')

########################################
## Relabel to and from all temporary
## file types.
##
## Domain allowed access.
#
define(`files_relabel_all_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_all_tmp_files'($*)) dnl
gen_require(`
	attribute tmpfile;
	type var_t;
')
# var_t search is presumably for reaching tmp directories under /var -- confirm.
allow $1 var_t:dir search_dir_perms;
relabel_files_pattern($1, tmpfile, tmpfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_all_tmp_files'($*)) dnl
')

########################################
## Do not audit attempts to get the attributes
## of all tmp sock_file.
##
## Domain to not audit.
#
define(`files_dontaudit_getattr_all_tmp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_tmp_sockets'($*)) dnl
gen_require(`
	attribute tmpfile;
')
dontaudit $1 tmpfile:sock_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_tmp_sockets'($*)) dnl
')

########################################
## Read all tmp files.
##
## Domain allowed access.
#
define(`files_read_all_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_tmp_files'($*)) dnl
gen_require(`
	attribute tmpfile;
')
# Read across every tmpfile type, i.e. other domains' private tmp files too.
read_files_pattern($1, tmpfile, tmpfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_tmp_files'($*)) dnl
')

########################################
## Do not audit attempts to read or write
## all leaked tmp files.
##
## Domain to not audit.
#
define(`files_dontaudit_tmp_file_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_tmp_file_leaks'($*)) dnl
gen_require(`
	attribute tmpfile;
')
dontaudit $1 tmpfile:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_tmp_file_leaks'($*)) dnl
')

########################################
## Allow attempts to read or write
## all leaked tmp files.
##
## Domain allowed access.
#
define(`files_rw_tmp_file_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_tmp_file_leaks'($*)) dnl
gen_require(`
	attribute tmpfile;
')
# This is an allow, not a dontaudit: leaked descriptors become usable.
allow $1 tmpfile:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_tmp_file_leaks'($*)) dnl
')

########################################
## Create an object in the tmp directories, with a private
## type using a type transition.
##
## Domain allowed access.
##
## The type of the object to be created.
##
## The object class of the object being created.
##
## The name of the object being created.
#
define(`files_tmp_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_tmp_filetrans'($*)) dnl
gen_require(`
	type tmp_t;
')
# $2 = private type, $3 = object class(es), $4 = optional object name.
filetrans_pattern($1, tmp_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_tmp_filetrans'($*)) dnl
')

########################################
## Delete the contents of /tmp.
##
## Domain allowed access.
#
define(`files_purge_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_purge_tmp'($*)) dnl
gen_require(`
	attribute tmpfile;
')
# Broad by design: deletes every object class under every tmpfile type,
# then the unlabeled (isid) leftovers via the files_delete_isid_* helpers.
allow $1 tmpfile:dir list_dir_perms;
delete_dirs_pattern($1, tmpfile, tmpfile)
delete_files_pattern($1, tmpfile, tmpfile)
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
delete_chr_files_pattern($1, tmpfile, tmpfile)
delete_blk_files_pattern($1, tmpfile, tmpfile)
files_list_isid_type_dirs($1)
files_delete_isid_type_dirs($1)
files_delete_isid_type_files($1)
files_delete_isid_type_symlinks($1)
files_delete_isid_type_fifo_files($1)
files_delete_isid_type_sock_files($1)
files_delete_isid_type_blk_files($1)
files_delete_isid_type_chr_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_purge_tmp'($*)) dnl
')

########################################
## Set the attributes of the /usr directory.
##
## Domain allowed access.
#
define(`files_setattr_usr_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_setattr_usr_dirs'($*)) dnl
gen_require(`
	type usr_t;
')
allow $1 usr_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_setattr_usr_dirs'($*)) dnl
')

########################################
## Search the content of /usr.
##
## Domain allowed access.
#
define(`files_search_usr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_usr'($*)) dnl
gen_require(`
	type usr_t;
')
allow $1 usr_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_usr'($*)) dnl
')

########################################
## List the contents of generic
## directories in /usr.
##
## Domain allowed access.
#
define(`files_list_usr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_usr'($*)) dnl
gen_require(`
	type usr_t;
')
allow $1 usr_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_usr'($*)) dnl
')

########################################
## Do not audit write of /usr dirs
##
## Domain to not audit.
#
define(`files_dontaudit_write_usr_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_usr_dirs'($*)) dnl
gen_require(`
	type usr_t;
')
dontaudit $1 usr_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_usr_dirs'($*)) dnl
')

########################################
## Add and remove entries from /usr directories.
##
## Domain allowed access.
#
define(`files_rw_usr_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_usr_dirs'($*)) dnl
gen_require(`
	type usr_t;
')
# Write access to generic /usr directories; normally only installers need this.
allow $1 usr_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_usr_dirs'($*)) dnl
')

########################################
## Do not audit attempts to add and remove
## entries from /usr directories.
##
## Domain to not audit.
#
define(`files_dontaudit_rw_usr_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_usr_dirs'($*)) dnl
gen_require(`
	type usr_t;
')
dontaudit $1 usr_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_usr_dirs'($*)) dnl
')

########################################
## Delete generic directories in /usr in the caller domain.
##
## Domain allowed access.
#
define(`files_delete_usr_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_usr_dirs'($*)) dnl
gen_require(`
	type usr_t;
')
delete_dirs_pattern($1, usr_t, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_usr_dirs'($*)) dnl
')

########################################
## Manage generic directories in /usr in the caller domain.
##
## Domain allowed access.
#
define(`files_manage_usr_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_usr_dirs'($*)) dnl
gen_require(`
	type usr_t;
')
manage_dirs_pattern($1, usr_t, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_usr_dirs'($*)) dnl
')

########################################
## Delete generic files in /usr in the caller domain.
##
## Domain allowed access.
#
define(`files_delete_usr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_usr_files'($*)) dnl
gen_require(`
	type usr_t;
')
delete_files_pattern($1, usr_t, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_usr_files'($*)) dnl
')

########################################
## Map files in /usr in the caller domain.
##
## Domain allowed access.
#
define(`files_mmap_usr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mmap_usr_files'($*)) dnl
gen_require(`
	type usr_t;
')
allow $1 usr_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mmap_usr_files'($*)) dnl
')

########################################
## Get the attributes of files in /usr.
##
## Domain allowed access.
#
define(`files_getattr_usr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_usr_files'($*)) dnl
gen_require(`
	type usr_t;
')
getattr_files_pattern($1, usr_t, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_usr_files'($*)) dnl
')

########################################
## Read generic files in /usr.
##
## Allow the specified domain to read generic
## files in /usr. These files are various program
## files that do not have more specific SELinux types.
## Some examples of these files are:
##
##   - /usr/include/*
##   - /usr/share/doc/*
##   - /usr/share/info/*
##
## Generally, it is safe for many domains to have
## this access.
##
## Domain allowed access.
#
define(`files_read_usr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_usr_files'($*)) dnl
gen_require(`
	type usr_t;
')
# Directory listing plus file and symlink reads; no execute.
allow $1 usr_t:dir list_dir_perms;
read_files_pattern($1, usr_t, usr_t)
read_lnk_files_pattern($1, usr_t, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_usr_files'($*)) dnl
')

########################################
## Execute generic programs in /usr in the caller domain.
##
## Domain allowed access.
#
define(`files_exec_usr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_exec_usr_files'($*)) dnl
gen_require(`
	type usr_t;
')
# Executes without a domain transition: the program runs as $1.
allow $1 usr_t:dir list_dir_perms;
exec_files_pattern($1, usr_t, usr_t)
read_lnk_files_pattern($1, usr_t, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_exec_usr_files'($*)) dnl
')

########################################
## dontaudit write of /usr files
##
## Domain to not audit.
#
define(`files_dontaudit_write_usr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_usr_files'($*)) dnl
gen_require(`
	type usr_t;
')
dontaudit $1 usr_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_usr_files'($*)) dnl
')

########################################
## Create, read, write, and delete files in the /usr directory.
##
## Domain allowed access.
#
define(`files_manage_usr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_usr_files'($*)) dnl
gen_require(`
	type usr_t;
')
manage_files_pattern($1, usr_t, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_usr_files'($*)) dnl
')

########################################
## Relabel a file to the type used in /usr.
##
## Domain allowed access.
#
define(`files_relabelto_usr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelto_usr_files'($*)) dnl
gen_require(`
	type usr_t;
')
relabelto_files_pattern($1, usr_t, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelto_usr_files'($*)) dnl
')

########################################
## Relabel a file from the type used in /usr.
##
## Domain allowed access.
#
define(`files_relabelfrom_usr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelfrom_usr_files'($*)) dnl
gen_require(`
	type usr_t;
')
relabelfrom_files_pattern($1, usr_t, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelfrom_usr_files'($*)) dnl
')

########################################
## Read symbolic links in /usr.
##
## Domain allowed access.
#
define(`files_read_usr_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_usr_symlinks'($*)) dnl
gen_require(`
	type usr_t;
')
read_lnk_files_pattern($1, usr_t, usr_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_usr_symlinks'($*)) dnl
')

########################################
## Create objects in the /usr directory
##
## Domain allowed access.
##
## The type of the object to be created
##
## The object class.
##
## The name of the object being created.
#
define(`files_usr_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_usr_filetrans'($*)) dnl
gen_require(`
	type usr_t;
')
# $2 = private type, $3 = object class(es), $4 = optional object name.
filetrans_pattern($1, usr_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_usr_filetrans'($*)) dnl
')

########################################
## Do not audit attempts to search /usr/src.
##
## Domain to not audit.
#
define(`files_dontaudit_search_src',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_src'($*)) dnl
gen_require(`
	type src_t;
')
dontaudit $1 src_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_src'($*)) dnl
')

########################################
## Get the attributes of files in /usr/src.
##
## Domain allowed access.
#
define(`files_getattr_usr_src_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_usr_src_files'($*)) dnl
gen_require(`
	type usr_t, src_t;
')
getattr_files_pattern($1, src_t, src_t)
# /usr/src/linux symlink:
read_lnk_files_pattern($1, usr_t, src_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_usr_src_files'($*)) dnl
')

########################################
## Read files in /usr/src.
##
## Domain allowed access.
#
define(`files_read_usr_src_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_usr_src_files'($*)) dnl
gen_require(`
	type usr_t, src_t;
')
# src_t files may sit under either usr_t or src_t directories, hence the set.
allow $1 usr_t:dir search_dir_perms;
read_files_pattern($1, { usr_t src_t }, src_t)
read_lnk_files_pattern($1, { usr_t src_t }, src_t)
allow $1 src_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_usr_src_files'($*)) dnl
')

########################################
## Execute programs in /usr/src in the caller domain.
##
## Domain allowed access.
#
define(`files_exec_usr_src_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_exec_usr_src_files'($*)) dnl
gen_require(`
	type usr_t, src_t;
')
# No domain transition: executed code runs as $1.
list_dirs_pattern($1, usr_t, src_t)
exec_files_pattern($1, src_t, src_t)
read_lnk_files_pattern($1, src_t, src_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_exec_usr_src_files'($*)) dnl
')

########################################
## Watch generic directories in /usr.
##
## Domain allowed access.
#
define(`files_watch_usr_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_usr_dirs'($*)) dnl
gen_require(`
	type usr_t;
')
allow $1 usr_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_usr_dirs'($*)) dnl
')

########################################
## Watch generic files in /usr.
##
## Domain allowed access.
#
define(`files_watch_usr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_usr_files'($*)) dnl
gen_require(`
	type usr_t;
')
allow $1 usr_t:file watch_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_usr_files'($*)) dnl
')

########################################
## Install a system.map into the /boot directory.
##
## Domain allowed access.
#
define(`files_create_kernel_symbol_table',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_kernel_symbol_table'($*)) dnl
gen_require(`
	type boot_t, system_map_t;
')
# Create and rewrite the symbol table; this is an integrity-sensitive file,
# so keep callers to the kernel-install path.
allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
allow $1 system_map_t:file { create_file_perms rw_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_kernel_symbol_table'($*)) dnl
')

########################################
## Dontaudit getattr attempts on the system.map file
##
## Domain to not audit.
#
define(`files_dontaudit_getattr_kernel_symbol_table',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_kernel_symbol_table'($*)) dnl
gen_require(`
	type system_map_t;
')
dontaudit $1 system_map_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_kernel_symbol_table'($*)) dnl
')

########################################
## Read system.map in the /boot directory.
##
## Domain allowed access.
#
define(`files_read_kernel_symbol_table',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_kernel_symbol_table'($*)) dnl
gen_require(`
	type boot_t, system_map_t;
')
allow $1 boot_t:dir list_dir_perms;
read_files_pattern($1, boot_t, system_map_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_kernel_symbol_table'($*)) dnl
')

########################################
## Delete a system.map in the /boot directory.
##
## Domain allowed access.
#
define(`files_delete_kernel_symbol_table',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_kernel_symbol_table'($*)) dnl
gen_require(`
	type boot_t, system_map_t;
')
allow $1 boot_t:dir list_dir_perms;
delete_files_pattern($1, boot_t, system_map_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_kernel_symbol_table'($*)) dnl
')

########################################
## Mounton system_map directory.
##
## Domain allowed access.
#
define(`files_mounton_kernel_symbol_table',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_kernel_symbol_table'($*)) dnl
gen_require(`
	type system_map_t;
')
# NOTE(review): the other system_map_t rules in this section use the file
# class only; confirm the dir rule is intended.
allow $1 system_map_t:dir { mounton getattr };
allow $1 system_map_t:file { mounton getattr };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_kernel_symbol_table'($*)) dnl
')

########################################
## Search the contents of /var.
##
## Domain allowed access.
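#
define(`files_search_var',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_var'($*)) dnl
gen_require(`
	type var_t;
')
allow $1 var_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_var'($*)) dnl
')

########################################
## Do not audit attempts to write to /var.
##
## Domain to not audit.
#
define(`files_dontaudit_write_var_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_var_dirs'($*)) dnl
gen_require(`
	type var_t;
')
dontaudit $1 var_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_var_dirs'($*)) dnl
')

########################################
## Allow attempts to write to /var dirs
##
## Domain allowed access.
#
define(`files_write_var_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_write_var_dirs'($*)) dnl
gen_require(`
	type var_t;
')
# Bare write on the directory, without add_name/remove_name.
allow $1 var_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_write_var_dirs'($*)) dnl
')

########################################
## Set the attributes of the /var directory.
##
## Domain allowed access.
#
define(`files_setattr_var_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_setattr_var_dirs'($*)) dnl
gen_require(`
	type var_t;
')
# The require block previously named usr_t while the rule targets var_t;
# a module calling this would fail to build without var_t declared.
allow $1 var_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_setattr_var_dirs'($*)) dnl
')

########################################
## Do not audit attempts to search
## the contents of /var.
##
## Domain to not audit.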
#
define(`files_dontaudit_search_var',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_var'($*)) dnl
gen_require(`
	type var_t;
')
dontaudit $1 var_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_var'($*)) dnl
')

########################################
## List the contents of /var.
##
## Domain allowed access.
#
define(`files_list_var',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_var'($*)) dnl
gen_require(`
	type var_t;
')
allow $1 var_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_var'($*)) dnl
')

########################################
## Do not audit listing of the var directory (/var).
##
## Domain to not audit.
#
define(`files_dontaudit_list_var',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_var'($*)) dnl
gen_require(`
	type var_t;
')
dontaudit $1 var_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_list_var'($*)) dnl
')

########################################
## Create directories
## in the /var directory.
##
## Domain allowed access.
#
define(`files_create_var_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_var_dirs'($*)) dnl
gen_require(`
	type var_t;
')
allow $1 var_t:dir create_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_var_dirs'($*)) dnl
')

########################################
## Create, read, write, and delete directories
## in the /var directory.
##
## Domain allowed access.
##	</summary>
## </param>
#
define(`files_manage_var_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_var_dirs'($*)) dnl
	gen_require(`
		type var_t;
	')

	allow $1 var_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_var_dirs'($*)) dnl
')

########################################
## <summary>
##	Watch generic directories in /var.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_watch_var_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_var_dirs'($*)) dnl
	gen_require(`
		type var_t;
	')

	watch_dirs_pattern($1, var_t, var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_var_dirs'($*)) dnl
')

########################################
## <summary>
##	Read files in the /var directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_read_var_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_var_files'($*)) dnl
	gen_require(`
		type var_t;
	')

	# Only files labeled var_t (the generic /var label); private
	# types under /var need their own interface.
	read_files_pattern($1, var_t, var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_var_files'($*)) dnl
')

########################################
## <summary>
##	Append files in the /var directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_append_var_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_append_var_files'($*)) dnl
	gen_require(`
		type var_t;
	')

	append_files_pattern($1, var_t, var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_append_var_files'($*)) dnl
')

########################################
## <summary>
##	Read and write files in the /var directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_rw_var_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_var_files'($*)) dnl
	gen_require(`
		type var_t;
	')

	rw_files_pattern($1, var_t, var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_var_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	files in the /var directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_rw_var_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_var_files'($*)) dnl
	gen_require(`
		type var_t;
	')

	# Covers the inherited-descriptor permission set only; suppresses
	# denials on fds leaked in from another domain, grants nothing.
	dontaudit $1 var_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_var_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete files in the /var directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_manage_var_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_var_files'($*)) dnl
	gen_require(`
		type var_t;
	')

	manage_files_pattern($1, var_t, var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_var_files'($*)) dnl
')

########################################
## <summary>
##	Read symbolic links in the /var directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_read_var_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_var_symlinks'($*)) dnl
	gen_require(`
		type var_t;
	')

	read_lnk_files_pattern($1, var_t, var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_var_symlinks'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete symbolic
##	links in the /var directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_manage_var_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_var_symlinks'($*)) dnl
	gen_require(`
		type var_t;
	')

	manage_lnk_files_pattern($1, var_t, var_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_var_symlinks'($*)) dnl
')

########################################
## <summary>
##	Create objects in the /var directory
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="file_type">
##	<summary>
##	The type of the object to be created
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`files_var_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_var_filetrans'($*)) dnl
	gen_require(`
		type var_t;
	')

	# Objects of class $3 created by $1 directly in var_t directories
	# are labeled $2 instead of inheriting var_t ($4 narrows to a name).
	filetrans_pattern($1, var_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_var_filetrans'($*)) dnl
')

########################################
## <summary>
##	Relabel dirs in the /var directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_relabel_var_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_var_dirs'($*)) dnl
	gen_require(`
		type var_t;
	')

	allow $1 var_t:dir relabel_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_var_dirs'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of the /var/lib directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_getattr_var_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_var_lib_dirs'($*)) dnl
	gen_require(`
		type var_t, var_lib_t;
	')

	getattr_dirs_pattern($1, var_t, var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_var_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Search the /var/lib directory.
## </summary>
## <desc>
##	<p>
##	Search the /var/lib directory. This is
##	necessary to access files or directories under
##	/var/lib that have a private type. For example, a
##	domain accessing a private library file in the
##	/var/lib directory:
##	</p>
##	<programlisting>
##	allow mydomain_t mylibfile_t:file read_file_perms;
##	files_search_var_lib(mydomain_t)
##	</programlisting>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_search_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_var_lib'($*)) dnl
	gen_require(`
		type var_t, var_lib_t;
	')

	# Search on both /var (var_t) and /var/lib (var_lib_t) so the
	# path can be traversed; no file content access is granted.
	search_dirs_pattern($1, var_t, var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_var_lib'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to search the
##	contents of /var/lib.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_search_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_var_lib'($*)) dnl
	gen_require(`
		type var_lib_t;
	')

	dontaudit $1 var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_var_lib'($*)) dnl
')

########################################
## <summary>
##	List the contents of the /var/lib directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_list_var_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_var_lib'($*)) dnl
	gen_require(`
		type var_t, var_lib_t;
	')

	list_dirs_pattern($1, var_t, var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_var_lib'($*)) dnl
')

###########################################
## <summary>
##	Read-write /var/lib directories
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_rw_var_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_var_lib_dirs'($*)) dnl
	gen_require(`
		type var_lib_t;
	')

	rw_dirs_pattern($1, var_lib_t, var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_var_lib_dirs'($*)) dnl
')

###########################################
## <summary>
##	Map generic files in /var/lib (var_lib_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_map_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_map_var_lib_files'($*)) dnl
	gen_require(`
		type var_lib_t;
	')

	# The rule is on the file class, not dir: this grants mmap of
	# var_lib_t files (read/execute of the mapping still needs the
	# corresponding file permissions).
	allow $1 var_lib_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_map_var_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create directories in /var/lib
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_create_var_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_var_lib_dirs'($*)) dnl
	gen_require(`
		type var_lib_t;
	')

	# Note: setattr on var_lib_t directories is granted in addition to
	# create and rw_dir_perms.
	allow $1 var_lib_t:dir { create rw_dir_perms setattr };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_var_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Create symlinks in /var/lib
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_create_var_lib_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_var_lib_symlinks'($*)) dnl
	gen_require(`
		type var_lib_t;
	')

	allow $1 var_lib_t:lnk_file { create write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_var_lib_symlinks'($*)) dnl
')

########################################
## <summary>
##	Create objects in the /var/lib directory
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="file_type">
##	<summary>
##	The type of the object to be created
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`files_var_lib_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_var_lib_filetrans'($*)) dnl
	gen_require(`
		type var_t, var_lib_t;
	')

	# /var must be searchable to reach /var/lib; the transition itself
	# applies to objects created directly in var_lib_t directories.
	allow $1 var_t:dir search_dir_perms;
	filetrans_pattern($1, var_lib_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_var_lib_filetrans'($*)) dnl
')

########################################
## <summary>
##	Read generic files in /var/lib.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_read_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_var_lib_files'($*)) dnl
	gen_require(`
		type var_t, var_lib_t;
	')

	allow $1 var_lib_t:dir list_dir_perms;
	# Generic var_lib_t files may live directly under /var as well as
	# under /var/lib, hence both container types.
	read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_var_lib_files'($*)) dnl
')

########################################
## <summary>
##	Read generic symbolic links in /var/lib
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_read_var_lib_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_var_lib_symlinks'($*)) dnl
	gen_require(`
		type var_t, var_lib_t;
	')

	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_var_lib_symlinks'($*)) dnl
')

########################################
## <summary>
##	Manage generic symbolic links
##	in the /var/lib directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_manage_var_lib_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_var_lib_symlinks'($*)) dnl
	gen_require(`
		type var_lib_t;
	')

	manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_var_lib_symlinks'($*)) dnl
')

########################################
## <summary>
##	Watch generic directories in /var/lib.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_watch_var_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_var_lib_dirs'($*)) dnl
	gen_require(`
		type var_lib_t;
	')

	watch_dirs_pattern($1, var_lib_t, var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_var_lib_dirs'($*)) dnl
')

# cjp: the next two interfaces really need to be fixed
# in some way. They really need their own types.
#
# Security note: until that happens, both grant full manage access to
# every generic var_lib_t file, not just the one file they are named
# after. Any domain given these can create, overwrite or delete any
# unlabeled content under /var/lib. Grant sparingly.

########################################
## <summary>
##	Create, read, write, and delete the
##	pseudorandom number generator seed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_manage_urandom_seed',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_urandom_seed'($*)) dnl
	gen_require(`
		type var_t, var_lib_t;
	')

	allow $1 var_t:dir search_dir_perms;
	# Broader than the name suggests: all var_lib_t files (see note above).
	manage_files_pattern($1, var_lib_t, var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_urandom_seed'($*)) dnl
')

########################################
## <summary>
##	Relabel to dirs in the /var/lib directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_relabelto_var_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabelto_var_lib_dirs'($*)) dnl
	gen_require(`
		type var_lib_t;
	')

	# relabelto only: the domain also needs relabelfrom on the
	# directory's current type for a relabel to succeed.
	allow $1 var_lib_t:dir relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabelto_var_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Relabel dirs in the /var/lib directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_relabel_var_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_var_lib_dirs'($*)) dnl
	gen_require(`
		type var_lib_t;
	')

	allow $1 var_lib_t:dir relabel_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_var_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Allow domain to manage mount tables
##	necessary for rpcd, nfsd, etc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_manage_mounttab',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_mounttab'($*)) dnl
	gen_require(`
		type var_t, var_lib_t;
	')

	allow $1 var_t:dir search_dir_perms;
	# Security note: the mount table has no private type, so this grants
	# manage access to every generic var_lib_t file, not just the table.
	manage_files_pattern($1, var_lib_t, var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_mounttab'($*)) dnl
')

########################################
## <summary>
##	List generic lock directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_list_locks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_locks'($*)) dnl
	gen_require(`
		type var_t, var_lock_t;
	')

	files_search_locks($1)
	list_dirs_pattern($1, var_t, var_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_locks'($*)) dnl
')

########################################
## <summary>
##	Search the locks directory (/var/lock).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_search_locks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_locks'($*)) dnl
	gen_require(`
		type var_t, var_lock_t;
	')

	# Pid-dir search and var_lock_t symlink read are granted alongside
	# the directory search, presumably because /var/lock is commonly a
	# symlink into the runtime (pid) directory tree.
	files_search_pids($1)
	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
	search_dirs_pattern($1, var_t, var_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_locks'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to search the
##	locks directory (/var/lock).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_search_locks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_locks'($*)) dnl
	gen_require(`
		type var_lock_t;
	')

	dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
	dontaudit $1 var_lock_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_locks'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read/write inherited
##	locks (/var/lock).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_rw_inherited_locks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_rw_inherited_locks'($*)) dnl
	gen_require(`
		type var_lock_t;
	')

	# Inherited-descriptor permission set only; suppresses denials,
	# grants nothing.
	dontaudit $1 var_lock_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_rw_inherited_locks'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of the /var/lock directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_setattr_lock_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_setattr_lock_dirs'($*)) dnl
	gen_require(`
		type var_lock_t;
	')

	allow $1 var_lock_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_setattr_lock_dirs'($*)) dnl
')

########################################
## <summary>
##	Add and remove entries in the /var/lock
##	directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_rw_lock_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_lock_dirs'($*)) dnl
	gen_require(`
		type var_t, var_lock_t;
	')

	files_search_locks($1)
	rw_dirs_pattern($1, var_t, var_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_lock_dirs'($*)) dnl
')

########################################
## <summary>
##	Create lock directories
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
define(`files_create_lock_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_lock_dirs'($*)) dnl
	gen_require(`
		type var_t, var_lock_t;
	')

	# NOTE(review): unlike files_rw_lock_dirs this does not call
	# files_search_locks(), so no pid-directory search is granted here;
	# callers that reach /var/lock through a symlink into /run may need
	# it separately -- confirm against the callers.
	allow $1 var_t:dir search_dir_perms;
	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
	create_dirs_pattern($1, var_lock_t, var_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_lock_dirs'($*)) dnl
')

########################################
## <summary>
##	Relabel to and from all lock directory types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_relabel_all_lock_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_all_lock_dirs'($*)) dnl
	gen_require(`
		attribute lockfile;
		type var_t, var_lock_t;
	')

	allow $1 var_t:dir search_dir_perms;
	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
	# Privileged: covers every type carrying the lockfile attribute.
	relabel_dirs_pattern($1, lockfile, lockfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_all_lock_dirs'($*)) dnl
')

########################################
## <summary>
##	Relabel to and from all lock file types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_relabel_all_lock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_all_lock_files'($*)) dnl
	gen_require(`
		attribute lockfile;
		type var_t, var_lock_t;
	')

	allow $1 var_t:dir search_dir_perms;
	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
	# Privileged: covers every type carrying the lockfile attribute.
	relabel_files_pattern($1, lockfile, lockfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_all_lock_files'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of generic lock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_getattr_generic_locks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_getattr_generic_locks'($*)) dnl
	gen_require(`
		type var_t, var_lock_t;
	')

	files_search_locks($1)
	allow $1 var_lock_t:dir list_dir_perms;
	getattr_files_pattern($1, var_lock_t, var_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_getattr_generic_locks'($*)) dnl
')

########################################
## <summary>
##	Delete generic lock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_delete_generic_locks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_generic_locks'($*)) dnl
	gen_require(`
		type var_t, var_lock_t;
	')

	files_search_locks($1)
	delete_files_pattern($1, var_lock_t, var_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_generic_locks'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete generic
##	lock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_manage_generic_locks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_generic_locks'($*)) dnl
	gen_require(`
		type var_t, var_lock_t;
	')

	files_search_locks($1)
	manage_files_pattern($1, var_lock_t, var_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_generic_locks'($*)) dnl
')

########################################
## <summary>
##	Delete all lock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_delete_all_locks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_all_locks'($*)) dnl
	gen_require(`
		attribute lockfile;
		type var_t, var_lock_t;
	')

	allow $1 var_t:dir search_dir_perms;
	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
	# Privileged: unlink of every type carrying the lockfile attribute,
	# i.e. other domains' private lock files too.
	delete_files_pattern($1, lockfile, lockfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_all_locks'($*)) dnl
')

########################################
## <summary>
##	Read all lock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_read_all_locks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_locks'($*)) dnl
	gen_require(`
		attribute lockfile;
		type var_t, var_lock_t;
	')

	files_search_locks($1)
	allow $1 lockfile:dir list_dir_perms;
	read_files_pattern($1, lockfile, lockfile)
	read_lnk_files_pattern($1, lockfile, lockfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_locks'($*)) dnl
')

########################################
## <summary>
##	Manage all lock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_manage_all_locks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_all_locks'($*)) dnl
	gen_require(`
		attribute lockfile;
		type var_t, var_lock_t;
	')

	files_search_locks($1)
	# Privileged: full manage of dirs, files and symlinks of every type
	# carrying the lockfile attribute, including other domains' locks.
	manage_dirs_pattern($1, lockfile, lockfile)
	manage_files_pattern($1, lockfile, lockfile)
	manage_lnk_files_pattern($1, lockfile, lockfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_all_locks'($*)) dnl
')

########################################
## <summary>
##	Create an object in the locks directory, with a private
##	type using a type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="file_type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class of the object being created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`files_lock_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_lock_filetrans'($*)) dnl
	gen_require(`
		type var_t, var_lock_t;
	')

	files_search_locks($1)
	filetrans_pattern($1, var_lock_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_lock_filetrans'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of the /var/run directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_getattr_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_pid_dirs'($*)) dnl
	gen_require(`
		type var_run_t;
	')

	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
	dontaudit $1 var_run_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_pid_dirs'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of the /var/run directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_setattr_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_setattr_pid_dirs'($*)) dnl
	gen_require(`
		type var_run_t;
	')

	files_search_pids($1)
	allow $1 var_run_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_setattr_pid_dirs'($*)) dnl
')

########################################
## <summary>
##	Search the contents of runtime process
##	ID directories (/var/run).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_search_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_pids'($*)) dnl
	gen_require(`
		type var_t, var_run_t;
	')

	# Symlink reads on both var_t and var_run_t are granted, presumably
	# so that a /var/run -> /run symlink can be followed; this is the
	# basic building block most other *_pids interfaces call first.
	allow $1 var_t:lnk_file read_lnk_file_perms;
	allow $1 var_run_t:lnk_file read_lnk_file_perms;
	search_dirs_pattern($1, var_t, var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_pids'($*)) dnl
')

######################################
## <summary>
##	Add and remove entries from pid directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_rw_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_pid_dirs'($*)) dnl
	gen_require(`
		type var_run_t;
	')

	allow $1 var_run_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_pid_dirs'($*)) dnl
')

#######################################
## <summary>
##	Create generic pid directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_create_var_run_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_var_run_dirs'($*)) dnl
	gen_require(`
		type var_t, var_run_t;
	')

	allow $1 var_t:dir search_dir_perms;
	allow $1 var_run_t:dir create_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_var_run_dirs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to search
##	the /var/run directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_search_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_pids'($*)) dnl
	gen_require(`
		type var_run_t;
	')

	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
	dontaudit $1 var_run_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_pids'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to search
##	all pid directories (every type with the pidfile attribute).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_search_all_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_all_pids'($*)) dnl
	gen_require(`
		attribute pidfile;
	')

	dontaudit $1 pidfile:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_all_pids'($*)) dnl
')

########################################
## <summary>
##	Search all pid directories (every type with the pidfile attribute).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_search_all_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_all_pids'($*)) dnl
	gen_require(`
		attribute pidfile;
	')

	# This is an allow rule (the interface grants access); it spans every
	# type carrying the pidfile attribute, i.e. other domains' private
	# runtime directories as well as the generic one.
	allow $1 pidfile:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_all_pids'($*)) dnl
')

#######################################
## <summary>
##	Watch generic pid directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_watch_var_run_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_var_run_dirs'($*)) dnl
	gen_require(`
		type var_run_t;
	')

	allow $1 var_run_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_var_run_dirs'($*)) dnl
')

#######################################
## <summary>
##	Watch generic pid directory and its parents.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_watch_var_run_path',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_var_run_path'($*)) dnl
	gen_require(`
		type var_run_t;
	')

	# Only the root directory and var_run_t are covered; /var (var_t)
	# is not watched here -- presumably because the runtime directory
	# lives directly under / and /var/run is a symlink to it.
	files_watch_root_dirs($1)
	files_watch_var_run_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_var_run_path'($*)) dnl
')

########################################
## <summary>
##	List the contents of the runtime process
##	ID directories (/var/run).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_list_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_pids'($*)) dnl
	gen_require(`
		type var_t, var_run_t;
	')

	files_search_pids($1)
	list_dirs_pattern($1, var_t, var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_pids'($*)) dnl
')

########################################
## <summary>
##	Read generic process ID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## # define(`files_read_generic_pids',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `files_read_generic_pids'($*)) dnl gen_require(` type var_t, var_run_t; ') files_search_pids($1) list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `files_read_generic_pids'($*)) dnl ') ######################################## ## ## Write named generic process ID pipes ## ## ## ## Domain allowed access. ## ## # define(`files_write_generic_pid_pipes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `files_write_generic_pid_pipes'($*)) dnl gen_require(` type var_run_t; ') files_search_pids($1) allow $1 var_run_t:fifo_file write; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `files_write_generic_pid_pipes'($*)) dnl ') ######################################## ## ## Write named generic process ID sockets ## ## ## ## Domain allowed access. ## ## # define(`files_write_generic_pid_sockets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `files_write_generic_pid_sockets'($*)) dnl gen_require(` type var_run_t; ') files_search_pids($1) allow $1 var_run_t:sock_file write; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `files_write_generic_pid_sockets'($*)) dnl ') ######################################## ## ## Create an object in the process ID directory, with a private type. ## ## ##

## Create an object in the process ID directory (e.g., /var/run) ## with a private type. Typically this is used for creating ## private PID files in /var/run with the private type instead ## of the general PID file type. To accomplish this goal, ## either the program must be SELinux-aware, or use this interface. ##

##

## Related interfaces: ##

##
    ##
  • files_pid_file()
  • ##
##

## Example usage with a domain that can create and ## write its PID file with a private PID file type in the ## /var/run directory: ##

##

## type mypidfile_t; ## files_pid_file(mypidfile_t) ## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; ## files_pid_filetrans(mydomain_t, mypidfile_t, file) ##

##
## Parameter 1 (domain): Domain allowed access.
## Parameter 2 (private type): The type of the object to be created.
## Parameter 3 (object class): The object class of the object being created.
## Parameter 4 (name, optional): The name of the object being created.
#
define(`files_pid_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_pid_filetrans'($*)) dnl
	gen_require(`
		type var_t, var_run_t;
	')

	# Search on /var is needed to reach /var/run; the transition itself is
	# scoped to var_run_t as the parent directory, so objects created
	# elsewhere are unaffected.
	allow $1 var_t:dir search_dir_perms;
	filetrans_pattern($1, var_run_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_pid_filetrans'($*)) dnl
')

########################################
## Create a generic lock directory within the run directories
##
## Parameter 1 (domain): Domain allowed access
## Parameter 2 (name): The name of the object being created.
#
define(`files_pid_filetrans_lock_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_pid_filetrans_lock_dir'($*)) dnl
	gen_require(`
		type var_lock_t;
	')

	# Thin wrapper: a named dir transition under var_run_t to var_lock_t.
	files_pid_filetrans($1, var_lock_t, dir, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_pid_filetrans_lock_dir'($*)) dnl
')

########################################
## rw generic pid files inherited from another process
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_rw_inherited_generic_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_inherited_generic_pid_files'($*)) dnl
	gen_require(`
		type var_run_t;
	')

	# Inherited-descriptor permissions only: no open, so the domain cannot
	# acquire new var_run_t files on its own.
	allow $1 var_run_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_inherited_generic_pid_files'($*)) dnl
')

########################################
## Read and write generic process ID files.
##
## Parameter 1 (domain): Domain allowed access.
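#
define(`files_rw_generic_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_generic_pids'($*)) dnl
	gen_require(`
		type var_t, var_run_t;
	')

	# Read/write on existing var_run_t files; creation and deletion are
	# deliberately not included here.
	files_search_pids($1)
	list_dirs_pattern($1, var_t, var_run_t)
	rw_files_pattern($1, var_run_t, var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_generic_pids'($*)) dnl
')

########################################
## Do not audit attempts to get the attributes of
## daemon runtime data files.
##
## Parameter 1 (domain): Domain to not audit.
#
define(`files_dontaudit_getattr_all_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_all_pids'($*)) dnl
	gen_require(`
		attribute pidfile;
		type var_run_t;
	')

	# Suppresses noise only; nothing is granted by a dontaudit rule.
	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
	dontaudit $1 pidfile:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_all_pids'($*)) dnl
')

########################################
## Do not audit attempts to write to daemon runtime data files.
##
## Parameter 1 (domain): Domain to not audit.
#
define(`files_dontaudit_write_all_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_all_pids'($*)) dnl
	gen_require(`
		attribute pidfile;
		type var_run_t;
	')

	# var_run_t is used below, so it must be in the require block, as in
	# files_dontaudit_getattr_all_pids and files_dontaudit_ioctl_all_pids;
	# otherwise a module that does not already require it fails to build.
	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
	dontaudit $1 pidfile:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_all_pids'($*)) dnl
')

########################################
## Do not audit attempts to ioctl daemon runtime data files.
##
## Parameter 1 (domain): Domain to not audit.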
#
define(`files_dontaudit_ioctl_all_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_ioctl_all_pids'($*)) dnl
	gen_require(`
		attribute pidfile;
		type var_run_t;
	')

	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
	dontaudit $1 pidfile:file ioctl;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_ioctl_all_pids'($*)) dnl
')

########################################
## Relabel all pid directories
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_relabel_all_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_all_pid_dirs'($*)) dnl
	gen_require(`
		attribute pidfile;
	')

	# relabelfrom/relabelto across every pidfile type, in both directions;
	# this is a label-management privilege, keep it to restorecon-like domains.
	relabel_dirs_pattern($1, pidfile, pidfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_all_pid_dirs'($*)) dnl
')

########################################
## Delete all pid sockets
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_delete_all_pid_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_all_pid_sockets'($*)) dnl
	gen_require(`
		attribute pidfile;
	')

	allow $1 pidfile:sock_file delete_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_all_pid_sockets'($*)) dnl
')

########################################
## Create all pid sockets
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_create_all_pid_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_all_pid_sockets'($*)) dnl
	gen_require(`
		attribute pidfile;
	')

	# Applies to every type carrying the pidfile attribute, not only var_run_t.
	allow $1 pidfile:sock_file create_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_all_pid_sockets'($*)) dnl
')

########################################
## Create all pid named pipes
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_create_all_pid_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_all_pid_pipes'($*)) dnl
	gen_require(`
		attribute pidfile;
	')

	allow $1 pidfile:fifo_file create_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_all_pid_pipes'($*)) dnl
')

########################################
## Delete all pid named pipes
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_delete_all_pid_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_all_pid_pipes'($*)) dnl
	gen_require(`
		attribute pidfile;
	')

	allow $1 pidfile:fifo_file delete_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_all_pid_pipes'($*)) dnl
')

########################################
## manage all pidfile directories
## in the /var/run directory.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_manage_all_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_all_pid_dirs'($*)) dnl
	gen_require(`
		attribute pidfile;
	')

	# Full create/read/write/delete over every pidfile-typed directory.
	manage_dirs_pattern($1,pidfile,pidfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_all_pid_dirs'($*)) dnl
')

########################################
## Read all process ID files.
## Parameter 1 (domain): Domain allowed access.
#
define(`files_read_all_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_pids'($*)) dnl
	gen_require(`
		attribute pidfile;
		type var_t;
	')

	# Read access to every pidfile type, including symlinks, reached via /var.
	list_dirs_pattern($1, var_t, pidfile)
	read_files_pattern($1, pidfile, pidfile)
	read_lnk_files_pattern($1, pidfile, pidfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_pids'($*)) dnl
')

########################################
## mmap all process ID files.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_map_all_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_map_all_pids'($*)) dnl
	gen_require(`
		attribute pidfile;
		type var_t;
	')

	# NOTE(review): var_t is required but not used by the single rule below.
	# Only the map permission is granted; callers still need read access
	# from another interface to open the file.
	allow $1 pidfile:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_map_all_pids'($*)) dnl
')

########################################
## Relabel all pid files
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_relabel_all_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_all_pid_files'($*)) dnl
	gen_require(`
		attribute pidfile;
	')

	relabel_files_pattern($1, pidfile, pidfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_all_pid_files'($*)) dnl
')

########################################
## Execute generic programs in /var/run in the caller domain.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_exec_generic_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_exec_generic_pid_files'($*)) dnl
	gen_require(`
		type var_run_t;
	')

	# Executes var_run_t content without a domain transition. /var/run is
	# runtime-writable state, so review callers carefully: any domain that can
	# write var_run_t files can influence what this domain executes.
	exec_files_pattern($1, var_run_t, var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_exec_generic_pid_files'($*)) dnl
')

########################################
## Write all sockets
## in the /var/run directory.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_write_all_pid_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_write_all_pid_sockets'($*)) dnl
	gen_require(`
		attribute pidfile;
	')

	allow $1 pidfile:sock_file write_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_write_all_pid_sockets'($*)) dnl
')

########################################
## manage all pidfiles
## in the /var/run directory.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_manage_all_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_all_pids'($*)) dnl
	gen_require(`
		attribute pidfile;
	')

	# Full control of every pidfile-typed file; this lets the caller tamper
	# with the runtime state of any daemon, so it is not a routine grant.
	manage_files_pattern($1,pidfile,pidfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_all_pids'($*)) dnl
')

########################################
## Mount filesystems on all polyinstantiation
## member directories.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_mounton_all_poly_members',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_mounton_all_poly_members'($*)) dnl
	gen_require(`
		attribute polymember;
	')

	allow $1 polymember:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_mounton_all_poly_members'($*)) dnl
')

########################################
## Delete all process IDs.
## Parameter 1 (domain): Domain allowed access.
#
define(`files_delete_all_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_all_pids'($*)) dnl
	gen_require(`
		attribute pidfile;
		type var_t, var_run_t;
	')

	# Delete files, FIFOs and sockets of every pidfile type; sockets may also
	# live directly in var_run_t, hence the extra type in the last pattern.
	files_search_pids($1)
	allow $1 var_t:dir search_dir_perms;
	allow $1 var_run_t:dir rmdir;
	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
	delete_files_pattern($1, pidfile, pidfile)
	delete_fifo_files_pattern($1, pidfile, pidfile)
	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_all_pids'($*)) dnl
')

########################################
## Delete all process ID directories.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_delete_all_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_all_pid_dirs'($*)) dnl
	gen_require(`
		attribute pidfile;
		type var_t, var_run_t;
	')

	files_search_pids($1)
	allow $1 var_t:dir search_dir_perms;
	delete_dirs_pattern($1, pidfile, pidfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_all_pid_dirs'($*)) dnl
')

########################################
## Make the specified type a file
## used for spool files.
##
##

## Make the specified type usable for spool files. ## This will also make the type usable for files, making ## calls to files_type() redundant. Failure to use this interface ## for a spool file may result in problems with ## purging spool files. ##

##

## Related interfaces: ##

##
    ##
  • files_spool_filetrans()
  • ##
##

## Example usage with a domain that can create and ## write its spool file in the system spool file ## directories (/var/spool): ##

##

## type myspoolfile_t; ## files_spool_file(myspoolfile_t) ## allow mydomain_t myspoolfile_t:file { create_file_perms write_file_perms }; ## files_spool_filetrans(mydomain_t, myspoolfile_t, file) ##

##
## Parameter 1 (file type): Type of the file to be used as a spool file.
#
define(`files_spool_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_spool_file'($*)) dnl
	gen_require(`
		attribute spoolfile;
	')

	# Marks the type as a file type and adds the spoolfile attribute so the
	# files_*_all_spool_* interfaces cover it.
	files_type($1)
	typeattribute $1 spoolfile;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_spool_file'($*)) dnl
')

########################################
## Create all spool sockets
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_create_all_spool_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_all_spool_sockets'($*)) dnl
	gen_require(`
		attribute spoolfile;
	')

	allow $1 spoolfile:sock_file create_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_all_spool_sockets'($*)) dnl
')

########################################
## Delete all spool sockets
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_delete_all_spool_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_all_spool_sockets'($*)) dnl
	gen_require(`
		attribute spoolfile;
	')

	allow $1 spoolfile:sock_file delete_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_all_spool_sockets'($*)) dnl
')

########################################
## Relabel to and from all spool
## directory types.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_relabel_all_spool_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_relabel_all_spool_dirs'($*)) dnl
	gen_require(`
		attribute spoolfile;
		type var_t;
	')

	# NOTE(review): var_t is required but not referenced by the rule below.
	relabel_dirs_pattern($1, spoolfile, spoolfile)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_relabel_all_spool_dirs'($*)) dnl
')

########################################
## Search the contents of generic spool
## directories (/var/spool).
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_search_spool'($*)) dnl
	gen_require(`
		type var_t, var_spool_t;
	')

	search_dirs_pattern($1, var_t, var_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_search_spool'($*)) dnl
')

########################################
## Do not audit attempts to search generic
## spool directories.
##
## Parameter 1 (domain): Domain to not audit.
#
define(`files_dontaudit_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_spool'($*)) dnl
	gen_require(`
		type var_spool_t;
	')

	dontaudit $1 var_spool_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_spool'($*)) dnl
')

########################################
## List the contents of generic spool
## (/var/spool) directories.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_list_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_list_spool'($*)) dnl
	gen_require(`
		type var_t, var_spool_t;
	')

	list_dirs_pattern($1, var_t, var_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_list_spool'($*)) dnl
')

########################################
## Create, read, write, and delete generic
## spool directories (/var/spool).
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_manage_generic_spool_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_generic_spool_dirs'($*)) dnl
	gen_require(`
		type var_t, var_spool_t;
	')

	allow $1 var_t:dir search_dir_perms;
	manage_dirs_pattern($1, var_spool_t, var_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_generic_spool_dirs'($*)) dnl
')

########################################
## Read generic spool files.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_read_generic_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_generic_spool'($*)) dnl
	gen_require(`
		type var_t, var_spool_t;
	')

	# Read-only; no symlink access is granted here.
	list_dirs_pattern($1, var_t, var_spool_t)
	read_files_pattern($1, var_spool_t, var_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_generic_spool'($*)) dnl
')

########################################
## Create, read, write, and delete generic
## spool files.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_manage_generic_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_generic_spool'($*)) dnl
	gen_require(`
		type var_t, var_spool_t;
	')

	allow $1 var_t:dir search_dir_perms;
	manage_files_pattern($1, var_spool_t, var_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_generic_spool'($*)) dnl
')

########################################
## Create objects in the spool directory
## with a private type with a type transition.
##
## Parameter 1 (domain): Domain allowed access.
## Parameter 2 (private type): Type to which the created node will be transitioned.
## Parameter 3 (object class): Object class(es) (single or set including {}) for which
##	the transition will occur.
## Parameter 4 (name, optional): The name of the object being created.
#
define(`files_spool_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_spool_filetrans'($*)) dnl
	gen_require(`
		type var_t, var_spool_t;
	')

	# Same shape as files_pid_filetrans, with var_spool_t as the parent.
	allow $1 var_t:dir search_dir_perms;
	filetrans_pattern($1, var_spool_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_spool_filetrans'($*)) dnl
')

########################################
## Allow access to manage all polyinstantiated
## directories on the system.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_polyinstantiate_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_polyinstantiate_all'($*)) dnl
	gen_require(`
		attribute polydir, polymember, polyparent;
		type poly_t;
	')

	# This is a privileged bundle (sys_admin, mounting, relabeling, setfscreate);
	# it is intended for the pam_namespace-style setup domain, not for services.

	# Need to give access to /selinux/member
	selinux_compute_member($1)

	# Need sys_admin capability for mounting
	allow $1 self:capability { chown fsetid sys_admin fowner };

	# Need to give access to the directories to be polyinstantiated
	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };

	# Need to give access to the polyinstantiated subdirectories
	allow $1 polymember:dir search_dir_perms;

	# Need to give access to parent directories where original
	# is remounted for polyinstantiation aware programs (like gdm)
	allow $1 polyparent:dir { getattr mounton };

	# Need to give permission to create directories where applicable
	allow $1 self:process setfscreate;
	allow $1 polymember: dir { create setattr relabelto };
	allow $1 polydir: dir { write add_name open };
	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };

	# Default type for mountpoints
	allow $1 poly_t:dir { create mounton };

	fs_unmount_xattr_fs($1)
	fs_mount_tmpfs($1)
	fs_unmount_tmpfs($1)

	ifdef(`distro_redhat',`
		# namespace.init
		files_search_tmp($1)
		files_search_home($1)
		corecmd_exec_bin($1)
		seutil_domtrans_setfiles($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_polyinstantiate_all'($*)) dnl
')

########################################
## Unconfined access to files.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_unconfined'($*)) dnl
	gen_require(`
		attribute files_unconfined_type;
	')

	# Attaches the attribute that carries the unconfined file rules; the
	# effective permissions are whatever the policy grants to that attribute.
	typeattribute $1 files_unconfined_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_unconfined'($*)) dnl
')

########################################
## Create core files in /
##
##

## Create a core file in /. ##

##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_manage_root_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_root_files'($*)) dnl
	gen_require(`
		type root_t;
	')

	# NOTE(review): the summary talks about core files, but the rule grants
	# full manage (create/read/write/delete) on every root_t file, which is
	# much broader than writing a core dump.
	manage_files_pattern($1, root_t, root_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_root_files'($*)) dnl
')

########################################
## Create a default directory
##
##

## Create a default_t directory ##

##
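## Parameter 1 (domain): Domain allowed access.
#
define(`files_create_default_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_default_dir'($*)) dnl
	gen_require(`
		type default_t;
	')

	# create only: the caller gets no read/write on the resulting directory.
	allow $1 default_t:dir create;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_default_dir'($*)) dnl
')

########################################
## Create default_t objects with an automatic
## type transition.
##
## Parameter 1 (domain): Domain allowed access.
## Parameter 2 (object class): The class of the object being created.
#
define(`files_root_filetrans_default',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_root_filetrans_default'($*)) dnl
	gen_require(`
		type root_t, default_t;
	')

	# Unnamed transition: every object of class $2 created directly in /
	# by the domain gets default_t.
	filetrans_pattern($1, root_t, default_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_root_filetrans_default'($*)) dnl
')

########################################
## Create lib_t objects with an automatic
## type transition.
##
## Parameter 1 (domain): Domain allowed access.
## Parameter 2 (directory type): Type of the directory to be transitioned from
## Parameter 3 (object class): The class of the object being created.
## Parameter 4 (name, optional): The name of the object being created.
#
define(`files_filetrans_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_filetrans_lib'($*)) dnl
	gen_require(`
		type lib_t;
	')

	# lib_t was listed twice in the require block; one declaration is enough.
	filetrans_pattern($1, $2, lib_t, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_filetrans_lib'($*)) dnl
')

########################################
## Watch generic directories in /lib.
##
## Parameter 1 (domain): Domain allowed access.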
#
define(`files_watch_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_lib_dirs'($*)) dnl
	gen_require(`
		type lib_t;
	')

	allow $1 lib_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_lib_dirs'($*)) dnl
')

########################################
## manage generic symbolic links
## in the /var/run directory.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_manage_generic_pids_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_manage_generic_pids_symlinks'($*)) dnl
	gen_require(`
		type var_run_t;
	')

	# Create/delete of var_run_t symlinks; symlink creation in a shared
	# runtime directory is a classic redirection vector, so grant narrowly.
	manage_lnk_files_pattern($1,var_run_t,var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_manage_generic_pids_symlinks'($*)) dnl
')

########################################
## Watch the pidfile files and directories
##
## Parameter 1 (domain): Domain allowed access
#
define(`files_watch_all_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_watch_all_pid'($*)) dnl
	gen_require(`
		attribute pidfile;
	')

	allow $1 pidfile:dir watch_dir_perms;
	allow $1 pidfile:file watch_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_watch_all_pid'($*)) dnl
')

########################################
## Do not audit attempts to getattr
## all tmpfs files.
##
## Parameter 1 (domain): Domain to not audit.
#
define(`files_dontaudit_getattr_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_getattr_tmpfs_files'($*)) dnl
	gen_require(`
		attribute tmpfsfile;
	')

	# NOTE(review): the interface is named and documented as a dontaudit, but
	# the rule below is an allow, so callers actually receive getattr on every
	# tmpfsfile type. Existing callers may depend on that grant; confirm intent
	# before switching this to dontaudit.
	allow $1 tmpfsfile:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_getattr_tmpfs_files'($*)) dnl
')

########################################
## Allow delete all tmpfs files.
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_delete_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_tmpfs_files'($*)) dnl
	gen_require(`
		attribute tmpfsfile;
	')

	allow $1 tmpfsfile:file delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_tmpfs_files'($*)) dnl
')

########################################
## Allow read write all tmpfs files
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_rw_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_tmpfs_files'($*)) dnl
	gen_require(`
		attribute tmpfsfile;
	')

	# Bare read/write without open: only usable on already-open descriptors
	# unless the caller also has open from elsewhere.
	allow $1 tmpfsfile:file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_tmpfs_files'($*)) dnl
')

########################################
## Do not audit attempts to read security files
##
## Parameter 1 (domain): Domain to not audit.
#
define(`files_dontaudit_read_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_read_security_files'($*)) dnl
	gen_require(`
		attribute security_file_type;
	')

	# Silences denials only; reads of security_file_type remain denied.
	dontaudit $1 security_file_type:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_read_security_files'($*)) dnl
')

########################################
## Do not audit attempts to search security files
##
## Parameter 1 (domain): Domain to not audit.
#
define(`files_dontaudit_search_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_search_security_files'($*)) dnl
	gen_require(`
		attribute security_file_type;
	')

	dontaudit $1 security_file_type:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_search_security_files'($*)) dnl
')

########################################
## Do not audit attempts to list security dirs
##
## Parameter 1 (domain): Domain to not audit.
#
define(`files_dontaudit_list_security_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_list_security_dirs'($*)) dnl
	gen_require(`
		attribute security_file_type;
	')

	dontaudit $1 security_file_type:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_list_security_dirs'($*)) dnl
')

########################################
## rw any files inherited from another process
##
## Parameter 1 (domain): Domain allowed access.
## Parameter 2 (object type): Object type.
#
define(`files_rw_all_inherited_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_rw_all_inherited_files'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	# Descriptor-inheritance rules (no open) over every file_type plus the
	# extra type passed as the second argument.
	allow $1 { file_type $2 }:file rw_inherited_file_perms;
	allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
	allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
	allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_rw_all_inherited_files'($*)) dnl
')

########################################
## Allow any file to be the entrypoint of this domain
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_entrypoint_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_entrypoint_all_files'($*)) dnl
	gen_require(`
		attribute file_type;
		type unlabeled_t;
	')

	# Any labeled file (unlabeled_t excluded) may serve as the entrypoint into
	# this domain; this defeats the usual executable-type check, so it should
	# be reserved for unconfined-style domains.
	allow $1 {file_type -unlabeled_t} :file entrypoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_entrypoint_all_files'($*)) dnl
')

########################################
## Do not audit attempts to rw inherited file perms
## of non security files.
##
## Parameter 1 (domain): Domain to not audit.
#
define(`files_dontaudit_all_non_security_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_all_non_security_leaks'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_all_non_security_leaks'($*)) dnl
')

########################################
## Do not audit attempts to read or write
## all leaked files.
##
## Parameter 1 (domain): Domain to not audit.
#
define(`files_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_leaks'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	dontaudit $1 file_type:file rw_inherited_file_perms;
	dontaudit $1 file_type:lnk_file { read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_leaks'($*)) dnl
')

########################################
## Allow domain to create_files_as all types
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_create_as_is_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_create_as_is_all_files'($*)) dnl
	gen_require(`
		attribute file_type;
		class kernel_service create_files_as;
	')

	# Lets the domain have the kernel create files on its behalf with any
	# file_type label; effectively a labeling bypass, so keep callers minimal.
	allow $1 file_type:kernel_service create_files_as;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_create_as_is_all_files'($*)) dnl
')

########################################
## Do not audit attempts to check the
## access on all files
##
## Parameter 1 (domain): Domain to not audit.
#
define(`files_dontaudit_all_access_check',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_all_access_check'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	dontaudit $1 file_type:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_all_access_check'($*)) dnl
')

########################################
## Do not audit attempts to write to all files
##
## Parameter 1 (domain): Domain to not audit.
#
define(`files_dontaudit_write_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_write_all_files'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	dontaudit $1 file_type:dir_file_class_set write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_write_all_files'($*)) dnl
')

########################################
## Allow domain to delete all non security files
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_delete_all_non_security_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_all_non_security_files'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	# Unlink across every non-security file type and class; security_file_type
	# is excluded by construction of the attribute.
	allow $1 non_security_file_type:dir del_entry_dir_perms;
	allow $1 non_security_file_type:file_class_set delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_all_non_security_files'($*)) dnl
')

########################################
## Allow domain to delete all non security dirs
##
## Parameter 1 (domain): Domain allowed access.
#
define(`files_delete_all_non_security_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_delete_all_non_security_dirs'($*)) dnl
	gen_require(`
		attribute non_security_file_type;
	')

	allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_delete_all_non_security_dirs'($*)) dnl
')

########################################
## Transition named content in the var_run_t directory
##
## Parameter 1 (domain): Domain allowed access.
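##	</summary>
## </param>
#
define(`files_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_filetrans_named_content'($*)) dnl
	gen_require(`
		type etc_t;
		type etc_runtime_t;
		type mnt_t;
		type usr_t;
		type tmp_t;
		type var_t;
		type var_run_t;
		type var_lock_t;
		type system_conf_t;
	')

	# Name-based type transitions so that well-known paths created by
	# the caller get their canonical label instead of inheriting the
	# label of the parent directory. etc_runtime_t is passed directly
	# to files_root_filetrans/files_var_filetrans below, so it is
	# required here rather than relying on the nested
	# files_etc_filetrans_etc_runtime calls to pull it in.
	files_pid_filetrans($1, mnt_t, dir, "media")
	files_root_filetrans($1, etc_runtime_t, file, ".readahead")
	files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
	files_root_filetrans($1, etc_runtime_t, dir, "oldroot")
	files_root_filetrans($1, etc_runtime_t, file, ".profile")
	files_root_filetrans($1, mnt_t, dir, "afs")
	files_root_filetrans($1, mnt_t, dir, "misc")
	files_root_filetrans($1, mnt_t, dir, "net")
	files_root_filetrans($1, usr_t, dir, "export")
	files_root_filetrans($1, usr_t, dir, "opt")
	files_root_filetrans($1, usr_t, dir, "ostree")
	files_root_filetrans($1, usr_t, dir, "emul")
	files_root_filetrans($1, var_t, dir, "srv")
	files_root_filetrans($1, var_run_t, dir, "run")
	files_root_filetrans($1, var_run_t, lnk_file, "run")
	files_root_filetrans($1, var_lock_t, lnk_file, "lock")
	files_root_filetrans($1, tmp_t, dir, "sandbox")
	files_root_filetrans($1, tmp_t, dir, "tmp")
	files_root_filetrans($1, var_t, dir, "nsr")
	files_etc_filetrans($1, etc_t, file, "system-auth-ac")
	files_etc_filetrans($1, etc_t, file, "postlogin-ac")
	files_etc_filetrans($1, etc_t, file, "password-auth-ac")
	files_etc_filetrans($1, etc_t, file, "fingerprint-auth-ac")
	files_etc_filetrans($1, etc_t, file, "smartcard-auth-ac")
	files_etc_filetrans($1, etc_t, file, "hwdb.bin")
	files_etc_filetrans_etc_runtime($1, file, ".updated")
	files_etc_filetrans_etc_runtime($1, file, "runtime")
	files_etc_filetrans_etc_runtime($1, dir, "blkid")
	files_etc_filetrans_etc_runtime($1, dir, "cmtab")
	files_etc_filetrans_etc_runtime($1, file, "fstab.REVOKE")
	files_etc_filetrans_etc_runtime($1, file, "ioctl.save")
	files_etc_filetrans_etc_runtime($1, file, "nologin")
	files_etc_filetrans_etc_runtime($1, file, "securetty")
	files_etc_filetrans_etc_runtime($1, file, "ifstate")
	files_etc_filetrans_etc_runtime($1, file, "ptal-printd-like")
	files_etc_filetrans_etc_runtime($1, file, "hwconf")
	# iptables.save is a saved firewall ruleset; it gets system_conf_t
	# rather than the generic etc_t label.
	filetrans_pattern($1, etc_t, system_conf_t, file, "iptables.save")
	files_tmp_filetrans($1, tmp_t, dir, "tmp-inst")
	files_var_filetrans($1, tmp_t, dir, "tmp")
	files_var_filetrans($1, var_run_t, dir, "run")
	files_var_filetrans($1, etc_runtime_t, file, ".updated")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_filetrans_named_content'($*)) dnl
')

########################################
## <summary>
##	Make the specified type a
##	base file.
## </summary>
## <desc>
##	<p>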

## Identify the file type as a base file type. Tools use this attribute to help users diagnose problems. ##

##
## <param name="type">
##	<summary>
##	Type to be used as a base file.
##	</summary>
## </param>
#
define(`files_base_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_base_file'($*)) dnl
	gen_require(`
		attribute base_file_type;
	')

	# A base file is first an ordinary file type (files_type), then
	# additionally tagged with base_file_type for tooling.
	files_type($1)
	typeattribute $1 base_file_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_base_file'($*)) dnl
')

########################################
## <summary>
##	Make the specified type a
##	base read only file.
## </summary>
## <desc>
##	<p>

## Make the specified type readable for all domains. ##

##
## <param name="type">
##	<summary>
##	Type to be used as a base read only file.
##	</summary>
## </param>
#
define(`files_ro_base_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_ro_base_file'($*)) dnl
	gen_require(`
		attribute base_ro_file_type;
	')

	# Builds on files_base_file; the extra attribute is what the
	# files_read_all_base_ro_files / files_exec_all_base_ro_files
	# interfaces below key on, so adding a type here widens what
	# every caller of those interfaces can read or execute.
	files_base_file($1)
	typeattribute $1 base_ro_file_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_ro_base_file'($*)) dnl
')

########################################
## <summary>
##	Read all ro base files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_read_all_base_ro_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_read_all_base_ro_files'($*)) dnl
	gen_require(`
		attribute base_ro_file_type;
	')

	list_dirs_pattern($1, base_ro_file_type, base_ro_file_type)
	read_files_pattern($1, base_ro_file_type, base_ro_file_type)
	read_lnk_files_pattern($1, base_ro_file_type, base_ro_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_read_all_base_ro_files'($*)) dnl
')

########################################
## <summary>
##	Execute all base ro files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_exec_all_base_ro_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_exec_all_base_ro_files'($*)) dnl
	gen_require(`
		attribute base_ro_file_type;
	')

	# Execute without a domain transition: the caller keeps running
	# in its own domain after exec.
	can_exec($1, base_ro_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_exec_all_base_ro_files'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to modify the systemd configuration of
##	any file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_config_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_config_all_files'($*)) dnl
	gen_require(`
		attribute file_type;
	')

	# Full service-class control over every file type, which in practice
	# means start/stop/status of any unit the caller can name; reserve
	# for init-like domains.
	allow $1 file_type:service all_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_config_all_files'($*)) dnl
')

########################################
## <summary>
##	Get the status of etc_t files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`files_status_etc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_status_etc'($*)) dnl
	gen_require(`
		type etc_t;
	')

	allow $1 etc_t:service status;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_status_etc'($*)) dnl
')

########################################
## <summary>
##	Dontaudit mounting on a modules_object_t directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`files_dontaudit_mounton_modules_object',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_dontaudit_mounton_modules_object'($*)) dnl
	gen_require(`
		type modules_object_t;
	')

	# NOTE(review): the interface name and summary promise a dontaudit,
	# but the rule below is an allow. Any caller that invokes this to
	# silence log noise is instead granted mounton on the kernel
	# modules directory. Either change this to
	# dontaudit $1 modules_object_t:dir mounton; or rename the
	# interface to files_mounton_modules_object so the grant is
	# explicit. Confirm against existing callers before changing.
	allow $1 modules_object_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_dontaudit_mounton_modules_object'($*)) dnl
')

## <summary>Policy for filesystems.</summary>
## <desc>
##	<p>
##	Contains the initial SID for the filesystems.
##	</p>
## </desc>

########################################
## <summary>
##	Transform specified type into a filesystem type.
## </summary>
## <param name="type">
##	<summary>
##	Type to be transformed.
##	</summary>
## </param>
#
define(`fs_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_type'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	typeattribute $1 filesystem_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_type'($*)) dnl
')

########################################
## <summary>
##	Transform specified type into a filesystem
##	type which does not have extended attribute
##	support.
## </summary>
## <param name="type">
##	<summary>
##	Type to be transformed.
##	</summary>
## </param>
#
define(`fs_noxattr_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_noxattr_type'($*)) dnl
	gen_require(`
		attribute noxattrfs;
	')

	# A noxattr filesystem is still a filesystem type; the noxattrfs
	# attribute is what fs_associate_noxattr and fs_exec_noxattr
	# key on, so every caller of those gains access to this type.
	fs_type($1)
	typeattribute $1 noxattrfs;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_noxattr_type'($*)) dnl
')

########################################
## <summary>
##	Associate the specified file type to persistent
##	filesystems with extended attributes. This
##	allows a file of this type to be created on
##	a filesystem such as ext3, JFS, and XFS.
## </summary>
## <param name="type">
##	<summary>
##	The type to be associated.
##	</summary>
## </param>
#
define(`fs_associate',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_associate'($*)) dnl
	gen_require(`
		type fs_t;
	')

	allow $1 fs_t:filesystem associate;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_associate'($*)) dnl
')

########################################
## <summary>
##	Associate the specified file type to
##	filesystems which lack extended attributes
##	support. This allows a file of this type
##	to be created on a filesystem such as
##	FAT32, and NFS.
## </summary>
## <param name="type">
##	<summary>
##	The type to be associated.
##	</summary>
## </param>
#
define(`fs_associate_noxattr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_associate_noxattr'($*)) dnl
	gen_require(`
		attribute noxattrfs;
	')

	allow $1 noxattrfs:filesystem associate;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_associate_noxattr'($*)) dnl
')

########################################
## <summary>
##	Execute files on a filesystem that does
##	not support extended attributes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_exec_noxattr',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_exec_noxattr'($*)) dnl
	gen_require(`
		attribute noxattrfs;
	')

	# Files on noxattr filesystems carry no per-file label, so this
	# permits executing anything on such a mount in the caller's
	# own domain (no transition). Treat as a broad grant.
	can_exec($1, noxattrfs)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_exec_noxattr'($*)) dnl
')

########################################
## <summary>
##	Mount a persistent filesystem which
##	has extended attributes, such as
##	ext3, JFS, or XFS.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_mount_xattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_xattr_fs'($*)) dnl
	gen_require(`
		type fs_t;
	')

	allow $1 fs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_xattr_fs'($*)) dnl
')

########################################
## <summary>
##	Remount a persistent filesystem which
##	has extended attributes, such as
##	ext3, JFS, or XFS. This allows
##	some mount options to be changed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_remount_xattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_xattr_fs'($*)) dnl
	gen_require(`
		type fs_t;
	')

	# remount is what lets a caller flip options such as ro/rw or
	# nosuid/noexec on an already-mounted filesystem.
	allow $1 fs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_xattr_fs'($*)) dnl
')

########################################
## <summary>
##	Unmount a persistent filesystem which
##	has extended attributes, such as
##	ext3, JFS, or XFS.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_unmount_xattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_xattr_fs'($*)) dnl
	gen_require(`
		type fs_t;
	')

	allow $1 fs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_xattr_fs'($*)) dnl
')

########################################
## <summary>
##	Mount, remount, unmount a persistent filesystem which
##	has extended attributes, such as
##	ext3, JFS, or XFS.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_all_mount_fs_perms_xattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_all_mount_fs_perms_xattr_fs'($*)) dnl
	gen_require(`
		type fs_t;
	')

	# mount_fs_perms bundles the three single-permission interfaces
	# above; prefer the narrower one when only one is needed.
	allow $1 fs_t:filesystem mount_fs_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_all_mount_fs_perms_xattr_fs'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of persistent
##	filesystems which have extended
##	attributes, such as ext3, JFS, or XFS.
## </summary>
## <desc>

## Allow the specified domain to ## get the attributes of persistent ## filesystems which have extended ## attributes, such as ext3, JFS, or XFS. ## Example attributes: ##

##
##	<ul>
##		<li>Type of the file system (e.g., ext3)</li>
##		<li>Size of the file system</li>
##		<li>Available space on the file system</li>
##	</ul>
##
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_getattr_xattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_xattr_fs'($*)) dnl
	gen_require(`
		type fs_t;
	')

	allow $1 fs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_xattr_fs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to
##	get the attributes of a persistent
##	filesystem which has extended
##	attributes, such as ext3, JFS, or XFS.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_getattr_xattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_xattr_fs'($*)) dnl
	gen_require(`
		type fs_t;
	')

	dontaudit $1 fs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_xattr_fs'($*)) dnl
')

########################################
## <summary>
##	Allow changing of the label of a
##	filesystem with extended attributes
##	using the context= mount option.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_relabelfrom_xattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_xattr_fs'($*)) dnl
	gen_require(`
		type fs_t;
	')

	# Overriding the on-disk labels of a whole xattr filesystem with a
	# context= mount is a label-bypass for everything underneath it;
	# grant only to mount-capable system domains.
	allow $1 fs_t:filesystem relabelfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabelfrom_xattr_fs'($*)) dnl
')

########################################
## <summary>
##	Get the filesystem quotas of a filesystem
##	with extended attributes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_get_xattr_fs_quotas',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_get_xattr_fs_quotas'($*)) dnl
	gen_require(`
		type fs_t;
	')

	allow $1 fs_t:filesystem quotaget;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_get_xattr_fs_quotas'($*)) dnl
')

########################################
## <summary>
##	Set the filesystem quotas of a filesystem
##	with extended attributes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_set_xattr_fs_quotas',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_set_xattr_fs_quotas'($*)) dnl
	gen_require(`
		type fs_t;
	')

	allow $1 fs_t:filesystem quotamod;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_set_xattr_fs_quotas'($*)) dnl
')

########################################
## <summary>
##	Read files on anon_inodefs file systems. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_read_anon_inodefs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_anon_inodefs_files'($*)) dnl
	# Deprecated: emits only a build-time warning and no rules.
	refpolicywarn(`$0($*) has been deprecated. All calls can be safely removed.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_anon_inodefs_files'($*)) dnl
')

########################################
## <summary>
##	Read and write files on anon_inodefs
##	file systems. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_rw_anon_inodefs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_anon_inodefs_files'($*)) dnl
	# Deprecated: emits only a build-time warning and no rules.
	refpolicywarn(`$0($*) has been deprecated. All calls can be safely removed.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_anon_inodefs_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read or write files on
##	anon_inodefs file systems. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_rw_anon_inodefs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_rw_anon_inodefs_files'($*)) dnl
	# Deprecated: emits only a build-time warning and no rules.
	refpolicywarn(`$0($*) has been deprecated. All calls can be safely removed.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_rw_anon_inodefs_files'($*)) dnl
')

########################################
## <summary>
##	Mount an automount pseudo filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_mount_autofs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_autofs'($*)) dnl
	gen_require(`
		type autofs_t;
	')

	allow $1 autofs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_autofs'($*)) dnl
')

########################################
## <summary>
##	Remount an automount pseudo filesystem.
##	This allows some mount options to be changed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_remount_autofs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_autofs'($*)) dnl
	gen_require(`
		type autofs_t;
	')

	allow $1 autofs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_autofs'($*)) dnl
')

########################################
## <summary>
##	Unmount an automount pseudo filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_unmount_autofs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_autofs'($*)) dnl
	gen_require(`
		type autofs_t;
	')

	allow $1 autofs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_autofs'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of an automount
##	pseudo filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_getattr_autofs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_autofs'($*)) dnl
	gen_require(`
		type autofs_t;
	')

	allow $1 autofs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_autofs'($*)) dnl
')

########################################
## <summary>
##	Search automount filesystem to use automatically
##	mounted filesystems.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to search mount points
##	that have filesystems that are mounted by
##	the automount service. Generally this will
##	be required for any domain that accesses objects
##	on these filesystems.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_search_auto_mountpoints',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_auto_mountpoints'($*)) dnl
	gen_require(`
		type autofs_t;
	')

	# search only (path traversal); listing is the separate
	# fs_list_auto_mountpoints interface.
	allow $1 autofs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_auto_mountpoints'($*)) dnl
')

########################################
## <summary>
##	Read directories of automatically
##	mounted filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_list_auto_mountpoints',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_auto_mountpoints'($*)) dnl
	gen_require(`
		type autofs_t;
	')

	allow $1 autofs_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_auto_mountpoints'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to list directories of automatically
##	mounted filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_list_auto_mountpoints',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_auto_mountpoints'($*)) dnl
	gen_require(`
		type autofs_t;
	')

	dontaudit $1 autofs_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_auto_mountpoints'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete symbolic links
##	on an autofs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_autofs_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_autofs_symlinks'($*)) dnl
	gen_require(`
		type autofs_t;
	')

	manage_lnk_files_pattern($1, autofs_t, autofs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_autofs_symlinks'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of directories on
##	binfmt_misc filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_getattr_binfmt_misc_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_binfmt_misc_dirs'($*)) dnl
	gen_require(`
		type binfmt_misc_fs_t;
	')

	allow $1 binfmt_misc_fs_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_binfmt_misc_dirs'($*)) dnl
')

########################################
## <summary>
##	Read binfmt_misc filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_read_binfmt_misc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_binfmt_misc'($*)) dnl
	gen_require(`
		type binfmt_misc_fs_t;
	')

	# Read-only view of registered handlers; registration itself is
	# fs_register_binary_executable_type.
	read_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_binfmt_misc'($*)) dnl
')

########################################
## <summary>
##	Register an interpreter for new binary
##	file types, using the kernel binfmt_misc
##	support.
## </summary>
## <desc>

## Register an interpreter for new binary ## file types, using the kernel binfmt_misc ## support. ##

##

## A common use for this is to ## register a JVM as an interpreter for ## Java byte code. Registered binaries ## can be directly executed on a command line ## without specifying the interpreter. ##

##
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_register_binary_executable_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_register_binary_executable_type'($*)) dnl
	gen_require(`
		type binfmt_misc_fs_t;
	')

	# Writing here installs a kernel-wide interpreter mapping for a
	# binary signature, i.e. it changes what runs when anyone execs a
	# matching file. Limit to administrative domains.
	rw_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_register_binary_executable_type'($*)) dnl
')

########################################
## <summary>
##	Manage bpf directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_bpf_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_bpf_dirs'($*)) dnl
	gen_require(`
		type bpf_t;
	')

	manage_dirs_pattern($1, bpf_t, bpf_t)
	# presumably search rights on the enclosing sysfs/tmpfs path are
	# needed to reach the bpf mount point - TODO confirm mount layout
	fs_search_tmpfs($1)
	dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_bpf_dirs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete bpf files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_bpf_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_bpf_files'($*)) dnl
	gen_require(`
		type bpf_t;
	')

	# Full manage, not just read as the old summary said; pinned bpf
	# objects live here, so this includes unpinning/replacing them.
	manage_files_pattern($1, bpf_t, bpf_t)
	fs_search_tmpfs($1)
	dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_bpf_files'($*)) dnl
')

########################################
## <summary>
##	Mount cgroup filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_mount_cgroup',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_cgroup'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	allow $1 cgroup_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_cgroup'($*)) dnl
')

########################################
## <summary>
##	Allow the type to associate to cgroup filesystems.
## </summary>
## <param name="type">
##	<summary>
##	The type of the object to be associated.
##	</summary>
## </param>
#
define(`fs_associate_cgroupfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_associate_cgroupfs'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	allow $1 cgroup_t:filesystem associate;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_associate_cgroupfs'($*)) dnl
')

########################################
## <summary>
##	Remount cgroup filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_remount_cgroup',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_cgroup'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	allow $1 cgroup_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_cgroup'($*)) dnl
')

########################################
## <summary>
##	Unmount cgroup filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_unmount_cgroup',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_cgroup'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	allow $1 cgroup_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_cgroup'($*)) dnl
')

########################################
## <summary>
##	Get attributes of cgroup filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_getattr_cgroup',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_cgroup'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	allow $1 cgroup_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_cgroup'($*)) dnl
')

########################################
## <summary>
##	Get attributes of cgroup files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_getattr_cgroup_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_cgroup_files'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	getattr_files_pattern($1, cgroup_t, cgroup_t)
	# presumably needed to traverse the sysfs/tmpfs path down to the
	# cgroup mount - TODO confirm against the mount layout
	fs_search_tmpfs($1)
	dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_cgroup_files'($*)) dnl
')

########################################
## <summary>
##	Search cgroup directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_search_cgroup_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_cgroup_dirs'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	search_dirs_pattern($1, cgroup_t, cgroup_t)
	fs_search_tmpfs($1)
	dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_cgroup_dirs'($*)) dnl
')

########################################
## <summary>
##	Relabel cgroup directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_relabel_cgroup_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabel_cgroup_dirs'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	# NOTE(review): unlike the sibling cgroup interfaces this one does
	# not add fs_search_tmpfs/dev_search_sysfs; callers are expected
	# to already have path access. Confirm that is intentional.
	relabel_dirs_pattern($1, cgroup_t, cgroup_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabel_cgroup_dirs'($*)) dnl
')

########################################
## <summary>
##	List cgroup directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_list_cgroup_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_cgroup_dirs'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	list_dirs_pattern($1, cgroup_t, cgroup_t)
	fs_search_tmpfs($1)
	dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_cgroup_dirs'($*)) dnl
')

#######################################
## <summary>
##	Do not audit attempts to search cgroup directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_search_cgroup_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_search_cgroup_dirs'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	# Both the cgroup dir search and the sysfs traversal are silenced,
	# so neither is granted.
	dontaudit $1 cgroup_t:dir search_dir_perms;
	dev_dontaudit_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_search_cgroup_dirs'($*)) dnl
')

########################################
## <summary>
##	Delete cgroup directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_delete_cgroup_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_delete_cgroup_dirs'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	delete_dirs_pattern($1, cgroup_t, cgroup_t)
	fs_search_tmpfs($1)
	dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_delete_cgroup_dirs'($*)) dnl
')

########################################
## <summary>
##	Manage cgroup directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_cgroup_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_cgroup_dirs'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	# Creating/removing cgroup directories is how resource-control
	# groups are created and destroyed; this is a control-plane grant.
	manage_dirs_pattern($1, cgroup_t, cgroup_t)
	fs_search_tmpfs($1)
	dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_cgroup_dirs'($*)) dnl
')

########################################
## <summary>
##	Watch cgroup directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_watch_cgroup_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_watch_cgroup_dirs'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	watch_dirs_pattern($1, cgroup_t, cgroup_t)
	fs_search_tmpfs($1)
	dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_watch_cgroup_dirs'($*)) dnl
')

########################################
## <summary>
##	Read cgroup files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_read_cgroup_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_cgroup_files'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	read_files_pattern($1, cgroup_t, cgroup_t)
	read_lnk_files_pattern($1, cgroup_t, cgroup_t)
	fs_search_tmpfs($1)
	dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_cgroup_files'($*)) dnl
')

########################################
## <summary>
##	Write cgroup files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_write_cgroup_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_write_cgroup_files'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	# Writing cgroup control files moves processes between groups and
	# changes limits; treat as a privileged grant.
	write_files_pattern($1, cgroup_t, cgroup_t)
	fs_search_tmpfs($1)
	dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_write_cgroup_files'($*)) dnl
')

########################################
## <summary>
##	Read and write cgroup files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_rw_cgroup_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_cgroup_files'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	read_lnk_files_pattern($1, cgroup_t, cgroup_t)
	rw_files_pattern($1, cgroup_t, cgroup_t)
	fs_search_tmpfs($1)
	dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_cgroup_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to open,
##	get attributes, read and write
##	cgroup files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_rw_cgroup_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_rw_cgroup_files'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	dontaudit $1 cgroup_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_rw_cgroup_files'($*)) dnl
')

########################################
## <summary>
##	Relabel cgroup files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_relabel_cgroup_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabel_cgroup_files'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	# No path-search helpers here, unlike most cgroup interfaces;
	# callers need their own traversal rights.
	relabel_files_pattern($1, cgroup_t, cgroup_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabel_cgroup_files'($*)) dnl
')

########################################
## <summary>
##	Create cgroup files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): only dev_search_sysfs is granted here, whereas the
# read/write/manage/watch siblings also call fs_search_tmpfs -- inconsistent;
# probably harmless for a v2 (sysfs-only) hierarchy, TODO confirm.
define(`fs_create_cgroup_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_create_cgroup_files'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	dev_search_sysfs($1)
	create_files_pattern($1, cgroup_t, cgroup_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_create_cgroup_files'($*)) dnl
')

########################################
## <summary>
##	Manage cgroup files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): broadest of the cgroup file interfaces (manage covers
# create/delete/rename as well as read/write on files and symlinks);
# prefer fs_read_/fs_write_/fs_rw_cgroup_files when they suffice.
define(`fs_manage_cgroup_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_cgroup_files'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	manage_files_pattern($1, cgroup_t, cgroup_t)
	manage_lnk_files_pattern($1, cgroup_t, cgroup_t)
	fs_search_tmpfs($1)
	dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_cgroup_files'($*)) dnl
')

########################################
## <summary>
##	Watch cgroup files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_watch_cgroup_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_watch_cgroup_files'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	watch_files_pattern($1, cgroup_t, cgroup_t)
	watch_lnk_files_pattern($1, cgroup_t, cgroup_t)
	fs_search_tmpfs($1)
	dev_search_sysfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_watch_cgroup_files'($*)) dnl
')

########################################
## <summary>
##	Mount on cgroup directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): this is dir:mounton (stack another mount over a cgroup
# directory), not filesystem:mount of the cgroup filesystem itself.
define(`fs_mounton_cgroup',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mounton_cgroup'($*)) dnl
	gen_require(`
		type cgroup_t;
	')

	allow $1 cgroup_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mounton_cgroup'($*)) dnl
')

########################################
## <summary>
##	Read and write ceph files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): no directory search/list on cephfs_t is granted here
# (compare fs_read_cifs_files, which adds dir list_dir_perms); callers
# need directory access to the mount from another interface.
define(`fs_rw_cephfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_cephfs_files'($*)) dnl
	gen_require(`
		type cephfs_t;
	')

	rw_files_pattern($1, cephfs_t, cephfs_t)
	rw_lnk_files_pattern($1, cephfs_t, cephfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_cephfs_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read
##	dirs on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# NOTE(review): body is identical to fs_dontaudit_list_cifs (defined
# further down); one of the two should be kept and the other made an
# alias, so callers do not diverge.
define(`fs_dontaudit_list_cifs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_cifs_dirs'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	dontaudit $1 cifs_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_cifs_dirs'($*)) dnl
')

########################################
## <summary>
##	Mount a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): filesystem:mount attaches the filesystem; it is distinct
# from dir:mounton (see fs_mounton_cifs), which only allows mounting over
# a directory that already carries the cifs_t label.
define(`fs_mount_cifs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_cifs'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	allow $1 cifs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_cifs'($*)) dnl
')

########################################
## <summary>
##	Remount a CIFS or SMB network filesystem.
##	This allows some mount options to be changed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_remount_cifs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_cifs'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	allow $1 cifs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_cifs'($*)) dnl
')

########################################
## <summary>
##	Unmount a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_unmount_cifs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_cifs'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	allow $1 cifs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_cifs'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of a CIFS or
##	SMB network filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# <rolecap/> marks this interface as one that may be granted to user
# roles (statfs-style queries only; no object access).
define(`fs_getattr_cifs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_cifs'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	allow $1 cifs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_cifs'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of cifs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_setattr_cifs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_setattr_cifs_dirs'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	allow $1 cifs_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_setattr_cifs_dirs'($*)) dnl
')

########################################
## <summary>
##	Search directories on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_search_cifs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_cifs'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	allow $1 cifs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_cifs'($*)) dnl
')

########################################
## <summary>
##	List the contents of directories on a
##	CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_list_cifs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_cifs'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	allow $1 cifs_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_cifs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to list the contents
##	of directories on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# NOTE(review): same body as fs_dontaudit_list_cifs_dirs above; the two
# are interchangeable duplicates.
define(`fs_dontaudit_list_cifs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_cifs'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	dontaudit $1 cifs_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_cifs'($*)) dnl
')

########################################
## <summary>
##	Mount on directories of a CIFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_mounton_cifs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mounton_cifs'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	allow $1 cifs_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mounton_cifs'($*)) dnl
')

########################################
## <summary>
##	Read files on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`fs_read_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_cifs_files'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	# directory listing is granted explicitly on top of the read pattern
	allow $1 cifs_t:dir list_dir_perms;
	read_files_pattern($1, cifs_t, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_cifs_files'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of filesystems that
##	do not have extended attribute support.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# NOTE(review): noxattrfs is an attribute, so every rule on it applies to
# each filesystem type carrying the attribute rather than to one *_t.
# Prefer the per-filesystem interfaces (fs_*_cifs, fs_*_dos_fs, ...) when
# the caller only needs a single filesystem.
define(`fs_getattr_noxattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_noxattr_fs'($*)) dnl
	gen_require(`
		attribute noxattrfs;
	')

	allow $1 noxattrfs:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_noxattr_fs'($*)) dnl
')

########################################
## <summary>
##	Read all noxattrfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_list_noxattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_noxattr_fs'($*)) dnl
	gen_require(`
		attribute noxattrfs;
	')

	allow $1 noxattrfs:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_noxattr_fs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to list all
##	noxattrfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_list_noxattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_noxattr_fs'($*)) dnl
	gen_require(`
		attribute noxattrfs;
	')

	dontaudit $1 noxattrfs:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_noxattr_fs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete all noxattrfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): manage_dir_perms across every noxattrfs type -- a wide
# grant; confirm the caller really needs all such filesystems.
define(`fs_manage_noxattr_fs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_noxattr_fs_dirs'($*)) dnl
	gen_require(`
		attribute noxattrfs;
	')

	allow $1 noxattrfs:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_noxattr_fs_dirs'($*)) dnl
')

########################################
## <summary>
##	Read all noxattrfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_read_noxattr_fs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_noxattr_fs_files'($*)) dnl
	gen_require(`
		attribute noxattrfs;
	')

	read_files_pattern($1, noxattrfs, noxattrfs)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_noxattr_fs_files'($*)) dnl
')

########################################
## <summary>
##	Read/Write all inherited noxattrfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# rw_inherited_file_perms: read/write on an already-open descriptor;
# the caller cannot open noxattrfs files itself with this alone.
define(`fs_rw_inherited_noxattr_fs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_inherited_noxattr_fs_files'($*)) dnl
	gen_require(`
		attribute noxattrfs;
	')

	allow $1 noxattrfs:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_inherited_noxattr_fs_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read all
##	noxattrfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_read_noxattr_fs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_noxattr_fs_files'($*)) dnl
	gen_require(`
		attribute noxattrfs;
	')

	dontaudit $1 noxattrfs:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_noxattr_fs_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write to noxattrfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# only the bare write permission is silenced (not open/append/etc.)
define(`fs_dontaudit_write_noxattr_fs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_write_noxattr_fs_files'($*)) dnl
	gen_require(`
		attribute noxattrfs;
	')

	dontaudit $1 noxattrfs:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_write_noxattr_fs_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete all noxattrfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_noxattr_fs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_noxattr_fs_files'($*)) dnl
	gen_require(`
		attribute noxattrfs;
	')

	manage_files_pattern($1, noxattrfs, noxattrfs)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_noxattr_fs_files'($*)) dnl
')

########################################
## <summary>
##	Read all noxattrfs symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_read_noxattr_fs_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_noxattr_fs_symlinks'($*)) dnl
	gen_require(`
		attribute noxattrfs;
	')

	read_lnk_files_pattern($1, noxattrfs, noxattrfs)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_noxattr_fs_symlinks'($*)) dnl
')

########################################
## <summary>
##	Relabel all objects from filesystems that
##	do not support extended attributes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): relabelfrom is granted on all seven object classes for
# every noxattrfs type.  Only the "from" side is here; the matching
# relabelto on the destination type must come from the caller.
define(`fs_relabelfrom_noxattr_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_noxattr_fs'($*)) dnl
	gen_require(`
		attribute noxattrfs;
	')

	allow $1 noxattrfs:dir list_dir_perms;
	relabelfrom_dirs_pattern($1, noxattrfs, noxattrfs)
	relabelfrom_files_pattern($1, noxattrfs, noxattrfs)
	relabelfrom_lnk_files_pattern($1, noxattrfs, noxattrfs)
	relabelfrom_fifo_files_pattern($1, noxattrfs, noxattrfs)
	relabelfrom_sock_files_pattern($1, noxattrfs, noxattrfs)
	relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
	relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabelfrom_noxattr_fs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read
##	files on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_read_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_cifs_files'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	dontaudit $1 cifs_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_cifs_files'($*)) dnl
')

########################################
## <summary>
##	Append files
##	on a CIFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`fs_append_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_append_cifs_files'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	append_files_pattern($1, cifs_t, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_append_cifs_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to append files
##	on a CIFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <rolecap/>
#
define(`fs_dontaudit_append_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_append_cifs_files'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	dontaudit $1 cifs_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_append_cifs_files'($*)) dnl
')

########################################
## <summary>
##	Read inherited files on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# inherited perms: use of a descriptor opened elsewhere, no open itself
define(`fs_read_inherited_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_inherited_cifs_files'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	allow $1 cifs_t:file read_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_inherited_cifs_files'($*)) dnl
')

########################################
## <summary>
##	Read/Write inherited files on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_rw_inherited_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_inherited_cifs_files'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	allow $1 cifs_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_inherited_cifs_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read or
##	write inherited (already open) files
##	on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# NOTE(review): despite the generic name this uses rw_inherited_file_perms,
# so denials on open are NOT silenced -- only read/write on a descriptor
# the domain already holds.  Matches fs_rw_inherited_cifs_files above.
define(`fs_dontaudit_rw_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_rw_cifs_files'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	dontaudit $1 cifs_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_rw_cifs_files'($*)) dnl
')

########################################
## <summary>
##	Read symbolic links on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_read_cifs_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_cifs_symlinks'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	allow $1 cifs_t:dir list_dir_perms;
	read_lnk_files_pattern($1, cifs_t, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_cifs_symlinks'($*)) dnl
')

########################################
## <summary>
##	Read named pipes
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_read_cifs_named_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_cifs_named_pipes'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	read_fifo_files_pattern($1, cifs_t, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_cifs_named_pipes'($*)) dnl
')

########################################
## <summary>
##	Read named sockets
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# summary fixed: the body is read_sock_files_pattern (sock_file class),
# not named pipes as the copied text said.
define(`fs_read_cifs_named_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_cifs_named_sockets'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	read_sock_files_pattern($1, cifs_t, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_cifs_named_sockets'($*)) dnl
')

########################################
## <summary>
##	Execute files on a CIFS or SMB
##	network filesystem, in the caller
##	domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# NOTE(review): every file on the share carries cifs_t, so this lets the
# caller execute arbitrary network-share content in its own domain.
# Callers conventionally wrap it in a tunable_policy so an administrator
# can keep it off by default.
define(`fs_exec_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_exec_cifs_files'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	allow $1 cifs_t:dir list_dir_perms;
	exec_files_pattern($1, cifs_t, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_exec_cifs_files'($*)) dnl
')

########################################
## <summary>
##	Mmap files on a CIFS or SMB
##	network filesystem, in the caller
##	domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# file:map only; read/exec access must be granted separately
define(`fs_map_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_map_cifs_files'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	allow $1 cifs_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_map_cifs_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete directories
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`fs_manage_cifs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_cifs_dirs'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	allow $1 cifs_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_cifs_dirs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to create, read,
##	write, and delete directories
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_manage_cifs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_cifs_dirs'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	dontaudit $1 cifs_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_cifs_dirs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete files
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`fs_manage_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_cifs_files'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	manage_files_pattern($1, cifs_t, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_cifs_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to create, read,
##	write, and delete files
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_manage_cifs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_cifs_files'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	dontaudit $1 cifs_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_cifs_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete symbolic links
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_cifs_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_cifs_symlinks'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	manage_lnk_files_pattern($1, cifs_t, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_cifs_symlinks'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete named pipes
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_cifs_named_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_cifs_named_pipes'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	manage_fifo_files_pattern($1, cifs_t, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_cifs_named_pipes'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete named sockets
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_cifs_named_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_cifs_named_sockets'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	manage_sock_files_pattern($1, cifs_t, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_cifs_named_sockets'($*)) dnl
')

########################################
## <summary>
##	Execute a file on a CIFS or SMB filesystem
##	in the specified domain.
## </summary>
## <desc>
##	<p>

##	Execute a file on a CIFS or SMB filesystem
##	in the specified domain.  This allows
##	the specified domain to execute any file
##	on these filesystems in the specified
##	domain.  This is not suggested.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
##	<p>
##	This interface was added to handle
##	home directories on CIFS/SMB filesystems,
##	in particular used by the ssh-agent policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
# NOTE(review): cifs_t is the entrypoint type here, and every file on the
# share carries it, so any file on the share becomes a transition point
# into $2.  The description above already calls this out as not
# suggested; keep callers behind a tunable and pair with the narrowest
# target domain possible.
define(`fs_cifs_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_cifs_domtrans'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	allow $1 cifs_t:dir search_dir_perms;
	domain_auto_transition_pattern($1, cifs_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_cifs_domtrans'($*)) dnl
')

########################################
## <summary>
##	Make general programs in cifs an entrypoint for
##	the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	The domain for which cifs_t is an entrypoint.
##	</summary>
## </param>
#
# NOTE(review): goes through domain_entry_file, so presumably also
# attaches the entry-point attribute handling from domain.if -- verify
# there if the exact rule set matters.
define(`fs_cifs_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_cifs_entry_type'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	domain_entry_file($1, cifs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_cifs_entry_type'($*)) dnl
')

########################################
## <summary>
##	Make general programs in CIFS an entrypoint for
##	the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	The domain for which cifs_t is an entrypoint.
##	</summary>
## </param>
#
# NOTE(review): raw file:entrypoint grant; unlike fs_cifs_entry_type it
# does not call domain_entry_file.  Same breadth caveat as fs_cifs_domtrans.
define(`fs_cifs_entrypoint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_cifs_entrypoint'($*)) dnl
	gen_require(`
		type cifs_t;
	')

	allow $1 cifs_t:file entrypoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_cifs_entrypoint'($*)) dnl
')

#######################################
## <summary>
##	Do not audit attempts to write dirs
##	on a configfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# only the dir write permission is silenced
define(`fs_dontaudit_write_configfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_write_configfs_dirs'($*)) dnl
	gen_require(`
		type configfs_t;
	')

	dontaudit $1 configfs_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_write_configfs_dirs'($*)) dnl
')

#######################################
## <summary>
##	Read dirs
##	on a configfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_read_configfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_configfs_dirs'($*)) dnl
	gen_require(`
		type configfs_t;
	')

	list_dirs_pattern($1, configfs_t, configfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_configfs_dirs'($*)) dnl
')

#######################################
## <summary>
##	Create, read, write, and delete dirs
##	on a configfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_configfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_configfs_dirs'($*)) dnl
	gen_require(`
		type configfs_t;
	')

	manage_dirs_pattern($1, configfs_t, configfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_configfs_dirs'($*)) dnl
')

#######################################
## <summary>
##	Read files
##	on a configfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_read_configfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_configfs_files'($*)) dnl
	gen_require(`
		type configfs_t;
	')

	read_files_pattern($1, configfs_t, configfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_configfs_files'($*)) dnl
')

#######################################
## <summary>
##	Create, read, write, and delete files
##	on a configfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_configfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_configfs_files'($*)) dnl
	gen_require(`
		type configfs_t;
	')

	manage_files_pattern($1, configfs_t, configfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_configfs_files'($*)) dnl
')

#######################################
## <summary>
##	Create, read, write, and delete symbolic links
##	on a configfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# summary fixed: the body is manage_lnk_files_pattern (lnk_file class),
# not regular files as the copied text said.
define(`fs_manage_configfs_lnk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_configfs_lnk_files'($*)) dnl
	gen_require(`
		type configfs_t;
	')

	manage_lnk_files_pattern($1, configfs_t, configfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_configfs_lnk_files'($*)) dnl
')

########################################
## <summary>
##	Unmount a configfs filesystem
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_unmount_configfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_configfs'($*)) dnl
	gen_require(`
		type configfs_t;
	')

	allow $1 configfs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_configfs'($*)) dnl
')

########################################
## <summary>
##	Mount a DOS filesystem, such as
##	FAT32 or NTFS.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_mount_dos_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_dos_fs'($*)) dnl
	gen_require(`
		type dosfs_t;
	')

	allow $1 dosfs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_dos_fs'($*)) dnl
')

########################################
## <summary>
##	Remount a DOS filesystem, such as
##	FAT32 or NTFS.
##	This allows
##	some mount options to be changed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_remount_dos_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_dos_fs'($*)) dnl
	gen_require(`
		type dosfs_t;
	')

	allow $1 dosfs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_dos_fs'($*)) dnl
')

########################################
## <summary>
##	Unmount a DOS filesystem, such as
##	FAT32 or NTFS.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_unmount_dos_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_dos_fs'($*)) dnl
	gen_require(`
		type dosfs_t;
	')

	allow $1 dosfs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_dos_fs'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of a DOS
##	filesystem, such as FAT32 or NTFS.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`fs_getattr_dos_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_dos_fs'($*)) dnl
	gen_require(`
		type dosfs_t;
	')

	allow $1 dosfs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_dos_fs'($*)) dnl
')

########################################
## <summary>
##	Allow changing of the label of a
##	DOS filesystem using the context= mount option.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): only filesystem:relabelfrom on dosfs_t is granted; the
# relabelto side for whatever label the context= option names has to be
# granted on that target type by the caller.
define(`fs_relabelfrom_dos_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_dos_fs'($*)) dnl
	gen_require(`
		type dosfs_t;
	')

	allow $1 dosfs_t:filesystem relabelfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabelfrom_dos_fs'($*)) dnl
')

########################################
## <summary>
##	Search directories on a DOS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_search_dos',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_dos'($*)) dnl
	gen_require(`
		type dosfs_t;
	')

	allow $1 dosfs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_dos'($*)) dnl
')

########################################
## <summary>
##	List directories on a DOS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_list_dos',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_dos'($*)) dnl
	gen_require(`
		type dosfs_t;
	')

	list_dirs_pattern($1, dosfs_t, dosfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_dos'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete dirs
##	on a DOS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_dos_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_dos_dirs'($*)) dnl
	gen_require(`
		type dosfs_t;
	')

	manage_dirs_pattern($1, dosfs_t, dosfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_dos_dirs'($*)) dnl
')

########################################
## <summary>
##	Watch_mount dirs on a DOS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_watch_mount_dos_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_watch_mount_dos_dirs'($*)) dnl
	gen_require(`
		type dosfs_t;
	')

	watch_mount_dirs_pattern($1, dosfs_t, dosfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_watch_mount_dos_dirs'($*)) dnl
')

########################################
## <summary>
##	Watch_with_perm dirs on a DOS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_watch_with_perm_dos_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_watch_with_perm_dos_dirs'($*)) dnl
	gen_require(`
		type dosfs_t;
	')

	watch_with_perm_dirs_pattern($1, dosfs_t, dosfs_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_watch_with_perm_dos_dirs'($*)) dnl
')

########################################
## <summary>
##	Mmap files on a DOS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Grants only the map permission; read/open of the file must come from
# another interface (e.g. fs_read_dos_files).
define(`fs_map_dos_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_map_dos_files'($*)) dnl
	gen_require(`
		type dosfs_t;
	')

	allow $1 dosfs_t:file map;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_map_dos_files'($*)) dnl
')

########################################
## <summary>
##	Read files on a DOS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_read_dos_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_read_dos_files'($*)) dnl
	gen_require(`
		type dosfs_t;
	')

	read_files_pattern($1, dosfs_t, dosfs_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_read_dos_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete files
##	on a DOS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_dos_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_manage_dos_files'($*)) dnl
	gen_require(`
		type dosfs_t;
	')

	manage_files_pattern($1, dosfs_t, dosfs_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_manage_dos_files'($*)) dnl
')

########################################
## <summary>
##	Read eventpollfs files.
## </summary>
## <desc>
##	<p>

## Read eventpollfs files ##

##

## This interface has been deprecated, and will ## be removed in the future. ##

##
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# eventpollfs was changed to task SID 20060628
# Deprecated: this interface grants nothing and only emits a build-time
# warning; callers can drop it.
define(`fs_read_eventpollfs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_read_eventpollfs'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated.')
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_read_eventpollfs'($*)) dnl
')

########################################
## <summary>
##	Search directories
##	on an ecryptfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_search_ecryptfs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_search_ecryptfs'($*)) dnl
	gen_require(`
		type ecryptfs_t;
	')

	allow $1 ecryptfs_t:dir search_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_search_ecryptfs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete directories
##	on an ecryptfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`fs_manage_ecryptfs_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_manage_ecryptfs_dirs'($*)) dnl
	gen_require(`
		type ecryptfs_t;
	')

	manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)
	# NOTE(review): this explicit rule appears to duplicate what
	# manage_dirs_pattern already grants on ecryptfs_t dirs.
	allow $1 ecryptfs_t:dir manage_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_manage_ecryptfs_dirs'($*)) dnl
')

########################################
## <summary>
##	Read files on an ecryptfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`fs_read_ecryptfs_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_read_ecryptfs_files'($*)) dnl
	gen_require(`
		type ecryptfs_t;
	')

	read_files_pattern($1, ecryptfs_t, ecryptfs_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_read_ecryptfs_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, delete, and mmap files
##	on an ecryptfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`fs_manage_ecryptfs_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_manage_ecryptfs_files'($*)) dnl
	gen_require(`
		type ecryptfs_t;
	')

	manage_files_pattern($1, ecryptfs_t, ecryptfs_t)
	# map is granted in addition to the manage pattern.
	allow $1 ecryptfs_t:file map;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_manage_ecryptfs_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to create,
##	read, write, and delete files
##	on an ecryptfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_manage_ecryptfs_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_ecryptfs_files'($*)) dnl
	gen_require(`
		type ecryptfs_t;
	')

	dontaudit $1 ecryptfs_t:file manage_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_ecryptfs_files'($*)) dnl
')

########################################
## <summary>
##	Read symbolic links on an ecryptfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Also grants directory listing (list_dir_perms), which is broader than
# the search access needed to follow the links.
define(`fs_read_ecryptfs_symlinks',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_read_ecryptfs_symlinks'($*)) dnl
	gen_require(`
		type ecryptfs_t;
	')

	allow $1 ecryptfs_t:dir list_dir_perms;
	read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_read_ecryptfs_symlinks'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to append to files
##	on an ecryptfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_append_ecryptfs_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_dontaudit_append_ecryptfs_files'($*)) dnl
	gen_require(`
		type ecryptfs_t;
	')

	dontaudit $1 ecryptfs_t:file append;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_dontaudit_append_ecryptfs_files'($*)) dnl
')

########################################
## <summary>
##	Manage symbolic links on an ecryptfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_ecryptfs_symlinks',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_manage_ecryptfs_symlinks'($*)) dnl
	gen_require(`
		type ecryptfs_t;
	')

	manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_manage_ecryptfs_symlinks'($*)) dnl
')

########################################
## <summary>
##	Execute a file on an ecryptfs filesystem
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute a file on an ecryptfs filesystem
##	in the specified domain. This allows
##	the specified domain to execute any file
##	on these filesystems in the specified
##	domain. This is not suggested.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
##	<p>
##	This interface was added to handle
##	home directories on these filesystems,
##	in particular used by the ssh-agent policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
# Every file labeled ecryptfs_t becomes an entrypoint into $2 for $1;
# the filesystem contents are typically user-controlled, so restrict
# callers of this interface carefully.
define(`fs_ecryptfs_domtrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_ecryptfs_domtrans'($*)) dnl
	gen_require(`
		type ecryptfs_t;
	')

	allow $1 ecryptfs_t:dir search_dir_perms;
	domain_auto_transition_pattern($1, ecryptfs_t, $2)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_ecryptfs_domtrans'($*)) dnl
')

########################################
## <summary>
##	Mount a FUSE filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_mount_fusefs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_mount_fusefs'($*)) dnl
	gen_require(`
		type fusefs_t;
	')

	allow $1 fusefs_t:filesystem mount;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_mount_fusefs'($*)) dnl
')

########################################
## <summary>
##	Unmount a FUSE filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_unmount_fusefs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_unmount_fusefs'($*)) dnl
	gen_require(`
		type fusefs_t;
	')

	allow $1 fusefs_t:filesystem unmount;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_unmount_fusefs'($*)) dnl
')

########################################
## <summary>
##	Mount on a FUSEFS filesystem directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_mounton_fusefs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_mounton_fusefs'($*)) dnl
	gen_require(`
		type fusefs_t;
	')

	allow $1 fusefs_t:dir mounton;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_mounton_fusefs'($*)) dnl
')

########################################
## <summary>
##	Search directories
##	on a FUSEFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`fs_search_fusefs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_search_fusefs'($*)) dnl
	gen_require(`
		type fusefs_t;
	')

	allow $1 fusefs_t:dir search_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_search_fusefs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to list the contents
##	of directories on a FUSEFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_list_fusefs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_fusefs'($*)) dnl
	gen_require(`
		type fusefs_t;
	')

	dontaudit $1 fusefs_t:dir list_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_fusefs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete directories
##	on a FUSEFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# Uses a direct allow rule rather than manage_dirs_pattern, unlike the
# equivalent ecryptfs and hugetlbfs interfaces in this file.
define(`fs_manage_fusefs_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_manage_fusefs_dirs'($*)) dnl
	gen_require(`
		type fusefs_t;
	')

	allow $1 fusefs_t:dir manage_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_manage_fusefs_dirs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to create, read,
##	write, and delete directories
##	on a FUSEFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_manage_fusefs_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_fusefs_dirs'($*)) dnl
	gen_require(`
		type fusefs_t;
	')

	dontaudit $1 fusefs_t:dir manage_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_fusefs_dirs'($*)) dnl
')

########################################
## <summary>
##	Read files on a FUSEFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`fs_read_fusefs_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_read_fusefs_files'($*)) dnl
	gen_require(`
		type fusefs_t;
	')

	read_files_pattern($1, fusefs_t, fusefs_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_read_fusefs_files'($*)) dnl
')

########################################
## <summary>
##	Execute files on a FUSEFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# Execution is in the caller's own domain (no transition); FUSE content
# is typically user-controlled, so grant this sparingly.
define(`fs_exec_fusefs_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_exec_fusefs_files'($*)) dnl
	gen_require(`
		type fusefs_t;
	')

	exec_files_pattern($1, fusefs_t, fusefs_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_exec_fusefs_files'($*)) dnl
')

########################################
## <summary>
##	Mmap files on a FUSEFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`fs_mmap_fusefs_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_mmap_fusefs_files'($*)) dnl
	gen_require(`
		type fusefs_t;
	')

	allow $1 fusefs_t:file map;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_mmap_fusefs_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete named sockets
##	on a FUSEFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_fusefs_named_sockets',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_manage_fusefs_named_sockets'($*)) dnl
	gen_require(`
		type fusefs_t;
	')

	manage_sock_files_pattern($1, fusefs_t, fusefs_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_manage_fusefs_named_sockets'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete named pipes
##	on a FUSEFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_fusefs_named_pipes',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_manage_fusefs_named_pipes'($*)) dnl
	gen_require(`
		type fusefs_t;
	')

	manage_fifo_files_pattern($1, fusefs_t, fusefs_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_manage_fusefs_named_pipes'($*)) dnl
')

########################################
## <summary>
##	Make general programs in FUSEFS an entrypoint for
##	the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	The domain for which fusefs_t is an entrypoint.
##	</summary>
## </param>
#
# Uses domain_entry_file(), so $1 receives whatever that pattern grants
# on fusefs_t files, not just the entrypoint permission (compare
# fs_fusefs_entrypoint, which grants entrypoint only).
define(`fs_fusefs_entry_type',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_fusefs_entry_type'($*)) dnl
	gen_require(`
		type fusefs_t;
	')

	domain_entry_file($1, fusefs_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_fusefs_entry_type'($*)) dnl
')

########################################
## <summary>
##	Make general programs in FUSEFS an entrypoint for
##	the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	The domain for which fusefs_t is an entrypoint.
##	</summary>
## </param>
#
# Grants only file entrypoint on fusefs_t; any file on a FUSE mount can
# then serve as an entry point into $1.
define(`fs_fusefs_entrypoint',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_fusefs_entrypoint'($*)) dnl
	gen_require(`
		type fusefs_t;
	')

	allow $1 fusefs_t:file entrypoint;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_fusefs_entrypoint'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete files
##	on a FUSEFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`fs_manage_fusefs_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_manage_fusefs_files'($*)) dnl
	gen_require(`
		type fusefs_t;
	')

	manage_files_pattern($1, fusefs_t, fusefs_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_manage_fusefs_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to create,
##	read, write, and delete files
##	on a FUSEFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_manage_fusefs_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_fusefs_files'($*)) dnl
	gen_require(`
		type fusefs_t;
	')

	dontaudit $1 fusefs_t:file manage_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_fusefs_files'($*)) dnl
')

########################################
## <summary>
##	Read symbolic links on a FUSEFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Also grants directory listing (list_dir_perms), which is broader than
# the search access needed to follow the links.
define(`fs_read_fusefs_symlinks',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_read_fusefs_symlinks'($*)) dnl
	gen_require(`
		type fusefs_t;
	')

	allow $1 fusefs_t:dir list_dir_perms;
	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_read_fusefs_symlinks'($*)) dnl
')

########################################
## <summary>
##	Manage symbolic links on a FUSEFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_fusefs_symlinks',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_manage_fusefs_symlinks'($*)) dnl
	gen_require(`
		type fusefs_t;
	')

	manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_manage_fusefs_symlinks'($*)) dnl
')

########################################
## <summary>
##	Execute a file on a FUSE filesystem
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute a file on a FUSE filesystem
##	in the specified domain. This allows
##	the specified domain to execute any file
##	on these filesystems in the specified
##	domain. This is not suggested.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
##	<p>
##	This interface was added to handle
##	home directories on FUSE filesystems,
##	in particular used by the ssh-agent policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
# Every file labeled fusefs_t becomes an entrypoint into $2 for $1;
# FUSE mounts are typically user-controlled, so restrict callers of
# this interface carefully.
define(`fs_fusefs_domtrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_fusefs_domtrans'($*)) dnl
	gen_require(`
		type fusefs_t;
	')

	allow $1 fusefs_t:dir search_dir_perms;
	domain_auto_transition_pattern($1, fusefs_t, $2)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_fusefs_domtrans'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of a FUSEFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`fs_getattr_fusefs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_getattr_fusefs'($*)) dnl
	gen_require(`
		type fusefs_t;
	')

	allow $1 fusefs_t:filesystem getattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_getattr_fusefs'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of a hugetlbfs
##	filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_getattr_hugetlbfs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_getattr_hugetlbfs'($*)) dnl
	gen_require(`
		type hugetlbfs_t;
	')

	allow $1 hugetlbfs_t:filesystem getattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_getattr_hugetlbfs'($*)) dnl
')

########################################
## <summary>
##	List hugetlbfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_list_hugetlbfs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_list_hugetlbfs'($*)) dnl
	gen_require(`
		type hugetlbfs_t;
	')

	allow $1 hugetlbfs_t:dir list_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_list_hugetlbfs'($*)) dnl
')

########################################
## <summary>
##	Manage hugetlbfs dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_hugetlbfs_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_manage_hugetlbfs_dirs'($*)) dnl
	gen_require(`
		type hugetlbfs_t;
	')

	manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_manage_hugetlbfs_dirs'($*)) dnl
')

########################################
## <summary>
##	Read hugetlbfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_read_hugetlbfs_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_read_hugetlbfs_files'($*)) dnl
	gen_require(`
		type hugetlbfs_t;
	')

	read_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_read_hugetlbfs_files'($*)) dnl
')

########################################
## <summary>
##	Read, write, and mmap hugetlbfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_rw_hugetlbfs_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_rw_hugetlbfs_files'($*)) dnl
	gen_require(`
		type hugetlbfs_t;
	')

	# map is needed because huge pages are normally used via mmap.
	allow $1 hugetlbfs_t:file map;
	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_rw_hugetlbfs_files'($*)) dnl
')

########################################
## <summary>
##	Manage hugetlbfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_hugetlbfs_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_manage_hugetlbfs_files'($*)) dnl
	gen_require(`
		type hugetlbfs_t;
	')

	manage_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_manage_hugetlbfs_files'($*)) dnl
')

########################################
## <summary>
##	Execute hugetlbfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_exec_hugetlbfs_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_exec_hugetlbfs_files'($*)) dnl
	gen_require(`
		type hugetlbfs_t;
	')

	allow $1 hugetlbfs_t:dir list_dir_perms;
	exec_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_exec_hugetlbfs_files'($*)) dnl
')

########################################
## <summary>
##	Allow the type to associate to hugetlbfs filesystems.
## </summary>
## <param name="file_type">
##	<summary>
##	The type of the object to be associated.
##	</summary>
## </param>
#
define(`fs_associate_hugetlbfs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_associate_hugetlbfs'($*)) dnl
	gen_require(`
		type hugetlbfs_t;
	')

	allow $1 hugetlbfs_t:filesystem associate;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_associate_hugetlbfs'($*)) dnl
')

########################################
## <summary>
##	List oracleasmfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_list_oracleasmfs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_list_oracleasmfs'($*)) dnl
	gen_require(`
		type oracleasmfs_t;
	')

	allow $1 oracleasmfs_t:dir list_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_list_oracleasmfs'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of an oracleasmfs
##	filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_getattr_oracleasmfs_fs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_getattr_oracleasmfs_fs'($*)) dnl
	gen_require(`
		type oracleasmfs_t;
	')

	allow $1 oracleasmfs_t:filesystem getattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_getattr_oracleasmfs_fs'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of files on an
##	oracleasmfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_getattr_oracleasmfs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_getattr_oracleasmfs'($*)) dnl
	gen_require(`
		type oracleasmfs_t;
	')

	allow $1 oracleasmfs_t:file getattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_getattr_oracleasmfs'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of files on an
##	oracleasmfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_setattr_oracleasmfs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_setattr_oracleasmfs'($*)) dnl
	gen_require(`
		type oracleasmfs_t;
	')

	allow $1 oracleasmfs_t:file setattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_setattr_oracleasmfs'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of directories on an
##	oracleasmfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_setattr_oracleasmfs_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_setattr_oracleasmfs_dirs'($*)) dnl
	gen_require(`
		type oracleasmfs_t;
	')

	allow $1 oracleasmfs_t:dir setattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_setattr_oracleasmfs_dirs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete directories and
##	block device nodes on an oracleasmfs filesystem,
##	and label the oracleasm directory created under
##	the device directory as oracleasmfs_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# This is broader than "read and write": it grants full management of
# directories and block device nodes labeled oracleasmfs_t.
define(`fs_manage_oracleasm',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_manage_oracleasm'($*)) dnl
	gen_require(`
		type oracleasmfs_t;
	')

	manage_dirs_pattern($1, oracleasmfs_t, oracleasmfs_t)
	manage_blk_files_pattern($1, oracleasmfs_t, oracleasmfs_t)
	# Type transition for a directory named "oracleasm" created by $1
	# in the device directory (presumably /dev; verify dev_filetrans).
	dev_filetrans($1, oracleasmfs_t, dir, "oracleasm")
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_manage_oracleasm'($*)) dnl
')

########################################
## <summary>
##	Search inotifyfs filesystem. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Deprecated: grants nothing, only emits a build-time warning.
define(`fs_search_inotifyfs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_search_inotifyfs'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated. All calls can be safely removed.')
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_search_inotifyfs'($*)) dnl
')

########################################
## <summary>
##	List inotifyfs filesystem. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Deprecated: grants nothing, only emits a build-time warning.
define(`fs_list_inotifyfs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_list_inotifyfs'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated. All calls can be safely removed.')
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_list_inotifyfs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to list inotifyfs filesystem. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Deprecated: grants nothing, only emits a build-time warning.
define(`fs_dontaudit_list_inotifyfs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_inotifyfs'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated. All calls can be safely removed.')
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_inotifyfs'($*)) dnl
')

########################################
## <summary>
##	Create an object in a hugetlbfs filesystem, with a private
##	type using a type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="file_type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class of the object being created.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`fs_hugetlbfs_filetrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_hugetlbfs_filetrans'($*)) dnl
	gen_require(`
		type hugetlbfs_t;
	')

	# The private type $2 must be allowed to live on hugetlbfs.
	allow $2 hugetlbfs_t:filesystem associate;
	filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_hugetlbfs_filetrans'($*)) dnl
')

########################################
## <summary>
##	Mount an iso9660 filesystem, which
##	is usually used on CDs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_mount_iso9660_fs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_mount_iso9660_fs'($*)) dnl
	gen_require(`
		type iso9660_t;
	')

	allow $1 iso9660_t:filesystem mount;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_mount_iso9660_fs'($*)) dnl
')

########################################
## <summary>
##	Remount an iso9660 filesystem, which
##	is usually used on CDs. This allows
##	some mount options to be changed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_remount_iso9660_fs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_remount_iso9660_fs'($*)) dnl
	gen_require(`
		type iso9660_t;
	')

	allow $1 iso9660_t:filesystem remount;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_remount_iso9660_fs'($*)) dnl
')

########################################
## <summary>
##	Unmount an iso9660 filesystem, which
##	is usually used on CDs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_unmount_iso9660_fs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_unmount_iso9660_fs'($*)) dnl
	gen_require(`
		type iso9660_t;
	')

	allow $1 iso9660_t:filesystem unmount;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_unmount_iso9660_fs'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of an iso9660
##	filesystem, which is usually used on CDs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`fs_getattr_iso9660_fs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_getattr_iso9660_fs'($*)) dnl
	gen_require(`
		type iso9660_t;
	')

	allow $1 iso9660_t:filesystem getattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_getattr_iso9660_fs'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of files on an iso9660
##	filesystem, which is usually used on CDs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Grants directory listing plus file getattr only; no file read access.
define(`fs_getattr_iso9660_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_getattr_iso9660_files'($*)) dnl
	gen_require(`
		type iso9660_t;
	')

	allow $1 iso9660_t:dir list_dir_perms;
	allow $1 iso9660_t:file getattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_getattr_iso9660_files'($*)) dnl
')

########################################
## <summary>
##	Read files and symbolic links on an iso9660
##	filesystem, which is usually used on CDs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_read_iso9660_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_read_iso9660_files'($*)) dnl
	gen_require(`
		type iso9660_t;
	')

	allow $1 iso9660_t:dir list_dir_perms;
	read_files_pattern($1, iso9660_t, iso9660_t)
	read_lnk_files_pattern($1, iso9660_t, iso9660_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_read_iso9660_files'($*)) dnl
')

########################################
## <summary>
##	Mount a NFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_mount_nfs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_mount_nfs'($*)) dnl
	gen_require(`
		type nfs_t;
	')

	allow $1 nfs_t:filesystem mount;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_mount_nfs'($*)) dnl
')

########################################
## <summary>
##	Remount a NFS filesystem. This allows
##	some mount options to be changed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_remount_nfs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_remount_nfs'($*)) dnl
	gen_require(`
		type nfs_t;
	')

	allow $1 nfs_t:filesystem remount;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_remount_nfs'($*)) dnl
')

########################################
## <summary>
##	Unmount a NFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_unmount_nfs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_unmount_nfs'($*)) dnl
	gen_require(`
		type nfs_t;
	')

	allow $1 nfs_t:filesystem unmount;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_unmount_nfs'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of a NFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`fs_getattr_nfs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_getattr_nfs'($*)) dnl
	gen_require(`
		type nfs_t;
	')

	allow $1 nfs_t:filesystem getattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_getattr_nfs'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of NFS directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_setattr_nfs_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_setattr_nfs_dirs'($*)) dnl
	gen_require(`
		type nfs_t;
	')

	allow $1 nfs_t:dir setattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_setattr_nfs_dirs'($*)) dnl
')

########################################
## <summary>
##	Search directories on a NFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_search_nfs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `fs_search_nfs'($*)) dnl
	gen_require(`
		type nfs_t;
	')

	allow $1 nfs_t:dir search_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `fs_search_nfs'($*)) dnl
')

########################################
## <summary>
##	List NFS filesystem directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## # define(`fs_list_nfs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_list_nfs'($*)) dnl gen_require(` type nfs_t; ') allow $1 nfs_t:dir list_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_list_nfs'($*)) dnl ') ######################################## ## ## Do not audit attempts to list the contents ## of directories on a NFS filesystem. ## ## ## ## Domain to not audit. ## ## # define(`fs_dontaudit_list_nfs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_nfs'($*)) dnl gen_require(` type nfs_t; ') dontaudit $1 nfs_t:dir list_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_nfs'($*)) dnl ') ######################################## ## ## Mounton a NFS filesystem. ## ## ## ## Domain allowed access. ## ## # define(`fs_mounton_nfs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_mounton_nfs'($*)) dnl gen_require(` type nfs_t; ') allow $1 nfs_t:dir mounton; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_mounton_nfs'($*)) dnl ') ######################################## ## ## Read files on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # define(`fs_read_nfs_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_read_nfs_files'($*)) dnl gen_require(` type nfs_t; ') fs_search_auto_mountpoints($1) allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_read_nfs_files'($*)) dnl ') ######################################## ## ## Do not audit attempts to read ## files on a NFS filesystem. ## ## ## ## Domain to not audit. 
##	</summary>
## </param>
#
define(`fs_dontaudit_read_nfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_nfs_files'($*)) dnl
	gen_require(`
		type nfs_t;
	')

	# Silences denials only; no access is granted here.
	dontaudit $1 nfs_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_nfs_files'($*)) dnl
')

########################################
## <summary>
##	Write files on a NFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_write_nfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_write_nfs_files'($*)) dnl
	gen_require(`
		type nfs_t;
	')

	# Search on automounter mountpoints is granted alongside the
	# write access, matching what fs_read_nfs_files does.
	fs_search_auto_mountpoints($1)
	allow $1 nfs_t:dir list_dir_perms;
	write_files_pattern($1, nfs_t, nfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_write_nfs_files'($*)) dnl
')

########################################
## <summary>
##	Execute files on a NFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`fs_exec_nfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_exec_nfs_files'($*)) dnl
	gen_require(`
		type nfs_t;
	')

	allow $1 nfs_t:dir list_dir_perms;
	# Execution stays in the calling domain; no transition is set up
	# here (contrast fs_nfs_domtrans, which adds an auto transition).
	exec_files_pattern($1, nfs_t, nfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_exec_nfs_files'($*)) dnl
')

########################################
## <summary>
##	Make general programs in nfs an entrypoint for
##	the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	The domain for which nfs_t is an entrypoint.
## ## # define(`fs_nfs_entry_type',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_nfs_entry_type'($*)) dnl gen_require(` type nfs_t; ') domain_entry_file($1, nfs_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_nfs_entry_type'($*)) dnl ') ######################################## ## ## Make general progams in NFS an entrypoint for ## the specified domain. ## ## ## ## The domain for which nfs_t is an entrypoint. ## ## # define(`fs_nfs_entrypoint',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_nfs_entrypoint'($*)) dnl gen_require(` type nfs_t; ') allow $1 nfs_t:file entrypoint; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_nfs_entrypoint'($*)) dnl ') ######################################## ## ## Append files ## on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # define(`fs_append_nfs_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_append_nfs_files'($*)) dnl gen_require(` type nfs_t; ') append_files_pattern($1, nfs_t, nfs_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_append_nfs_files'($*)) dnl ') ######################################## ## ## Do not audit attempts to append files ## on a NFS filesystem. ## ## ## ## Domain to not audit. ## ## ## # define(`fs_dontaudit_append_nfs_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_dontaudit_append_nfs_files'($*)) dnl gen_require(` type nfs_t; ') dontaudit $1 nfs_t:file append_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_dontaudit_append_nfs_files'($*)) dnl ') ######################################## ## ## Read inherited files on a NFS filesystem. ## ## ## ## Domain allowed access. 
## ## # define(`fs_read_inherited_nfs_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_read_inherited_nfs_files'($*)) dnl gen_require(` type nfs_t; ') allow $1 nfs_t:file read_inherited_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_read_inherited_nfs_files'($*)) dnl ') ######################################## ## ## Read/write inherited files on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## # define(`fs_rw_inherited_nfs_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_rw_inherited_nfs_files'($*)) dnl gen_require(` type nfs_t; ') allow $1 nfs_t:file rw_inherited_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_rw_inherited_nfs_files'($*)) dnl ') ######################################## ## ## Do not audit attempts to read or ## write files on a NFS filesystem. ## ## ## ## Domain to not audit. ## ## # define(`fs_dontaudit_rw_nfs_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_dontaudit_rw_nfs_files'($*)) dnl gen_require(` type nfs_t; ') dontaudit $1 nfs_t:file rw_inherited_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_dontaudit_rw_nfs_files'($*)) dnl ') ######################################## ## ## Read symbolic links on a NFS filesystem. ## ## ## ## Domain allowed access. 
## ## # define(`fs_read_nfs_symlinks',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_read_nfs_symlinks'($*)) dnl gen_require(` type nfs_t; ') allow $1 nfs_t:dir list_dir_perms; read_lnk_files_pattern($1, nfs_t, nfs_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_read_nfs_symlinks'($*)) dnl ') ######################################## ## ## Do not audit attempts to read symbolic links on a NFS filesystem. ## ## ## ## Domain to not audit. ## ## # define(`fs_dontaudit_read_nfs_symlinks',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_nfs_symlinks'($*)) dnl gen_require(` type nfs_t; ') dontaudit $1 nfs_t:lnk_file read_lnk_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_nfs_symlinks'($*)) dnl ') ######################################### ## ## Read named sockets on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## # define(`fs_read_nfs_named_sockets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_read_nfs_named_sockets'($*)) dnl gen_require(` type nfs_t; ') read_sock_files_pattern($1, nfs_t, nfs_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_read_nfs_named_sockets'($*)) dnl ') ######################################### ## ## Read named pipes on a NFS network filesystem. ## ## ## ## Domain allowed access. ## ## ## # define(`fs_read_nfs_named_pipes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_read_nfs_named_pipes'($*)) dnl gen_require(` type nfs_t; ') read_fifo_files_pattern($1, nfs_t, nfs_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_read_nfs_named_pipes'($*)) dnl ') ######################################## ## ## Read directories of RPC file system pipes. 
## ## ## ## Domain allowed access. ## ## # define(`fs_getattr_rpc_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_getattr_rpc_dirs'($*)) dnl gen_require(` type rpc_pipefs_t; ') allow $1 rpc_pipefs_t:dir getattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_getattr_rpc_dirs'($*)) dnl ') ######################################## ## ## Watch directories of RPC file system pipes. ## ## ## ## Domain allowed access. ## ## # define(`fs_watch_rpc_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_watch_rpc_dirs'($*)) dnl gen_require(` type rpc_pipefs_t; ') allow $1 rpc_pipefs_t:dir watch_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_watch_rpc_dirs'($*)) dnl ') ######################################## ## ## Search directories of RPC file system pipes. ## ## ## ## Domain allowed access. ## ## # define(`fs_search_rpc',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_search_rpc'($*)) dnl gen_require(` type rpc_pipefs_t; ') allow $1 rpc_pipefs_t:dir search_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_search_rpc'($*)) dnl ') ######################################## ## ## Do not audit attempts to list removable storage directories. ## ## ##

## Do not audit attempts to list removable storage directories ##

##

## This interface has been deprecated, and will ## be removed in the future. ##

##
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_list_pstorefs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_pstorefs'($*)) dnl
	# Deprecated: only prints a warning at build time; no rules are
	# generated for the caller.
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_pstorefs'($*)) dnl
')

########################################
## <summary>
##	List directories on a pstore filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_list_pstore',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_pstore'($*)) dnl
	gen_require(`
		type pstore_t;
	')

	# This is an allow rule, not a dontaudit: the caller gains real
	# directory listing access on pstore_t.
	allow $1 pstore_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_pstore'($*)) dnl
')

########################################
## <summary>
##	Relabel directories on a pstore filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_relabel_pstore_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabel_pstore_dirs'($*)) dnl
	gen_require(`
		type pstore_t;
	')

	relabel_dirs_pattern($1, pstore_t, pstore_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabel_pstore_dirs'($*)) dnl
')

########################################
## <summary>
##	Search removable storage directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_search_removable',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_removable'($*)) dnl
	gen_require(`
		type removable_t;
	')

	allow $1 removable_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_removable'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to list removable storage directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## ## # define(`fs_dontaudit_list_removable',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_removable'($*)) dnl gen_require(` type removable_t; ') dontaudit $1 removable_t:dir list_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_removable'($*)) dnl ') ######################################## ## ## Read removable storage files. ## ## ## ## Domain allowed access. ## ## # define(`fs_read_removable_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_read_removable_files'($*)) dnl gen_require(` type removable_t; ') read_files_pattern($1, removable_t, removable_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_read_removable_files'($*)) dnl ') ######################################## ## ## mmap files on a removable files. ## ## ## ## Domain allowed access. ## ## ## # define(`fs_mmap_removable_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_mmap_removable_files'($*)) dnl gen_require(` type removable_t; ') allow $1 removable_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_mmap_removable_files'($*)) dnl ') ######################################## ## ## Do not audit attempts to read removable storage files. ## ## ## ## Domain to not audit. ## ## # define(`fs_dontaudit_read_removable_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_removable_files'($*)) dnl gen_require(` type removable_t; ') dontaudit $1 removable_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_removable_files'($*)) dnl ') ######################################## ## ## Do not audit attempts to write removable storage files. 
## ## ## ## Domain not to audit. ## ## # define(`fs_dontaudit_write_removable_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_dontaudit_write_removable_files'($*)) dnl gen_require(` type removable_t; ') dontaudit $1 removable_t:file write_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_dontaudit_write_removable_files'($*)) dnl ') ######################################## ## ## Read removable storage symbolic links. ## ## ## ## Domain allowed access. ## ## # define(`fs_read_removable_symlinks',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_read_removable_symlinks'($*)) dnl gen_require(` type removable_t; ') read_lnk_files_pattern($1, removable_t, removable_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_read_removable_symlinks'($*)) dnl ') ###################################### ## ## Read block nodes on removable filesystems. ## ## ## ## Domain allowed access. ## ## # define(`fs_read_removable_blk_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_read_removable_blk_files'($*)) dnl gen_require(` type removable_t; ') allow $1 removable_t:dir list_dir_perms; read_blk_files_pattern($1, removable_t, removable_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_read_removable_blk_files'($*)) dnl ') ######################################## ## ## Read and write block nodes on removable filesystems. ## ## ## ## Domain allowed access. 
## ## # define(`fs_rw_removable_blk_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_rw_removable_blk_files'($*)) dnl gen_require(` type removable_t; ') allow $1 removable_t:dir list_dir_perms; rw_blk_files_pattern($1, removable_t, removable_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_rw_removable_blk_files'($*)) dnl ') ######################################## ## ## Read directories of RPC file system pipes. ## ## ## ## Domain allowed access. ## ## # define(`fs_list_rpc',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_list_rpc'($*)) dnl gen_require(` type rpc_pipefs_t; ') allow $1 rpc_pipefs_t:dir list_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_list_rpc'($*)) dnl ') ######################################## ## ## Read files of RPC file system pipes. ## ## ## ## Domain allowed access. ## ## # define(`fs_read_rpc_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_read_rpc_files'($*)) dnl gen_require(` type rpc_pipefs_t; ') read_files_pattern($1, rpc_pipefs_t, rpc_pipefs_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_read_rpc_files'($*)) dnl ') ######################################## ## ## Read symbolic links of RPC file system pipes. ## ## ## ## Domain allowed access. ## ## # define(`fs_read_rpc_symlinks',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_read_rpc_symlinks'($*)) dnl gen_require(` type rpc_pipefs_t; ') read_lnk_files_pattern($1, rpc_pipefs_t, rpc_pipefs_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_read_rpc_symlinks'($*)) dnl ') ######################################## ## ## Read sockets of RPC file system pipes. ## ## ## ## Domain allowed access. 
## ## # define(`fs_read_rpc_sockets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_read_rpc_sockets'($*)) dnl gen_require(` type rpc_pipefs_t; ') allow $1 rpc_pipefs_t:sock_file read; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_read_rpc_sockets'($*)) dnl ') ######################################## ## ## Read and write sockets of RPC file system pipes. ## ## ## ## Domain allowed access. ## ## # define(`fs_rw_rpc_sockets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_rw_rpc_sockets'($*)) dnl gen_require(` type rpc_pipefs_t; ') allow $1 rpc_pipefs_t:sock_file { read write }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_rw_rpc_sockets'($*)) dnl ') ######################################## ## ## Create, read, write, and delete directories ## on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # define(`fs_manage_nfs_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_manage_nfs_dirs'($*)) dnl gen_require(` type nfs_t; ') fs_search_auto_mountpoints($1) allow $1 nfs_t:dir manage_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_manage_nfs_dirs'($*)) dnl ') ######################################## ## ## Do not audit attempts to create, read, ## write, and delete directories ## on a NFS filesystem. ## ## ## ## Domain to not audit. 
## ## # define(`fs_dontaudit_manage_nfs_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_nfs_dirs'($*)) dnl gen_require(` type nfs_t; ') dontaudit $1 nfs_t:dir manage_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_nfs_dirs'($*)) dnl ') ######################################## ## ## Create, read, write, and delete files ## on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # define(`fs_manage_nfs_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_manage_nfs_files'($*)) dnl gen_require(` type nfs_t; ') fs_search_auto_mountpoints($1) manage_files_pattern($1, nfs_t, nfs_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_manage_nfs_files'($*)) dnl ') ######################################## ## ## mmap files on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # define(`fs_mmap_nfs_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_mmap_nfs_files'($*)) dnl gen_require(` type nfs_t; ') allow $1 nfs_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_mmap_nfs_files'($*)) dnl ') ######################################## ## ## Do not audit attempts to create, ## read, write, and delete files ## on a NFS filesystem. ## ## ## ## Domain to not audit. 
## ## # define(`fs_dontaudit_manage_nfs_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_nfs_files'($*)) dnl gen_require(` type nfs_t; ') dontaudit $1 nfs_t:file manage_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_nfs_files'($*)) dnl ') ######################################### ## ## Create, read, write, and delete symbolic links ## on a NFS network filesystem. ## ## ## ## Domain allowed access. ## ## ## # define(`fs_manage_nfs_symlinks',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_manage_nfs_symlinks'($*)) dnl gen_require(` type nfs_t; ') fs_search_auto_mountpoints($1) manage_lnk_files_pattern($1, nfs_t, nfs_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_manage_nfs_symlinks'($*)) dnl ') ######################################### ## ## Create, read, write, and delete named pipes ## on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## # define(`fs_manage_nfs_named_pipes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_manage_nfs_named_pipes'($*)) dnl gen_require(` type nfs_t; ') manage_fifo_files_pattern($1, nfs_t, nfs_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_manage_nfs_named_pipes'($*)) dnl ') ######################################### ## ## Create, read, write, and delete named sockets ## on a NFS filesystem. ## ## ## ## Domain allowed access. 
## ## # define(`fs_manage_nfs_named_sockets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_manage_nfs_named_sockets'($*)) dnl gen_require(` type nfs_t; ') manage_sock_files_pattern($1, nfs_t, nfs_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_manage_nfs_named_sockets'($*)) dnl ') ######################################## ## ## Execute a file on a NFS filesystem ## in the specified domain. ## ## ##

## Execute a file on a NFS filesystem ## in the specified domain. This allows ## the source domain to execute any file ## on a NFS filesystem and transition into ## the target domain. This is not recommended. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## home directories on NFS filesystems; ## in particular, it is used by the ssh-agent policy. ##

##
## ## ## Domain allowed to transition. ## ## ## ## ## The type of the new process. ## ## # define(`fs_nfs_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_nfs_domtrans'($*)) dnl gen_require(` type nfs_t; ') allow $1 nfs_t:dir search_dir_perms; domain_auto_transition_pattern($1, nfs_t, $2) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_nfs_domtrans'($*)) dnl ') ######################################## ## ## Mount on nfsd_fs directories. ## ## ## ## Domain allowed access. ## ## # define(`fs_mounton_nfsd_fs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_mounton_nfsd_fs'($*)) dnl gen_require(` type nfsd_fs_t; ') allow $1 nfsd_fs_t:dir mounton; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_mounton_nfsd_fs'($*)) dnl ') ######################################## ## ## Mount a NFS server pseudo filesystem. ## ## ## ## Domain allowed access. ## ## # define(`fs_mount_nfsd_fs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_mount_nfsd_fs'($*)) dnl gen_require(` type nfsd_fs_t; ') allow $1 nfsd_fs_t:filesystem mount; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_mount_nfsd_fs'($*)) dnl ') ######################################## ## ## Mount a NFS server pseudo filesystem. ## This allows some mount options to be changed. ## ## ## ## Domain allowed access. ## ## # define(`fs_remount_nfsd_fs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_remount_nfsd_fs'($*)) dnl gen_require(` type nfsd_fs_t; ') allow $1 nfsd_fs_t:filesystem remount; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_remount_nfsd_fs'($*)) dnl ') ######################################## ## ## Unmount a NFS server pseudo filesystem. 
## ## ## ## Domain allowed access. ## ## # define(`fs_unmount_nfsd_fs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_unmount_nfsd_fs'($*)) dnl gen_require(` type nfsd_fs_t; ') allow $1 nfsd_fs_t:filesystem unmount; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_unmount_nfsd_fs'($*)) dnl ') ######################################## ## ## Get the attributes of a NFS server ## pseudo filesystem. ## ## ## ## Domain allowed access. ## ## # define(`fs_getattr_nfsd_fs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_getattr_nfsd_fs'($*)) dnl gen_require(` type nfsd_fs_t; ') allow $1 nfsd_fs_t:filesystem getattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_getattr_nfsd_fs'($*)) dnl ') ######################################## ## ## Search NFS server directories. ## ## ## ## Domain allowed access. ## ## # define(`fs_search_nfsd_fs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_search_nfsd_fs'($*)) dnl gen_require(` type nfsd_fs_t; ') allow $1 nfsd_fs_t:dir search_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_search_nfsd_fs'($*)) dnl ') ######################################## ## ## List NFS server directories. ## ## ## ## Domain allowed access. ## ## # define(`fs_list_nfsd_fs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `fs_list_nfsd_fs'($*)) dnl gen_require(` type nfsd_fs_t; ') allow $1 nfsd_fs_t:dir list_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `fs_list_nfsd_fs'($*)) dnl ') ######################################## ## ## Getattr files on an nfsd filesystem ## ## ## ## Domain allowed access. 
##	</summary>
## </param>
#
define(`fs_getattr_nfsd_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_nfsd_files'($*)) dnl
	gen_require(`
		type nfsd_fs_t;
	')

	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_nfsd_files'($*)) dnl
')

#######################################
## <summary>
##	Read files on an nfsd filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_read_nfsd_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_nfsd_files'($*)) dnl
	gen_require(`
		type nfsd_fs_t;
	')

	read_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_nfsd_files'($*)) dnl
')

#######################################
## <summary>
##	Read and write NFS server files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_rw_nfsd_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_nfsd_fs'($*)) dnl
	gen_require(`
		type nfsd_fs_t;
	')

	rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_nfsd_fs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of files on an nsfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_getattr_nsfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_nsfs_files'($*)) dnl
	gen_require(`
		type nsfs_t;
	')

	# Silences denials only; the getattr access itself is granted by
	# fs_getattr_nsfs_files.
	dontaudit $1 nsfs_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_nsfs_files'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of files on an nsfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_getattr_nsfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_nsfs_files'($*)) dnl
	gen_require(`
		type nsfs_t;
	')

	getattr_files_pattern($1, nsfs_t, nsfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_nsfs_files'($*)) dnl
')

#######################################
## <summary>
##	Read nsfs inodes (e.g. /proc/pid/ns/uts).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_read_nsfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_nsfs_files'($*)) dnl
	gen_require(`
		type nsfs_t;
	')

	allow $1 nsfs_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_nsfs_files'($*)) dnl
')

#######################################
## <summary>
##	Read and write nsfs inodes (e.g. /proc/pid/ns/uts).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_rw_nsfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_nsfs_files'($*)) dnl
	gen_require(`
		type nsfs_t;
	')

	# NOTE(review): grants write as well as read on the /proc/pid/ns
	# inodes; confirm callers need more than fs_read_nsfs_files.
	rw_files_pattern($1, nsfs_t, nsfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_nsfs_files'($*)) dnl
')

########################################
## <summary>
##	Mount a nsfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_mount_nsfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_nsfs'($*)) dnl
	gen_require(`
		type nsfs_t;
	')

	allow $1 nsfs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_nsfs'($*)) dnl
')

########################################
## <summary>
##	Remount a nsfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_remount_nsfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_nsfs'($*)) dnl
	gen_require(`
		type nsfs_t;
	')

	allow $1 nsfs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_nsfs'($*)) dnl
')

########################################
## <summary>
##	Unmount a nsfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_unmount_nsfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_nsfs'($*)) dnl
	gen_require(`
		type nsfs_t;
	')

	allow $1 nsfs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_nsfs'($*)) dnl
')

########################################
## <summary>
##	Manage NFS server files and directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_nfsd_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_nfsd_fs'($*)) dnl
	gen_require(`
		type nfsd_fs_t;
	')

	# Full create/read/write/delete on both directories and files
	# of nfsd_fs_t.
	manage_dirs_pattern($1, nfsd_fs_t, nfsd_fs_t)
	manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_nfsd_fs'($*)) dnl
')

########################################
## <summary>
##	Allow the type to associate to ramfs filesystems.
## </summary>
## <param name="file_type">
##	<summary>
##	The type of the object to be associated.
##	</summary>
## </param>
#
define(`fs_associate_ramfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_associate_ramfs'($*)) dnl
	gen_require(`
		type ramfs_t;
	')

	# The parameter is a file type, not a process domain.
	allow $1 ramfs_t:filesystem associate;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_associate_ramfs'($*)) dnl
')

########################################
## <summary>
##	Allow the type to associate to proc filesystems.
## </summary>
## <param name="file_type">
##	<summary>
##	The type of the object to be associated.
##	</summary>
## </param>
#
define(`fs_associate_proc',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_associate_proc'($*))dnl
	gen_require(`
		type proc_t;
	')

	# $1 is the object type being labeled onto proc, not a process domain.
	allow $1 proc_t:filesystem associate;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_associate_proc'($*))dnl
')

########################################
## <summary>
##	Mount a RAM filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_mount_ramfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_ramfs'($*))dnl
	gen_require(`
		type ramfs_t;
	')

	allow $1 ramfs_t:filesystem mount;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_mount_ramfs'($*))dnl
')

########################################
## <summary>
##	Remount a RAM filesystem. This allows
##	some mount options to be changed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_remount_ramfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_ramfs'($*))dnl
	gen_require(`
		type ramfs_t;
	')

	allow $1 ramfs_t:filesystem remount;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_remount_ramfs'($*))dnl
')

########################################
## <summary>
##	Unmount a RAM filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_unmount_ramfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_ramfs'($*))dnl
	gen_require(`
		type ramfs_t;
	')

	allow $1 ramfs_t:filesystem unmount;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_ramfs'($*))dnl
')

########################################
## <summary>
##	Get the attributes of a RAM filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_getattr_ramfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_ramfs'($*))dnl
	gen_require(`
		type ramfs_t;
	')

	allow $1 ramfs_t:filesystem getattr;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_ramfs'($*))dnl
')

########################################
## <summary>
##	Search directories on a ramfs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_search_ramfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_search_ramfs'($*))dnl
	gen_require(`
		type ramfs_t;
	')

	allow $1 ramfs_t:dir search_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_search_ramfs'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to search directories on a ramfs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_search_ramfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_search_ramfs'($*))dnl
	gen_require(`
		type ramfs_t;
	')

	# Only suppresses AVC messages; no access is granted.
	dontaudit $1 ramfs_t:dir search_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_search_ramfs'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	directories on a ramfs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_ramfs_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_ramfs_dirs'($*))dnl
	gen_require(`
		type ramfs_t;
	')

	allow $1 ramfs_t:dir manage_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_manage_ramfs_dirs'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to read files on a ramfs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_read_ramfs_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_ramfs_files'($*))dnl
	gen_require(`
		type ramfs_t;
	')

	# Single "read" permission only, deliberately narrower than read_file_perms.
	dontaudit $1 ramfs_t:file read;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_ramfs_files'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to read named pipes on a ramfs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_read_ramfs_pipes',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_ramfs_pipes'($*))dnl
	gen_require(`
		type ramfs_t;
	')

	dontaudit $1 ramfs_t:fifo_file read;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_ramfs_pipes'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	files on a ramfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_ramfs_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_ramfs_files'($*))dnl
	gen_require(`
		type ramfs_t;
	')

	manage_files_pattern($1, ramfs_t, ramfs_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_manage_ramfs_files'($*))dnl
')

########################################
## <summary>
##	Write to named pipes on a ramfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_write_ramfs_pipes',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_write_ramfs_pipes'($*))dnl
	gen_require(`
		type ramfs_t;
	')

	write_fifo_files_pattern($1, ramfs_t, ramfs_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_write_ramfs_pipes'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to write to named
##	pipes on a ramfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_write_ramfs_pipes',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_write_ramfs_pipes'($*))dnl
	gen_require(`
		type ramfs_t;
	')

	dontaudit $1 ramfs_t:fifo_file write;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_write_ramfs_pipes'($*))dnl
')

########################################
## <summary>
##	Read and write named pipes on a ramfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_rw_ramfs_pipes',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_ramfs_pipes'($*))dnl
	gen_require(`
		type ramfs_t;
	')

	rw_fifo_files_pattern($1, ramfs_t, ramfs_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_rw_ramfs_pipes'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	named pipes on a ramfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_ramfs_pipes',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_ramfs_pipes'($*))dnl
	gen_require(`
		type ramfs_t;
	')

	manage_fifo_files_pattern($1, ramfs_t, ramfs_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_manage_ramfs_pipes'($*))dnl
')

########################################
## <summary>
##	Write to named sockets on a ramfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_write_ramfs_sockets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_write_ramfs_sockets'($*))dnl
	gen_require(`
		type ramfs_t;
	')

	write_sock_files_pattern($1, ramfs_t, ramfs_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_write_ramfs_sockets'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	named sockets on a ramfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_ramfs_sockets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_ramfs_sockets'($*))dnl
	gen_require(`
		type ramfs_t;
	')

	manage_sock_files_pattern($1, ramfs_t, ramfs_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_manage_ramfs_sockets'($*))dnl
')

########################################
## <summary>
##	Mount a ROM filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_mount_romfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_romfs'($*))dnl
	gen_require(`
		type romfs_t;
	')

	allow $1 romfs_t:filesystem mount;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_mount_romfs'($*))dnl
')

########################################
## <summary>
##	Remount a ROM filesystem. This allows
##	some mount options to be changed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_remount_romfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_romfs'($*))dnl
	gen_require(`
		type romfs_t;
	')

	allow $1 romfs_t:filesystem remount;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_remount_romfs'($*))dnl
')

########################################
## <summary>
##	Unmount a ROM filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_unmount_romfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_romfs'($*))dnl
	gen_require(`
		type romfs_t;
	')

	allow $1 romfs_t:filesystem unmount;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_romfs'($*))dnl
')

########################################
## <summary>
##	Get the attributes of a ROM
##	filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_getattr_romfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_romfs'($*))dnl
	gen_require(`
		type romfs_t;
	')

	allow $1 romfs_t:filesystem getattr;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_romfs'($*))dnl
')

########################################
## <summary>
##	Mount a RPC pipe filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_mount_rpc_pipefs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_rpc_pipefs'($*))dnl
	gen_require(`
		type rpc_pipefs_t;
	')

	allow $1 rpc_pipefs_t:filesystem mount;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_mount_rpc_pipefs'($*))dnl
')

########################################
## <summary>
##	Remount a RPC pipe filesystem. This
##	allows some mount options to be changed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_remount_rpc_pipefs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_rpc_pipefs'($*))dnl
	gen_require(`
		type rpc_pipefs_t;
	')

	allow $1 rpc_pipefs_t:filesystem remount;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_remount_rpc_pipefs'($*))dnl
')

########################################
## <summary>
##	Unmount a RPC pipe filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_unmount_rpc_pipefs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_rpc_pipefs'($*))dnl
	gen_require(`
		type rpc_pipefs_t;
	')

	allow $1 rpc_pipefs_t:filesystem unmount;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_rpc_pipefs'($*))dnl
')

########################################
## <summary>
##	Get the attributes of a RPC pipe
##	filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_getattr_rpc_pipefs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_rpc_pipefs'($*))dnl
	gen_require(`
		type rpc_pipefs_t;
	')

	allow $1 rpc_pipefs_t:filesystem getattr;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_rpc_pipefs'($*))dnl
')

########################################
## <summary>
##	Read and write RPC pipe filesystem named pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_rw_rpc_named_pipes',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_rpc_named_pipes'($*))dnl
	gen_require(`
		type rpc_pipefs_t;
	')

	# Direct fifo_file access only; callers needing to traverse the
	# rpc_pipefs directory tree must obtain search separately.
	allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_rw_rpc_named_pipes'($*))dnl
')

########################################
## <summary>
##	Mount a tmpfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_mount_tmpfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_tmpfs'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	allow $1 tmpfs_t:filesystem mount;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_mount_tmpfs'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to remount a tmpfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_remount_tmpfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_remount_tmpfs'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	dontaudit $1 tmpfs_t:filesystem remount;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_remount_tmpfs'($*))dnl
')

########################################
## <summary>
##	Remount a tmpfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_remount_tmpfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_tmpfs'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	allow $1 tmpfs_t:filesystem remount;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_remount_tmpfs'($*))dnl
')

########################################
## <summary>
##	Unmount a tmpfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_unmount_tmpfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_tmpfs'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	allow $1 tmpfs_t:filesystem unmount;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_tmpfs'($*))dnl
')

########################################
## <summary>
##	Mount, remount, and unmount a tmpfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_all_mount_fs_perms_tmpfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_all_mount_fs_perms_tmpfs'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	# Superset of fs_mount_tmpfs / fs_remount_tmpfs / fs_unmount_tmpfs;
	# prefer one of those when a caller needs only a single operation.
	allow $1 tmpfs_t:filesystem mount_fs_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_all_mount_fs_perms_tmpfs'($*))dnl
')

########################################
## <summary>
##	Mount on tmpfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_mounton_tmpfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_mounton_tmpfs'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	allow $1 tmpfs_t:dir mounton;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_mounton_tmpfs'($*))dnl
')

########################################
## <summary>
##	Get the attributes of a tmpfs
##	filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`fs_getattr_tmpfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_tmpfs'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	allow $1 tmpfs_t:filesystem getattr;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_tmpfs'($*))dnl
')

########################################
## <summary>
##	Allow the type to associate to tmpfs filesystems.
## </summary>
## <param name="file_type">
##	<summary>
##	The type of the object to be associated.
##	</summary>
## </param>
#
define(`fs_associate_tmpfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_associate_tmpfs'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	# $1 is an object (file) type, not a process domain.
	allow $1 tmpfs_t:filesystem associate;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_associate_tmpfs'($*))dnl
')

########################################
## <summary>
##	Relabel from tmpfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_relabelfrom_tmpfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_tmpfs'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	# filesystem-class relabelfrom (whole-mount relabel), distinct from the
	# per-object relabel interfaces below.
	allow $1 tmpfs_t:filesystem relabelfrom;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_relabelfrom_tmpfs'($*))dnl
')

########################################
## <summary>
##	Get the attributes of tmpfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_getattr_tmpfs_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_tmpfs_dirs'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	allow $1 tmpfs_t:dir getattr;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_tmpfs_dirs'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of tmpfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_getattr_tmpfs_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_tmpfs_dirs'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	dontaudit $1 tmpfs_t:dir getattr;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_tmpfs_dirs'($*))dnl
')

########################################
## <summary>
##	Set the attributes of tmpfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_setattr_tmpfs_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_setattr_tmpfs_dirs'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	allow $1 tmpfs_t:dir setattr;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_setattr_tmpfs_dirs'($*))dnl
')

########################################
## <summary>
##	Search tmpfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_search_tmpfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_search_tmpfs'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	allow $1 tmpfs_t:dir search_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_search_tmpfs'($*))dnl
')

########################################
## <summary>
##	List the contents of generic tmpfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_list_tmpfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_list_tmpfs'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	allow $1 tmpfs_t:dir list_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_list_tmpfs'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to list the
##	contents of generic tmpfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_list_tmpfs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_list_tmpfs'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	dontaudit $1 tmpfs_t:dir list_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_list_tmpfs'($*))dnl
')

########################################
## <summary>
##	Relabel directories on tmpfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_relabel_tmpfs_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_relabel_tmpfs_dirs'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_relabel_tmpfs_dirs'($*))dnl
')

########################################
## <summary>
##	Watch for mount events on directories
##	of the tmpfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_watch_mount_tmpfs_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_watch_mount_tmpfs_dirs'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	# Search is needed to reach the watched directory in the first place.
	fs_search_tmpfs($1)
	allow $1 tmpfs_t:dir watch_mount_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_watch_mount_tmpfs_dirs'($*))dnl
')

########################################
## <summary>
##	Watch directories on the tmpfs filesystem
##	with permission-event (watch_with_perm) access.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_watch_with_perm_tmpfs_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_watch_with_perm_tmpfs_dirs'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	fs_search_tmpfs($1)
	# NOTE(review): permission-event watches let the watcher block other
	# domains' accesses until it answers; grant only to trusted scanners.
	allow $1 tmpfs_t:dir watch_with_perm_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_watch_with_perm_tmpfs_dirs'($*))dnl
')

########################################
## <summary>
##	Relabel named pipes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_relabel_tmpfs_fifo_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_relabel_tmpfs_fifo_files'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_relabel_tmpfs_fifo_files'($*))dnl
')

########################################
## <summary>
##	Relabel files on tmpfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_relabel_tmpfs_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_relabel_tmpfs_files'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	relabel_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_relabel_tmpfs_files'($*))dnl
')

########################################
## <summary>
##	Delete tmpfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_delete_tmpfs_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_delete_tmpfs_dirs'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	fs_search_tmpfs($1)
	delete_dirs_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_delete_tmpfs_dirs'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	tmpfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_tmpfs_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_dirs'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	allow $1 tmpfs_t:dir manage_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_dirs'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to write
##	tmpfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_write_tmpfs_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_write_tmpfs_dirs'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	dontaudit $1 tmpfs_t:dir write;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_write_tmpfs_dirs'($*))dnl
')

########################################
## <summary>
##	Create an object in a tmpfs filesystem, with a private
##	type using a type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class of the object being created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
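##	</summary>
## </param>
#
define(`fs_tmpfs_filetrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_tmpfs_filetrans'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	# The new object's type ($2) must be allowed to live on tmpfs, otherwise
	# the transition would produce an object the kernel refuses to create.
	allow $2 tmpfs_t:filesystem associate;
	# $3 is the class (or class set), $4 the optional filename the
	# transition is keyed on; without $4 every new $3 in a tmpfs_t dir
	# becomes $2, so callers should pass a name when they can.
	filetrans_pattern($1, tmpfs_t, $2, $3, $4)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_tmpfs_filetrans'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to getattr
##	generic tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_getattr_tmpfs_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_tmpfs_files'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	dontaudit $1 tmpfs_t:file getattr;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_tmpfs_files'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	inherited generic tmpfs file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_rw_tmpfs_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_rw_tmpfs_files'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	# rw_inherited_file_perms excludes open, so this only covers descriptors
	# handed to the domain by something else.
	dontaudit $1 tmpfs_t:file rw_inherited_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_rw_tmpfs_files'($*))dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	automount mountpoint directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.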
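##	</summary>
## </param>
#
define(`fs_manage_auto_mountpoints',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_auto_mountpoints'($*))dnl
	gen_require(`
		type autofs_t;
	')

	allow $1 autofs_t:dir manage_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_manage_auto_mountpoints'($*))dnl
')

########################################
## <summary>
##	Read generic tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_read_tmpfs_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_read_tmpfs_files'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	read_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_read_tmpfs_files'($*))dnl
')

########################################
## <summary>
##	Read and write generic tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_rw_tmpfs_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_tmpfs_files'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	rw_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_rw_tmpfs_files'($*))dnl
')

########################################
## <summary>
##	Read and write inherited generic tmpfs
##	files (no open, no directory search).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_rw_inherited_tmpfs_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_inherited_tmpfs_files'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	# Deliberately only read/write: the domain cannot open tmpfs files
	# itself, so this is useful for descriptors passed in from a parent.
	# Use fs_rw_tmpfs_files when the caller must open the file.
	allow $1 tmpfs_t:file { read write };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_rw_inherited_tmpfs_files'($*))dnl
')

########################################
## <summary>
##	Read tmpfs symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.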
##	</summary>
## </param>
#
define(`fs_read_tmpfs_symlinks',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_read_tmpfs_symlinks'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	read_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_read_tmpfs_symlinks'($*))dnl
')

########################################
## <summary>
##	Relabel from tmpfs symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_relabelfrom_tmpfs_lnk_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_tmpfs_lnk_files'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	relabelfrom_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_relabelfrom_tmpfs_lnk_files'($*))dnl
')

########################################
## <summary>
##	Read and write character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_rw_tmpfs_chr_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_tmpfs_chr_files'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	# Listing (not just search) of the containing tmpfs directories is
	# granted alongside the device-node access, as in the original rule.
	allow $1 tmpfs_t:dir list_dir_perms;
	rw_chr_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_rw_tmpfs_chr_files'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write character
##	nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
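##	</summary>
## </param>
#
define(`fs_dontaudit_use_tmpfs_chr_dev',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_use_tmpfs_chr_dev'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	dontaudit $1 tmpfs_t:dir list_dir_perms;
	dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_use_tmpfs_chr_dev'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to create character
##	nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_create_tmpfs_chr_dev',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_create_tmpfs_chr_dev'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	# Suppresses the denial only; creating device nodes on tmpfs stays
	# denied unless some other rule allows it.
	dontaudit $1 tmpfs_t:chr_file create;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_create_tmpfs_chr_dev'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to read block
##	nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_read_tmpfs_blk_dev',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_tmpfs_blk_dev'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_tmpfs_blk_dev'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to read files on tmpfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.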
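##	</summary>
## </param>
#
define(`fs_dontaudit_read_tmpfs_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_read_tmpfs_files'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	# Fixed: this interface is named and documented for regular files, but
	# the rule previously used the blk_file class (a copy of
	# fs_dontaudit_read_tmpfs_blk_dev, which already covers block nodes).
	# Callers that relied on it to silence blk_file read denials should use
	# fs_dontaudit_read_tmpfs_blk_dev instead. Note that this now hides
	# denials for reads of generic tmpfs files, so apply it only where that
	# noise is known to be benign.
	dontaudit $1 tmpfs_t:file read;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_read_tmpfs_files'($*))dnl
')

########################################
## <summary>
##	Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_relabel_tmpfs_chr_file',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_relabel_tmpfs_chr_file'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	allow $1 tmpfs_t:dir list_dir_perms;
	relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_relabel_tmpfs_chr_file'($*))dnl
')

########################################
## <summary>
##	Read and write block nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_rw_tmpfs_blk_files',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_tmpfs_blk_files'($*))dnl
	gen_require(`
		type tmpfs_t;
	')

	allow $1 tmpfs_t:dir list_dir_perms;
	rw_blk_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `fs_rw_tmpfs_blk_files'($*))dnl
')

########################################
## <summary>
##	Get the attributes of block nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.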
##	</summary>
## </param>
#
define(`fs_getattr_tmpfs_blk_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_tmpfs_blk_file'($*)) dnl
	gen_require(`
		type tmpfs_t;
	')

	# getattr only; no directory search is granted here
	allow $1 tmpfs_t:blk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_tmpfs_blk_file'($*)) dnl
')

########################################
## <summary>
##	Relabel block nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_relabel_tmpfs_blk_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabel_tmpfs_blk_file'($*)) dnl
	gen_require(`
		type tmpfs_t;
	')

	allow $1 tmpfs_t:dir list_dir_perms;
	relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabel_tmpfs_blk_file'($*)) dnl
')

########################################
## <summary>
##	Relabel sock nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_relabel_tmpfs_sock_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabel_tmpfs_sock_file'($*)) dnl
	gen_require(`
		type tmpfs_t;
	')

	allow $1 tmpfs_t:dir list_dir_perms;
	relabel_sock_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabel_tmpfs_sock_file'($*)) dnl
')

########################################
## <summary>
##	Delete generic files in tmpfs directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_delete_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_delete_tmpfs_files'($*)) dnl
	gen_require(`
		type tmpfs_t;
	')

	allow $1 tmpfs_t:dir del_entry_dir_perms;
	# NOTE(review): file_class_set is an object class set defined with the
	# other class-set macros, so this presumably reaches beyond plain files.
	allow $1 tmpfs_t:file_class_set delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_delete_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Read and write, create and delete generic
##	files on tmpfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_files'($*)) dnl
	gen_require(`
		type tmpfs_t;
	')

	manage_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Execute files on a tmpfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`fs_exec_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_exec_tmpfs_files'($*)) dnl
	gen_require(`
		type tmpfs_t;
	')

	# Execute on tmpfs_t content. tmpfs is commonly writable by many domains,
	# so write plus execute on the same type weakens W^X; review callers.
	exec_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_exec_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Read and write, create and delete symbolic
##	links on tmpfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_tmpfs_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_symlinks'($*)) dnl
	gen_require(`
		type tmpfs_t;
	')

	manage_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_symlinks'($*)) dnl
')

########################################
## <summary>
##	Read and write, create and delete socket
##	files on tmpfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_tmpfs_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_sockets'($*)) dnl
	gen_require(`
		type tmpfs_t;
	')

	manage_sock_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_sockets'($*)) dnl
')

########################################
## <summary>
##	Read and write, create and delete character
##	nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_tmpfs_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_chr_files'($*)) dnl
	gen_require(`
		type tmpfs_t;
	')

	# presumably includes creating device nodes on tmpfs (manage pattern);
	# keep callers limited to device-management domains
	manage_chr_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_chr_files'($*)) dnl
')

########################################
## <summary>
##	Read and write, create and delete block nodes
##	on tmpfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_manage_tmpfs_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_tmpfs_blk_files'($*)) dnl
	gen_require(`
		type tmpfs_t;
	')

	# presumably includes creating block device nodes on tmpfs; restrict callers
	manage_blk_files_pattern($1, tmpfs_t, tmpfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_tmpfs_blk_files'($*)) dnl
')

########################################
## <summary>
##	Mount a XENFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_mount_xenfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_xenfs'($*)) dnl
	gen_require(`
		type xenfs_t;
	')

	allow $1 xenfs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_xenfs'($*)) dnl
')

########################################
## <summary>
##	Search the XENFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_search_xenfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_xenfs'($*)) dnl
	gen_require(`
		type xenfs_t;
	')

	allow $1 xenfs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_xenfs'($*)) dnl
')

########################################
## <summary>
##	Read files on a XENFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_read_xenfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_xenfs_files'($*)) dnl
	gen_require(`
		type xenfs_t;
	')

	# file read only; callers that need to traverse dirs also need fs_search_xenfs
	allow $1 xenfs_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_xenfs_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete directories
##	on a XENFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`fs_manage_xenfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_xenfs_dirs'($*)) dnl
	gen_require(`
		type xenfs_t;
	')

	allow $1 xenfs_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_xenfs_dirs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to create, read,
##	write, and delete directories
##	on a XENFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_manage_xenfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_xenfs_dirs'($*)) dnl
	gen_require(`
		type xenfs_t;
	')

	dontaudit $1 xenfs_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_xenfs_dirs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete files
##	on a XENFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`fs_manage_xenfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_xenfs_files'($*)) dnl
	gen_require(`
		type xenfs_t;
	')

	manage_files_pattern($1, xenfs_t, xenfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_xenfs_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to create,
##	read, write, and delete files
##	on a XENFS filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_manage_xenfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_manage_xenfs_files'($*)) dnl
	gen_require(`
		type xenfs_t;
	')

	dontaudit $1 xenfs_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_manage_xenfs_files'($*)) dnl
')

########################################
## <summary>
##	Mount all filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_mount_all_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_all_fs'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	# Broad: every filesystem_type. Prefer a per-filesystem mount interface
	# (e.g. fs_mount_xenfs, fs_mount_tracefs) when the caller needs only one.
	allow $1 filesystem_type:filesystem mount;
	# Mount checks write access on the dir
	allow $1 filesystem_type:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_all_fs'($*)) dnl
')

########################################
## <summary>
##	Remount all filesystems. This
##	allows some mount options to be changed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_remount_all_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_all_fs'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	allow $1 filesystem_type:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_all_fs'($*)) dnl
')

########################################
## <summary>
##	Unmount all filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_unmount_all_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_all_fs'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	allow $1 filesystem_type:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_all_fs'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of all filesystems.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to
##	get the attributes of all filesystems.
##	Example attributes:
##	</p>
##	<ul>
##		<li>Type of the file system (e.g., ext3)</li>
##		<li>Size of the file system</li>
##		<li>Available space on the file system</li>
##	</ul>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
##
#
define(`fs_getattr_all_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_fs'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	allow $1 filesystem_type:filesystem getattr;
	# presumably also covers filesystems labeled with file types (files module helper)
	files_getattr_all_file_type_fs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_fs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_getattr_all_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_fs'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	dontaudit $1 filesystem_type:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_fs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to check the
##	access on all filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_all_access_check',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_all_access_check'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	# audit_access is the permission checked for access(2)-style probes;
	# silencing it hides probing noise without granting any access
	dontaudit $1 filesystem_type:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_all_access_check'($*)) dnl
')

########################################
## <summary>
##	Get the quotas of all filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`fs_get_all_fs_quotas',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_get_all_fs_quotas'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	allow $1 filesystem_type:filesystem quotaget;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_get_all_fs_quotas'($*)) dnl
')

########################################
## <summary>
##	Set the quotas of all filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`fs_set_all_quotas',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_set_all_quotas'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	allow $1 filesystem_type:filesystem quotamod;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_set_all_quotas'($*)) dnl
')

########################################
## <summary>
##	Relabelfrom all filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_relabelfrom_all_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_relabelfrom_all_fs'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	# relabelfrom only; the matching relabelto on the target type is granted elsewhere
	allow $1 filesystem_type:filesystem relabelfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_relabelfrom_all_fs'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of all directories
##	with a filesystem type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_getattr_all_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_dirs'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	allow $1 filesystem_type:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_dirs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes of all directories
##	with a filesystem type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_getattr_all_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_dirs'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	dontaudit $1 filesystem_type:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_dirs'($*)) dnl
')

########################################
## <summary>
##	Search all directories with a filesystem type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_search_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_all'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	allow $1 filesystem_type:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_all'($*)) dnl
')

########################################
## <summary>
##	List all directories with a filesystem type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_list_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_list_all'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	allow $1 filesystem_type:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_list_all'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of all files with
##	a filesystem type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_getattr_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_files'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	getattr_files_pattern($1, filesystem_type, filesystem_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all files with a filesystem type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_getattr_all_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_files'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	dontaudit $1 filesystem_type:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_files'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of all symbolic links with
##	a filesystem type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_getattr_all_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_symlinks'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	getattr_lnk_files_pattern($1, filesystem_type, filesystem_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_symlinks'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all symbolic links with a filesystem type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_getattr_all_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_symlinks'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	dontaudit $1 filesystem_type:lnk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_symlinks'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of all named pipes with
##	a filesystem type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_getattr_all_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_pipes'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	getattr_fifo_files_pattern($1, filesystem_type, filesystem_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_pipes'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all named pipes with a filesystem type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_getattr_all_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_pipes'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	dontaudit $1 filesystem_type:fifo_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_pipes'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of all named sockets with
##	a filesystem type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_getattr_all_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_sockets'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	getattr_sock_files_pattern($1, filesystem_type, filesystem_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_sockets'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all named sockets with a filesystem type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_getattr_all_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_getattr_all_sockets'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	dontaudit $1 filesystem_type:sock_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_getattr_all_sockets'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of all block device nodes with
##	a filesystem type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_getattr_all_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_blk_files'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	getattr_blk_files_pattern($1, filesystem_type, filesystem_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_blk_files'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of all character device nodes with
##	a filesystem type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_getattr_all_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_getattr_all_chr_files'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	getattr_chr_files_pattern($1, filesystem_type, filesystem_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_getattr_all_chr_files'($*)) dnl
')

########################################
## <summary>
##	Unconfined access to filesystems
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unconfined'($*)) dnl
	gen_require(`
		attribute filesystem_unconfined_type;
	')

	# Attribute assignment, not a rule: the rules attached to
	# filesystem_unconfined_type live elsewhere and presumably lift
	# filesystem confinement entirely. Reserve for unconfined domains.
	typeattribute $1 filesystem_unconfined_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unconfined'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	all leaked filesystem files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`fs_dontaudit_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_dontaudit_leaks'($*)) dnl
	gen_require(`
		attribute filesystem_type;
	')

	# only inherited (leaked) descriptors are silenced, not fresh opens
	dontaudit $1 filesystem_type:file rw_inherited_file_perms;
	dontaudit $1 filesystem_type:lnk_file { read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_dontaudit_leaks'($*)) dnl
')

########################################
## <summary>
##	Transition named content in tmpfs_t directory
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_tmpfs_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_tmpfs_filetrans_named_content'($*)) dnl
	gen_require(`
		type cgroup_t;
		type devlog_t;
	')

	# fixed names only: cpu and cpuacct symlinks land in cgroup_t, log in devlog_t
	fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu")
	fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
	fs_tmpfs_filetrans($1, devlog_t, lnk_file, "log")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_tmpfs_filetrans_named_content'($*)) dnl
')

########################################
## <summary>
##	Read files in efivarfs
##	- contains Linux Kernel configuration options for UEFI systems
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`fs_read_efivarfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_read_efivarfs_files'($*)) dnl
	gen_require(`
		type efivarfs_t;
	')

	read_files_pattern($1, efivarfs_t, efivarfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_read_efivarfs_files'($*)) dnl
')

########################################
## <summary>
##	Manage efivarfs files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`fs_manage_efivarfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_efivarfs_files'($*)) dnl
	gen_require(`
		type efivarfs_t;
	')

	# Writes to efivarfs reach firmware variables and can change boot
	# behaviour; keep callers limited to firmware and boot tooling.
	manage_files_pattern($1, efivarfs_t, efivarfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_efivarfs_files'($*)) dnl
')

########################################
## <summary>
##	Search efivarfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_search_efivarfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_search_efivarfs_dirs'($*)) dnl
	gen_require(`
		type efivarfs_t;
	')

	search_dirs_pattern($1, efivarfs_t, efivarfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_search_efivarfs_dirs'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of efivarfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_setattr_efivarfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_setattr_efivarfs_files'($*)) dnl
	gen_require(`
		type efivarfs_t;
	')

	allow $1 efivarfs_t:file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_setattr_efivarfs_files'($*)) dnl
')

########################################
## <summary>
##	Read and write files, named pipes and sockets
##	on the ONLOAD filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_rw_onload_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_onload_sockets'($*)) dnl
	gen_require(`
		type onload_fs_t;
	')

	# despite the name this covers files and fifos as well as sockets
	rw_files_pattern($1, onload_fs_t, onload_fs_t)
	rw_fifo_files_pattern($1, onload_fs_t, onload_fs_t)
	rw_sock_files_pattern($1, onload_fs_t, onload_fs_t)
	allow $1 onload_fs_t:sock_file ioctl;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_onload_sockets'($*)) dnl
')

########################################
## <summary>
##	Read and write tracefs_t files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_rw_tracefs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_rw_tracefs_files'($*)) dnl
	gen_require(`
		type tracefs_t;
	')

	rw_files_pattern($1, tracefs_t, tracefs_t)
	# NOTE(review): this is granted on self, not on tracefs_t, so it is a
	# domain-wide lockdown permission rather than something scoped to tracing.
	allow $1 self:lockdown confidentiality;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_rw_tracefs_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete dirs
##	labeled as tracefs_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`fs_manage_tracefs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_manage_tracefs_dirs'($*)) dnl
	gen_require(`
		type tracefs_t;
	')

	manage_dirs_pattern($1, tracefs_t, tracefs_t)
	# same caveat as fs_rw_tracefs_files: lockdown permission is on self
	allow $1 self:lockdown confidentiality;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_manage_tracefs_dirs'($*)) dnl
')

########################################
## <summary>
##	Mount tracefs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_mount_tracefs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_mount_tracefs'($*)) dnl
	gen_require(`
		type tracefs_t;
	')

	allow $1 tracefs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_mount_tracefs'($*)) dnl
')

########################################
## <summary>
##	Remount tracefs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_remount_tracefs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_remount_tracefs'($*)) dnl
	gen_require(`
		type tracefs_t;
	')

	allow $1 tracefs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_remount_tracefs'($*)) dnl
')

########################################
## <summary>
##	Unmount tracefs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fs_unmount_tracefs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fs_unmount_tracefs'($*)) dnl
	gen_require(`
		type tracefs_t;
	')

	allow $1 tracefs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fs_unmount_tracefs'($*)) dnl
')

## <summary>
##	Policy for kernel threads, proc filesystem,
##	and unlabeled processes and objects.
## </summary>
## <required val="true">
##	This module has initial SIDs.
## </required>

########################################
## <summary>
##	Allow userland processes to be started
##	by transitioning to the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	The process type entered by kernel.
##	</summary>
## </param>
## <param name="entrypoint">
##	<summary>
##	The executable type for the entrypoint.
##	</summary>
## </param>
#
define(`kernel_domtrans_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_domtrans_to'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	# kernel_t is the source; the second argument is the entrypoint and the
	# first the target domain (pattern argument order presumed: source, entry, target)
	domtrans_pattern(kernel_t, $2, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_domtrans_to'($*)) dnl
')

########################################
## <summary>
##	Allow userland processes to be started
##	by transitioning to the specified domain,
##	with a range transition.
## </summary>
## <param name="domain">
##	<summary>
##	The process type entered by kernel.
##	</summary>
## </param>
## <param name="entrypoint">
##	<summary>
##	The executable type for the entrypoint.
##	</summary>
## </param>
## <param name="range">
##	<summary>
##	Range for the domain.
##	</summary>
## </param>
#
define(`kernel_ranged_domtrans_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_ranged_domtrans_to'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	kernel_domtrans_to($1, $2)

	# enable_mcs and enable_mls are expected to be mutually exclusive build
	# options; if both were defined the range_transition would be emitted twice
	ifdef(`enable_mcs',`
		range_transition kernel_t $2:process $3;
	')

	ifdef(`enable_mls',`
		range_transition kernel_t $2:process $3;
		mls_rangetrans_target($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_ranged_domtrans_to'($*)) dnl
')

########################################
## <summary>
##	Allows the kernel to mount filesystems on
##	the specified directory type.
## </summary>
## <param name="directory_type">
##	<summary>
##	The type of the directory to use as a mountpoint.
##	</summary>
## </param>
#
define(`kernel_rootfs_mountpoint',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rootfs_mountpoint'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	# note the direction: kernel_t is the subject, the argument is the target dir type
	allow kernel_t $1:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rootfs_mountpoint'($*)) dnl
')

########################################
## <summary>
##	Set the process group of kernel threads.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_setpgid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_setpgid'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	allow $1 kernel_t:process setpgid;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_setpgid'($*)) dnl
')

########################################
## <summary>
##	Set the priority of kernel threads.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_setsched',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_setsched'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	allow $1 kernel_t:process setsched;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_setsched'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to set the priority of kernel threads.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`kernel_dontaudit_setsched',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_setsched'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	dontaudit $1 kernel_t:process setsched;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_setsched'($*)) dnl
')

########################################
## <summary>
##	Send a SIGCHLD signal to kernel threads.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_sigchld'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	allow $1 kernel_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_sigchld'($*)) dnl
')

########################################
## <summary>
##	Send a kill signal to kernel threads.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_kill'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	# sigkill only; generic signals are a separate interface (kernel_signal)
	allow $1 kernel_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_kill'($*)) dnl
')

########################################
## <summary>
##	Send a generic signal to kernel threads.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_signal'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	allow $1 kernel_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_signal'($*)) dnl
')

########################################
## <summary>
##	Send signull to kernel threads.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_signull'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	# signull is an existence check (signal 0), it delivers nothing
	allow $1 kernel_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_signull'($*)) dnl
')

########################################
## <summary>
##	Allows the kernel to share state information with
##	the caller.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process with which to share state information.
##	</summary>
## </param>
#
define(`kernel_share_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_share_state'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	# note the direction: the kernel domain is the subject here
	allow kernel_t $1:process share;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_share_state'($*)) dnl
')

########################################
## <summary>
##	Permits caller to use kernel file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_use_fds'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	allow $1 kernel_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_use_fds'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to use
##	kernel file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`kernel_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_use_fds'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	dontaudit $1 kernel_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_use_fds'($*)) dnl
')

########################################
## <summary>
##	Read and write kernel unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_pipes'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	allow $1 kernel_t:fifo_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_pipes'($*)) dnl
')

########################################
## <summary>
##	Connect to kernel using a unix
##	domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_stream_connect'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	allow $1 kernel_t:unix_stream_socket { getattr connectto };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Read and write kernel unix datagram sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_rw_unix_dgram_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_unix_dgram_sockets'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	allow $1 kernel_t:unix_dgram_socket { getattr read write ioctl };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_unix_dgram_sockets'($*)) dnl
')

########################################
## <summary>
##	Send messages to kernel unix datagram sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dgram_send'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	allow $1 kernel_t:unix_dgram_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dgram_send'($*)) dnl
')

########################################
## <summary>
##	Receive messages from kernel TCP sockets. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_tcp_recvfrom',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_tcp_recvfrom'($*)) dnl
	# deprecated: grants nothing, only emits a build-time warning
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_tcp_recvfrom'($*)) dnl
')

########################################
## <summary>
##	Send UDP network traffic to the kernel. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_udp_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_udp_send'($*)) dnl
	# deprecated: grants nothing, only emits a build-time warning
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_udp_send'($*)) dnl
')

########################################
## <summary>
##	Receive messages from kernel UDP sockets. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_udp_recvfrom',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_udp_recvfrom'($*)) dnl
	# deprecated: grants nothing, only emits a build-time warning
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_udp_recvfrom'($*)) dnl
')

########################################
## <summary>
##	Allows caller to load kernel modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_load_module',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_load_module'($*)) dnl
	gen_require(`
		attribute can_load_kernmodule;
	')

	# the actual rules hang off the attribute, declared elsewhere
	typeattribute $1 can_load_kernmodule;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_load_module'($*)) dnl
')

########################################
## <summary>
##	Allows caller to load unsigned kernel modules.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_load_unsigned_module',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_load_unsigned_module'($*)) dnl
	# unsigned module loading additionally needs the lockdown
	# integrity permission; this is a superset of kernel_load_module
	allow $1 self:lockdown integrity;

	kernel_load_module($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_load_unsigned_module'($*)) dnl
')

########################################
## <summary>
##	Allow search the kernel key ring.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_search_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_key'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	allow $1 kernel_t:key search;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_key'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to search the kernel key ring.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`kernel_dontaudit_search_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_key'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	dontaudit $1 kernel_t:key search;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_key'($*)) dnl
')

########################################
## <summary>
##	Allow link to the kernel key ring.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_link_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_link_key'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	allow $1 kernel_t:key link;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_link_key'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to link to the kernel key ring.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`kernel_dontaudit_link_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_link_key'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	dontaudit $1 kernel_t:key link;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_link_key'($*)) dnl
')

########################################
## <summary>
##	Allow read, view, and write the kernel key ring.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_rw_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_key'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	allow $1 kernel_t:key { read view write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_key'($*)) dnl
')

########################################
## <summary>
##	Allow view the kernel key ring.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_view_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_view_key'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	allow $1 kernel_t:key view;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_view_key'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to view the kernel key ring.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`kernel_dontaudit_view_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_view_key'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	dontaudit $1 kernel_t:key view;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_view_key'($*)) dnl
')

########################################
## <summary>
##	Allows caller to read the ring buffer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`kernel_read_ring_buffer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_ring_buffer'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	# reading the ring buffer needs both the syslog capability
	# and the system-level syslog_read permission
	allow $1 self:capability2 syslog;
	allow $1 kernel_t:system syslog_read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_ring_buffer'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read the ring buffer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`kernel_dontaudit_read_ring_buffer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_read_ring_buffer'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	dontaudit $1 kernel_t:system syslog_read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_read_ring_buffer'($*)) dnl
')

########################################
## <summary>
##	Change the level of kernel messages logged to the console.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`kernel_change_ring_buffer_level',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_change_ring_buffer_level'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	allow $1 self:capability2 syslog;
	allow $1 kernel_t:system syslog_console;

	# older distributions check sys_admin instead of the syslog capability
	ifdef(`distro_rhel4',`
		allow $1 self:capability sys_admin;
	')

	ifdef(`distro_rhel5',`
		allow $1 self:capability sys_admin;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_change_ring_buffer_level'($*)) dnl
')

########################################
## <summary>
##	Allows the caller to clear the ring buffer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`kernel_clear_ring_buffer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_clear_ring_buffer'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	allow $1 self:capability2 syslog;
	allow $1 kernel_t:system syslog_mod;

	# older distributions check sys_admin instead of the syslog capability
	ifdef(`distro_rhel4',`
		allow $1 self:capability sys_admin;
	')

	ifdef(`distro_rhel5',`
		allow $1 self:capability sys_admin;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_clear_ring_buffer'($*)) dnl
')

########################################
## <summary>
##	Allows caller to request the kernel to load a module.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to request that the kernel
##	load a kernel module. An example of this is the
##	auto-loading of network drivers when doing an
##	ioctl() on a network interface.
##	</p>
##	<p>
##	In the specific case of a module loading request
##	on a network interface, the domain will also
##	need the net_admin capability.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_request_load_module',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_request_load_module'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	# only the request is granted; the load itself is done by the kernel
	allow $1 kernel_t:system module_request;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_request_load_module'($*)) dnl
')

########################################
## <summary>
##	Do not audit requests to the kernel to load a module.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`kernel_dontaudit_request_load_module',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_request_load_module'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	dontaudit $1 kernel_t:system module_request;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_request_load_module'($*)) dnl
')

########################################
## <summary>
##	Get information on all System V IPC objects.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_get_sysvipc_info',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_get_sysvipc_info'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	allow $1 kernel_t:system ipc_info;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_get_sysvipc_info'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of a kernel debugging filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_getattr_debugfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_getattr_debugfs'($*)) dnl
	gen_require(`
		type debugfs_t;
	')

	allow $1 debugfs_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_getattr_debugfs'($*)) dnl
')

########################################
## <summary>
##	Mount a kernel debugging filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_mount_debugfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_mount_debugfs'($*)) dnl
	gen_require(`
		type debugfs_t;
	')

	allow $1 debugfs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_mount_debugfs'($*)) dnl
')

########################################
## <summary>
##	Unmount a kernel debugging filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_unmount_debugfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_unmount_debugfs'($*)) dnl
	gen_require(`
		type debugfs_t;
	')

	allow $1 debugfs_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_unmount_debugfs'($*)) dnl
')

########################################
## <summary>
##	Remount a kernel debugging filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_remount_debugfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_remount_debugfs'($*)) dnl
	gen_require(`
		type debugfs_t;
	')

	allow $1 debugfs_t:filesystem remount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_remount_debugfs'($*)) dnl
')

########################################
## <summary>
##	Search the contents of a kernel debugging filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_search_debugfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_debugfs'($*)) dnl
	gen_require(`
		type debugfs_t;
	')

	search_dirs_pattern($1, debugfs_t, debugfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_debugfs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to search the kernel debugging filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`kernel_dontaudit_search_debugfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_debugfs'($*)) dnl
	gen_require(`
		type debugfs_t;
	')

	dontaudit $1 debugfs_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_debugfs'($*)) dnl
')

########################################
## <summary>
##	Read information from the debugging filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_read_debugfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_debugfs'($*)) dnl
	gen_require(`
		type debugfs_t;
	')

	# debugfs access is gated by the lockdown integrity permission,
	# so this interface grants more than a plain file read
	allow $1 self:lockdown integrity;

	read_files_pattern($1, debugfs_t, debugfs_t)
	read_lnk_files_pattern($1, debugfs_t, debugfs_t)
	list_dirs_pattern($1, debugfs_t, debugfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_debugfs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write kernel debugging filesystem dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`kernel_dontaudit_write_debugfs_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_write_debugfs_dirs'($*)) dnl
	gen_require(`
		type debugfs_t;
	')

	dontaudit $1 debugfs_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_write_debugfs_dirs'($*)) dnl
')

########################################
## <summary>
##	Manage information from the debugging filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_manage_debugfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_manage_debugfs'($*)) dnl
	gen_require(`
		type debugfs_t;
	')

	# debugfs access is gated by the lockdown integrity permission
	allow $1 self:lockdown integrity;

	manage_files_pattern($1, debugfs_t, debugfs_t)
	manage_dirs_pattern($1,debugfs_t, debugfs_t)
	read_lnk_files_pattern($1, debugfs_t, debugfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_manage_debugfs'($*)) dnl
')

########################################
## <summary>
##	Mount a kernel VM filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_mount_kvmfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_mount_kvmfs'($*)) dnl
	gen_require(`
		type kvmfs_t;
	')

	allow $1 kvmfs_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_mount_kvmfs'($*)) dnl
')

########################################
## <summary>
##	Mount the proc filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_mount_proc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_mount_proc'($*)) dnl
	gen_require(`
		type proc_t;
	')

	allow $1 proc_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_mount_proc'($*)) dnl
')

########################################
## <summary>
##	Unmount the proc filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_unmount_proc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_unmount_proc'($*)) dnl
	gen_require(`
		type proc_t;
	')

	allow $1 proc_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_unmount_proc'($*)) dnl
')

########################################
## <summary>
##	Mounton a proc filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_mounton_proc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_mounton_proc'($*)) dnl
	gen_require(`
		type proc_t;
	')

	allow $1 proc_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_mounton_proc'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of the proc filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_getattr_proc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_getattr_proc'($*)) dnl
	gen_require(`
		type proc_t;
	')

	allow $1 proc_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_getattr_proc'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to set the
##	attributes of directories in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`kernel_dontaudit_setattr_proc_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_setattr_proc_dirs'($*)) dnl
	gen_require(`
		type proc_t;
	')

	dontaudit $1 proc_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_setattr_proc_dirs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to set the
##	attributes of files in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`kernel_dontaudit_setattr_proc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_setattr_proc_files'($*)) dnl
	gen_require(`
		type proc_t;
	')

	dontaudit $1 proc_t:file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_setattr_proc_files'($*)) dnl
')

########################################
## <summary>
##	Search directories in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_search_proc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_proc'($*)) dnl
	gen_require(`
		type proc_t;
	')

	search_dirs_pattern($1, proc_t, proc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_proc'($*)) dnl
')

########################################
## <summary>
##	List the contents of directories in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_list_proc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_list_proc'($*)) dnl
	gen_require(`
		type proc_t;
	')

	list_dirs_pattern($1, proc_t, proc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_list_proc'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to list the
##	contents of directories in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`kernel_dontaudit_list_proc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_list_proc'($*)) dnl
	gen_require(`
		type proc_t;
	')

	dontaudit $1 proc_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_list_proc'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write the
##	directories in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`kernel_dontaudit_write_proc_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_write_proc_dirs'($*)) dnl
	gen_require(`
		type proc_t;
	')

	dontaudit $1 proc_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_write_proc_dirs'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of files in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_getattr_proc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_getattr_proc_files'($*)) dnl
	gen_require(`
		type proc_t;
	')

	getattr_files_pattern($1, proc_t, proc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_getattr_proc_files'($*)) dnl
')

########################################
## <summary>
##	Read generic symbolic links in /proc.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to read (follow) generic
##	symbolic links (symlinks) in the proc filesystem (/proc).
##	This interface does not include access to the targets of
##	these links. An example symlink is /proc/self.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`kernel_read_proc_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_proc_symlinks'($*)) dnl
	gen_require(`
		type proc_t;
	')

	# only the links themselves; the link targets keep their own labels
	read_lnk_files_pattern($1, proc_t, proc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_proc_symlinks'($*)) dnl
')

########################################
## <summary>
##	Allows caller to read system state information in /proc.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to read general system
##	state information from the proc filesystem (/proc).
##	</p>
##	<p>
##	Generally it should be safe to allow this access. Some
##	example files that can be read based on this interface:
##	</p>
##	<ul>
##		<li>/proc/cpuinfo</li>
##		<li>/proc/meminfo</li>
##		<li>/proc/uptime</li>
##	</ul>
##	<p>
##	This does not allow access to sysctl entries (/proc/sys/*)
##	nor process state information (/proc/pid).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
##
#
define(`kernel_read_system_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_system_state'($*)) dnl
	gen_require(`
		attribute kernel_system_state_reader;
	')

	# the actual rules hang off the attribute, declared elsewhere
	typeattribute $1 kernel_system_state_reader;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_system_state'($*)) dnl
')

########################################
## <summary>
##	Write to generic proc entries.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
# cjp: this should probably go away. any
# file thats writable in proc should really
# have its own label.
#
define(`kernel_write_proc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_write_proc_files'($*)) dnl
	gen_require(`
		type proc_t;
	')

	# writes to every proc_t labeled file, not a single entry
	write_files_pattern($1, proc_t, proc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_write_proc_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write the
##	file in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`kernel_dontaudit_write_proc_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_write_proc_files'($*)) dnl
	gen_require(`
		type proc_t;
	')

	dontaudit $1 proc_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_write_proc_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to check the
##	access on generic proc entries.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`kernel_dontaudit_access_check_proc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_access_check_proc'($*)) dnl
	gen_require(`
		type proc_t;
	')

	dontaudit $1 proc_t:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_access_check_proc'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts by caller to
##	read system state information in proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`kernel_dontaudit_read_system_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_read_system_state'($*)) dnl
	gen_require(`
		type proc_t;
	')

	dontaudit $1 proc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_read_system_state'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts by caller to
##	read generic symbolic links in proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`kernel_dontaudit_read_proc_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_read_proc_symlinks'($*)) dnl
	gen_require(`
		type proc_t;
	')

	dontaudit $1 proc_t:lnk_file read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_read_proc_symlinks'($*)) dnl
')

#######################################
## <summary>
##	Allow caller to read state information for AFS.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`kernel_read_afs_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_afs_state'($*)) dnl
	gen_require(`
		type proc_t, proc_afs_t;
	')

	list_dirs_pattern($1, proc_t, proc_t)
	read_files_pattern($1, proc_afs_t, proc_afs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_afs_state'($*)) dnl
')

#######################################
## <summary>
##	Allow caller to read and write state information for AFS.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`kernel_rw_afs_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_afs_state'($*)) dnl
	gen_require(`
		type proc_t, proc_afs_t;
	')

	list_dirs_pattern($1, proc_t, proc_t)
	rw_files_pattern($1, proc_afs_t, proc_afs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_afs_state'($*)) dnl
')

#######################################
## <summary>
##	Allow caller to read the state information for software raid.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`kernel_read_software_raid_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_software_raid_state'($*)) dnl
	gen_require(`
		type proc_t, proc_mdstat_t;
	')

	read_files_pattern($1, proc_t, proc_mdstat_t)
	list_dirs_pattern($1, proc_t, proc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_software_raid_state'($*)) dnl
')

#######################################
## <summary>
##	Allow caller to read and set the state information for software raid.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_rw_software_raid_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_software_raid_state'($*)) dnl
	gen_require(`
		type proc_t, proc_mdstat_t;
	')

	rw_files_pattern($1, proc_t, proc_mdstat_t)
	list_dirs_pattern($1, proc_t, proc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_software_raid_state'($*)) dnl
')

########################################
## <summary>
##	Allows caller to get attributes of the core kernel interface.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_getattr_core_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_getattr_core_if'($*)) dnl
	gen_require(`
		type proc_t, proc_kcore_t;
	')

	getattr_files_pattern($1, proc_t, proc_kcore_t)
	list_dirs_pattern($1, proc_t, proc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_getattr_core_if'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes of
##	core kernel interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`kernel_dontaudit_getattr_core_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_core_if'($*)) dnl
	gen_require(`
		type proc_kcore_t;
	')

	dontaudit $1 proc_kcore_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_core_if'($*)) dnl
')

########################################
## <summary>
##	Allows caller to read the core kernel interface.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_read_core_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_core_if'($*)) dnl
	gen_require(`
		type proc_t, proc_kcore_t;
		attribute can_dump_kernel;
	')

	# reading the core kernel interface needs raw I/O and the
	# lockdown confidentiality permission on top of the file read,
	# and marks the domain as one that can dump the kernel
	allow $1 self:capability sys_rawio;
	allow $1 self:lockdown confidentiality;

	read_files_pattern($1, proc_t, proc_kcore_t)
	list_dirs_pattern($1, proc_t, proc_t)

	typeattribute $1 can_dump_kernel;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_core_if'($*)) dnl
')

########################################
## <summary>
##	Allow caller to mounton the core kernel interface file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_mounton_core_if',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_mounton_core_if'($*)) dnl
	gen_require(`
		type proc_kcore_t;
	')

	allow $1 proc_kcore_t:file mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_mounton_core_if'($*)) dnl
')

########################################
## <summary>
##	Allow caller to read kernel messages
##	using the /proc/kmsg interface.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_read_messages',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_messages'($*)) dnl
	gen_require(`
		attribute can_receive_kernel_messages;
		type proc_kmsg_t, proc_t;
	')

	read_files_pattern($1, proc_t, proc_kmsg_t)

	# the remaining rules hang off the attribute, declared elsewhere
	typeattribute $1 can_receive_kernel_messages;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_messages'($*)) dnl
')

########################################
## <summary>
##	Allow caller to mounton the kernel messages file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## # define(`kernel_mounton_messages',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_mounton_messages'($*)) dnl gen_require(` type proc_kmsg_t; ') allow $1 proc_kmsg_t:file mounton; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_mounton_messages'($*)) dnl ') ######################################## ## ## Allow caller to get the attributes of kernel message ## interface (/proc/kmsg). ## ## ## ## Domain allowed access. ## ## # define(`kernel_getattr_message_if',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_getattr_message_if'($*)) dnl gen_require(` type proc_kmsg_t, proc_t; ') getattr_files_pattern($1, proc_t, proc_kmsg_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_getattr_message_if'($*)) dnl ') ######################################## ## ## Do not audit attempts by caller to get the attributes of kernel ## message interfaces. ## ## ## ## Domain to not audit. ## ## # define(`kernel_dontaudit_getattr_message_if',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_message_if'($*)) dnl gen_require(` type proc_kmsg_t, proc_t; ') dontaudit $1 proc_kmsg_t:file getattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_message_if'($*)) dnl ') ######################################## ## ## Do not audit attempts to search the network ## state directory. ## ## ## ## Domain to not audit. 
## ## ## # define(`kernel_dontaudit_search_network_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_network_state'($*)) dnl gen_require(` type proc_net_t; ') dontaudit $1 proc_net_t:dir search; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_network_state'($*)) dnl ') ######################################## ## ## Allow searching of network state directory. ## ## ## ## Domain allowed access. ## ## ## # define(`kernel_search_network_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_search_network_state'($*)) dnl gen_require(` type proc_net_t; ') search_dirs_pattern($1, proc_t, proc_net_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_search_network_state'($*)) dnl ') ######################################## ## ## Read the network state information. ## ## ##

## Allow the specified domain to read the networking ## state information. This includes several pieces ## of networking information, such as network interface ## names, netfilter (iptables) statistics, protocol ## information, routes, and remote procedure call (RPC) ## information. ##

##
## ## ## Domain allowed access. ## ## ## ## # define(`kernel_read_network_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_read_network_state'($*)) dnl gen_require(` type proc_t, proc_net_t; ') read_files_pattern($1, { proc_t proc_net_t }, proc_net_t) read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t) list_dirs_pattern($1, proc_t, proc_net_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_read_network_state'($*)) dnl ') ######################################## ## ## Allow caller to read the network state symbolic links. ## ## ## ## Domain allowed access. ## ## # define(`kernel_read_network_state_symlinks',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_read_network_state_symlinks'($*)) dnl gen_require(` type proc_t, proc_net_t; ') read_lnk_files_pattern($1, { proc_t proc_net_t }, proc_net_t) list_dirs_pattern($1, proc_t, proc_net_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_read_network_state_symlinks'($*)) dnl ') ######################################## ## ## Allow searching of xen state directory. ## ## ## ## Domain allowed access. ## ## ## # define(`kernel_search_xen_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_search_xen_state'($*)) dnl gen_require(` type proc_t, proc_xen_t; ') search_dirs_pattern($1, proc_t, proc_xen_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_search_xen_state'($*)) dnl ') ######################################## ## ## Do not audit attempts to search the xen ## state directory. ## ## ## ## Domain to not audit. 
## ## ## # define(`kernel_dontaudit_search_xen_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_xen_state'($*)) dnl gen_require(` type proc_xen_t; ') dontaudit $1 proc_xen_t:dir search; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_xen_state'($*)) dnl ') ######################################## ## ## Allow caller to read the xen state information. ## ## ## ## Domain allowed access. ## ## ## # define(`kernel_read_xen_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_read_xen_state'($*)) dnl gen_require(` type proc_t, proc_xen_t; ') read_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) list_dirs_pattern($1, proc_t, proc_xen_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_read_xen_state'($*)) dnl ') ######################################## ## ## Allow caller to read the xen state symbolic links. ## ## ## ## Domain allowed access. ## ## ## # define(`kernel_read_xen_state_symlinks',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_read_xen_state_symlinks'($*)) dnl gen_require(` type proc_t, proc_xen_t; ') read_lnk_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) list_dirs_pattern($1, proc_t, proc_xen_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_read_xen_state_symlinks'($*)) dnl ') ######################################## ## ## Allow caller to write xen state information. ## ## ## ## Domain allowed access. 
## ## ## # define(`kernel_write_xen_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_write_xen_state'($*)) dnl gen_require(` type proc_t, proc_xen_t; ') write_files_pattern($1, { proc_t proc_xen_t }, proc_xen_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_write_xen_state'($*)) dnl ') ######################################## ## ## Allow attempts to list all proc directories. ## ## ## ## Domain allowed access. ## ## # define(`kernel_list_all_proc',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_list_all_proc'($*)) dnl gen_require(` attribute proc_type; ') allow $1 proc_type:dir list_dir_perms; allow $1 proc_type:file getattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_list_all_proc'($*)) dnl ') ######################################## ## ## Allow attempts to mounton all proc directories. ## ## ## ## Domain allowed access. ## ## # define(`kernel_mounton_all_proc',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_mounton_all_proc'($*)) dnl gen_require(` attribute proc_type; ') allow $1 proc_type:dir mounton; allow $1 proc_type:file mounton; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_mounton_all_proc'($*)) dnl ') ######################################## ## ## Do not audit attempts to list all proc directories. ## ## ## ## Domain to not audit. 
## ## # define(`kernel_dontaudit_list_all_proc',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_list_all_proc'($*)) dnl gen_require(` attribute proc_type; ') dontaudit $1 proc_type:dir list_dir_perms; dontaudit $1 proc_type:file getattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_dontaudit_list_all_proc'($*)) dnl ') ######################################## ## ## Allow attempts to read all proc types. ## ## ## ## Domain allowed access. ## ## # define(`kernel_read_all_proc',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_read_all_proc'($*)) dnl gen_require(` attribute proc_type; attribute can_dump_kernel; attribute can_receive_kernel_messages; ') read_files_pattern($1, proc_type, proc_type) typeattribute $1 can_dump_kernel; typeattribute $1 can_receive_kernel_messages; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_read_all_proc'($*)) dnl ') ######################################## ## ## Do not audit attempts by caller to search ## the base directory of sysctls. ## ## ## ## Domain to not audit. ## ## ## # define(`kernel_dontaudit_search_sysctl',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_sysctl'($*)) dnl gen_require(` type sysctl_t; ') dontaudit $1 sysctl_t:dir search; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_sysctl'($*)) dnl ') ######################################## ## ## Allow access to read sysctl directories. ## ## ## ## Domain allowed access. 
## ## ## # define(`kernel_read_sysctl',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_read_sysctl'($*)) dnl gen_require(` type sysctl_t, proc_t; ') list_dirs_pattern($1, proc_t, sysctl_t) read_files_pattern($1, sysctl_t, sysctl_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_read_sysctl'($*)) dnl ') ######################################## ## ## Allow caller to read the device sysctls. ## ## ## ## Domain allowed access. ## ## ## # define(`kernel_read_device_sysctls',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_read_device_sysctls'($*)) dnl gen_require(` type proc_t, sysctl_t, sysctl_dev_t; ') read_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_read_device_sysctls'($*)) dnl ') ######################################## ## ## Read and write device sysctls. ## ## ## ## Domain allowed access. ## ## ## # define(`kernel_rw_device_sysctls',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_rw_device_sysctls'($*)) dnl gen_require(` type proc_t, sysctl_t, sysctl_dev_t; ') rw_files_pattern($1, { proc_t sysctl_t sysctl_dev_t }, sysctl_dev_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_dev_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_rw_device_sysctls'($*)) dnl ') ######################################## ## ## Allow caller to search virtual memory sysctls. ## ## ## ## Domain allowed access. 
##
#
define(`kernel_search_vm_sysctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_vm_sysctl'($*)) dnl
	gen_require(`
		type proc_t, sysctl_t, sysctl_vm_t;
	')

	search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_vm_sysctl'($*)) dnl
')

########################################
##
## Allow caller to read virtual memory sysctls.
##
## Domain allowed access.
##
#
define(`kernel_read_vm_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_vm_sysctls'($*)) dnl
	gen_require(`
		type proc_t, sysctl_t, sysctl_vm_t;
	')

	read_files_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t)
	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_vm_sysctls'($*)) dnl
')

########################################
##
## Read and write virtual memory sysctls.
##
## Domain allowed access.
##
#
define(`kernel_rw_vm_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_vm_sysctls'($*)) dnl
	gen_require(`
		type proc_t, sysctl_t, sysctl_vm_t;
	')

	rw_files_pattern($1, { proc_t sysctl_t sysctl_vm_t }, sysctl_vm_t)
	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_vm_t)

	# hal needs this
	# NOTE(review): dir write on the vm sysctl directory goes beyond the
	# file rw granted above; worth confirming a current caller still needs it
	allow $1 sysctl_vm_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_vm_sysctls'($*)) dnl
')

########################################
##
## Search network sysctl directories.
##
## Domain allowed access.
##
#
define(`kernel_search_network_sysctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_network_sysctl'($*)) dnl
	gen_require(`
		type proc_t, sysctl_t, sysctl_net_t;
	')

	search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_network_sysctl'($*)) dnl
')

########################################
##
## Do not audit attempts by caller to search network sysctl directories.
##
## Domain to not audit.
##
#
define(`kernel_dontaudit_search_network_sysctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_network_sysctl'($*)) dnl
	gen_require(`
		type sysctl_net_t;
	')

	dontaudit $1 sysctl_net_t:dir search;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_network_sysctl'($*)) dnl
')

########################################
##
## Allow caller to read network sysctls.
##
## Domain allowed access.
##
#
define(`kernel_read_net_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_net_sysctls'($*)) dnl
	gen_require(`
		type proc_t, sysctl_t, sysctl_net_t;
	')

	# symlinks are covered too, unlike most of the other sysctl readers
	read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
	read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_net_sysctls'($*)) dnl
')

########################################
##
## Allow caller to modify contents of sysctl network files.
##
## Domain allowed access.
## ## ## # define(`kernel_rw_net_sysctls',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_rw_net_sysctls'($*)) dnl gen_require(` type proc_t, sysctl_t, sysctl_net_t; ') rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) read_lnk_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_rw_net_sysctls'($*)) dnl ') ######################################## ## ## Allow caller to read unix domain ## socket sysctls. ## ## ## ## Domain allowed access. ## ## ## # define(`kernel_read_unix_sysctls',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_read_unix_sysctls'($*)) dnl gen_require(` type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; ') read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_read_unix_sysctls'($*)) dnl ') ######################################## ## ## Read and write unix domain ## socket sysctls. ## ## ## ## Domain allowed access. ## ## ## # define(`kernel_rw_unix_sysctls',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_rw_unix_sysctls'($*)) dnl gen_require(` type proc_t, sysctl_t, sysctl_net_t, sysctl_net_unix_t; ') rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_rw_unix_sysctls'($*)) dnl ') ######################################## ## ## Read the hotplug sysctl. ## ## ## ## Domain allowed access. 
##
#
define(`kernel_read_hotplug_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_hotplug_sysctls'($*)) dnl
	# deprecated: only emits a build-time warning, no rules are generated
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_hotplug_sysctls'($*)) dnl
')

########################################
##
## Read and write the hotplug sysctl.
##
## Domain allowed access.
##
#
define(`kernel_rw_hotplug_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_hotplug_sysctls'($*)) dnl
	# deprecated: only emits a build-time warning, no rules are generated
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_hotplug_sysctls'($*)) dnl
')

########################################
##
## Read the modprobe sysctl.
##
## Domain allowed access.
##
#
define(`kernel_read_modprobe_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_modprobe_sysctls'($*)) dnl
	# deprecated: only emits a build-time warning, no rules are generated
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_modprobe_sysctls'($*)) dnl
')

########################################
##
## Read and write the modprobe sysctl.
##
## Domain allowed access.
##
#
define(`kernel_rw_modprobe_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_modprobe_sysctls'($*)) dnl
	# deprecated: only emits a build-time warning, no rules are generated
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_modprobe_sysctls'($*)) dnl
')

########################################
##
## Allow mounton generic kernel sysctls.
##
## Domain allowed access.
## ## # define(`kernel_mounton_kernel_sysctl',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_mounton_kernel_sysctl'($*)) dnl gen_require(` type sysctl_kernel_t; ') allow $1 sysctl_kernel_t:dir mounton; allow $1 sysctl_kernel_t:file mounton; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_mounton_kernel_sysctl'($*)) dnl ') ######################################## ## ## Do not audit attempts to search generic kernel sysctls. ## ## ## ## Domain to not audit. ## ## # define(`kernel_dontaudit_search_kernel_sysctl',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_kernel_sysctl'($*)) dnl gen_require(` type sysctl_kernel_t; ') dontaudit $1 sysctl_kernel_t:dir search; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_kernel_sysctl'($*)) dnl ') ######################################## ## ## Read generic crypto sysctls. ## ## ## ## Domain allowed access. ## ## # define(`kernel_read_crypto_sysctls',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_read_crypto_sysctls'($*)) dnl gen_require(` type proc_t, sysctl_t, sysctl_crypto_t; ') read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_read_crypto_sysctls'($*)) dnl ') ######################################## ## ## Read general kernel sysctls. ## ## ##

## Allow the specified domain to read general ## kernel sysctl settings. These settings are typically ## read using the sysctl program. The settings ## that are included by this interface are prefixed ## with "kernel.", for example, kernel.sysrq. ##

##

## This does not include access to the hotplug ## handler setting (kernel.hotplug) ## nor the module installer handler setting ## (kernel.modprobe). ##

##

## Related interfaces: ##

##
    ##
  • kernel_rw_kernel_sysctl()
  • ##
##
## ## ## Domain allowed access. ## ## ## # define(`kernel_read_kernel_sysctls',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_read_kernel_sysctls'($*)) dnl gen_require(` type proc_t, sysctl_t, sysctl_kernel_t; ') read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_read_kernel_sysctls'($*)) dnl ') ######################################## ## ## Do not audit attempts to write generic kernel sysctls. ## ## ## ## Domain to not audit. ## ## # define(`kernel_dontaudit_write_kernel_sysctl',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_write_kernel_sysctl'($*)) dnl gen_require(` type sysctl_kernel_t; ') dontaudit $1 sysctl_kernel_t:file write; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_dontaudit_write_kernel_sysctl'($*)) dnl ') ######################################## ## ## Read and write generic kernel sysctls. ## ## ## ## Domain allowed access. ## ## ## # define(`kernel_rw_kernel_sysctl',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_rw_kernel_sysctl'($*)) dnl gen_require(` type proc_t, sysctl_t, sysctl_kernel_t; ') rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_t }, sysctl_kernel_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_rw_kernel_sysctl'($*)) dnl ') ######################################## ## ## Read kernel ns lastpid sysctls. ## ## ## ## Domain allowed access. 
## ## ## # define(`kernel_read_kernel_ns_lastpid_sysctls',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_read_kernel_ns_lastpid_sysctls'($*)) dnl gen_require(` type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t; ') read_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_read_kernel_ns_lastpid_sysctls'($*)) dnl ') ######################################## ## ## Do not audit attempts to write kernel ns lastpid sysctls. ## ## ## ## Domain to not audit. ## ## # define(`kernel_dontaudit_write_kernel_ns_lastpid_sysctl',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_write_kernel_ns_lastpid_sysctl'($*)) dnl gen_require(` type sysctl_kernel_ns_last_pid_t; ') dontaudit $1 sysctl_kernel_ns_last_pid_t:file write; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_dontaudit_write_kernel_ns_lastpid_sysctl'($*)) dnl ') ######################################## ## ## Read and write kernel ns lastpid sysctls. ## ## ## ## Domain allowed access. ## ## ## # define(`kernel_rw_kernel_ns_lastpid_sysctl',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_rw_kernel_ns_lastpid_sysctl'($*)) dnl gen_require(` type proc_t, sysctl_t, sysctl_kernel_ns_last_pid_t; ') rw_files_pattern($1, { proc_t sysctl_t sysctl_kernel_ns_last_pid_t }, sysctl_kernel_ns_last_pid_t) list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_ns_last_pid_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_rw_kernel_ns_lastpid_sysctl'($*)) dnl ') ######################################## ## ## Read filesystem sysctls. ## ## ## ## Domain allowed access. 
##
#
define(`kernel_read_fs_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_fs_sysctls'($*)) dnl
	gen_require(`
		type proc_t, sysctl_t, sysctl_fs_t;
	')

	read_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t)
	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_fs_sysctls'($*)) dnl
')

########################################
##
## Read and write filesystem sysctls.
##
## Domain allowed access.
##
#
define(`kernel_rw_fs_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_fs_sysctls'($*)) dnl
	gen_require(`
		type proc_t, sysctl_t, sysctl_fs_t;
	')

	rw_files_pattern($1, { proc_t sysctl_t sysctl_fs_t }, sysctl_fs_t)
	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_fs_sysctls'($*)) dnl
')

########################################
##
## Read IRQ sysctls.
##
## Domain allowed access.
##
#
define(`kernel_read_irq_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_irq_sysctls'($*)) dnl
	gen_require(`
		type proc_t, sysctl_irq_t;
	')

	# the irq tree hangs directly off proc_t, not under sysctl_t
	read_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t)
	list_dirs_pattern($1, proc_t, sysctl_irq_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_irq_sysctls'($*)) dnl
')

########################################
##
## Read and write IRQ sysctls.
##
## Domain allowed access.
##
#
define(`kernel_rw_irq_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_irq_sysctls'($*)) dnl
	gen_require(`
		type proc_t, sysctl_irq_t;
	')

	rw_files_pattern($1, { proc_t sysctl_irq_t }, sysctl_irq_t)
	list_dirs_pattern($1, proc_t, sysctl_irq_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_irq_sysctls'($*)) dnl
')

########################################
##
## Read RPC sysctls.
##
## Domain allowed access.
##
#
define(`kernel_read_rpc_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_rpc_sysctls'($*)) dnl
	gen_require(`
		type proc_t, proc_net_t, sysctl_rpc_t;
	')

	# rpc sysctls are reached through proc_net_t rather than sysctl_t
	read_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
	list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_rpc_sysctls'($*)) dnl
')

########################################
##
## Read and write RPC sysctl directories.
##
## Domain allowed access.
##
#
define(`kernel_rw_rpc_sysctls_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_rpc_sysctls_dirs'($*)) dnl
	gen_require(`
		type proc_t, proc_net_t, sysctl_rpc_t;
	')

	# directories only; file access comes from the rpc_sysctls interfaces
	rw_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_rpc_sysctls_dirs'($*)) dnl
')

########################################
##
## Read and write RPC sysctls.
##
## Domain allowed access.
##
#
define(`kernel_rw_rpc_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_rpc_sysctls'($*)) dnl
	gen_require(`
		type proc_t, proc_net_t, sysctl_rpc_t;
	')

	rw_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
	list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_rpc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_rpc_sysctls'($*)) dnl
')

########################################
##
## Create RPC sysctl files.
##
## Domain allowed access.
##
#
define(`kernel_create_rpc_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_create_rpc_sysctls'($*)) dnl
	gen_require(`
		type proc_t, proc_net_t, sysctl_rpc_t;
	')

	# create only; reading or writing the files needs the rw interface above
	create_files_pattern($1, { proc_t proc_net_t sysctl_rpc_t }, sysctl_rpc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_create_rpc_sysctls'($*)) dnl
')

########################################
##
## Do not audit attempts to list all sysctl directories.
##
## Domain to not audit.
##
#
define(`kernel_dontaudit_list_all_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_list_all_sysctls'($*)) dnl
	gen_require(`
		attribute sysctl_type;
	')

	# note this also silences denied file reads, not only directory listing
	dontaudit $1 sysctl_type:dir list_dir_perms;
	dontaudit $1 sysctl_type:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_list_all_sysctls'($*)) dnl
')

########################################
##
## Allow attempts to mounton all sysctl directories.
##
## Domain allowed access.
##
#
define(`kernel_mounton_all_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_mounton_all_sysctls'($*)) dnl
	gen_require(`
		attribute sysctl_type;
	')

	allow $1 sysctl_type:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_mounton_all_sysctls'($*)) dnl
')

########################################
##
## Allow attempts to mounton all filesystems used by ProtectKernelTunables systemd feature.
##
## Domain allowed access.
##
#
define(`kernel_mounton_systemd_ProtectKernelTunables',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_mounton_systemd_ProtectKernelTunables'($*)) dnl
	gen_require(`
		type sysctl_t;
		type sysctl_irq_t;
		type proc_t;
		type mtrr_device_t;
		type debugfs_t;
		type cgroup_t;
	')

	# NOTE(review): mounton only, presumably so the caller can remount
	# these trees read-only for units that set ProtectKernelTunables=
	# (confirm against the systemd caller); no read or write access to the
	# tunables themselves is granted here
	allow $1 sysctl_t:dir mounton;
	allow $1 sysctl_irq_t:dir mounton;
	allow $1 proc_t:dir mounton;
	allow $1 mtrr_device_t:dir mounton;
	allow $1 debugfs_t:dir mounton;
	allow $1 cgroup_t:dir mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_mounton_systemd_ProtectKernelTunables'($*)) dnl
')

########################################
##
## Allow caller to read all sysctls.
##
## Domain allowed access.
##
#
define(`kernel_read_all_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_all_sysctls'($*)) dnl
	gen_require(`
		attribute sysctl_type;
		type proc_t, proc_net_t;
	')

	# proc_net_t for /proc/net/rpc sysctls
	read_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
	list_dirs_pattern($1, { proc_t proc_net_t }, sysctl_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_all_sysctls'($*)) dnl
')

########################################
##
## Read and write all sysctls.
##
## Domain allowed access.
##
#
define(`kernel_rw_all_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_all_sysctls'($*)) dnl
	gen_require(`
		attribute sysctl_type;
		type proc_t, proc_net_t;
	')

	# proc_net_t for /proc/net/rpc sysctls
	# NOTE(review): sysctl_type is the attribute shared by the sysctl types,
	# so this is a write grant over every kernel tunable at once; prefer the
	# per-subsystem kernel_rw_*_sysctls interfaces for callers that only need
	# one area
	rw_files_pattern($1, { proc_t proc_net_t sysctl_type }, sysctl_type)
	allow $1 sysctl_type:dir list_dir_perms;

	# why is setattr needed?
	# NOTE(review): still an open question; no caller in this view explains it
	allow $1 sysctl_type:file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_all_sysctls'($*)) dnl
')

########################################
##
## Send a kill signal to unlabeled processes.
##
## Domain allowed access.
##
#
define(`kernel_kill_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_kill_unlabeled'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_kill_unlabeled'($*)) dnl
')

########################################
##
## Mount a kernel unlabeled filesystem.
##
## Domain allowed access.
##
#
define(`kernel_mount_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_mount_unlabeled'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	# mount only; the matching unmount permission is a separate interface
	allow $1 unlabeled_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_mount_unlabeled'($*)) dnl
')

########################################
##
## Unmount a kernel unlabeled filesystem.
##
## Domain allowed access.
##
#
define(`kernel_unmount_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_unmount_unlabeled'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_unmount_unlabeled'($*)) dnl
')

########################################
##
## Send general signals to unlabeled processes.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_signal_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_signal_unlabeled'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	# signal is the generic permission; sigkill, sigstop and sigchld
	# are separate permissions with their own interfaces below
	allow $1 unlabeled_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_signal_unlabeled'($*)) dnl
')

########################################
##
## Send a null signal to unlabeled processes.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_signull_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_signull_unlabeled'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_signull_unlabeled'($*)) dnl
')

########################################
##
## Send a stop signal to unlabeled processes.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_sigstop_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_sigstop_unlabeled'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:process sigstop;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_sigstop_unlabeled'($*)) dnl
')

########################################
##
## Send a child terminated signal to unlabeled processes.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_sigchld_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_sigchld_unlabeled'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_sigchld_unlabeled'($*)) dnl
')

########################################
##
## List unlabeled directories.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_list_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_list_unlabeled'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_list_unlabeled'($*)) dnl
')

########################################
##
## Delete unlabeled files.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_delete_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_delete_unlabeled'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	# deletion of unlabeled directories and of every file class in
	# dir_file_class_set, not just regular files
	allow $1 unlabeled_t:dir delete_dir_perms;
	allow $1 unlabeled_t:dir_file_class_set delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_delete_unlabeled'($*)) dnl
')

########################################
##
## Read the process state (/proc/pid) of all unlabeled_t.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_read_unlabeled_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_unlabeled_state'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	# unlabeled_t is both the container and the object type in the
	# patterns below
	allow $1 unlabeled_t:dir list_dir_perms;
	read_files_pattern($1, unlabeled_t, unlabeled_t)
	read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_unlabeled_state'($*)) dnl
')

########################################
##
## Do not audit attempts to list unlabeled directories.
##
## Parameter 1: Domain to not audit.
##
#
define(`kernel_dontaudit_list_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_list_unlabeled'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	dontaudit $1 unlabeled_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_list_unlabeled'($*)) dnl
')

########################################
##
## Read and write unlabeled directories.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_rw_unlabeled_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_unlabeled_dirs'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_unlabeled_dirs'($*)) dnl
')

########################################
##
## Read and write unlabeled files.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_rw_unlabeled_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_unlabeled_files'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_unlabeled_files'($*)) dnl
')

########################################
##
## Do not audit attempts by caller to get the
## attributes of an unlabeled file.
##
## Parameter 1: Domain to not audit.
##
#
define(`kernel_dontaudit_getattr_unlabeled_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_files'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	dontaudit $1 unlabeled_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_files'($*)) dnl
')

########################################
##
## Do not audit attempts by caller to
## read an unlabeled file.
##
## Parameter 1: Domain to not audit.
##
#
define(`kernel_dontaudit_read_unlabeled_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_read_unlabeled_files'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	dontaudit $1 unlabeled_t:file { getattr read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_read_unlabeled_files'($*)) dnl
')

########################################
##
## Do not audit attempts by caller to get the
## attributes of unlabeled symbolic links.
##
## Parameter 1: Domain to not audit.
##
#
define(`kernel_dontaudit_getattr_unlabeled_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_symlinks'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	dontaudit $1 unlabeled_t:lnk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_symlinks'($*)) dnl
')

########################################
##
## Do not audit attempts by caller to get the
## attributes of unlabeled named pipes.
##
## Parameter 1: Domain to not audit.
##
#
define(`kernel_dontaudit_getattr_unlabeled_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_pipes'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	dontaudit $1 unlabeled_t:fifo_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_pipes'($*)) dnl
')

########################################
##
## Do not audit attempts by caller to get the
## attributes of unlabeled named sockets.
##
## Parameter 1: Domain to not audit.
##
#
define(`kernel_dontaudit_getattr_unlabeled_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_sockets'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	dontaudit $1 unlabeled_t:sock_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_sockets'($*)) dnl
')

########################################
##
## Do not audit attempts by caller to get attributes for
## unlabeled block devices.
##
## Parameter 1: Domain to not audit.
##
#
define(`kernel_dontaudit_getattr_unlabeled_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_blk_files'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	dontaudit $1 unlabeled_t:blk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_blk_files'($*)) dnl
')

########################################
##
## Read and write unlabeled block device nodes.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_rw_unlabeled_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_unlabeled_blk_files'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	# NOTE(review): only getattr is granted here, although the interface
	# name and summary say read and write; confirm which is intended
	allow $1 unlabeled_t:blk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_unlabeled_blk_files'($*)) dnl
')

########################################
##
## Read and write unlabeled sockets.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_rw_unlabeled_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_unlabeled_socket'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	# generic socket class only; the per-protocol socket classes have
	# their own interfaces further down
	allow $1 unlabeled_t:socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_unlabeled_socket'($*)) dnl
')

########################################
##
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
##
## Parameter 1: Domain to not audit.
##
#
define(`kernel_dontaudit_getattr_unlabeled_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_unlabeled_chr_files'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	dontaudit $1 unlabeled_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_unlabeled_chr_files'($*)) dnl
')

########################################
##
## Allow caller to relabel unlabeled directories.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_relabelfrom_unlabeled_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_dirs'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	# relabelfrom only; the relabelto side must be granted on the
	# destination type by the caller
	allow $1 unlabeled_t:dir { list_dir_perms relabelfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_dirs'($*)) dnl
')

########################################
##
## Allow caller to relabel unlabeled filesystems.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_relabelfrom_unlabeled_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_fs'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:filesystem relabelfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_fs'($*)) dnl
')

########################################
##
## Allow caller to relabel unlabeled files.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_relabelfrom_unlabeled_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_files'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	# directory listing comes from kernel_list_unlabeled
	kernel_list_unlabeled($1)
	allow $1 unlabeled_t:file { getattr relabelfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_files'($*)) dnl
')

########################################
##
## Allow caller to relabel unlabeled symbolic links.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_relabelfrom_unlabeled_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_symlinks'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	kernel_list_unlabeled($1)
	allow $1 unlabeled_t:lnk_file { getattr relabelfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_symlinks'($*)) dnl
')

########################################
##
## Allow caller to relabel unlabeled named pipes.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_relabelfrom_unlabeled_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_pipes'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	kernel_list_unlabeled($1)
	allow $1 unlabeled_t:fifo_file { getattr relabelfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_pipes'($*)) dnl
')

########################################
##
## Allow caller to relabel unlabeled named sockets.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_relabelfrom_unlabeled_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_sockets'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	kernel_list_unlabeled($1)
	allow $1 unlabeled_t:sock_file { getattr relabelfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_sockets'($*)) dnl
')

########################################
##
## Send and receive messages from an
## unlabeled IPSEC association.
##
##

## Send and receive messages from an unlabeled IPSEC association. Network connections that are not protected by IPSEC use an unlabeled association. ##

##

## The corenetwork interface ## corenet_non_ipsec_sendrecv() should ## be used instead of this one. ##

##
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_sendrecv_unlabeled_association',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_sendrecv_unlabeled_association'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	# both directions on the unlabeled association
	allow $1 unlabeled_t:association { sendto recvfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_sendrecv_unlabeled_association'($*)) dnl
')

########################################
##
## Do not audit attempts to send and receive messages
## from an unlabeled IPSEC association.
##
##

## Do not audit attempts to send and receive messages from an unlabeled IPSEC association. Network connections that are not protected by IPSEC use an unlabeled association. ##

##

## The corenetwork interface ## corenet_dontaudit_non_ipsec_sendrecv() should ## be used instead of this one. ##

##
##
## Parameter 1: Domain to not audit.
##
#
define(`kernel_dontaudit_sendrecv_unlabeled_association',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_sendrecv_unlabeled_association'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	dontaudit $1 unlabeled_t:association { sendto recvfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_sendrecv_unlabeled_association'($*)) dnl
')

########################################
##
## Receive DCCP packets from an unlabeled connection.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_dccp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dccp_recvfrom_unlabeled'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:dccp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dccp_recvfrom_unlabeled'($*)) dnl
')

########################################
##
## Receive TCP packets from an unlabeled connection.
##
##

## Receive TCP packets from an unlabeled connection. ##

##

## The corenetwork interface corenet_tcp_recv_unlabeled() should ## be used instead of this one. ##

##
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_tcp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_tcp_recvfrom_unlabeled'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:tcp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_tcp_recvfrom_unlabeled'($*)) dnl
')

########################################
##
## Do not audit attempts to receive DCCP packets from an unlabeled
## connection.
##
## Parameter 1: Domain to not audit.
##
#
define(`kernel_dontaudit_dccp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_dccp_recvfrom_unlabeled'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	dontaudit $1 unlabeled_t:dccp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_dccp_recvfrom_unlabeled'($*)) dnl
')

########################################
##
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
##
##

## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ##

##

## The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled() ## should be used instead of this one. ##

##
##
## Parameter 1: Domain to not audit.
##
#
define(`kernel_dontaudit_tcp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_tcp_recvfrom_unlabeled'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	dontaudit $1 unlabeled_t:tcp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_tcp_recvfrom_unlabeled'($*)) dnl
')

########################################
##
## Receive UDP packets from an unlabeled connection.
##
##

## Receive UDP packets from an unlabeled connection. ##

##

## The corenetwork interface corenet_udp_recv_unlabeled() should ## be used instead of this one. ##

##
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_udp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_udp_recvfrom_unlabeled'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:udp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_udp_recvfrom_unlabeled'($*)) dnl
')

########################################
##
## Do not audit attempts to receive UDP packets from an unlabeled
## connection.
##
##

## Do not audit attempts to receive UDP packets from an unlabeled ## connection. ##

##

## The corenetwork interface corenet_dontaudit_udp_recv_unlabeled() ## should be used instead of this one. ##

##
##
## Parameter 1: Domain to not audit.
##
#
define(`kernel_dontaudit_udp_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_udp_recvfrom_unlabeled'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	dontaudit $1 unlabeled_t:udp_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_udp_recvfrom_unlabeled'($*)) dnl
')

########################################
##
## Receive Raw IP packets from an unlabeled connection.
##
##

## Receive Raw IP packets from an unlabeled connection. ##

##

## The corenetwork interface corenet_raw_recv_unlabeled() should ## be used instead of this one. ##

##
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_raw_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_raw_recvfrom_unlabeled'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	# recvfrom only; kernel_rw_unlabeled_rawip_socket grants the
	# full rw_socket_perms set
	allow $1 unlabeled_t:rawip_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_raw_recvfrom_unlabeled'($*)) dnl
')

########################################
##
## Read/Write Raw IP packets from an unlabeled connection.
##
##

## Read and write Raw IP packets from an unlabeled connection. ##

##

## The corenetwork interface corenet_raw_recv_unlabeled() should ## be used instead of this one. ##

##
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_rw_unlabeled_rawip_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_unlabeled_rawip_socket'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:rawip_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_unlabeled_rawip_socket'($*)) dnl
')

########################################
##
## Read/Write smc packets from an unlabeled connection.
##
##

## Read and write smc packets from an unlabeled connection. ##

##
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_rw_unlabeled_smc_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_unlabeled_smc_socket'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:smc_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_unlabeled_smc_socket'($*)) dnl
')

########################################
##
## Read/Write vsock packets from an unlabeled connection.
##
##

## Read and write vsock packets from an unlabeled connection. ##

##
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_rw_unlabeled_vsock_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_unlabeled_vsock_socket'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:vsock_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_unlabeled_vsock_socket'($*)) dnl
')

########################################
##
## Do not audit attempts to receive Raw IP packets from an unlabeled
## connection.
##
##

## Do not audit attempts to receive Raw IP packets from an unlabeled ## connection. ##

##

## The corenetwork interface corenet_dontaudit_raw_recv_unlabeled() ## should be used instead of this one. ##

##
##
## Parameter 1: Domain to not audit.
##
#
define(`kernel_dontaudit_raw_recvfrom_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_raw_recvfrom_unlabeled'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	dontaudit $1 unlabeled_t:rawip_socket recvfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_raw_recvfrom_unlabeled'($*)) dnl
')

########################################
##
## Send and receive unlabeled packets.
##
##

## Send and receive unlabeled packets. ## These packets do not match any netfilter ## SECMARK rules. ##

##

## The corenetwork interface ## corenet_sendrecv_unlabeled_packets() should ## be used instead of this one. ##

##
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_sendrecv_unlabeled_packets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_sendrecv_unlabeled_packets'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	# packet class, i.e. traffic not matched by any SECMARK rule
	allow $1 unlabeled_t:packet { send recv };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_sendrecv_unlabeled_packets'($*)) dnl
')

########################################
##
## Receive packets from an unlabeled peer.
##
##

## Receive packets from an unlabeled peer, these packets do not have any ## peer labeling information present. ##

##

## The corenetwork interface corenet_recvfrom_unlabeled_peer() should ## be used instead of this one. ##

##
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_recvfrom_unlabeled_peer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_recvfrom_unlabeled_peer'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	allow $1 unlabeled_t:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_recvfrom_unlabeled_peer'($*)) dnl
')

########################################
##
## Do not audit attempts to receive packets from an unlabeled peer.
##
##

## Do not audit attempts to receive packets from an unlabeled peer, ## these packets do not have any peer labeling information present. ##

##

## The corenetwork interface corenet_dontaudit_*_recvfrom_unlabeled() ## should be used instead of this one. ##

##
##
## Parameter 1: Domain to not audit.
##
#
define(`kernel_dontaudit_recvfrom_unlabeled_peer',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_recvfrom_unlabeled_peer'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	dontaudit $1 unlabeled_t:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_recvfrom_unlabeled_peer'($*)) dnl
')

########################################
##
## Relabel from unlabeled database objects.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_relabelfrom_unlabeled_database',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_unlabeled_database'($*)) dnl
	gen_require(`
		type unlabeled_t;
		class db_database { setattr relabelfrom };
		class db_schema { setattr relabelfrom };
		class db_table { setattr relabelfrom };
		class db_sequence { setattr relabelfrom };
		class db_view { setattr relabelfrom };
		class db_procedure { setattr relabelfrom };
		class db_language { setattr relabelfrom };
		class db_column { setattr relabelfrom };
		class db_tuple { update relabelfrom };
		class db_blob { setattr relabelfrom };
	')

	# one rule per database object class; the permission sets mirror
	# the class requirements above (db_tuple uses update, not setattr)
	allow $1 unlabeled_t:db_database { setattr relabelfrom };
	allow $1 unlabeled_t:db_schema { setattr relabelfrom };
	allow $1 unlabeled_t:db_table { setattr relabelfrom };
	allow $1 unlabeled_t:db_sequence { setattr relabelfrom };
	allow $1 unlabeled_t:db_view { setattr relabelfrom };
	allow $1 unlabeled_t:db_procedure { setattr relabelfrom };
	allow $1 unlabeled_t:db_language { setattr relabelfrom };
	allow $1 unlabeled_t:db_column { setattr relabelfrom };
	allow $1 unlabeled_t:db_tuple { update relabelfrom };
	allow $1 unlabeled_t:db_blob { setattr relabelfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_unlabeled_database'($*)) dnl
')

########################################
##
## Relabel to unlabeled context.
##
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_relabelto_unlabeled',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_relabelto_unlabeled'($*)) dnl
	gen_require(`
		type unlabeled_t;
	')

	# relabelto unlabeled_t for every class in dir_file_class_set;
	# objects relabeled this way carry the unlabeled type afterwards,
	# so callers of this interface should be few and well justified
	allow $1 unlabeled_t:dir_file_class_set relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_relabelto_unlabeled'($*)) dnl
')

########################################
##
## Unconfined access to kernel module resources.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_unconfined'($*)) dnl
	gen_require(`
		attribute kern_unconfined;
	')

	# kern_unconfined attribute plus kernel module loading; this is
	# unconfined access to kernel resources and should be granted to
	# as few domains as possible
	typeattribute $1 kern_unconfined;
	kernel_load_module($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_unconfined'($*)) dnl
')

########################################
##
## Allow the specified domain to read from and get
## attributes of a kernel unix stream socket.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_stream_read',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_stream_read'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	# read as well as getattr, despite the older summary wording
	allow $1 kernel_t:unix_stream_socket { read getattr };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_stream_read'($*)) dnl
')

#######################################
##
## Allow the specified domain to write to and get
## attributes of a kernel unix stream socket.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_stream_write',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_stream_write'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	allow $1 kernel_t:unix_stream_socket { write getattr };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_stream_write'($*)) dnl
')

#######################################
##
## Allow the specified domain to read/write on
## the kernel with a unix stream socket.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_rw_stream_socket_perms',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_stream_socket_perms'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	# full rw_socket_perms on the kernel stream socket, plus use of
	# kernel file descriptors
	allow $1 kernel_t:unix_stream_socket rw_socket_perms;
	allow $1 kernel_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_stream_socket_perms'($*)) dnl
')

########################################
##
## Make the specified type usable for regular entries in proc.
##
## Parameter 1: Type to be used for /proc entries.
##
#
define(`kernel_proc_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_proc_type'($*)) dnl
	gen_require(`
		attribute proc_type;
	')

	typeattribute $1 proc_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_proc_type'($*)) dnl
')

########################################
##
## Do not audit attempts by caller to get attributes on all sysctls.
##
## Parameter 1: Domain to not audit.
##
#
define(`kernel_dontaudit_getattr_all_sysctls',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_getattr_all_sysctls'($*)) dnl
	gen_require(`
		attribute sysctl_type;
	')

	dontaudit $1 sysctl_type:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_getattr_all_sysctls'($*)) dnl
')

########################################
##
## Read the process state (/proc/pid) of the kernel.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_state'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	# search only on directories, read on files and symlinks
	allow $1 kernel_t:dir search_dir_perms;
	allow $1 kernel_t:file read_file_perms;
	allow $1 kernel_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_state'($*)) dnl
')

########################################
##
## Dontaudit attempts to read the process state (/proc/pid) of the kernel.
##
## Parameter 1: Domain to not audit.
##
#
define(`kernel_dontaudit_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_read_state'($*)) dnl
	gen_require(`
		type kernel_t;
	')

	# same permission sets as kernel_read_state, but dontaudit
	dontaudit $1 kernel_t:dir search_dir_perms;
	dontaudit $1 kernel_t:file read_file_perms;
	dontaudit $1 kernel_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_read_state'($*)) dnl
')

########################################
##
## Allow searching of numa state directory.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_search_numa_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_search_numa_state'($*)) dnl
	gen_require(`
		type proc_t, proc_numa_t;
	')

	search_dirs_pattern($1, proc_t, proc_numa_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_search_numa_state'($*)) dnl
')

########################################
##
## Do not audit attempts to search the numa
## state directory.
##
## Parameter 1: Domain to not audit.
##
#
define(`kernel_dontaudit_search_numa_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_numa_state'($*)) dnl
	gen_require(`
		type proc_numa_t;
	')

	dontaudit $1 proc_numa_t:dir search;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_numa_state'($*)) dnl
')

########################################
##
## Allow caller to read the numa state information.
##
## Parameter 1: Domain allowed access.
##
#
define(`kernel_read_numa_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_numa_state'($*)) dnl
	gen_require(`
		type proc_t, proc_numa_t;
	')

	# files and symlinks under both proc_t and proc_numa_t containers,
	# directory listing only via proc_t
	read_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
	read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t)
	list_dirs_pattern($1, proc_t, proc_numa_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `kernel_read_numa_state'($*)) dnl
')

########################################
##
## Allow caller to read the numa state symbolic links.
##
## Parameter 1: Domain allowed access.
## ## ## # define(`kernel_read_numa_state_symlinks',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_read_numa_state_symlinks'($*)) dnl gen_require(` type proc_t, proc_numa_t; ') read_lnk_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) list_dirs_pattern($1, proc_t, proc_numa_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_read_numa_state_symlinks'($*)) dnl ') ######################################## ## ## Allow caller to write numa state information. ## ## ## ## Domain allowed access. ## ## ## # define(`kernel_write_numa_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_write_numa_state'($*)) dnl gen_require(` type proc_t, proc_numa_t; ') write_files_pattern($1, { proc_t proc_numa_t }, proc_numa_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_write_numa_state'($*)) dnl ') ######################################## ## ## Allow caller to search virtual memory overcommit sysctls. ## ## ## ## Domain allowed access. ## ## # define(`kernel_search_vm_overcommit_sysctl',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_search_vm_overcommit_sysctl'($*)) dnl gen_require(` type sysctl_vm_overcommit_t; ') kernel_search_vm_sysctl($1) search_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_search_vm_overcommit_sysctl'($*)) dnl ') ######################################## ## ## Allow caller to read virtual memory overcommit sysctls. ## ## ## ## Domain allowed access. 
## ## ## # define(`kernel_read_vm_overcommit_sysctls',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_read_vm_overcommit_sysctls'($*)) dnl gen_require(` type sysctl_vm_overcommit_t; ') kernel_search_vm_sysctl($1) read_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_read_vm_overcommit_sysctls'($*)) dnl ') ######################################## ## ## Read and write virtual memory overcommit sysctls. ## ## ## ## Domain allowed access. ## ## ## # define(`kernel_rw_vm_overcommit_sysctls',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_rw_vm_overcommit_sysctls'($*)) dnl gen_require(` type sysctl_vm_overcommit_t; ') kernel_search_vm_sysctl($1) rw_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_rw_vm_overcommit_sysctls'($*)) dnl ') ######################################## ## ## Do not audit attempts to search the security ## state directory. ## ## ## ## Domain to not audit. ## ## ## # define(`kernel_dontaudit_search_security_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_security_state'($*)) dnl gen_require(` type proc_security_t; ') dontaudit $1 proc_security_t:dir search; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_security_state'($*)) dnl ') ######################################## ## ## Allow searching of security state directory. ## ## ## ## Domain allowed access. 
## ## ## # define(`kernel_search_security_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_search_security_state'($*)) dnl gen_require(` type proc_security_t; ') search_dirs_pattern($1, proc_t, proc_security_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_search_security_state'($*)) dnl ') ######################################## ## ## Read the security state information. ## ## ##

## Allow the specified domain to read the security ## state information. ##

##
## ## ## Domain allowed access. ## ## ## ## # define(`kernel_read_security_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_read_security_state'($*)) dnl gen_require(` type proc_t, proc_security_t; attribute sysctl_type; ') read_files_pattern($1, { proc_t proc_security_t }, proc_security_t) read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t) list_dirs_pattern($1, proc_t, proc_security_t) allow $1 sysctl_type:dir search_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_read_security_state'($*)) dnl ') ######################################## ## ## Write the security state information. ## ## ##

## Allow the specified domain to write the security ## state information. ##

##
## ## ## Domain allowed access. ## ## ## ## # define(`kernel_write_security_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_write_security_state'($*)) dnl gen_require(` type proc_t, proc_security_t; ') write_files_pattern($1, { proc_t proc_security_t }, proc_security_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_write_security_state'($*)) dnl ') ######################################## ## ## Allow caller to read the security state symbolic links. ## ## ## ## Domain allowed access. ## ## # define(`kernel_read_security_state_symlinks',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_read_security_state_symlinks'($*)) dnl gen_require(` type proc_t, proc_security_t; ') read_lnk_files_pattern($1, { proc_t proc_security_t }, proc_security_t) list_dirs_pattern($1, proc_t, proc_security_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_read_security_state_symlinks'($*)) dnl ') ######################################## ## ## Access unlabeled infiniband pkeys. ## ## ## ## Domain allowed access. ## ## # define(`kernel_ib_access_unlabeled_pkeys',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_ib_access_unlabeled_pkeys'($*)) dnl gen_require(` type unlabeled_t; ') allow $1 unlabeled_t:infiniband_pkey access; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_ib_access_unlabeled_pkeys'($*)) dnl ') ######################################## ## ## Manage subnet on unlabeled Infiniband endports. ## ## ## ## Domain allowed access. 
## </summary>
## </param>
#
define(`kernel_ib_manage_subnet_unlabeled_endports',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kernel_ib_manage_subnet_unlabeled_endports'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	# manage_subnet on endports that carry no label (unlabeled_t); this is the
	# privilege a subnet manager needs, so grant it only to such daemons.
	allow $1 unlabeled_t:infiniband_endport manage_subnet;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kernel_ib_manage_subnet_unlabeled_endports'($*))dnl
')

########################################
## <summary>
##	Read and write the security state information.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_rw_security_state',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kernel_rw_security_state'($*))dnl
	gen_require(`
		type proc_t, proc_security_t;
	')

	# read/write on proc_security_t files reached through proc_t or
	# proc_security_t directories, plus directory listing; symlinks are not
	# covered here (see kernel_read_security_state_symlinks).
	rw_files_pattern($1, { proc_t proc_security_t }, proc_security_t)
	list_dirs_pattern($1, proc_t, proc_security_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kernel_rw_security_state'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to search the usermodehelper
##	state directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
##
#
define(`kernel_dontaudit_search_usermodehelper_state',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_search_usermodehelper_state'($*))dnl
	gen_require(`
		type usermodehelper_t;
	')

	# suppresses the AVC denial only; no access is granted
	dontaudit $1 usermodehelper_t:dir search;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kernel_dontaudit_search_usermodehelper_state'($*))dnl
')

########################################
## <summary>
##	Allow searching of usermodehelper state directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## ## # define(`kernel_search_usermodehelper_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_search_usermodehelper_state'($*)) dnl gen_require(` type usermodehelper_t; ') search_dirs_pattern($1, proc_t, usermodehelper_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_search_usermodehelper_state'($*)) dnl ') ######################################## ## ## Read the usermodehelper state information. ## ## ##

## Allow the specified domain to read the usermodehelper ## state information. ##

##
## ## ## Domain allowed access. ## ## ## ## # define(`kernel_read_usermodehelper_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_read_usermodehelper_state'($*)) dnl gen_require(` type proc_t, usermodehelper_t; ') read_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t) read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t) list_dirs_pattern($1, proc_t, usermodehelper_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_read_usermodehelper_state'($*)) dnl ') ######################################## ## ## Allow caller to read the usermodehelper state symbolic links. ## ## ## ## Domain allowed access. ## ## # define(`kernel_read_usermodehelper_state_symlinks',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_read_usermodehelper_state_symlinks'($*)) dnl gen_require(` type proc_t, usermodehelper_t; ') read_lnk_files_pattern($1, { proc_t usermodehelper_t }, usermodehelper_t) list_dirs_pattern($1, proc_t, usermodehelper_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_read_usermodehelper_state_symlinks'($*)) dnl ') ######################################## ## ## Read and write usermodehelper state ## ## ## ## Domain allowed access. ## ## ## # define(`kernel_rw_usermodehelper_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_rw_usermodehelper_state'($*)) dnl gen_require(` type proc_t, usermodehelper_t; ') dev_search_sysfs($1) rw_files_pattern($1, proc_t, usermodehelper_t) list_dirs_pattern($1, proc_t, usermodehelper_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_rw_usermodehelper_state'($*)) dnl ') ######################################## ## ## Dontaudit write usermodehelper state ## ## ## ## Domain to not audit. 
## ## ## # define(`kernel_dontaudit_write_usermodehelper_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_dontaudit_write_usermodehelper_state'($*)) dnl gen_require(` type usermodehelper_t; ') dontaudit $1 usermodehelper_t:file write; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_dontaudit_write_usermodehelper_state'($*)) dnl ') ######################################## ## ## Relabel to usermodehelper context . ## ## ## ## Domain allowed access. ## ## # define(`kernel_relabelto_usermodehelper',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_relabelto_usermodehelper'($*)) dnl gen_require(` type usermodehelper_t; ') allow $1 usermodehelper_t:file relabelto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_relabelto_usermodehelper'($*)) dnl ') ######################################## ## ## Relabel from usermodehelper context . ## ## ## ## Domain allowed access. ## ## # define(`kernel_relabelfrom_usermodehelper',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `kernel_relabelfrom_usermodehelper'($*)) dnl gen_require(` type usermodehelper_t; ') allow $1 usermodehelper_t:file { getattr relabelfrom }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `kernel_relabelfrom_usermodehelper'($*)) dnl ') ######################################## ## ## Read netlink audit socket ## ## ## ## Domain allowed access. 
## </summary>
## </param>
#
define(`kernel_read_netlink_audit_socket',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kernel_read_netlink_audit_socket'($*))dnl
	gen_require(`
		type kernel_t;
	')

	# read-side permission set only (r_netlink_socket_perms) on the kernel's
	# audit netlink socket
	allow $1 kernel_t:netlink_audit_socket r_netlink_socket_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kernel_read_netlink_audit_socket'($*))dnl
')

########################################
## <summary>
##	Execute an unlabeled file in the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	The type of the new process.
##	</summary>
## </param>
#
define(`kernel_unlabeled_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kernel_unlabeled_domtrans'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	# unlabeled_t covers files that carry no SELinux label, so the transition
	# below applies to every such file $1 executes; keep callers limited to
	# domains that genuinely need to run unlabeled programs.
	read_lnk_files_pattern($1, unlabeled_t, unlabeled_t)
	domain_transition_pattern($1, unlabeled_t, $2)
	# automatic transition: executing an unlabeled file from $1 lands in $2
	type_transition $1 unlabeled_t:process $2;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kernel_unlabeled_domtrans'($*))dnl
')

########################################
## <summary>
##	Make general programs without labels an entrypoint for
##	the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	The domain for which unlabeled_t is an entrypoint.
##	</summary>
## </param>
#
define(`kernel_unlabeled_entry_type',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kernel_unlabeled_entry_type'($*))dnl
	gen_require(`
		type unlabeled_t;
	')

	# entrypoint on unlabeled_t means any file lacking a label can start
	# domain $1; together with a domain transition this widens who can reach
	# $1, so the set of callers should stay small.
	allow $1 unlabeled_t:file entrypoint;
	allow $1 unlabeled_t:file { mmap_exec_file_perms ioctl lock };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kernel_unlabeled_entry_type'($*))dnl
')

########################################
## <summary>
##	Allow the caller to load a new kernel.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## </summary>
## </param>
#
define(`kernel_kexec_load',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kernel_kexec_load'($*))dnl
	# CAP_SYS_BOOT for the kexec load itself; the lockdown:integrity
	# permission is additionally required on kernels that enforce lockdown,
	# since loading a new kernel modifies the running kernel.
	allow $1 self:capability sys_boot;
	allow $1 self:lockdown integrity;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kernel_kexec_load'($*))dnl
')

########################################
## <summary>
##	Allow the caller to write perf_event.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_write_perf_event',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kernel_write_perf_event'($*))dnl
	# NOTE(review): capability2 perfmon is the dedicated perf capability on
	# newer kernels; older kernels fall back to sys_admin, which is not
	# granted here — confirm against the target kernel.
	allow $1 self:capability2 perfmon;
	# The confidentiality permission may not be needed soon if
	# the kernel commit 08ef1af4de5f
	# (perf/core: Fix unconditional security_locked_down() call)
	# is backported to stable kernels
	allow $1 self:lockdown confidentiality;
	allow $1 self:perf_event write_perf_event_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kernel_write_perf_event'($*))dnl
')

########################################
## <summary>
##	Allow the caller to manage perf_event.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`kernel_manage_perf_event',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `kernel_manage_perf_event'($*))dnl
	allow $1 self:capability2 perfmon;
	# The confidentiality permission may not be needed, refer to kernel_write_perf_event()
	allow $1 self:lockdown confidentiality;
	# manage_perf_event_perms is the broader set; use kernel_write_perf_event()
	# where write access alone is sufficient.
	allow $1 self:perf_event manage_perf_event_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `kernel_manage_perf_event'($*))dnl
')

## <summary>Multicategory security policy</summary>
## <required val="true">
##	Contains attributes used in MCS policy.
## </required>

########################################
## <summary>
##	Constrain by category access control (MCS).
## </summary>
## <desc>
##	<p>

## Constrain the specified type by category-based ## access control (MCS). This prevents this domain from ## interacting with subjects and operating on objects ## that it otherwise would be able to interact ## with or operate on, respectively. ##

##
## ## ## Type to be constrained by MCS. ## ## ## # define(`mcs_constrained',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mcs_constrained'($*)) dnl gen_require(` attribute mcs_constrained_type; ') typeattribute $1 mcs_constrained_type; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mcs_constrained'($*)) dnl ') ######################################## ## ## This domain is allowed to read files and directories ## regardless of their MCS category set. ## ## ## ## Domain target for user exemption. ## ## ## # define(`mcs_file_read_all',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mcs_file_read_all'($*)) dnl refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mcs_file_read_all'($*)) dnl ') ######################################## ## ## This domain is allowed to write files and directories ## regardless of their MCS category set. ## ## ## ## Domain target for user exemption. ## ## ## # define(`mcs_file_write_all',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mcs_file_write_all'($*)) dnl refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mcs_file_write_all'($*)) dnl ') ######################################## ## ## This domain is allowed to sigkill and sigstop ## all domains regardless of their MCS category set. ## ## ## ## Domain target for user exemption. 
## ## ## # define(`mcs_killall',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mcs_killall'($*)) dnl refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mcs_killall'($*)) dnl ') ######################################## ## ## This domain is allowed to ptrace ## all domains regardless of their MCS ## category set. ## ## ## ## Domain target for user exemption. ## ## # define(`mcs_ptrace_all',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mcs_ptrace_all'($*)) dnl refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mcs_ptrace_all'($*)) dnl ') ######################################## ## ## Make specified domain MCS trusted ## for setting any category set for ## the processes it executes. ## ## ## ## Domain target for user exemption. ## ## # define(`mcs_process_set_categories',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mcs_process_set_categories'($*)) dnl gen_require(` attribute mcssetcats; ') typeattribute $1 mcssetcats; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mcs_process_set_categories'($*)) dnl ') ######################################## ## ## Make specified domain MCS trusted ## for writing to sockets at any level. ## ## ## ## Domain allowed access. 
## ## ## # define(`mcs_socket_write_all_levels',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mcs_socket_write_all_levels'($*)) dnl refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mcs_socket_write_all_levels'($*)) dnl ') ## Multilevel security policy ## ##

## This module contains interfaces for handling multilevel ## security. The interfaces allow the specified subjects ## and objects to be allowed certain privileges in the ## MLS rules. ##

##
## ## Contains attributes used in MLS policy. ## ######################################## ## ## Make specified domain MLS trusted ## for reading from files up to its clearance. ## ## ## ## Domain allowed access. ## ## ## # define(`mls_file_read_to_clearance',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_file_read_to_clearance'($*)) dnl gen_require(` attribute mlsfilereadtoclr; ') typeattribute $1 mlsfilereadtoclr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_file_read_to_clearance'($*)) dnl ') ######################################## ## ## Make specified domain MLS trusted ## for reading from files at all levels. (Deprecated) ## ## ##

## Make specified domain MLS trusted ## for reading from files at all levels. ##

##

## This interface has been deprecated, please use ## mls_file_read_all_levels() instead. ##

##
## ## ## Domain allowed access. ## ## # define(`mls_file_read_up',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_file_read_up'($*)) dnl refpolicywarn(`$0($*) has been deprecated, please use mls_file_read_all_levels() instead.') mls_file_read_all_levels($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_file_read_up'($*)) dnl ') ######################################## ## ## Make specified domain MLS trusted ## for reading from files at all levels. ## ## ## ## Domain allowed access. ## ## ## # define(`mls_file_read_all_levels',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_file_read_all_levels'($*)) dnl gen_require(` attribute mlsfileread; ') typeattribute $1 mlsfileread; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_file_read_all_levels'($*)) dnl ') ######################################## ## ## Make specified domain MLS trusted ## for write to files up to its clearance. ## ## ## ## Domain allowed access. ## ## ## # define(`mls_file_write_to_clearance',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_file_write_to_clearance'($*)) dnl gen_require(` attribute mlsfilewritetoclr; ') typeattribute $1 mlsfilewritetoclr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_file_write_to_clearance'($*)) dnl ') ######################################## ## ## Make specified domain MLS trusted ## for relabelto to files up to its clearance. ## ## ## ## Domain allowed access. 
## ## ## # define(`mls_file_relabel_to_clearance',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_file_relabel_to_clearance'($*)) dnl gen_require(` attribute mlsfilerelabeltoclr; ') typeattribute $1 mlsfilerelabeltoclr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_file_relabel_to_clearance'($*)) dnl ') ######################################## ## ## Make specified domain MLS trusted ## for writing to files at all levels. (Deprecated) ## ## ##

## Make specified domain MLS trusted ## for writing to files at all levels. ##

##

## This interface has been deprecated, please use ## mls_file_write_all_levels() instead. ##

##
## ## ## Domain allowed access. ## ## # define(`mls_file_write_down',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_file_write_down'($*)) dnl refpolicywarn(`$0($*) has been deprecated, please use mls_file_write_all_levels() instead.') mls_file_write_all_levels($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_file_write_down'($*)) dnl ') ######################################## ## ## Make specified domain MLS trusted ## for writing to files at all levels. ## ## ## ## Domain allowed access. ## ## ## # define(`mls_file_write_all_levels',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_file_write_all_levels'($*)) dnl gen_require(` attribute mlsfilewrite; ') typeattribute $1 mlsfilewrite; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_file_write_all_levels'($*)) dnl ') ######################################## ## ## Make specified domain MLS trusted ## for raising the level of files. ## ## ## ## Domain allowed access. ## ## ## # define(`mls_file_upgrade',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_file_upgrade'($*)) dnl gen_require(` attribute mlsfileupgrade; ') typeattribute $1 mlsfileupgrade; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_file_upgrade'($*)) dnl ') ######################################## ## ## Make specified domain MLS trusted ## for lowering the level of files. ## ## ## ## Domain allowed access. 
## ## ## # define(`mls_file_downgrade',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_file_downgrade'($*)) dnl gen_require(` attribute mlsfiledowngrade; ') typeattribute $1 mlsfiledowngrade; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_file_downgrade'($*)) dnl ') ######################################## ## ## Make specified domain trusted to ## be written to within its MLS range. ## The subject's MLS range must be a ## proper subset of the object's MLS range. ## ## ## ## Domain allowed access. ## ## ## # define(`mls_file_write_within_range',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_file_write_within_range'($*)) dnl gen_require(` attribute mlsfilewriteinrange; ') typeattribute $1 mlsfilewriteinrange; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_file_write_within_range'($*)) dnl ') ######################################## ## ## Make specified domain MLS trusted ## for reading from sockets at any level. ## ## ## ## Domain allowed access. ## ## ## # define(`mls_socket_read_all_levels',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_socket_read_all_levels'($*)) dnl gen_require(` attribute mlsnetread; ') typeattribute $1 mlsnetread; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_socket_read_all_levels'($*)) dnl ') ######################################## ## ## Make specified domain MLS trusted ## for reading from sockets at any level ## that is dominated by the process clearance. ## ## ## ## Domain allowed access. 
## ## ## # define(`mls_socket_read_to_clearance',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_socket_read_to_clearance'($*)) dnl gen_require(` attribute mlsnetreadtoclr; ') typeattribute $1 mlsnetreadtoclr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_socket_read_to_clearance'($*)) dnl ') ######################################## ## ## Make specified domain MLS trusted ## for writing to sockets up to ## its clearance. ## ## ## ## Domain allowed access. ## ## ## # define(`mls_socket_write_to_clearance',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_socket_write_to_clearance'($*)) dnl gen_require(` attribute mlsnetwritetoclr; ') typeattribute $1 mlsnetwritetoclr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_socket_write_to_clearance'($*)) dnl ') ######################################## ## ## Make specified domain MLS trusted ## for writing to sockets at any level. ## ## ## ## Domain allowed access. ## ## ## # define(`mls_socket_write_all_levels',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_socket_write_all_levels'($*)) dnl gen_require(` attribute mlsnetwrite; ') typeattribute $1 mlsnetwrite; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_socket_write_all_levels'($*)) dnl ') ######################################## ## ## Make specified domain MLS trusted ## for receiving network data from ## network interfaces or hosts at any level. ## ## ## ## Domain allowed access. 
##
#
define(`mls_net_receive_all_levels',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_net_receive_all_levels'($*))dnl
	gen_require(`
		attribute mlsnetrecvall;
	')

	# MLS override attribute. The constraint it relaxes lives with the MLS
	# constraints (not in this file); review that before granting it widely.
	typeattribute $1 mlsnetrecvall;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_net_receive_all_levels'($*))dnl
')

########################################
## Make specified domain trusted to
## write to network objects within its MLS range.
## The subject's MLS range must be a
## proper subset of the object's MLS range.
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_net_write_within_range',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_net_write_within_range'($*))dnl
	gen_require(`
		attribute mlsnetwriteranged;
	')

	# Bounded override: unlike the *_all_levels variants this one is limited
	# by the range relationship described above.
	typeattribute $1 mlsnetwriteranged;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_net_write_within_range'($*))dnl
')

########################################
## Make specified domain trusted to
## write inbound packets regardless of the
## network's or node's MLS range.
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_net_inbound_all_levels',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_net_inbound_all_levels'($*))dnl
	gen_require(`
		attribute mlsnetinbound;
	')

	typeattribute $1 mlsnetinbound;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_net_inbound_all_levels'($*))dnl
')

########################################
## Make specified domain trusted to
## write outbound packets regardless of the
## network's or node's MLS range.
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_net_outbound_all_levels',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_net_outbound_all_levels'($*))dnl
	gen_require(`
		attribute mlsnetoutbound;
	')

	typeattribute $1 mlsnetoutbound;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_net_outbound_all_levels'($*))dnl
')

########################################
## Make specified domain MLS trusted
## for reading from System V IPC objects
## up to its clearance.
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_sysvipc_read_to_clearance',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_sysvipc_read_to_clearance'($*))dnl
	gen_require(`
		attribute mlsipcreadtoclr;
	')

	# Prefer this (bounded by clearance) over mls_sysvipc_read_all_levels.
	typeattribute $1 mlsipcreadtoclr;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_sysvipc_read_to_clearance'($*))dnl
')

########################################
## Make specified domain MLS trusted
## for reading from System V IPC objects
## at any level.
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_sysvipc_read_all_levels',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_sysvipc_read_all_levels'($*))dnl
	gen_require(`
		attribute mlsipcread;
	')

	typeattribute $1 mlsipcread;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_sysvipc_read_all_levels'($*))dnl
')

########################################
## Make specified domain MLS trusted
## for writing to System V IPC objects
## up to its clearance.
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_sysvipc_write_to_clearance',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_sysvipc_write_to_clearance'($*))dnl
	gen_require(`
		attribute mlsipcwritetoclr;
	')

	typeattribute $1 mlsipcwritetoclr;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_sysvipc_write_to_clearance'($*))dnl
')

########################################
## Make specified domain MLS trusted
## for writing to System V IPC objects
## at any level.
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_sysvipc_write_all_levels',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_sysvipc_write_all_levels'($*))dnl
	gen_require(`
		attribute mlsipcwrite;
	')

	typeattribute $1 mlsipcwrite;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_sysvipc_write_all_levels'($*))dnl
')

########################################
## Allow the specified domain to do a MLS
## range transition that changes
## the current level.
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_rangetrans_source',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_rangetrans_source'($*))dnl
	gen_require(`
		attribute privrangetrans;
	')

	# Source side of a level-changing range transition; pair with a target
	# domain marked via mls_rangetrans_target().
	typeattribute $1 privrangetrans;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_rangetrans_source'($*))dnl
')

########################################
## Make specified domain a target domain
## for MLS range transitions that change
## the current level.
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_rangetrans_target',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_rangetrans_target'($*))dnl
	gen_require(`
		attribute mlsrangetrans;
	')

	typeattribute $1 mlsrangetrans;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_rangetrans_target'($*))dnl
')

########################################
## Make specified domain MLS trusted
## for reading from processes up to
## its clearance.
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_process_read_to_clearance',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_process_read_to_clearance'($*))dnl
	gen_require(`
		attribute mlsprocreadtoclr;
	')

	typeattribute $1 mlsprocreadtoclr;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_process_read_to_clearance'($*))dnl
')

########################################
## Make specified domain MLS trusted
## for reading from processes at all levels. (Deprecated)
##

## Make specified domain MLS trusted ## for reading from processes at all levels. ##

##

## This interface has been deprecated, please use ## mls_process_read_all_levels() instead. ##

##
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_process_read_up',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_process_read_up'($*))dnl
	# NOTE(review): the deprecation warning below is commented out, unlike
	# selinux_set_boolean() in this file which warns via refpolicywarn(), so
	# callers silently receive the full mls_process_read_all_levels() override.
	# Confirm the exact name of the warning helper in this tree before
	# re-enabling it.
	# refpolicywarn(`$0($*) has been deprecated, please use mls_process_read_all_levels() instead.')
	mls_process_read_all_levels($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_process_read_up'($*))dnl
')

########################################
## Make specified domain MLS trusted
## for reading from processes at all levels.
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_process_read_all_levels',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_process_read_all_levels'($*))dnl
	gen_require(`
		attribute mlsprocread;
	')

	# Unbounded read override; prefer mls_process_read_to_clearance() where
	# the clearance bound is sufficient.
	typeattribute $1 mlsprocread;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_process_read_all_levels'($*))dnl
')

########################################
## Make specified domain MLS trusted
## for writing to processes up to
## its clearance.
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_process_write_to_clearance',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_process_write_to_clearance'($*))dnl
	gen_require(`
		attribute mlsprocwritetoclr;
	')

	typeattribute $1 mlsprocwritetoclr;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_process_write_to_clearance'($*))dnl
')

########################################
## Make specified domain MLS trusted
## for writing to processes at all levels. (Deprecated)
##

## Make specified domain MLS trusted ## for writing to processes at all levels. ##

##

## This interface has been deprecated, please use ## mls_process_write_all_levels() instead. ##

##
## ## ## Domain allowed access. ## ## # define(`mls_process_write_down',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_process_write_down'($*)) dnl # refpolicywarn(`$0($*) has been deprecated, please use mls_process_write_all_levels() instead.') mls_process_write_all_levels($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_process_write_down'($*)) dnl ') ######################################## ## ## Make specified domain MLS trusted ## for writing to processes at all levels. ## ## ## ## Domain allowed access. ## ## ## # define(`mls_process_write_all_levels',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_process_write_all_levels'($*)) dnl gen_require(` attribute mlsprocwrite; ') typeattribute $1 mlsprocwrite; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_process_write_all_levels'($*)) dnl ') ######################################## ## ## Make specified domain MLS trusted ## for setting the level of processes ## it executes. ## ## ## ## Domain allowed access. ## ## ## # define(`mls_process_set_level',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_process_set_level'($*)) dnl gen_require(` attribute mlsprocsetsl; ') typeattribute $1 mlsprocsetsl; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_process_set_level'($*)) dnl ') ######################################## ## ## Make specified domain MLS trusted ## for reading from X objects up to its clearance. ## ## ## ## Domain allowed access. 
## ## ## # define(`mls_xwin_read_to_clearance',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_xwin_read_to_clearance'($*)) dnl gen_require(` attribute mlsxwinreadtoclr; ') typeattribute $1 mlsxwinreadtoclr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_xwin_read_to_clearance'($*)) dnl ') ######################################## ## ## Make specified domain MLS trusted ## for reading from X objects at any level. ## ## ## ## Domain allowed access. ## ## ## # define(`mls_xwin_read_all_levels',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_xwin_read_all_levels'($*)) dnl gen_require(` attribute mlsxwinread; ') typeattribute $1 mlsxwinread; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_xwin_read_all_levels'($*)) dnl ') ######################################## ## ## Make specified domain MLS trusted ## for write to X objects up to its clearance. ## ## ## ## Domain allowed access. ## ## ## # define(`mls_xwin_write_to_clearance',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_xwin_write_to_clearance'($*)) dnl gen_require(` attribute mlsxwinwritetoclr; ') typeattribute $1 mlsxwinwritetoclr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_xwin_write_to_clearance'($*)) dnl ') ######################################## ## ## Make specified domain MLS trusted ## for writing to X objects at any level. ## ## ## ## Domain allowed access. 
## ## ## # define(`mls_xwin_write_all_levels',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_xwin_write_all_levels'($*)) dnl gen_require(` attribute mlsxwinwrite; ') typeattribute $1 mlsxwinwrite; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_xwin_write_all_levels'($*)) dnl ') ######################################## ## ## Make specified domain MLS trusted ## for reading from X colormaps at any level. ## ## ## ## Domain allowed access. ## ## ## # define(`mls_colormap_read_all_levels',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_colormap_read_all_levels'($*)) dnl gen_require(` attribute mlsxwinreadcolormap; ') typeattribute $1 mlsxwinreadcolormap; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_colormap_read_all_levels'($*)) dnl ') ######################################## ## ## Make specified domain MLS trusted ## for writing to X colormaps at any level. ## ## ## ## Domain allowed access. ## ## ## # define(`mls_colormap_write_all_levels',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `mls_colormap_write_all_levels'($*)) dnl gen_require(` attribute mlsxwinwritecolormap; ') typeattribute $1 mlsxwinwritecolormap; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `mls_colormap_write_all_levels'($*)) dnl ') ######################################## ## ## Make specified object MLS trusted. ## ## ##

## Make specified object MLS trusted. This ## allows all levels to read and write the ## object, i.e. the object is exempted from both ## the MLS read and write constraints. Use it only ## for objects that genuinely must be shared ## across levels. ##

##

## This currently only applies to filesystem ## objects, for example, files and directories. ##

##
##
## Param 1 (object_type): The type of the object.
#
define(`mls_trusted_object',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_trusted_object'($*))dnl
	gen_require(`
		attribute mlstrustedobject;
	')

	# Object-side override: every level may read and write this type, so it
	# is a two-way channel across levels. Apply to object types only.
	typeattribute $1 mlstrustedobject;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_trusted_object'($*))dnl
')

########################################
## Make the specified domain trusted
## to inherit and use file descriptors
## from all levels.
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_fd_use_all_levels',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_fd_use_all_levels'($*))dnl
	gen_require(`
		attribute mlsfduse;
	')

	typeattribute $1 mlsfduse;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_fd_use_all_levels'($*))dnl
')

########################################
## Make the file descriptors from the
## specified domain inheritable by
## all levels.
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_fd_share_all_levels',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_fd_share_all_levels'($*))dnl
	gen_require(`
		attribute mlsfdshare;
	')

	typeattribute $1 mlsfdshare;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_fd_share_all_levels'($*))dnl
')

########################################
## Make specified domain MLS trusted
## for translating contexts at all levels.
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_context_translate_all_levels',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_context_translate_all_levels'($*))dnl
	gen_require(`
		attribute mlstranslate;
	')

	typeattribute $1 mlstranslate;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_context_translate_all_levels'($*))dnl
')

########################################
## Make specified domain MLS trusted
## for reading from databases at any level.
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_db_read_all_levels',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_db_read_all_levels'($*))dnl
	gen_require(`
		attribute mlsdbread;
	')

	typeattribute $1 mlsdbread;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_db_read_all_levels'($*))dnl
')

########################################
## Make specified domain MLS trusted
## for writing to databases at any level.
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_db_write_all_levels',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_db_write_all_levels'($*))dnl
	gen_require(`
		attribute mlsdbwrite;
	')

	typeattribute $1 mlsdbwrite;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_db_write_all_levels'($*))dnl
')

########################################
## Make specified domain MLS trusted
## for raising the level of databases.
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_db_upgrade',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_db_upgrade'($*))dnl
	gen_require(`
		attribute mlsdbupgrade;
	')

	typeattribute $1 mlsdbupgrade;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_db_upgrade'($*))dnl
')

########################################
## Make specified domain MLS trusted
## for lowering the level of databases.
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_db_downgrade',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_db_downgrade'($*))dnl
	gen_require(`
		attribute mlsdbdowngrade;
	')

	# Downgrade moves data to a lower level: the classic declassification
	# privilege. Keep the set of domains carrying this attribute minimal.
	typeattribute $1 mlsdbdowngrade;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_db_downgrade'($*))dnl
')

########################################
## Make specified domain MLS trusted
## for sending dbus messages to
## all levels.
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_dbus_send_all_levels',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_dbus_send_all_levels'($*))dnl
	gen_require(`
		attribute mlsdbussend;
	')

	typeattribute $1 mlsdbussend;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_dbus_send_all_levels'($*))dnl
')

########################################
## Make specified domain MLS trusted
## for receiving dbus messages from
## all levels.
##
## Param 1 (domain): Domain allowed access.
#
define(`mls_dbus_recv_all_levels',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `mls_dbus_recv_all_levels'($*))dnl
	gen_require(`
		attribute mlsdbusrecv;
	')

	typeattribute $1 mlsdbusrecv;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `mls_dbus_recv_all_levels'($*))dnl
')

##
## Policy for kernel security interface, in particular, selinuxfs.
## ## ## Contains the policy for the kernel SELinux security interface. ## ######################################## ## ## Make the specified type used for labeling SELinux Booleans. ## This interface is only usable in the base module. ## ## ##

## Make the specified type used for labeling SELinux Booleans. ##

##

## This makes use of genfscon statements, which are only ## available in the base module. Thus any module which calls this ## interface must be included in the base module. ##

##
##
## Param 1 (type): Type used for labeling a Boolean.
## Param 2 (name): Name of the Boolean.
#
define(`selinux_labeled_boolean',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `selinux_labeled_boolean'($*))dnl
	gen_require(`
		attribute boolean_type;
	')

	typeattribute $1 boolean_type;

	# because of this statement, any module which
	# calls this interface must be in the base module:
	# genfscon is not available to loadable modules.
	genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `selinux_labeled_boolean'($*))dnl
')

########################################
## Get the mountpoint of the selinuxfs filesystem.
##
## Param 1 (domain): Domain allowed access.
#
define(`selinux_get_fs_mount',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `selinux_get_fs_mount'($*))dnl
	gen_require(`
		type security_t;
	')

	allow $1 security_t:lnk_file read_lnk_file_perms;

	dev_getattr_sysfs_fs($1)
	dev_search_sysfs($1)

	# starting in libselinux 2.0.5, init_selinuxmnt() will
	# attempt to short circuit by checking if SELINUXMNT
	# (/selinux) is already a selinuxfs
	allow $1 security_t:filesystem getattr;

	# read /proc/filesystems to see if selinuxfs is supported
	# then read /proc/self/mount to see where selinuxfs is mounted
	kernel_read_system_state($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `selinux_get_fs_mount'($*))dnl
')

########################################
## Do not audit attempts to get the mountpoint
## of the selinuxfs filesystem.
##
## Param 1 (domain): Domain to not audit.
#
define(`selinux_dontaudit_get_fs_mount',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_get_fs_mount'($*))dnl
	gen_require(`
		type security_t;
	')

	# starting in libselinux 2.0.5, init_selinuxmnt() will
	# attempt to short circuit by checking if SELINUXMNT
	# (/selinux) is already a selinuxfs
	dev_dontaudit_search_sysfs($1)
	dontaudit $1 security_t:filesystem getattr;

	# read /proc/filesystems to see if selinuxfs is supported
	# then read /proc/self/mount to see where selinuxfs is mounted
	kernel_dontaudit_read_system_state($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `selinux_dontaudit_get_fs_mount'($*))dnl
')

########################################
## Mount the selinuxfs filesystem.
##
## Param 1 (domain): Domain allowed access.
#
define(`selinux_mount_fs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `selinux_mount_fs'($*))dnl
	gen_require(`
		type security_t;
	')

	dev_getattr_sysfs_fs($1)
	dev_search_sysfs($1)

	allow $1 security_t:lnk_file read_lnk_file_perms;
	allow $1 security_t:filesystem mount;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `selinux_mount_fs'($*))dnl
')

########################################
## Remount the selinuxfs filesystem.
## This allows some mount options to be changed.
##
## Param 1 (domain): Domain allowed access.
#
define(`selinux_remount_fs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `selinux_remount_fs'($*))dnl
	gen_require(`
		type security_t;
	')

	dev_getattr_sysfs_fs($1)
	dev_search_sysfs($1)

	allow $1 security_t:lnk_file read_lnk_file_perms;
	allow $1 security_t:filesystem remount;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `selinux_remount_fs'($*))dnl
')

########################################
## Unmount the selinuxfs filesystem.
##
## Param 1 (domain): Domain allowed access.
#
define(`selinux_unmount_fs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `selinux_unmount_fs'($*))dnl
	gen_require(`
		type security_t;
	')

	dev_getattr_sysfs_fs($1)
	dev_search_sysfs($1)

	allow $1 security_t:lnk_file read_lnk_file_perms;
	# Unmounting selinuxfs hides the kernel security interface from
	# userspace tooling; only system init/mount domains should need this.
	allow $1 security_t:filesystem unmount;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `selinux_unmount_fs'($*))dnl
')

########################################
## Get the attributes of the selinuxfs filesystem.
##
## Param 1 (domain): Domain allowed access.
#
define(`selinux_getattr_fs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `selinux_getattr_fs'($*))dnl
	gen_require(`
		type security_t;
	')

	allow $1 security_t:lnk_file read_lnk_file_perms;
	allow $1 security_t:filesystem getattr;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `selinux_getattr_fs'($*))dnl
')

########################################
## Do not audit attempts to get the
## attributes of the selinuxfs filesystem.
##
## Param 1 (domain): Domain to not audit.
#
define(`selinux_dontaudit_getattr_fs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_getattr_fs'($*))dnl
	gen_require(`
		type security_t;
	')

	dontaudit $1 security_t:filesystem getattr;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `selinux_dontaudit_getattr_fs'($*))dnl
')

########################################
## Do not audit attempts to get the
## attributes of the selinuxfs directory.
##
## Param 1 (domain): Domain to not audit.
#
define(`selinux_dontaudit_getattr_dir',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_getattr_dir'($*))dnl
	gen_require(`
		type security_t;
	')

	dontaudit $1 security_t:dir getattr;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `selinux_dontaudit_getattr_dir'($*))dnl
')

########################################
## Search selinuxfs.
##
## Param 1 (domain): Domain allowed access.
#
define(`selinux_search_fs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `selinux_search_fs'($*))dnl
	gen_require(`
		type security_t;
	')

	dev_search_sysfs($1)

	allow $1 security_t:lnk_file read_lnk_file_perms;
	allow $1 security_t:dir search_dir_perms;

	# Searching the selinuxfs mount is also granted access to the SELinux
	# userspace configuration directory when that module is present.
	optional_policy(`
		seutil_search_config($1)
	')
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `selinux_search_fs'($*))dnl
')

########################################
## Do not audit attempts to search selinuxfs.
##
## Param 1 (domain): Domain to not audit.
#
define(`selinux_dontaudit_search_fs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_search_fs'($*))dnl
	gen_require(`
		type security_t;
	')

	dontaudit $1 security_t:dir search_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `selinux_dontaudit_search_fs'($*))dnl
')

########################################
## Mount on selinuxfs directories.
##
## Param 1 (domain): Domain allowed access.
#
define(`selinux_mounton_fs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `selinux_mounton_fs'($*))dnl
	gen_require(`
		type security_t;
	')

	dev_getattr_sysfs_fs($1)
	dev_search_sysfs($1)

	allow $1 security_t:lnk_file read_lnk_file_perms;
	allow $1 security_t:dir mounton;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `selinux_mounton_fs'($*))dnl
')

########################################
## Do not audit attempts to read
## generic selinuxfs entries.
##
## Param 1 (domain): Domain to not audit.
#
define(`selinux_dontaudit_read_fs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_read_fs'($*))dnl
	gen_require(`
		type security_t;
	')

	selinux_dontaudit_getattr_fs($1)

	# Silences denials for reads of any security_t file node; keep in mind
	# this also hides probing of the security interface from the audit log.
	dontaudit $1 security_t:dir search_dir_perms;
	dontaudit $1 security_t:file read_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `selinux_dontaudit_read_fs'($*))dnl
')

########################################
## Allows the caller to get the mode of policy enforcement
## (enforcing or permissive mode).
##
## Param 1 (domain): Domain allowed access.
#
define(`selinux_get_enforce_mode',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `selinux_get_enforce_mode'($*))dnl
	gen_require(`
		type security_t;
	')

	# dev_search_sysfs is repeated inside selinux_get_fs_mount; harmless.
	dev_search_sysfs($1)
	selinux_get_fs_mount($1)

	# Read access covers every security_t file node, not only the enforce
	# node; reading the binary policy additionally needs read_policy on the
	# security class (see selinux_read_policy), which is not granted here.
	allow $1 security_t:dir list_dir_perms;
	allow $1 security_t:file mmap_read_file_perms;
	allow $1 security_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `selinux_get_enforce_mode'($*))dnl
')

########################################
## Allow caller to set the mode of policy enforcement
## (enforcing or permissive mode).
##

## Allow caller to set the mode of policy enforcement ## (enforcing or permissive mode). ##

##

## Since this is a security event, this action is ## always audited. ##

##
##
## Param 1 (domain): Domain allowed access.
#
define(`selinux_set_enforce_mode',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `selinux_set_enforce_mode'($*))dnl
	gen_require(`
		type security_t;
		attribute can_setenforce;
	')

	dev_search_sysfs($1)

	# rw_file_perms covers all security_t file nodes, not just the enforce
	# node. The setenforce permission on the security class itself is not
	# granted here; it is attached to can_setenforce elsewhere (presumably
	# the base selinux module, which is also where the audit rule lives).
	allow $1 security_t:dir list_dir_perms;
	allow $1 security_t:file rw_file_perms;

	typeattribute $1 can_setenforce;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `selinux_set_enforce_mode'($*))dnl
')

########################################
## Allow caller to load the policy into the kernel.
##
## Param 1 (domain): Domain allowed access.
#
define(`selinux_load_policy',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `selinux_load_policy'($*))dnl
	gen_require(`
		type security_t;
		attribute can_load_policy;
	')

	dev_search_sysfs($1)

	# As with setenforce, the load_policy permission on the security class
	# is conveyed via the can_load_policy attribute, not granted here.
	allow $1 security_t:dir list_dir_perms;
	allow $1 security_t:file rw_file_perms;
	allow $1 security_t:lnk_file read_lnk_file_perms;

	typeattribute $1 can_load_policy;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `selinux_load_policy'($*))dnl
')

########################################
## Allow caller to read the policy from the kernel.
##
## Param 1 (domain): Domain allowed access.
#
define(`selinux_read_policy',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `selinux_read_policy'($*))dnl
	gen_require(`
		type security_t;
	')

	dev_search_sysfs($1)

	allow $1 security_t:dir list_dir_perms;
	allow $1 security_t:file read_file_perms;
	allow $1 security_t:lnk_file read_lnk_file_perms;
	# Read-only: exposes the loaded policy but cannot change it.
	allow $1 security_t:security read_policy;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `selinux_read_policy'($*))dnl
')

########################################
## Allow caller to set the state of Booleans to
## enable or disable conditional portions of the policy. (Deprecated)
##

## Allow caller to set the state of Booleans to ## enable or disable conditional portions of the policy. ##

##

## Since this is a security event, this action is ## always audited. ##

##

## This interface has been deprecated. Please use ## selinux_set_generic_booleans() or selinux_set_all_booleans() ## instead. ##

##
##
## Param 1 (domain): Domain allowed access.
#
define(`selinux_set_boolean',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `selinux_set_boolean'($*))dnl
	# Deprecated alias: warns at build time, then grants the generic
	# (security_t-only) boolean access rather than the all-booleans variant.
	refpolicywarn(`$0($*) has been deprecated, use selinux_set_generic_booleans() instead.')
	selinux_set_generic_booleans($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `selinux_set_boolean'($*))dnl
')

########################################
## Allow caller to set the state of generic Booleans to
## enable or disable conditional portions of the policy.
##

## Allow caller to set the state of generic Booleans to ## enable or disable conditional portions of the policy. ##

##

## Since this is a security event, this action is ## always audited. ##

##
##
## Param 1 (domain): Domain allowed access.
#
define(`selinux_set_generic_booleans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `selinux_set_generic_booleans'($*))dnl
	gen_require(`
		type security_t;
		attribute can_setbool;
	')

	# Only booleans still labeled security_t are reachable; booleans given
	# their own type via selinux_labeled_boolean() need selinux_set_all_booleans().
	typeattribute $1 can_setbool;

	dev_search_sysfs($1)

	allow $1 security_t:lnk_file read_lnk_file_perms;
	allow $1 security_t:dir list_dir_perms;
	allow $1 security_t:file rw_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `selinux_set_generic_booleans'($*))dnl
')

########################################
## Allow caller to set the state of all Booleans to
## enable or disable conditional portions of the policy.
##

## Allow caller to set the state of all Booleans to ## enable or disable conditional portions of the policy. ##

##

## Since this is a security event, this action is ## always audited. ##

##
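##
## Param 1 (domain): Domain allowed access.
#
define(`selinux_set_all_booleans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `selinux_set_all_booleans'($*))dnl
	# secure_mode_policyload_t was previously required here but never used
	# in the body; dropping it removes a spurious link dependency.
	gen_require(`
		type security_t;
		attribute boolean_type;
		attribute can_setbool;
	')

	typeattribute $1 can_setbool;

	dev_getattr_sysfs_fs($1)
	dev_search_sysfs($1)

	allow $1 security_t:lnk_file read_lnk_file_perms;
	allow $1 security_t:dir list_dir_perms;
	# boolean_type spans every individually labeled boolean (see
	# selinux_labeled_boolean), so this reaches booleans the generic
	# interface cannot.
	allow $1 boolean_type:dir list_dir_perms;
	allow $1 boolean_type:file rw_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `selinux_set_all_booleans'($*))dnl
')

########################################
## Allow caller to set SELinux access vector cache parameters.
##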

## Allow caller to set SELinux access vector cache parameters. ## This allows the domain to set performance-related parameters ## of the AVC, such as the cache threshold. ##

##

## Since this is a security event, this action is ## always audited. ##

##
## ## ## Domain allowed access. ## ## ## # define(`selinux_set_parameters',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `selinux_set_parameters'($*)) dnl gen_require(` type security_t; attribute can_setsecparam; ') dev_getattr_sysfs_fs($1) dev_search_sysfs($1) allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security setsecparam; auditallow $1 security_t:security setsecparam; typeattribute $1 can_setsecparam; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `selinux_set_parameters'($*)) dnl ') ######################################## ## ## Allows caller to validate security contexts. ## ## ## ## Domain allowed access. ## ## ## # define(`selinux_validate_context',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `selinux_validate_context'($*)) dnl gen_require(` type security_t; ') dev_getattr_sysfs_fs($1) dev_search_sysfs($1) allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file { map rw_file_perms }; allow $1 security_t:security check_context; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `selinux_validate_context'($*)) dnl ') ######################################## ## ## Do not audit attempts to validate security contexts. ## ## ## ## Domain to not audit. 
## ## ## # define(`selinux_dontaudit_validate_context',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `selinux_dontaudit_validate_context'($*)) dnl gen_require(` type security_t; ') dontaudit $1 security_t:dir list_dir_perms; dontaudit $1 security_t:file rw_file_perms; dontaudit $1 security_t:security check_context; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `selinux_dontaudit_validate_context'($*)) dnl ') ######################################## ## ## Allows caller to compute an access vector. ## ## ## ## Domain allowed access. ## ## ## # define(`selinux_compute_access_vector',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `selinux_compute_access_vector'($*)) dnl gen_require(` type security_t; ') dev_getattr_sysfs_fs($1) dev_search_sysfs($1) allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_av; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `selinux_compute_access_vector'($*)) dnl ') ######################################## ## ## Calculate the default type for object creation. ## ## ## ## Domain allowed access. ## ## ## # define(`selinux_compute_create_context',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `selinux_compute_create_context'($*)) dnl gen_require(` type security_t; ') dev_getattr_sysfs_fs($1) dev_search_sysfs($1) allow $1 security_t:lnk_file read_lnk_file_perms; allow $1 security_t:dir list_dir_perms; allow $1 security_t:file rw_file_perms; allow $1 security_t:security compute_create; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `selinux_compute_create_context'($*)) dnl ') ######################################## ## ## Allows caller to compute polyinstatntiated ## directory members. 
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`selinux_compute_member',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_compute_member'($*)) dnl
	gen_require(`
		type security_t;
	')

	dev_getattr_sysfs_fs($1)
	dev_search_sysfs($1)
	allow $1 security_t:lnk_file read_lnk_file_perms;
	allow $1 security_t:dir list_dir_perms;
	allow $1 security_t:file rw_file_perms;
	allow $1 security_t:security compute_member;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_compute_member'($*)) dnl
')

########################################
## <summary>
##	Calculate the context for relabeling objects.
## </summary>
## <desc>
##	<p>
##	Calculate the context for relabeling objects.
##	This is determined by using the type_change
##	rules in the policy, and is generally used
##	for determining the context for relabeling
##	a terminal when a user logs in.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`selinux_compute_relabel_context',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_compute_relabel_context'($*)) dnl
	gen_require(`
		type security_t;
	')

	dev_getattr_sysfs_fs($1)
	dev_search_sysfs($1)
	allow $1 security_t:lnk_file read_lnk_file_perms;
	allow $1 security_t:dir list_dir_perms;
	allow $1 security_t:file rw_file_perms;
	allow $1 security_t:security compute_relabel;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_compute_relabel_context'($*)) dnl
')

########################################
## <summary>
##	Allows caller to setcheckreqprot
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`selinux_setcheckreqprot',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_setcheckreqprot'($*)) dnl
	gen_require(`
		type security_t;
	')

	dev_getattr_sysfs_fs($1)
	dev_search_sysfs($1)
	allow $1 security_t:lnk_file read_lnk_file_perms;
	allow $1 security_t:dir list_dir_perms;
	allow $1 security_t:file rw_file_perms;
	# setcheckreqprot changes how mmap/mprotect requests are checked system wide;
	# unlike the compute_* interfaces above this one alters security server state
	allow $1 security_t:security setcheckreqprot;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_setcheckreqprot'($*)) dnl
')

########################################
## <summary>
##	Allows caller to compute possible contexts for a user.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`selinux_compute_user_contexts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_compute_user_contexts'($*)) dnl
	gen_require(`
		type security_t;
	')

	dev_getattr_sysfs_fs($1)
	dev_search_sysfs($1)
	allow $1 security_t:lnk_file read_lnk_file_perms;
	allow $1 security_t:dir list_dir_perms;
	allow $1 security_t:file rw_file_perms;
	allow $1 security_t:security compute_user;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_compute_user_contexts'($*)) dnl
')

########################################
## <summary>
##	Unconfined access to the SELinux kernel security server.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`selinux_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_unconfined'($*)) dnl
	gen_require(`
		attribute selinux_unconfined_type;
	')

	typeattribute $1 selinux_unconfined_type;

	# the four calls below together give the domain control over booleans,
	# policy loading, security parameters and the enforcing mode - i.e. the
	# domain can reconfigure or disable enforcement; grant only to trusted domains
	selinux_set_all_booleans($1)
	selinux_load_policy($1)
	selinux_set_parameters($1)
	selinux_set_enforce_mode($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_unconfined'($*)) dnl
')

########################################
## <summary>
##	Generate a file context for a boolean type
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`selinux_genbool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `selinux_genbool'($*)) dnl
	gen_require(`
		attribute boolean_type;
	')

	# declares the type given as the argument and marks it as a boolean file type
	type $1;
	typeattribute $1 boolean_type;
	fs_type($1)
	mls_trusted_object($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `selinux_genbool'($*)) dnl
')

## <summary>Policy controlling access to storage devices</summary>

########################################
## <summary>
##	Allow the caller to get the attributes of fixed disk
##	device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_getattr_fixed_disk_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_getattr_fixed_disk_dev'($*)) dnl
	gen_require(`
		type fixed_disk_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 fixed_disk_device_t:blk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_getattr_fixed_disk_dev'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to read/write inherited fixed disk
##	device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The domain allowed access.
##	</summary>
## </param>
#
define(`storage_rw_inherited_fixed_disk_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_rw_inherited_fixed_disk_dev'($*)) dnl
	gen_require(`
		type fixed_disk_device_t;
		attribute fixed_disk_raw_read;
		attribute fixed_disk_raw_write;
	')

	# no dev_list_all_dev_nodes and no open permission here: per the name this is
	# meant for descriptors inherited from a parent - verify against callers
	allow $1 fixed_disk_device_t:chr_file { read write };
	allow $1 fixed_disk_device_t:blk_file { read write };
	# read/write on the raw device bypasses filesystem labeling, hence the raw attributes
	typeattribute $1 fixed_disk_raw_read;
	typeattribute $1 fixed_disk_raw_write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_rw_inherited_fixed_disk_dev'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts made by the caller to get
##	the attributes of fixed disk device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`storage_dontaudit_getattr_fixed_disk_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_getattr_fixed_disk_dev'($*)) dnl
	gen_require(`
		type fixed_disk_device_t;
	')

	dontaudit $1 fixed_disk_device_t:blk_file getattr;
	dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_getattr_fixed_disk_dev'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to set the attributes of fixed disk
##	device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_setattr_fixed_disk_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_setattr_fixed_disk_dev'($*)) dnl
	gen_require(`
		type fixed_disk_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 fixed_disk_device_t:blk_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_setattr_fixed_disk_dev'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts made by the caller to set
##	the attributes of fixed disk device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`storage_dontaudit_setattr_fixed_disk_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_setattr_fixed_disk_dev'($*)) dnl
	gen_require(`
		type fixed_disk_device_t;
	')

	dontaudit $1 fixed_disk_device_t:blk_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_setattr_fixed_disk_dev'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to directly read from a fixed disk.
##	This is extremely dangerous as it can bypass the
##	SELinux protections for filesystem objects, and
##	should only be used by trusted domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_raw_read_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_raw_read_fixed_disk'($*)) dnl
	gen_require(`
		attribute fixed_disk_raw_read;
		type fixed_disk_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
	allow $1 fixed_disk_device_t:chr_file read_chr_file_perms; #577012
	allow $1 fixed_disk_device_t:lnk_file read_lnk_file_perms;
	# the attribute lets other policy (and audits) single out raw disk readers
	typeattribute $1 fixed_disk_raw_read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_raw_read_fixed_disk'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts made by the caller to read
##	fixed disk device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`storage_dontaudit_read_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_read_fixed_disk'($*)) dnl
	gen_require(`
		type fixed_disk_device_t;
	')

	dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
	dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_read_fixed_disk'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to directly write to a fixed disk.
##	This is extremely dangerous as it can bypass the
##	SELinux protections for filesystem objects, and
##	should only be used by trusted domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_raw_write_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_raw_write_fixed_disk'($*)) dnl
	gen_require(`
		attribute fixed_disk_raw_write;
		type fixed_disk_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 fixed_disk_device_t:blk_file write_blk_file_perms;
	allow $1 fixed_disk_device_t:chr_file write_chr_file_perms;
	typeattribute $1 fixed_disk_raw_write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_raw_write_fixed_disk'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts made by the caller to write
##	fixed disk device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`storage_dontaudit_write_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_write_fixed_disk'($*)) dnl
	gen_require(`
		type fixed_disk_device_t;
	')

	# only the blk_file class is silenced here; chr_file writes will still be audited
	dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_write_fixed_disk'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to directly read and write to a fixed disk.
##	This is extremely dangerous as it can bypass the
##	SELinux protections for filesystem objects, and
##	should only be used by trusted domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_raw_rw_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_raw_rw_fixed_disk'($*)) dnl
	# composition of the two raw interfaces; also grants generic blk_file rw
	storage_raw_read_fixed_disk($1)
	storage_raw_write_fixed_disk($1)
	dev_rw_generic_blk_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_raw_rw_fixed_disk'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to watch fixed disk device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_watch_fixed_disk_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_watch_fixed_disk_dev'($*)) dnl
	gen_require(`
		type fixed_disk_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 fixed_disk_device_t:blk_file watch_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_watch_fixed_disk_dev'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to create fixed disk device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_create_fixed_disk_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_create_fixed_disk_dev'($*)) dnl
	gen_require(`
		type fixed_disk_device_t;
	')

	# CAP_MKNOD is required to create device nodes; this is a broad capability
	allow $1 self:capability mknod;
	allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
	allow $1 fixed_disk_device_t:chr_file create_chr_file_perms;
	dev_add_entry_generic_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_create_fixed_disk_dev'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to delete fixed disk device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_delete_fixed_disk_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_delete_fixed_disk_dev'($*)) dnl
	gen_require(`
		type fixed_disk_device_t;
	')

	# blk_file only; chr_file nodes of this type are not covered here
	allow $1 fixed_disk_device_t:blk_file delete_blk_file_perms;
	dev_remove_entry_generic_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_delete_fixed_disk_dev'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete fixed disk device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_manage_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_manage_fixed_disk'($*)) dnl
	gen_require(`
		attribute fixed_disk_raw_read, fixed_disk_raw_write;
		type fixed_disk_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 self:capability mknod;
	# manage perms include read and write, so this interface also hands out raw
	# disk access - treat it as dangerously as storage_raw_rw_fixed_disk
	allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms;
	allow $1 fixed_disk_device_t:chr_file manage_chr_file_perms;
	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_manage_fixed_disk'($*)) dnl
')

########################################
## <summary>
##	Create block devices in /dev with the fixed disk type
##	via an automatic type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	Optional filename of the block device to be created
##	</summary>
## </param>
#
define(`storage_dev_filetrans_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dev_filetrans_fixed_disk'($*)) dnl
	gen_require(`
		type fixed_disk_device_t;
	')

	# second argument is passed through as the optional filename
	dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dev_filetrans_fixed_disk'($*)) dnl
')

#######################################
## <summary>
##	Create named character devices in /dev with the fixed
##	disk type via automatic type transitions.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_dev_filetrans_named_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dev_filetrans_named_fixed_disk'($*)) dnl
	gen_require(`
		type fixed_disk_device_t;
	')

	# every transition below is for the chr_file class: raw, lvm, device-mapper
	# and megaraid control nodes get the fixed disk label when created in /dev
	dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dev_filetrans_named_fixed_disk'($*)) dnl
')

########################################
## <summary>
##	Create block devices on a tmpfs filesystem with the
##	fixed disk type via an automatic type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_tmpfs_filetrans_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_tmpfs_filetrans_fixed_disk'($*)) dnl
	gen_require(`
		type fixed_disk_device_t;
	')

	fs_tmpfs_filetrans($1, fixed_disk_device_t, blk_file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_tmpfs_filetrans_fixed_disk'($*)) dnl
')

########################################
## <summary>
##	Create block devices on a tmp filesystem with the
##	fixed disk type via an automatic type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_tmp_filetrans_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_tmp_filetrans_fixed_disk'($*)) dnl
	gen_require(`
		type fixed_disk_device_t;
	')

	files_tmp_filetrans($1, fixed_disk_device_t, blk_file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_tmp_filetrans_fixed_disk'($*)) dnl
')

########################################
## <summary>
##	Relabel fixed disk device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_relabel_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_relabel_fixed_disk'($*)) dnl
	gen_require(`
		type fixed_disk_device_t;
	')

	dev_list_all_dev_nodes($1)
	# relabelfrom/relabelto on disk nodes lets the domain move them out of
	# (or into) the fixed disk type, so this is a labeling-integrity permission
	allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_relabel_fixed_disk'($*)) dnl
')

########################################
## <summary>
##	Enable a fixed disk device as swap space
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_swapon_fixed_disk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_swapon_fixed_disk'($*)) dnl
	gen_require(`
		type fixed_disk_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 fixed_disk_device_t:blk_file { getattr swapon };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_swapon_fixed_disk'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to get the attributes
##	of device nodes of fuse devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_getattr_fuse_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_getattr_fuse_dev'($*)) dnl
	gen_require(`
		type fuse_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 fuse_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_getattr_fuse_dev'($*)) dnl
')

########################################
## <summary>
##	Read or write fuse device interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_rw_fuse',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_rw_fuse'($*)) dnl
	gen_require(`
		type fuse_device_t;
	')

	# unlike storage_getattr_fuse_dev this does not call dev_list_all_dev_nodes,
	# so callers need /dev search access from elsewhere to open the node
	allow $1 fuse_device_t:chr_file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_rw_fuse'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	fuse device interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`storage_dontaudit_rw_fuse',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_rw_fuse'($*)) dnl
	gen_require(`
		type fuse_device_t;
	')

	dontaudit $1 fuse_device_t:chr_file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_rw_fuse'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to get the attributes of
##	the generic SCSI interface device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_getattr_scsi_generic_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_getattr_scsi_generic_dev'($*)) dnl
	gen_require(`
		type scsi_generic_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 scsi_generic_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_getattr_scsi_generic_dev'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to set the attributes of
##	the generic SCSI interface device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_setattr_scsi_generic_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_setattr_scsi_generic_dev'($*)) dnl
	gen_require(`
		type scsi_generic_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 scsi_generic_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_setattr_scsi_generic_dev'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to directly read, in a
##	generic fashion, from any SCSI device.
##	This is extremely dangerous as it can bypass the
##	SELinux protections for filesystem objects, and
##	should only be used by trusted domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_read_scsi_generic',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_read_scsi_generic'($*)) dnl
	gen_require(`
		attribute scsi_generic_read;
		type scsi_generic_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 scsi_generic_device_t:chr_file read_chr_file_perms;
	typeattribute $1 scsi_generic_read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_read_scsi_generic'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to directly write, in a
##	generic fashion, to any SCSI device.
##	This is extremely dangerous as it can bypass the
##	SELinux protections for filesystem objects, and
##	should only be used by trusted domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_write_scsi_generic',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_write_scsi_generic'($*)) dnl
	gen_require(`
		attribute scsi_generic_write;
		type scsi_generic_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 scsi_generic_device_t:chr_file write_chr_file_perms;
	typeattribute $1 scsi_generic_write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_write_scsi_generic'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to directly read and write, in a
##	generic fashion, from any SCSI device.
##	This is extremely dangerous as it can bypass the
##	SELinux protections for filesystem objects, and
##	should only be used by trusted domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_rw_inherited_scsi_generic',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_rw_inherited_scsi_generic'($*)) dnl
	gen_require(`
		attribute scsi_generic_read;
		attribute scsi_generic_write;
		type scsi_generic_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 scsi_generic_device_t:chr_file rw_inherited_chr_file_perms;
	# NOTE(review): a blk_file permission set applied to the chr_file class;
	# if the two sets expand identically this line is redundant, otherwise it
	# widens chr_file access - confirm the intended class against upstream
	allow $1 scsi_generic_device_t:chr_file rw_inherited_blk_file_perms;
	typeattribute $1 scsi_generic_write;
	typeattribute $1 scsi_generic_read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_rw_inherited_scsi_generic'($*)) dnl
')

########################################
## <summary>
##	Set attributes of the device nodes
##	for the SCSI generic interface.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_setattr_scsi_generic_dev_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_setattr_scsi_generic_dev_dev'($*)) dnl
	gen_require(`
		type scsi_generic_device_t;
	')

	# same rules as storage_setattr_scsi_generic_dev; kept as a separate name
	dev_list_all_dev_nodes($1)
	allow $1 scsi_generic_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_setattr_scsi_generic_dev_dev'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	SCSI generic device interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`storage_dontaudit_rw_scsi_generic',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_rw_scsi_generic'($*)) dnl
	gen_require(`
		type scsi_generic_device_t;
	')

	dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_rw_scsi_generic'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to get the attributes of removable
##	device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_getattr_removable_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_getattr_removable_dev'($*)) dnl
	gen_require(`
		type removable_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 removable_device_t:blk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_getattr_removable_dev'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts made by the caller to get
##	the attributes of removable device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`storage_dontaudit_getattr_removable_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_getattr_removable_dev'($*)) dnl
	gen_require(`
		type removable_device_t;
	')

	dontaudit $1 removable_device_t:blk_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_getattr_removable_dev'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts made by the caller to read
##	removable device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`storage_dontaudit_read_removable_device',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_read_removable_device'($*)) dnl
	gen_require(`
		type removable_device_t;
	')

	dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_read_removable_device'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts made by the caller to write
##	removable device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`storage_dontaudit_write_removable_device',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_write_removable_device'($*)) dnl
	gen_require(`
		type removable_device_t;
	')

	dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_write_removable_device'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to set the attributes of removable
##	device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_setattr_removable_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_setattr_removable_dev'($*)) dnl
	gen_require(`
		type removable_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 removable_device_t:blk_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_setattr_removable_dev'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts made by the caller to set
##	the attributes of removable device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`storage_dontaudit_setattr_removable_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_setattr_removable_dev'($*)) dnl
	gen_require(`
		type removable_device_t;
	')

	dontaudit $1 removable_device_t:blk_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_setattr_removable_dev'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to directly read from
##	a removable device.
##	This is extremely dangerous as it can bypass the
##	SELinux protections for filesystem objects, and
##	should only be used by trusted domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_raw_read_removable_device',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_raw_read_removable_device'($*)) dnl
	gen_require(`
		type removable_device_t;
	')

	dev_list_all_dev_nodes($1)
	# unlike the fixed disk raw interfaces, no *_raw_read attribute is assigned
	# here, so raw removable readers cannot be singled out by attribute
	allow $1 removable_device_t:blk_file read_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_raw_read_removable_device'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to directly read removable devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`storage_dontaudit_raw_read_removable_device',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_raw_read_removable_device'($*)) dnl
	gen_require(`
		type removable_device_t;
	')

	dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_raw_read_removable_device'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to directly write to
##	a removable device.
##	This is extremely dangerous as it can bypass the
##	SELinux protections for filesystem objects, and
##	should only be used by trusted domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_raw_write_removable_device',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_raw_write_removable_device'($*)) dnl
	gen_require(`
		type removable_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 removable_device_t:blk_file write_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_raw_write_removable_device'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to directly write removable devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`storage_dontaudit_raw_write_removable_device',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_dontaudit_raw_write_removable_device'($*)) dnl
	gen_require(`
		type removable_device_t;
	')

	dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_dontaudit_raw_write_removable_device'($*)) dnl
')

#######################################
## <summary>
##	Allow read and write inherited removable devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`storage_rw_inherited_removable_device',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_rw_inherited_removable_device'($*)) dnl
	gen_require(`
		type removable_device_t;
	')

	# NOTE(review): the name and summary say allow, but the only rule is a
	# dontaudit - callers get no read/write access from this interface; confirm
	# which of the two is intended before relying on it
	dontaudit $1 removable_device_t:blk_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_rw_inherited_removable_device'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to directly read
##	a tape device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_read_tape',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_read_tape'($*)) dnl
	gen_require(`
		type tape_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 tape_device_t:chr_file read_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_read_tape'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to directly write
##	a tape device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_write_tape',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_write_tape'($*)) dnl
	gen_require(`
		type tape_device_t;
	')

	dev_list_all_dev_nodes($1)
	# Raw write to tape_device_t character nodes. Anything holding this
	# can overwrite or erase a tape, so keep it to backup-class domains.
	allow $1 tape_device_t:chr_file write_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_write_tape'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to get the attributes
##	of device nodes of tape devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_getattr_tape_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_getattr_tape_dev'($*)) dnl
	gen_require(`
		type tape_device_t;
	')

	dev_list_all_dev_nodes($1)
	# stat() of the node only; no access to tape contents
	allow $1 tape_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_getattr_tape_dev'($*)) dnl
')

########################################
## <summary>
##	Allow the caller to set the attributes
##	of device nodes of tape devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_setattr_tape_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_setattr_tape_dev'($*)) dnl
	gen_require(`
		type tape_device_t;
	')

	dev_list_all_dev_nodes($1)
	# NOTE(review): setattr is presumably the chmod/chown/utimes class of
	# change on the node (relabeling is a separate permission), so a domain
	# with this can loosen DAC on the tape node. Confirm against the
	# permission definitions in the object class support macros and keep
	# this to device-management domains.
	allow $1 tape_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_setattr_tape_dev'($*)) dnl
')

########################################
## <summary>
##	Unconfined access to storage devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_unconfined'($*)) dnl
	gen_require(`
		attribute storage_unconfined_type;
	')

	# Attribute-based grant: the rules attached to storage_unconfined_type
	# live in the storage module itself, not here, so what this actually
	# permits is whatever that attribute carries (presumably full access to
	# every storage device type -- verify there before handing this out).
	typeattribute $1 storage_unconfined_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_unconfined'($*)) dnl
')

########################################
## <summary>
##	Create all named devices with the correct label
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`storage_filetrans_all_named_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `storage_filetrans_all_named_dev'($*)) dnl
	gen_require(`
		type tape_device_t;
		type fixed_disk_device_t;
		type removable_device_t;
		type scsi_generic_device_t;
		type fuse_device_t;
	')

	# Name-based type_transitions for device nodes that $1 itself creates
	# under /dev. Each entry fires only for the exact name and object class
	# listed. A node whose name is not enumerated here (sdh and later, sg51
	# and up, dm-10 and up, md10 and up, loop10 and up, or newer naming such
	# as NVMe/virtio disks) gets no transition from this interface and keeps
	# whatever the default /dev labelling and any later relabelling
	# (presumably udev/restorecon via file contexts) give it -- confirm that
	# coverage before relying on this list for a new kind of device.
	# mtd0-9 and pg0-3 are listed for both blk_file and chr_file since both
	# node kinds exist for those drivers. The sdX0 entries match names that
	# Linux does not normally create (partitions start at 1); they are
	# harmless but inert.

	# tape drives, character nodes
	dev_filetrans($1, tape_device_t, chr_file, "ht00")
	dev_filetrans($1, tape_device_t, chr_file, "ht01")
	dev_filetrans($1, tape_device_t, chr_file, "ht02")
	dev_filetrans($1, tape_device_t, chr_file, "ht03")
	dev_filetrans($1, tape_device_t, chr_file, "ht04")
	dev_filetrans($1, tape_device_t, chr_file, "ht05")
	dev_filetrans($1, tape_device_t, chr_file, "ht06")
	dev_filetrans($1, tape_device_t, chr_file, "ht07")
	dev_filetrans($1, tape_device_t, chr_file, "ht08")
	dev_filetrans($1, tape_device_t, chr_file, "ht09")
	dev_filetrans($1, tape_device_t, chr_file, "st00")
	dev_filetrans($1, tape_device_t, chr_file, "st01")
	dev_filetrans($1, tape_device_t, chr_file, "st02")
	dev_filetrans($1, tape_device_t, chr_file, "st03")
	dev_filetrans($1, tape_device_t, chr_file, "st04")
	dev_filetrans($1, tape_device_t, chr_file, "st05")
	dev_filetrans($1, tape_device_t, chr_file, "st06")
	dev_filetrans($1, tape_device_t, chr_file, "st07")
	dev_filetrans($1, tape_device_t, chr_file, "st08")
	dev_filetrans($1, tape_device_t, chr_file, "st09")
	dev_filetrans($1, tape_device_t, chr_file, "qft0")
	dev_filetrans($1, tape_device_t, chr_file, "qft1")
	dev_filetrans($1, tape_device_t, chr_file, "qft2")
	dev_filetrans($1, tape_device_t, chr_file, "qft3")
	dev_filetrans($1, tape_device_t, chr_file, "osst00")
	dev_filetrans($1, tape_device_t, chr_file, "osst01")
	dev_filetrans($1, tape_device_t, chr_file, "osst02")
	dev_filetrans($1, tape_device_t, chr_file, "osst03")
	dev_filetrans($1, tape_device_t, chr_file, "osst04")
	dev_filetrans($1, tape_device_t, chr_file, "osst05")
	dev_filetrans($1, tape_device_t, chr_file, "osst06")
	dev_filetrans($1, tape_device_t, chr_file, "osst07")
	dev_filetrans($1, tape_device_t, chr_file, "osst08")
	dev_filetrans($1, tape_device_t, chr_file, "osst09")
	dev_filetrans($1, tape_device_t, chr_file, "pt0")
	dev_filetrans($1, tape_device_t, chr_file, "pt1")
	dev_filetrans($1, tape_device_t, chr_file, "pt2")
	dev_filetrans($1, tape_device_t, chr_file, "pt3")
	dev_filetrans($1, tape_device_t, chr_file, "pt4")
	dev_filetrans($1, tape_device_t, chr_file, "pt5")
	dev_filetrans($1, tape_device_t, chr_file, "pt6")
	dev_filetrans($1, tape_device_t, chr_file, "pt7")
	dev_filetrans($1, tape_device_t, chr_file, "pt8")
	dev_filetrans($1, tape_device_t, chr_file, "pt9")
	dev_filetrans($1, tape_device_t, chr_file, "tpqic0")
	dev_filetrans($1, tape_device_t, chr_file, "tpqic1")
	dev_filetrans($1, tape_device_t, chr_file, "tpqic2")
	dev_filetrans($1, tape_device_t, chr_file, "tpqic3")
	dev_filetrans($1, tape_device_t, chr_file, "tpqic4")
	dev_filetrans($1, tape_device_t, chr_file, "tpqic5")
	dev_filetrans($1, tape_device_t, chr_file, "tpqic6")
	dev_filetrans($1, tape_device_t, chr_file, "tpqic7")
	dev_filetrans($1, tape_device_t, chr_file, "tpqic8")
	dev_filetrans($1, tape_device_t, chr_file, "tpqic9")

	# legacy CD-ROM block nodes
	dev_filetrans($1, removable_device_t, blk_file, "aztcd")
	dev_filetrans($1, removable_device_t, blk_file, "bpcd")
	dev_filetrans($1, removable_device_t, blk_file, "cdu0")
	dev_filetrans($1, removable_device_t, blk_file, "cdu1")
	dev_filetrans($1, removable_device_t, blk_file, "cdu2")
	dev_filetrans($1, removable_device_t, blk_file, "cdu3")
	dev_filetrans($1, removable_device_t, blk_file, "cdu4")
	dev_filetrans($1, removable_device_t, blk_file, "cdu5")
	dev_filetrans($1, removable_device_t, blk_file, "cdu6")
	dev_filetrans($1, removable_device_t, blk_file, "cdu7")
	dev_filetrans($1, removable_device_t, blk_file, "cdu8")
	dev_filetrans($1, removable_device_t, blk_file, "cdu9")
	dev_filetrans($1, removable_device_t, blk_file, "cm200")
	dev_filetrans($1, removable_device_t, blk_file, "cm201")
	dev_filetrans($1, removable_device_t, blk_file, "cm202")
	dev_filetrans($1, removable_device_t, blk_file, "cm203")
	dev_filetrans($1, removable_device_t, blk_file, "cm204")
	dev_filetrans($1, removable_device_t, blk_file, "cm205")
	dev_filetrans($1, removable_device_t, blk_file, "cm206")
	dev_filetrans($1, removable_device_t, blk_file, "cm207")
	dev_filetrans($1, removable_device_t, blk_file, "cm208")
	dev_filetrans($1, removable_device_t, blk_file, "cm209")

	# fixed disks: bcache, md RAID, sd a-g (whole disk plus 0-9), dm-0..9
	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache0")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache1")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache2")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache3")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache4")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache5")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache6")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache7")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache8")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache9")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "md0")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "md1")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "md2")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "md3")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "md4")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "md5")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "md6")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "md7")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "md8")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "md9")
	# lone partition entry; presumably a firmware RAID container layout
	dev_filetrans($1, fixed_disk_device_t, blk_file, "md126p1")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda0")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda1")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda2")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda3")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda4")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda5")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda6")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda7")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda8")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda9")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb0")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb1")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb2")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb3")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb4")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb5")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb6")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb7")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb8")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdb9")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc0")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc1")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc2")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc3")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc4")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc5")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc6")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc7")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc8")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdc9")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd0")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd1")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd2")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd3")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd4")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd5")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd6")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd7")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd8")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdd9")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde0")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde1")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde2")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde3")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde4")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde5")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde6")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde7")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde8")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sde9")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf0")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf1")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf2")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf3")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf4")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf5")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf6")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf7")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf8")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdf9")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg0")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg1")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg2")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg3")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg4")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg5")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg6")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg7")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg8")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "sdg9")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-0")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-1")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-2")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-3")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-4")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-5")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-6")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-7")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-8")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "dm-9")

	# assorted legacy CD-ROM, tape block, flash and loop nodes
	dev_filetrans($1, removable_device_t, blk_file, "gscd")
	dev_filetrans($1, removable_device_t, blk_file, "hitcd")
	dev_filetrans($1, tape_device_t, blk_file, "ht0")
	dev_filetrans($1, tape_device_t, blk_file, "ht1")
	dev_filetrans($1, removable_device_t, blk_file, "hwcdrom")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "initrd")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "jsfd")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "loop0")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "loop1")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "loop2")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "loop3")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "loop4")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "loop5")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "loop6")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "loop7")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "loop8")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "loop9")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm")
	dev_filetrans($1, removable_device_t, blk_file, "mcd")
	dev_filetrans($1, removable_device_t, blk_file, "mcdx")

	# RAID controller management nodes
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9")

	# MMC/SD and Memory Stick cards are treated as removable media
	dev_filetrans($1, removable_device_t, blk_file, "mmcblk0")
	dev_filetrans($1, removable_device_t, blk_file, "mmcblk1")
	dev_filetrans($1, removable_device_t, blk_file, "mmcblk2")
	dev_filetrans($1, removable_device_t, blk_file, "mmcblk3")
	dev_filetrans($1, removable_device_t, blk_file, "mmcblk4")
	dev_filetrans($1, removable_device_t, blk_file, "mmcblk5")
	dev_filetrans($1, removable_device_t, blk_file, "mmcblk6")
	dev_filetrans($1, removable_device_t, blk_file, "mmcblk7")
	dev_filetrans($1, removable_device_t, blk_file, "mmcblk8")
	dev_filetrans($1, removable_device_t, blk_file, "mmcblk9")
	dev_filetrans($1, removable_device_t, blk_file, "mspblk0")
	dev_filetrans($1, removable_device_t, blk_file, "mspblk1")
	dev_filetrans($1, removable_device_t, blk_file, "mspblk2")
	dev_filetrans($1, removable_device_t, blk_file, "mspblk3")
	dev_filetrans($1, removable_device_t, blk_file, "mspblk4")
	dev_filetrans($1, removable_device_t, blk_file, "mspblk5")
	dev_filetrans($1, removable_device_t, blk_file, "mspblk6")
	dev_filetrans($1, removable_device_t, blk_file, "mspblk7")
	dev_filetrans($1, removable_device_t, blk_file, "mspblk8")
	dev_filetrans($1, removable_device_t, blk_file, "mspblk9")

	# MTD flash: both the block and the character node of each unit
	dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd0")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd1")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd2")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd3")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd4")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd5")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd6")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd7")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd8")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "mtd9")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd0")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd1")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd2")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd3")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd4")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd5")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd6")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd7")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd8")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "mtd9")

	# parallel-port and other legacy removable nodes
	dev_filetrans($1, removable_device_t, blk_file, "optcd")
	dev_filetrans($1, removable_device_t, blk_file, "pf0")
	dev_filetrans($1, removable_device_t, blk_file, "pf1")
	dev_filetrans($1, removable_device_t, blk_file, "pf2")
	dev_filetrans($1, removable_device_t, blk_file, "pf3")
	dev_filetrans($1, removable_device_t, blk_file, "pg0")
	dev_filetrans($1, removable_device_t, blk_file, "pg1")
	dev_filetrans($1, removable_device_t, blk_file, "pg2")
	dev_filetrans($1, removable_device_t, blk_file, "pg3")
	dev_filetrans($1, removable_device_t, blk_file, "pcd0")
	dev_filetrans($1, removable_device_t, blk_file, "pcd1")
	dev_filetrans($1, removable_device_t, blk_file, "pcd2")
	dev_filetrans($1, removable_device_t, blk_file, "pcd3")
	dev_filetrans($1, removable_device_t, chr_file, "pg0")
	dev_filetrans($1, removable_device_t, chr_file, "pg1")
	dev_filetrans($1, removable_device_t, chr_file, "pg2")
	dev_filetrans($1, removable_device_t, chr_file, "pg3")

	# PS3 disks, RAM disks, rd RAID, and the root alias
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d0")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d1")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d2")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d3")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d4")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d5")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d6")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d7")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d8")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ps3d9")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram0")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram1")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram2")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram3")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram4")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram5")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram6")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram7")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram8")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram9")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram10")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram11")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram12")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram13")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram14")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "ram15")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "rd0")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "rd1")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "rd2")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "rd3")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "rd4")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "rd5")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "rd6")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "rd7")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "rd8")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "rd9")
	dev_filetrans($1, fixed_disk_device_t, blk_file, "root")

	# more legacy CD-ROM nodes
	dev_filetrans($1, removable_device_t, blk_file, "sbpcd0")
	dev_filetrans($1, removable_device_t, blk_file, "sbpcd1")
	dev_filetrans($1, removable_device_t, blk_file, "sbpcd2")
	dev_filetrans($1, removable_device_t, blk_file, "sbpcd3")
	dev_filetrans($1, removable_device_t, blk_file, "sbpcd4")
	dev_filetrans($1, removable_device_t, blk_file, "sbpcd5")
	dev_filetrans($1, removable_device_t, blk_file, "sbpcd6")
	dev_filetrans($1, removable_device_t, blk_file, "sbpcd7")
	dev_filetrans($1, removable_device_t, blk_file, "sbpcd8")
	dev_filetrans($1, removable_device_t, blk_file, "sbpcd9")

	# SCSI generic pass-through nodes sg0..sg50: these carry raw SCSI
	# commands, so scsi_generic_device_t is deliberately distinct from the
	# disk types above
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg0")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg1")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg2")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg3")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg4")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg5")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg6")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg7")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg8")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg9")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg10")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg11")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg12")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg13")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg14")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg15")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg16")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg17")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg18")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg19")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg20")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg21")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg22")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg23")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg24")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg25")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg26")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg27")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg28")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg29")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg30")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg31")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg32")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg33")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg34")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg35")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg36")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg37")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg38")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg39")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg40")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg41")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg42")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg43")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg44")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg45")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg46")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg47")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg48")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg49")
	dev_filetrans($1, scsi_generic_device_t, chr_file, "sg50")

	# SCSI/SATA optical drives and remaining CD-ROM nodes
	dev_filetrans($1, removable_device_t, blk_file, "sr0")
	dev_filetrans($1, removable_device_t, blk_file, "sr1")
	dev_filetrans($1, removable_device_t, blk_file, "sr2")
	dev_filetrans($1, removable_device_t, blk_file, "sr3")
	dev_filetrans($1, removable_device_t, blk_file, "sr4")
	dev_filetrans($1, removable_device_t, blk_file, "sr5")
	dev_filetrans($1, removable_device_t, blk_file, "sr6")
	dev_filetrans($1, removable_device_t, blk_file, "sr7")
	dev_filetrans($1, removable_device_t, blk_file, "sr8")
	dev_filetrans($1, removable_device_t, blk_file, "sr9")
	dev_filetrans($1, removable_device_t, blk_file, "sjcd")
	dev_filetrans($1, removable_device_t, blk_file, "sonycd")

	# generic tape names
	dev_filetrans($1, tape_device_t, chr_file, "tape0")
	dev_filetrans($1, tape_device_t, chr_file, "tape1")
	dev_filetrans($1, tape_device_t, chr_file, "tape2")
	dev_filetrans($1, tape_device_t, chr_file, "tape3")
	dev_filetrans($1, tape_device_t, chr_file, "tape4")
	dev_filetrans($1, tape_device_t, chr_file, "tape5")
	dev_filetrans($1, tape_device_t, chr_file, "tape6")
	dev_filetrans($1, tape_device_t, chr_file, "tape7")
	dev_filetrans($1, tape_device_t, chr_file, "tape8")
	dev_filetrans($1, tape_device_t, chr_file, "tape9")

	# FUSE control node, device-mapper control, raw I/O, and 3ware RAID
	dev_filetrans($1, fuse_device_t, chr_file, "fuse")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
	dev_filetrans($1, removable_device_t, chr_file, "rio500")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw0")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw1")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw2")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw3")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw4")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw5")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw6")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw7")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw8")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "tw9")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa0")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa1")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa2")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa3")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa4")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa5")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa6")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa7")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa8")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa9")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa10")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa11")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa12")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa13")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa14")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa15")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa16")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa17")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa18")
	dev_filetrans($1, fixed_disk_device_t, chr_file, "twa19")
	# compressed RAM block device; only unit 0 is covered
	dev_filetrans($1, fixed_disk_device_t, blk_file, "zram0")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `storage_filetrans_all_named_dev'($*)) dnl
')

## <summary>Policy for terminals.</summary>
## <required val="true">
##	Depended on by other required modules.
## </required>

########################################
## <summary>
##	Transform specified type into a pty type.
## </summary>
## <param name="type">
##	<summary>
##	An object type that will be applied to a pty.
##	</summary>
## </param>
#
define(`term_pty',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_pty'($*)) dnl
	gen_require(`
		attribute ptynode;
		type devpts_t;
	')

	# $1 becomes a device node type that may live on a devpts filesystem
	dev_node($1)
	allow $1 devpts_t:filesystem associate;
	# ptynode is the attribute the term_*_all_terms interfaces key on, so
	# every type passed through here is reachable by any domain holding
	# one of those broad grants
	typeattribute $1 ptynode;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_pty'($*)) dnl
')

########################################
## <summary>
##	Transform specified type into an user
##	pty type. This allows it to be relabeled via
##	type change by login programs such as ssh.
## </summary>
## <param name="userdomain">
##	<summary>
##	The type of the user domain associated with
##	this pty.
##	</summary>
## </param>
## <param name="type">
##	<summary>
##	An object type that will be applied to a pty.
##	</summary>
## </param>
#
define(`term_user_pty',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_user_pty'($*)) dnl
	gen_require(`
		attribute server_ptynode;
	')

	# $2 is first made an ordinary pty type, then a pty allocated by a login
	# program (server_ptynode) may be type_changed to $2 on behalf of $1.
	# type_change only records the resulting type; the relabel itself is
	# performed by the login program under its own relabel permissions.
	term_pty($2)
	type_change $1 server_ptynode:chr_file $2;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_user_pty'($*)) dnl
')

########################################
## <summary>
##	Transform specified type into a pty type
##	used by login programs, such as sshd.
## </summary>
## <param name="type">
##	<summary>
##	An object type that will be applied to a pty.
##	</summary>
## </param>
#
define(`term_login_pty',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_login_pty'($*)) dnl
	gen_require(`
		attribute server_ptynode;
	')

	term_pty($1)
	# server_ptynode marks ptys a login program allocates before handing the
	# terminal to a user; term_user_pty is the other half of that handover
	typeattribute $1 server_ptynode;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_login_pty'($*)) dnl
')

########################################
## <summary>
##	Transform specified type into a tty type.
## </summary>
## <param name="type">
##	<summary>
##	An object type that will be applied to a tty.
##	</summary>
## </param>
#
define(`term_tty',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_tty'($*)) dnl
	gen_require(`
		attribute ttynode, serial_device;
		type tty_device_t;
	')

	# tty_device_t is required above but not referenced by the rules below
	# (harmless; left as-is).
	# ttynode is what the term_*_all_terms interfaces key on; serial_device
	# groups it with the serial port types.
	typeattribute $1 ttynode, serial_device;
	dev_node($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_tty'($*)) dnl
')

########################################
## <summary>
##	Transform specified type into a user tty type.
## </summary>
## <param name="userdomain">
##	<summary>
##	User domain that is related to this tty.
##	</summary>
## </param>
## <param name="type">
##	<summary>
##	An object type that will be applied to a tty.
##	</summary>
## </param>
#
define(`term_user_tty',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_user_tty'($*)) dnl
	gen_require(`
		attribute ttynode;
		type console_device_t;
		type tty_device_t;
	')

	term_tty($2)
	# when $1 logs in on a generic tty_device_t terminal, the login program
	# may relabel that terminal to $2
	type_change $1 tty_device_t:chr_file $2;

	# Debian login is from shadow utils and does not allow resetting the perms.
	# have to fix this!
	# NOTE(review): this branch widens the relabel source from tty_device_t
	# to every ttynode type, i.e. a tty already labelled for a different
	# user can also be type_changed to $2 here.
	ifdef(`distro_debian',`
		type_change $1 ttynode:chr_file $2;
	')

	tunable_policy(`login_console_enabled',`
		# When user logs in from /dev/console, relabel it
		# to user tty type as well.
		type_change $1 console_device_t:chr_file $2;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_user_tty'($*)) dnl
')

########################################
## <summary>
##	Create the /dev/pts directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_create_pty_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_create_pty_dir'($*)) dnl
	gen_require(`
		type devpts_t;
	')

	allow $1 devpts_t:dir create_dir_perms;
	# NOTE(review): the pty directory is /dev/pts, but the name filter here
	# is "devpts", which only matches a mkdir of /dev/devpts. If the intent
	# is to label a freshly created /dev/pts, the filename would need to be
	# "pts". Verify which name the callers actually create before changing
	# it.
	dev_filetrans($1, devpts_t, dir, "devpts")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_create_pty_dir'($*)) dnl
')

########################################
## <summary>
##	Create a pty in the /dev/pts directory.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process creating the pty.
##	</summary>
## </param>
## <param name="type">
##	<summary>
##	The type of the pty.
##	</summary>
## </param>
#
define(`term_create_pty',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_create_pty'($*)) dnl
	gen_require(`
		type bsdpty_device_t, devpts_t, ptmx_t;
	')

	dev_list_all_dev_nodes($1)
	# open the pty multiplexer to allocate a pty, and list /dev/pts to
	# find the slave side
	allow $1 ptmx_t:chr_file rw_file_perms;
	allow $1 devpts_t:dir list_dir_perms;
	allow $1 devpts_t:filesystem getattr;
	# quietly deny the legacy BSD pty nodes (presumably probed by older
	# pty allocation code before it falls back to /dev/ptmx)
	dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
	# the slave $1 creates under /dev/pts is labelled $2 instead of
	# inheriting devpts_t from the directory
	type_transition $1 devpts_t:chr_file $2;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_create_pty'($*)) dnl
')

########################################
## <summary>
##	Write the console, all
##	ttys and all ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`term_write_all_terms',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_write_all_terms'($*)) dnl
	gen_require(`
		attribute ttynode, ptynode;
		type console_device_t, devpts_t, tty_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 devpts_t:dir list_dir_perms;
	# Write to every terminal on the system regardless of which user owns
	# it (typical for wall/shutdown-style notifiers). devpts_t itself, a
	# pty not yet relabelled, is not in this set, unlike in
	# term_use_all_terms.
	allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file write_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_write_all_terms'($*)) dnl
')

########################################
## <summary>
##	Read and write the console, all
##	ttys and all ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`term_use_all_terms',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_all_terms'($*)) dnl
gen_require(`
	attribute ttynode, ptynode;
	type console_device_t, devpts_t, tty_device_t;
')

dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir list_dir_perms;
# Includes open; the generic devpts_t chr_file type is covered as well.
allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_all_terms'($*)) dnl
')

########################################
## <summary>
##	Read and write the inherited console, all inherited
##	ttys and ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`term_use_all_inherited_terms',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_all_inherited_terms'($*)) dnl
gen_require(`
	attribute ttynode, ptynode;
	type console_device_t, devpts_t, tty_device_t;
')

# Inherited-only: the domain may use terminal fds it was given but is
# not granted the permission to open terminals itself.
allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_inherited_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_all_inherited_terms'($*)) dnl
')

########################################
## <summary>
##	Write to the console.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`term_write_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_write_console'($*)) dnl
gen_require(`
	type console_device_t;
')

dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file write_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_write_console'($*)) dnl
')

########################################
## <summary>
##	Read from the console.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`term_read_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_read_console'($*)) dnl
gen_require(`
	type console_device_t;
')

dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file read_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_read_console'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read from the console.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <rolecap/>
#
define(`term_dontaudit_read_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_read_console'($*)) dnl
gen_require(`
	type console_device_t;
')

dontaudit $1 console_device_t:chr_file read_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_read_console'($*)) dnl
')

########################################
## <summary>
##	Read from and write to the console.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_use_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_console'($*)) dnl
gen_require(`
	type console_device_t;
')

dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file rw_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_console'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read from
##	or write to the console.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`term_dontaudit_use_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_console'($*)) dnl
gen_require(`
	type console_device_t;
	type tty_device_t;
')

init_dontaudit_use_fds($1)
# Only inherited-descriptor use is silenced; open attempts still audit.
dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms;
# The same denials on the unallocated tty type are silenced as well.
dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_console'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of the console
##	device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`term_setattr_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_console'($*)) dnl
gen_require(`
	type console_device_t;
')

dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_console'($*)) dnl
')

########################################
## <summary>
##	Relabel from and to the console type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_relabel_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_relabel_console'($*)) dnl
gen_require(`
	type console_device_t;
')

dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file relabel_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_relabel_console'($*)) dnl
')

########################################
## <summary>
##	Create the console device (/dev/console).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_create_console_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_create_console_dev'($*)) dnl
gen_require(`
	type console_device_t;
')

dev_add_entry_generic_dirs($1)
allow $1 console_device_t:chr_file create;
# Creating a device node needs CAP_MKNOD, which is not limited to this
# one node; grant this interface only to domains that really make /dev/console.
allow $1 self:capability mknod;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_create_console_dev'($*)) dnl
')

########################################
## <summary>
##	Watch the console device (/dev/console).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_watch_console_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_watch_console_dev'($*)) dnl
gen_require(`
	type console_device_t;
')

allow $1 console_device_t:chr_file watch_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_watch_console_dev'($*)) dnl
')

########################################
## <summary>
##	Watch reads of the console device (/dev/console).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_watch_reads_console_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_watch_reads_console_dev'($*)) dnl
gen_require(`
	type console_device_t;
')

allow $1 console_device_t:chr_file watch_reads_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_watch_reads_console_dev'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of a pty filesystem
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_getattr_pty_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_pty_fs'($*)) dnl
gen_require(`
	type devpts_t;
')

allow $1 devpts_t:filesystem getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_pty_fs'($*)) dnl
')

########################################
## <summary>
##	Mount a pty filesystem
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_mount_pty_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_mount_pty_fs'($*)) dnl
gen_require(`
	type devpts_t;
')

allow $1 devpts_t:filesystem mount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_mount_pty_fs'($*)) dnl
')

########################################
## <summary>
##	Unmount a pty filesystem
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_unmount_pty_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_unmount_pty_fs'($*)) dnl
gen_require(`
	type devpts_t;
')

allow $1 devpts_t:filesystem unmount;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_unmount_pty_fs'($*)) dnl
')

########################################
## <summary>
##	Relabel from and to pty filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_relabel_pty_fs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_relabel_pty_fs'($*)) dnl
gen_require(`
	type devpts_t;
')

dev_list_all_dev_nodes($1)
# Filesystem-level relabel (mount-context), not relabeling of individual ptys.
allow $1 devpts_t:filesystem { relabelto relabelfrom };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_relabel_pty_fs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the
##	attributes of the /dev/pts directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`term_dontaudit_getattr_pty_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_pty_dirs'($*)) dnl
gen_require(`
	type devpts_t;
')

dontaudit $1 devpts_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_pty_dirs'($*)) dnl
')

########################################
## <summary>
##	Search the contents of the /dev/pts directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_search_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_search_ptys'($*)) dnl
gen_require(`
	type devpts_t;
')

dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_search_ptys'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to search the
##	contents of the /dev/pts directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`term_dontaudit_search_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_search_ptys'($*)) dnl
gen_require(`
	type devpts_t;
')

# Mirrors term_search_ptys with the dontaudit variant of the /dev listing.
dev_dontaudit_list_all_dev_nodes($1)
dontaudit $1 devpts_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_search_ptys'($*)) dnl
')

########################################
## <summary>
##	Read the /dev/pts directory to
##	list all ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_list_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_list_ptys'($*)) dnl
gen_require(`
	type devpts_t;
')

dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_list_ptys'($*)) dnl
')

########################################
## <summary>
##	Relabel the /dev/pts directory
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_relabel_ptys_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_relabel_ptys_dirs'($*)) dnl
gen_require(`
	type devpts_t;
')

allow $1 devpts_t:dir relabel_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_relabel_ptys_dirs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read the
##	/dev/pts directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`term_dontaudit_list_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_list_ptys'($*)) dnl
gen_require(`
	type devpts_t;
')

dontaudit $1 devpts_t:dir { getattr search read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_list_ptys'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to create, read,
##	write, or delete the /dev/pts directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`term_dontaudit_manage_pty_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_manage_pty_dirs'($*)) dnl
gen_require(`
	type devpts_t;
')

dontaudit $1 devpts_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_manage_pty_dirs'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of generic pty devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_getattr_generic_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_generic_ptys'($*)) dnl
gen_require(`
	type devpts_t;
')

allow $1 devpts_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_generic_ptys'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of generic pty devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`term_dontaudit_getattr_generic_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_generic_ptys'($*)) dnl
gen_require(`
	type devpts_t;
')

dontaudit $1 devpts_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_generic_ptys'($*)) dnl
')

########################################
## <summary>
##	ioctl of generic pty devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for ppp
define(`term_ioctl_generic_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_ioctl_generic_ptys'($*)) dnl
gen_require(`
	type devpts_t;
')

dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir search;
# ioctl only; no read/write on the pty is granted by this interface.
allow $1 devpts_t:chr_file ioctl;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_ioctl_generic_ptys'($*)) dnl
')

########################################
## <summary>
##	Allow setting the attributes of
##	generic pty devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# dwalsh: added for rhgb
define(`term_setattr_generic_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_generic_ptys'($*)) dnl
gen_require(`
	type devpts_t;
')

allow $1 devpts_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_generic_ptys'($*)) dnl
')

########################################
## <summary>
##	Dontaudit setting the attributes of
##	generic pty devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# dwalsh: added for rhgb
define(`term_dontaudit_setattr_generic_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_setattr_generic_ptys'($*)) dnl
gen_require(`
	type devpts_t;
')

dontaudit $1 devpts_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_setattr_generic_ptys'($*)) dnl
')

########################################
## <summary>
##	Read and write the generic pty
##	type. This is generally only used in
##	the targeted policy.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_use_generic_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_generic_ptys'($*)) dnl
gen_require(`
	type devpts_t;
')

dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir list_dir_perms;
allow $1 devpts_t:chr_file { rw_term_perms lock append };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_generic_ptys'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and
##	write the generic pty type. This is
##	generally only used in the targeted policy.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`term_dontaudit_use_generic_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_generic_ptys'($*)) dnl
gen_require(`
	type devpts_t;
')

init_dontaudit_use_fds($1)
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_generic_ptys'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of the controlling
##	terminal (/dev/tty).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_setattr_controlling_term',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_controlling_term'($*)) dnl
gen_require(`
	type devtty_t;
')

dev_list_all_dev_nodes($1)
allow $1 devtty_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_controlling_term'($*)) dnl
')

########################################
## <summary>
##	Read and write the controlling
##	terminal (/dev/tty).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_use_controlling_term',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_controlling_term'($*)) dnl
gen_require(`
	type devtty_t;
')

dev_list_all_dev_nodes($1)
allow $1 devtty_t:chr_file { rw_term_perms lock append };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_controlling_term'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of the pty multiplexor (/dev/ptmx).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_getattr_ptmx',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_ptmx'($*)) dnl
gen_require(`
	type ptmx_t;
')

allow $1 ptmx_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_ptmx'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get attributes
##	on the pty multiplexor (/dev/ptmx).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`term_dontaudit_getattr_ptmx',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_ptmx'($*)) dnl
gen_require(`
	type ptmx_t;
')

dontaudit $1 ptmx_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_ptmx'($*)) dnl
')

########################################
## <summary>
##	Read and write the pty multiplexor (/dev/ptmx).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_use_ptmx',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_ptmx'($*)) dnl
gen_require(`
	type ptmx_t;
')

dev_list_all_dev_nodes($1)
# Opening /dev/ptmx is how new pty pairs are obtained; pair this with
# term_create_pty or a pty type for the slave side.
allow $1 ptmx_t:chr_file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_ptmx'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and
##	write the pty multiplexor (/dev/ptmx).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`term_dontaudit_use_ptmx',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_ptmx'($*)) dnl
gen_require(`
	type ptmx_t;
')

dontaudit $1 ptmx_t:chr_file { getattr read write ioctl };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_ptmx'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of all
##	pty device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`term_getattr_all_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_all_ptys'($*)) dnl
gen_require(`
	attribute ptynode;
	type devpts_t;
')

dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir list_dir_perms;
allow $1 ptynode:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_all_ptys'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the
##	attributes of any pty
##	device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`term_dontaudit_getattr_all_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_all_ptys'($*)) dnl
gen_require(`
	attribute ptynode;
')

dontaudit $1 ptynode:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_all_ptys'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of all
##	pty device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`term_setattr_all_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_all_ptys'($*)) dnl
gen_require(`
	attribute ptynode;
	type devpts_t;
')

dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir list_dir_perms;
allow $1 ptynode:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_all_ptys'($*)) dnl
')

########################################
## <summary>
##	Relabel to all ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_relabelto_all_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_relabelto_all_ptys'($*)) dnl
gen_require(`
	attribute ptynode;
')

# relabelto only; the source type still needs relabelfrom elsewhere.
allow $1 ptynode:chr_file relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_relabelto_all_ptys'($*)) dnl
')

########################################
## <summary>
##	Write to all ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_write_all_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_write_all_ptys'($*)) dnl
gen_require(`
	attribute ptynode;
')

dev_list_all_dev_nodes($1)
allow $1 ptynode:chr_file write_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_write_all_ptys'($*)) dnl
')

########################################
## <summary>
##	Read and write all ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`term_use_all_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_all_ptys'($*)) dnl
gen_require(`
	attribute ptynode;
	type devpts_t;
')

dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir list_dir_perms;
allow $1 ptynode:chr_file { rw_term_perms lock append };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_all_ptys'($*)) dnl
')

########################################
## <summary>
##	Read and write all inherited ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`term_use_all_inherited_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_all_inherited_ptys'($*)) dnl
gen_require(`
	attribute ptynode;
	# NOTE(review): devpts_t is required here but not referenced by any rule below.
	type devpts_t;
')

# No open permission: only ptys received as inherited descriptors are usable.
allow $1 ptynode:chr_file { rw_inherited_term_perms lock };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_all_inherited_ptys'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read or write any ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`term_dontaudit_use_all_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_all_ptys'($*)) dnl
gen_require(`
	attribute ptynode;
')

dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_all_ptys'($*)) dnl
')

########################################
## <summary>
##	Relabel from and to all pty device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_relabel_all_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_relabel_all_ptys'($*)) dnl
gen_require(`
	attribute ptynode;
	type devpts_t;
')

dev_list_all_dev_nodes($1)
# Both the generic devpts_t type and every ptynode type are relabelable.
relabel_chr_files_pattern($1, devpts_t, { ptynode devpts_t } )
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_relabel_all_ptys'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of all user
##	pty device nodes. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`term_getattr_all_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_all_user_ptys'($*)) dnl
# Deprecated alias: warns at build time and forwards to the replacement.
refpolicywarn(`$0 has been deprecated, use term_getattr_all_ptys() instead.')
term_getattr_all_ptys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_all_user_ptys'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the
##	attributes of any user pty
##	device nodes. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`term_dontaudit_getattr_all_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_all_user_ptys'($*)) dnl
# Deprecated alias: warns at build time and forwards to the replacement.
refpolicywarn(`$0 has been deprecated, use term_dontaudit_getattr_all_ptys() instead.')
term_dontaudit_getattr_all_ptys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_all_user_ptys'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of all user
##	pty device nodes. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`term_setattr_all_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_all_user_ptys'($*)) dnl
# Deprecated alias: warns at build time and forwards to the replacement.
refpolicywarn(`$0 has been deprecated, use term_setattr_all_ptys() instead.')
term_setattr_all_ptys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_all_user_ptys'($*)) dnl
')

########################################
## <summary>
##	Relabel to all user ptys. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_relabelto_all_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_relabelto_all_user_ptys'($*)) dnl
# Deprecated alias: warns at build time and forwards to the replacement.
refpolicywarn(`$0 has been deprecated, use term_relabelto_all_ptys() instead.')
term_relabelto_all_ptys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_relabelto_all_user_ptys'($*)) dnl
')

########################################
## <summary>
##	Write to all user ptys. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_write_all_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_write_all_user_ptys'($*)) dnl
# Deprecated alias: warns at build time and forwards to the replacement.
refpolicywarn(`$0 has been deprecated, use term_write_all_ptys() instead.')
term_write_all_ptys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_write_all_user_ptys'($*)) dnl
')

########################################
## <summary>
##	Read and write all user ptys. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`term_use_all_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_all_user_ptys'($*)) dnl
# Deprecated alias: warns at build time and forwards to the replacement.
refpolicywarn(`$0 has been deprecated, use term_use_all_ptys() instead.')
term_use_all_ptys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_all_user_ptys'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read any
##	user ptys. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`term_dontaudit_use_all_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_all_user_ptys'($*)) dnl
# Deprecated alias: warns at build time and forwards to the replacement.
refpolicywarn(`$0 has been deprecated, use term_dontaudit_use_all_ptys() instead.')
term_dontaudit_use_all_ptys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_all_user_ptys'($*)) dnl
')

########################################
## <summary>
##	Relabel from and to all user
##	pty device nodes. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_relabel_all_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_relabel_all_user_ptys'($*)) dnl
# Deprecated alias: warns at build time and forwards to the replacement.
refpolicywarn(`$0 has been deprecated, use term_relabel_all_ptys() instead.')
term_relabel_all_ptys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_relabel_all_user_ptys'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of all unallocated
##	tty device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`term_getattr_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_unallocated_ttys'($*)) dnl
gen_require(`
	type tty_device_t;
')

dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_unallocated_ttys'($*)) dnl
')

########################################
## <summary>
##	Allow open access for all unallocated
##	tty device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_open_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_open_unallocated_ttys'($*)) dnl
gen_require(`
	type tty_device_t;
')

dev_list_all_dev_nodes($1)
# open only; read/write must come from another interface.
allow $1 tty_device_t:chr_file open;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_open_unallocated_ttys'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all unallocated tty device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`term_dontaudit_getattr_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_unallocated_ttys'($*)) dnl
gen_require(`
	type tty_device_t;
')

dontaudit $1 tty_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_unallocated_ttys'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of all unallocated
##	tty device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`term_setattr_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_unallocated_ttys'($*)) dnl
gen_require(`
	type tty_device_t;
')

dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_unallocated_ttys'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to set the attributes
##	of unallocated tty device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`term_dontaudit_setattr_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_setattr_unallocated_ttys'($*)) dnl
gen_require(`
	type tty_device_t;
')

dontaudit $1 tty_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_setattr_unallocated_ttys'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to ioctl
##	unallocated tty device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`term_dontaudit_ioctl_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_ioctl_unallocated_ttys'($*)) dnl
gen_require(`
	type tty_device_t;
')

dontaudit $1 tty_device_t:chr_file ioctl;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_ioctl_unallocated_ttys'($*)) dnl
')

########################################
## <summary>
##	Watch unallocated tty device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`term_watch_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_watch_unallocated_ttys'($*)) dnl
gen_require(`
	type tty_device_t;
')

allow $1 tty_device_t:chr_file watch_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_watch_unallocated_ttys'($*)) dnl
')

########################################
## <summary>
##	Watch reads of unallocated tty device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##
##
#
# Uses the watch_reads_chr_file_perms set (defined elsewhere); like
# term_watch_unallocated_ttys it does not call dev_list_all_dev_nodes.
define(`term_watch_reads_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_watch_reads_unallocated_ttys'($*)) dnl
gen_require(`
	type tty_device_t;
')

allow $1 tty_device_t:chr_file watch_reads_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_watch_reads_unallocated_ttys'($*)) dnl
')

########################################
##
## Relabel from and to the unallocated
## tty type.
##
##
##
##
## Domain allowed access.
##
##
#
# relabel_chr_file_perms (defined elsewhere) is granted on tty_device_t in
# both directions.  Relabeling is how a tty leaves or enters the
# unallocated state, so this should be limited to login-style managers;
# see term_reset_tty_labels below for the broader variant.
define(`term_relabel_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_relabel_unallocated_ttys'($*)) dnl
gen_require(`
	type tty_device_t;
')

dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file relabel_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_relabel_unallocated_ttys'($*)) dnl
')

########################################
##
## Mounton unallocated tty device nodes.
##
##
##
##
## Domain allowed access.
##
##
##
#
# Single mounton permission; no /dev listing is granted here.
define(`term_mounton_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_mounton_unallocated_ttys'($*)) dnl
gen_require(`
	type tty_device_t;
')

allow $1 tty_device_t:chr_file mounton;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_mounton_unallocated_ttys'($*)) dnl
')

########################################
##
## Relabel from all user tty types to
## the unallocated tty type.
##
##
##
##
## Domain allowed access.
##
##
#
# One-way relabel: relabelfrom on every type carrying the ttynode
# attribute, relabelto only tty_device_t.  This is the broadest relabel
# grant in this group (it reaches every tty type at once), so keep the
# caller set small and treat ttynode relabelfrom denials from other
# domains as worth investigating rather than silencing.
define(`term_reset_tty_labels',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_reset_tty_labels'($*)) dnl
gen_require(`
	attribute ttynode;
	type tty_device_t;
')

dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file relabelfrom;
allow $1 tty_device_t:chr_file relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_reset_tty_labels'($*)) dnl
')

########################################
##
## Append to unallocated ttys.
##
##
##
##
## Domain allowed access.
##
##
#
# append_chr_file_perms (defined elsewhere): write-only in append mode,
# no read of the terminal.
define(`term_append_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_append_unallocated_ttys'($*)) dnl
gen_require(`
	type tty_device_t;
')

dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file append_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_append_unallocated_ttys'($*)) dnl
')

########################################
##
## Write to unallocated ttys.
##
##
##
##
## Domain allowed access.
##
##
#
# write_chr_file_perms (defined elsewhere): write without read, e.g. for
# message broadcasters; use term_use_unallocated_ttys when read is needed.
define(`term_write_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_write_unallocated_ttys'($*)) dnl
gen_require(`
	type tty_device_t;
')

dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file write_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_write_unallocated_ttys'($*)) dnl
')

########################################
##
## Read and write unallocated ttys.
##
##
##
##
## Domain allowed access.
##
##
##
#
# Full read/write (rw_chr_file_perms, defined elsewhere) on tty_device_t,
# i.e. on ttys not yet claimed by a login session.
define(`term_use_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_unallocated_ttys'($*)) dnl
gen_require(`
	type tty_device_t;
')

dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file rw_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_unallocated_ttys'($*)) dnl
')

########################################
##
## Do not audit attempts to read or
## write unallocated ttys.
##
##
##
##
## Domain to not audit.
##
##
#
# Audit suppression only, scoped to inherited descriptors
# (rw_inherited_chr_file_perms, defined elsewhere).  Also calls
# init_dontaudit_use_fds (defined elsewhere) for the same caller, so the
# suppression reaches into the init module as well; no access is granted.
define(`term_dontaudit_use_unallocated_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_unallocated_ttys'($*)) dnl
gen_require(`
	type tty_device_t;
')

init_dontaudit_use_fds($1)
dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_unallocated_ttys'($*)) dnl
')

########################################
##
## Read and write USB tty character
## device nodes.
##
##
##
##
## Domain allowed access.
##
##
#
# USB serial adapters (usbtty_device_t) are hot-pluggable, so this grant
# covers whatever device is attached at the time, not a fixed console.
define(`term_use_usb_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_usb_ttys'($*)) dnl
gen_require(`
	type usbtty_device_t;
')

dev_list_all_dev_nodes($1)
allow $1 usbtty_device_t:chr_file rw_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_usb_ttys'($*)) dnl
')

#######################################
##
## Setattr on USB tty character
## device nodes.
##
##
##
##
## Domain allowed access.
##
##
#
# Single setattr permission; unlike term_use_usb_ttys this does not call
# dev_list_all_dev_nodes.
define(`term_setattr_usb_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_usb_ttys'($*)) dnl
gen_require(`
	type usbtty_device_t;
')

allow $1 usbtty_device_t:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_usb_ttys'($*)) dnl
')

########################################
##
## Get the attributes of all tty device nodes.
##
##
##
##
## Domain allowed access.
##
##
##
#
# getattr on every ttynode type plus the unallocated tty_device_t; this is
# the lowest-risk of the all-ttys interfaces (stat only, no data access).
define(`term_getattr_all_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_all_ttys'($*)) dnl
gen_require(`
	type tty_device_t;
	attribute ttynode;
')

dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file getattr;
allow $1 tty_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_all_ttys'($*)) dnl
')

########################################
##
## Do not audit attempts to get the
## attributes of any tty device nodes.
##
##
##
##
## Domain to not audit.
##
##
#
# NOTE(review): unlike the other dontaudit interfaces in this group, this
# one also calls dev_list_all_dev_nodes, which the other callers here pair
# with allow rules; it presumably grants real /dev access rather than only
# suppressing audit.  Confirm that is intended before relying on the name.
define(`term_dontaudit_getattr_all_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_all_ttys'($*)) dnl
gen_require(`
	attribute ttynode;
	type tty_device_t;
')

dev_list_all_dev_nodes($1)
dontaudit $1 ttynode:chr_file getattr;
dontaudit $1 tty_device_t:chr_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_all_ttys'($*)) dnl
')

########################################
##
## Set the attributes of all tty device nodes.
##
##
##
##
## Domain allowed access.
##
##
##
#
# setattr on every type carrying the ttynode attribute.  The unallocated
# tty_device_t is not listed here; see term_setattr_unallocated_ttys.
define(`term_setattr_all_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_all_ttys'($*)) dnl
gen_require(`
	attribute ttynode;
')

dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_all_ttys'($*)) dnl
')

########################################
##
## Relabel from and to all tty device nodes.
##
##
##
##
## Domain allowed access.
##
##
#
# Bidirectional relabel (relabel_chr_file_perms, defined elsewhere) over
# every ttynode type: a caller can move any tty between any tty labels.
# Restrict to the tty management programs that actually need it.
define(`term_relabel_all_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_relabel_all_ttys'($*)) dnl
gen_require(`
	attribute ttynode;
')

dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file relabel_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_relabel_all_ttys'($*)) dnl
')

########################################
##
## Write to all ttys.
##
##
##
##
## Domain allowed access.
##
##
#
# write_chr_file_perms on every ttynode type: the caller can write to
# terminals owned by other users, so this belongs to broadcast tools only.
define(`term_write_all_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_write_all_ttys'($*)) dnl
gen_require(`
	attribute ttynode;
')

dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file write_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_write_all_ttys'($*)) dnl
')

########################################
##
## Read and write all ttys.
##
##
##
##
## Domain allowed access.
##
##
##
#
# Uses the terminal-specific rw_term_perms set (defined elsewhere) rather
# than rw_chr_file_perms.  Read access to every ttynode type means the
# caller can observe other users input; audit its use carefully.
define(`term_use_all_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_all_ttys'($*)) dnl
gen_require(`
	attribute ttynode;
')

dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file rw_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_all_ttys'($*)) dnl
')

########################################
##
## Read and write all inherited ttys.
##
##
##
##
## Domain allowed access.
##
##
##
#
# Narrower than term_use_all_ttys: rw_inherited_term_perms (defined
# elsewhere) is meant for descriptors the caller inherited, so it does not
# by itself let the caller open arbitrary ttys.
define(`term_use_all_inherited_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_all_inherited_ttys'($*)) dnl
gen_require(`
	attribute ttynode;
')

dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file rw_inherited_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_all_inherited_ttys'($*)) dnl
')

########################################
##
## Do not audit attempts to read or write
## any ttys.
##
##
##
##
## Domain to not audit.
##
##
#
# Audit suppression only, limited to inherited descriptors; no /dev
# listing and no access is granted.
define(`term_dontaudit_use_all_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_all_ttys'($*)) dnl
gen_require(`
	attribute ttynode;
')

dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_all_ttys'($*)) dnl
')

########################################
##
## Get the attributes of all user tty
## device nodes. (Deprecated)
##
##
##
##
## Domain allowed access.
##
##
##
#
# Compatibility shim: emits a build-time warning and forwards to
# term_getattr_all_ttys with the same argument.
define(`term_getattr_all_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_all_user_ttys'($*)) dnl
refpolicywarn(`$0() is deprecated, use term_getattr_all_ttys() instead.')
term_getattr_all_ttys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_all_user_ttys'($*)) dnl
')

########################################
##
## Do not audit attempts to get the
## attributes of any user tty
## device nodes. (Deprecated)
##
##
##
##
## Domain to not audit.
##
##
#
# Compatibility shim: warns and forwards to term_dontaudit_getattr_all_ttys
# (which, see above, also grants dev_list_all_dev_nodes).
define(`term_dontaudit_getattr_all_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_getattr_all_user_ttys'($*)) dnl
refpolicywarn(`$0() is deprecated, use term_dontaudit_getattr_all_ttys() instead.')
term_dontaudit_getattr_all_ttys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_getattr_all_user_ttys'($*)) dnl
')

########################################
##
## Set the attributes of all user tty
## device nodes. (Deprecated)
##
##
##
##
## Domain allowed access.
##
##
##
#
# Compatibility shim: warns and forwards to term_setattr_all_ttys.
define(`term_setattr_all_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_setattr_all_user_ttys'($*)) dnl
refpolicywarn(`$0() is deprecated, use term_setattr_all_ttys() instead.')
term_setattr_all_ttys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_setattr_all_user_ttys'($*)) dnl
')

########################################
##
## Relabel from and to all user
## user tty device nodes. (Deprecated)
##
##
##
##
## Domain allowed access.
##
##
#
# Compatibility shim: warns and forwards to term_relabel_all_ttys.
define(`term_relabel_all_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_relabel_all_user_ttys'($*)) dnl
refpolicywarn(`$0() is deprecated, use term_relabel_all_ttys() instead.')
term_relabel_all_ttys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_relabel_all_user_ttys'($*)) dnl
')

########################################
##
## Write to all user ttys. (Deprecated)
##
##
##
##
## Domain allowed access.
##
##
#
# Compatibility shim: warns and forwards to term_write_all_ttys.
define(`term_write_all_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_write_all_user_ttys'($*)) dnl
refpolicywarn(`$0() is deprecated, use term_write_all_ttys() instead.')
term_write_all_ttys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_write_all_user_ttys'($*)) dnl
')

########################################
##
## Read and write all user to all user ttys. (Deprecated)
##
##
##
##
## Domain allowed access.
##
##
##
#
# Compatibility shim: warns and forwards to term_use_all_ttys.
define(`term_use_all_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_all_user_ttys'($*)) dnl
refpolicywarn(`$0() is deprecated, use term_use_all_ttys() instead.')
term_use_all_ttys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_all_user_ttys'($*)) dnl
')

########################################
##
## Do not audit attempts to read or write
## any user ttys. (Deprecated)
##
##
##
##
## Domain to not audit.
##
##
#
# Compatibility shim: warns and forwards to term_dontaudit_use_all_ttys.
define(`term_dontaudit_use_all_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_dontaudit_use_all_user_ttys'($*)) dnl
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_dontaudit_use_all_user_ttys'($*)) dnl
')

####################################
##
## Getattr on the virtio console.
##
##
##
##
## Domain allowed access.
##
##
#
# getattr_chr_file_perms (defined elsewhere) on virtio_device_t; no /dev
# listing is granted here, contrast term_use_virtio_console below.
define(`term_getattr_virtio_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_getattr_virtio_console'($*)) dnl
gen_require(`
	type virtio_device_t;
')

allow $1 virtio_device_t:chr_file getattr_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_getattr_virtio_console'($*)) dnl
')

#####################################
##
## Read from and write to the virtio console.
##
##
##
##
## Domain allowed access.
##
##
#
# Full read/write on the guest-side virtio console device; in a guest this
# is a channel to the hypervisor host, so treat callers as trusted.
define(`term_use_virtio_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_use_virtio_console'($*)) dnl
gen_require(`
	type virtio_device_t;
')

dev_list_all_dev_nodes($1)
allow $1 virtio_device_t:chr_file rw_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_use_virtio_console'($*)) dnl
')

########################################
##
## Create all named term devices with the correct label
##
##
##
##
## Domain allowed access.
##
##
#
# Named file transitions for terminal device nodes created by the caller
# (typically a device manager).  Every name is enumerated explicitly, so a
# node whose name is outside the listed ranges (tty100, ttyUSB10, ...)
# receives no transition from this interface.  Labels assigned:
#   devtty_t          tty
#   tty_device_t      tty0-99, pty, pty0-99, adb0-9, capi0-9, cu0-9,
#                     dcbri0-9, vcsa-vcse, hvc0-9, hvsi0-9, ircomm0-9,
#                     isdn0-9, rfcomm0-9, slamr0-9, ttyACM0-9, ttyS0-9,
#                     ttySG0-9, xvc0-9
#   console_device_t  console
#   ptmx_t            ptmx (both under /dev and inside devpts_t)
#   usbtty_device_t   ttyUSB0-9
#   virtio_device_t   vport0p0-9
#   devpts_t          pts (dir)
# NOTE(review): bsdpty_device_t is listed in gen_require but no rule below
# uses it; either a transition is missing or the require is stale.
define(`term_filetrans_all_named_dev',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `term_filetrans_all_named_dev'($*)) dnl
gen_require(`
	type tty_device_t;
	type bsdpty_device_t;
	type console_device_t;
	type ptmx_t;
	type devtty_t;
	type virtio_device_t;
	type devpts_t;
	type usbtty_device_t;
')

dev_filetrans($1, devtty_t, chr_file, "tty")
dev_filetrans($1, tty_device_t, chr_file, "tty0")
dev_filetrans($1, tty_device_t, chr_file, "tty1")
dev_filetrans($1, tty_device_t, chr_file, "tty2")
dev_filetrans($1, tty_device_t, chr_file, "tty3")
dev_filetrans($1, tty_device_t, chr_file, "tty4")
dev_filetrans($1, tty_device_t, chr_file, "tty5")
dev_filetrans($1, tty_device_t, chr_file, "tty6")
dev_filetrans($1, tty_device_t, chr_file, "tty7")
dev_filetrans($1, tty_device_t, chr_file, "tty8")
dev_filetrans($1, tty_device_t, chr_file, "tty9")
dev_filetrans($1, tty_device_t, chr_file, "tty10")
dev_filetrans($1, tty_device_t, chr_file, "tty11")
dev_filetrans($1, tty_device_t, chr_file, "tty12")
dev_filetrans($1, tty_device_t, chr_file, "tty13")
dev_filetrans($1, tty_device_t, chr_file, "tty14")
dev_filetrans($1, tty_device_t, chr_file, "tty15")
dev_filetrans($1, tty_device_t, chr_file, "tty16")
dev_filetrans($1, tty_device_t, chr_file, "tty17")
dev_filetrans($1, tty_device_t, chr_file, "tty18")
dev_filetrans($1, tty_device_t, chr_file, "tty19")
dev_filetrans($1, tty_device_t, chr_file, "tty20")
dev_filetrans($1, tty_device_t, chr_file, "tty21")
dev_filetrans($1, tty_device_t, chr_file, "tty22")
dev_filetrans($1, tty_device_t, chr_file, "tty23")
dev_filetrans($1, tty_device_t, chr_file, "tty24")
dev_filetrans($1, tty_device_t, chr_file, "tty25")
dev_filetrans($1, tty_device_t, chr_file, "tty26")
dev_filetrans($1, tty_device_t, chr_file, "tty27")
dev_filetrans($1, tty_device_t, chr_file, "tty28")
dev_filetrans($1, tty_device_t, chr_file, "tty29")
dev_filetrans($1, tty_device_t, chr_file, "tty30")
dev_filetrans($1, tty_device_t, chr_file, "tty31")
dev_filetrans($1, tty_device_t, chr_file, "tty32")
dev_filetrans($1, tty_device_t, chr_file, "tty33")
dev_filetrans($1, tty_device_t, chr_file, "tty34")
dev_filetrans($1, tty_device_t, chr_file, "tty35")
dev_filetrans($1, tty_device_t, chr_file, "tty36")
dev_filetrans($1, tty_device_t, chr_file, "tty37")
dev_filetrans($1, tty_device_t, chr_file, "tty38")
dev_filetrans($1, tty_device_t, chr_file, "tty39")
dev_filetrans($1, tty_device_t, chr_file, "tty40")
dev_filetrans($1, tty_device_t, chr_file, "tty41")
dev_filetrans($1, tty_device_t, chr_file, "tty42")
dev_filetrans($1, tty_device_t, chr_file, "tty43")
dev_filetrans($1, tty_device_t, chr_file, "tty44")
dev_filetrans($1, tty_device_t, chr_file, "tty45")
dev_filetrans($1, tty_device_t, chr_file, "tty46")
dev_filetrans($1, tty_device_t, chr_file, "tty47")
dev_filetrans($1, tty_device_t, chr_file, "tty48")
dev_filetrans($1, tty_device_t, chr_file, "tty49")
dev_filetrans($1, tty_device_t, chr_file, "tty50")
dev_filetrans($1, tty_device_t, chr_file, "tty51")
dev_filetrans($1, tty_device_t, chr_file, "tty52")
dev_filetrans($1, tty_device_t, chr_file, "tty53")
dev_filetrans($1, tty_device_t, chr_file, "tty54")
dev_filetrans($1, tty_device_t, chr_file, "tty55")
dev_filetrans($1, tty_device_t, chr_file, "tty56")
dev_filetrans($1, tty_device_t, chr_file, "tty57")
dev_filetrans($1, tty_device_t, chr_file, "tty58")
dev_filetrans($1, tty_device_t, chr_file, "tty59")
dev_filetrans($1, tty_device_t, chr_file, "tty60")
dev_filetrans($1, tty_device_t, chr_file, "tty61")
dev_filetrans($1, tty_device_t, chr_file, "tty62")
dev_filetrans($1, tty_device_t, chr_file, "tty63")
dev_filetrans($1, tty_device_t, chr_file, "tty64")
dev_filetrans($1, tty_device_t, chr_file, "tty65")
dev_filetrans($1, tty_device_t, chr_file, "tty66")
dev_filetrans($1, tty_device_t, chr_file, "tty67")
dev_filetrans($1, tty_device_t, chr_file, "tty68")
dev_filetrans($1, tty_device_t, chr_file, "tty69")
dev_filetrans($1, tty_device_t, chr_file, "tty70")
dev_filetrans($1, tty_device_t, chr_file, "tty71")
dev_filetrans($1, tty_device_t, chr_file, "tty72")
dev_filetrans($1, tty_device_t, chr_file, "tty73")
dev_filetrans($1, tty_device_t, chr_file, "tty74")
dev_filetrans($1, tty_device_t, chr_file, "tty75")
dev_filetrans($1, tty_device_t, chr_file, "tty76")
dev_filetrans($1, tty_device_t, chr_file, "tty77")
dev_filetrans($1, tty_device_t, chr_file, "tty78")
dev_filetrans($1, tty_device_t, chr_file, "tty79")
dev_filetrans($1, tty_device_t, chr_file, "tty80")
dev_filetrans($1, tty_device_t, chr_file, "tty81")
dev_filetrans($1, tty_device_t, chr_file, "tty82")
dev_filetrans($1, tty_device_t, chr_file, "tty83")
dev_filetrans($1, tty_device_t, chr_file, "tty84")
dev_filetrans($1, tty_device_t, chr_file, "tty85")
dev_filetrans($1, tty_device_t, chr_file, "tty86")
dev_filetrans($1, tty_device_t, chr_file, "tty87")
dev_filetrans($1, tty_device_t, chr_file, "tty88")
dev_filetrans($1, tty_device_t, chr_file, "tty89")
dev_filetrans($1, tty_device_t, chr_file, "tty90")
dev_filetrans($1, tty_device_t, chr_file, "tty91")
dev_filetrans($1, tty_device_t, chr_file, "tty92")
dev_filetrans($1, tty_device_t, chr_file, "tty93")
dev_filetrans($1, tty_device_t, chr_file, "tty94")
dev_filetrans($1, tty_device_t, chr_file, "tty95")
dev_filetrans($1, tty_device_t, chr_file, "tty96")
dev_filetrans($1, tty_device_t, chr_file, "tty97")
dev_filetrans($1, tty_device_t, chr_file, "tty98")
dev_filetrans($1, tty_device_t, chr_file, "tty99")
dev_filetrans($1, tty_device_t, chr_file, "pty")
dev_filetrans($1, tty_device_t, chr_file, "pty0")
dev_filetrans($1, tty_device_t, chr_file, "pty1")
dev_filetrans($1, tty_device_t, chr_file, "pty2")
dev_filetrans($1, tty_device_t, chr_file, "pty3")
dev_filetrans($1, tty_device_t, chr_file, "pty4")
dev_filetrans($1, tty_device_t, chr_file, "pty5")
dev_filetrans($1, tty_device_t, chr_file, "pty6")
dev_filetrans($1, tty_device_t, chr_file, "pty7")
dev_filetrans($1, tty_device_t, chr_file, "pty8")
dev_filetrans($1, tty_device_t, chr_file, "pty9")
dev_filetrans($1, tty_device_t, chr_file, "pty10")
dev_filetrans($1, tty_device_t, chr_file, "pty11")
dev_filetrans($1, tty_device_t, chr_file, "pty12")
dev_filetrans($1, tty_device_t, chr_file, "pty13")
dev_filetrans($1, tty_device_t, chr_file, "pty14")
dev_filetrans($1, tty_device_t, chr_file, "pty15")
dev_filetrans($1, tty_device_t, chr_file, "pty16")
dev_filetrans($1, tty_device_t, chr_file, "pty17")
dev_filetrans($1, tty_device_t, chr_file, "pty18")
dev_filetrans($1, tty_device_t, chr_file, "pty19")
dev_filetrans($1, tty_device_t, chr_file, "pty20")
dev_filetrans($1, tty_device_t, chr_file, "pty21")
dev_filetrans($1, tty_device_t, chr_file, "pty22")
dev_filetrans($1, tty_device_t, chr_file, "pty23")
dev_filetrans($1, tty_device_t, chr_file, "pty24")
dev_filetrans($1, tty_device_t, chr_file, "pty25")
dev_filetrans($1, tty_device_t, chr_file, "pty26")
dev_filetrans($1, tty_device_t, chr_file, "pty27")
dev_filetrans($1, tty_device_t, chr_file, "pty28")
dev_filetrans($1, tty_device_t, chr_file, "pty29")
dev_filetrans($1, tty_device_t, chr_file, "pty30")
dev_filetrans($1, tty_device_t, chr_file, "pty31")
dev_filetrans($1, tty_device_t, chr_file, "pty32")
dev_filetrans($1, tty_device_t, chr_file, "pty33")
dev_filetrans($1, tty_device_t, chr_file, "pty34")
dev_filetrans($1, tty_device_t, chr_file, "pty35")
dev_filetrans($1, tty_device_t, chr_file, "pty36")
dev_filetrans($1, tty_device_t, chr_file, "pty37")
dev_filetrans($1, tty_device_t, chr_file, "pty38")
dev_filetrans($1, tty_device_t, chr_file, "pty39")
dev_filetrans($1, tty_device_t, chr_file, "pty40")
dev_filetrans($1, tty_device_t, chr_file, "pty41")
dev_filetrans($1, tty_device_t, chr_file, "pty42")
dev_filetrans($1, tty_device_t, chr_file, "pty43")
dev_filetrans($1, tty_device_t, chr_file, "pty44")
dev_filetrans($1, tty_device_t, chr_file, "pty45")
dev_filetrans($1, tty_device_t, chr_file, "pty46")
dev_filetrans($1, tty_device_t, chr_file, "pty47")
dev_filetrans($1, tty_device_t, chr_file, "pty48")
dev_filetrans($1, tty_device_t, chr_file, "pty49")
dev_filetrans($1, tty_device_t, chr_file, "pty50")
dev_filetrans($1, tty_device_t, chr_file, "pty51")
dev_filetrans($1, tty_device_t, chr_file, "pty52")
dev_filetrans($1, tty_device_t, chr_file, "pty53")
dev_filetrans($1, tty_device_t, chr_file, "pty54")
dev_filetrans($1, tty_device_t, chr_file, "pty55")
dev_filetrans($1, tty_device_t, chr_file, "pty56")
dev_filetrans($1, tty_device_t, chr_file, "pty57")
dev_filetrans($1, tty_device_t, chr_file, "pty58")
dev_filetrans($1, tty_device_t, chr_file, "pty59")
dev_filetrans($1, tty_device_t, chr_file, "pty60")
dev_filetrans($1, tty_device_t, chr_file, "pty61")
dev_filetrans($1, tty_device_t, chr_file, "pty62")
dev_filetrans($1, tty_device_t, chr_file, "pty63")
dev_filetrans($1, tty_device_t, chr_file, "pty64")
dev_filetrans($1, tty_device_t, chr_file, "pty65")
dev_filetrans($1, tty_device_t, chr_file, "pty66")
dev_filetrans($1, tty_device_t, chr_file, "pty67")
dev_filetrans($1, tty_device_t, chr_file, "pty68")
dev_filetrans($1, tty_device_t, chr_file, "pty69")
dev_filetrans($1, tty_device_t, chr_file, "pty70")
dev_filetrans($1, tty_device_t, chr_file, "pty71")
dev_filetrans($1, tty_device_t, chr_file, "pty72")
dev_filetrans($1, tty_device_t, chr_file, "pty73")
dev_filetrans($1, tty_device_t, chr_file, "pty74")
dev_filetrans($1, tty_device_t, chr_file, "pty75")
dev_filetrans($1, tty_device_t, chr_file, "pty76")
dev_filetrans($1, tty_device_t, chr_file, "pty77")
dev_filetrans($1, tty_device_t, chr_file, "pty78")
dev_filetrans($1, tty_device_t, chr_file, "pty79")
dev_filetrans($1, tty_device_t, chr_file, "pty80")
dev_filetrans($1, tty_device_t, chr_file, "pty81")
dev_filetrans($1, tty_device_t, chr_file, "pty82")
dev_filetrans($1, tty_device_t, chr_file, "pty83")
dev_filetrans($1, tty_device_t, chr_file, "pty84")
dev_filetrans($1, tty_device_t, chr_file, "pty85")
dev_filetrans($1, tty_device_t, chr_file, "pty86")
dev_filetrans($1, tty_device_t, chr_file, "pty87")
dev_filetrans($1, tty_device_t, chr_file, "pty88")
dev_filetrans($1, tty_device_t, chr_file, "pty89")
dev_filetrans($1, tty_device_t, chr_file, "pty90")
dev_filetrans($1, tty_device_t, chr_file, "pty91")
dev_filetrans($1, tty_device_t, chr_file, "pty92")
dev_filetrans($1, tty_device_t, chr_file, "pty93")
dev_filetrans($1, tty_device_t, chr_file, "pty94")
dev_filetrans($1, tty_device_t, chr_file, "pty95")
dev_filetrans($1, tty_device_t, chr_file, "pty96")
dev_filetrans($1, tty_device_t, chr_file, "pty97")
dev_filetrans($1, tty_device_t, chr_file, "pty98")
dev_filetrans($1, tty_device_t, chr_file, "pty99")
dev_filetrans($1, tty_device_t, chr_file, "adb0")
dev_filetrans($1, tty_device_t, chr_file, "adb1")
dev_filetrans($1, tty_device_t, chr_file, "adb2")
dev_filetrans($1, tty_device_t, chr_file, "adb3")
dev_filetrans($1, tty_device_t, chr_file, "adb4")
dev_filetrans($1, tty_device_t, chr_file, "adb5")
dev_filetrans($1, tty_device_t, chr_file, "adb6")
dev_filetrans($1, tty_device_t, chr_file, "adb7")
dev_filetrans($1, tty_device_t, chr_file, "adb8")
dev_filetrans($1, tty_device_t, chr_file, "adb9")
dev_filetrans($1, tty_device_t, chr_file, "capi0")
dev_filetrans($1, tty_device_t, chr_file, "capi1")
dev_filetrans($1, tty_device_t, chr_file, "capi2")
dev_filetrans($1, tty_device_t, chr_file, "capi3")
dev_filetrans($1, tty_device_t, chr_file, "capi4")
dev_filetrans($1, tty_device_t, chr_file, "capi5")
dev_filetrans($1, tty_device_t, chr_file, "capi6")
dev_filetrans($1, tty_device_t, chr_file, "capi7")
dev_filetrans($1, tty_device_t, chr_file, "capi8")
dev_filetrans($1, tty_device_t, chr_file, "capi9")
dev_filetrans($1, console_device_t, chr_file, "console")
dev_filetrans($1, tty_device_t, chr_file, "cu0")
dev_filetrans($1, tty_device_t, chr_file, "cu1")
dev_filetrans($1, tty_device_t, chr_file, "cu2")
dev_filetrans($1, tty_device_t, chr_file, "cu3")
dev_filetrans($1, tty_device_t, chr_file, "cu4")
dev_filetrans($1, tty_device_t, chr_file, "cu5")
dev_filetrans($1, tty_device_t, chr_file, "cu6")
dev_filetrans($1, tty_device_t, chr_file, "cu7")
dev_filetrans($1, tty_device_t, chr_file, "cu8")
dev_filetrans($1, tty_device_t, chr_file, "cu9")
dev_filetrans($1, tty_device_t, chr_file, "dcbri0")
dev_filetrans($1, tty_device_t, chr_file, "dcbri1")
dev_filetrans($1, tty_device_t, chr_file, "dcbri2")
dev_filetrans($1, tty_device_t, chr_file, "dcbri3")
dev_filetrans($1, tty_device_t, chr_file, "dcbri4")
dev_filetrans($1, tty_device_t, chr_file, "dcbri5")
dev_filetrans($1, tty_device_t, chr_file, "dcbri6")
dev_filetrans($1, tty_device_t, chr_file, "dcbri7")
dev_filetrans($1, tty_device_t, chr_file, "dcbri8")
dev_filetrans($1, tty_device_t, chr_file, "dcbri9")
dev_filetrans($1, tty_device_t, chr_file, "vcsa")
dev_filetrans($1, tty_device_t, chr_file, "vcsb")
dev_filetrans($1, tty_device_t, chr_file, "vcsc")
dev_filetrans($1, tty_device_t, chr_file, "vcsd")
dev_filetrans($1, tty_device_t, chr_file, "vcse")
dev_filetrans($1, tty_device_t, chr_file, "hvc0")
dev_filetrans($1, tty_device_t, chr_file, "hvc1")
dev_filetrans($1, tty_device_t, chr_file, "hvc2")
dev_filetrans($1, tty_device_t, chr_file, "hvc3")
dev_filetrans($1, tty_device_t, chr_file, "hvc4")
dev_filetrans($1, tty_device_t, chr_file, "hvc5")
dev_filetrans($1, tty_device_t, chr_file, "hvc6")
dev_filetrans($1, tty_device_t, chr_file, "hvc7")
dev_filetrans($1, tty_device_t, chr_file, "hvc8")
dev_filetrans($1, tty_device_t, chr_file, "hvc9")
dev_filetrans($1, tty_device_t, chr_file, "hvsi0")
dev_filetrans($1, tty_device_t, chr_file, "hvsi1")
dev_filetrans($1, tty_device_t, chr_file, "hvsi2")
dev_filetrans($1, tty_device_t, chr_file, "hvsi3")
dev_filetrans($1, tty_device_t, chr_file, "hvsi4")
dev_filetrans($1, tty_device_t, chr_file, "hvsi5")
dev_filetrans($1, tty_device_t, chr_file, "hvsi6")
dev_filetrans($1, tty_device_t, chr_file, "hvsi7")
dev_filetrans($1, tty_device_t, chr_file, "hvsi8")
dev_filetrans($1, tty_device_t, chr_file, "hvsi9")
dev_filetrans($1, tty_device_t, chr_file, "ircomm0")
dev_filetrans($1, tty_device_t, chr_file, "ircomm1")
dev_filetrans($1, tty_device_t, chr_file, "ircomm2")
dev_filetrans($1, tty_device_t, chr_file, "ircomm3")
dev_filetrans($1, tty_device_t, chr_file, "ircomm4")
dev_filetrans($1, tty_device_t, chr_file, "ircomm5")
dev_filetrans($1, tty_device_t, chr_file, "ircomm6")
dev_filetrans($1, tty_device_t, chr_file, "ircomm7")
dev_filetrans($1, tty_device_t, chr_file, "ircomm8")
dev_filetrans($1, tty_device_t, chr_file, "ircomm9")
dev_filetrans($1, tty_device_t, chr_file, "isdn0")
dev_filetrans($1, tty_device_t, chr_file, "isdn1")
dev_filetrans($1, tty_device_t, chr_file, "isdn2")
dev_filetrans($1, tty_device_t, chr_file, "isdn3")
dev_filetrans($1, tty_device_t, chr_file, "isdn4")
dev_filetrans($1, tty_device_t, chr_file, "isdn5")
dev_filetrans($1, tty_device_t, chr_file, "isdn6")
dev_filetrans($1, tty_device_t, chr_file, "isdn7")
dev_filetrans($1, tty_device_t, chr_file, "isdn8")
dev_filetrans($1, tty_device_t, chr_file, "isdn9")
# ptmx is labeled both when created inside a devpts_t directory and when
# created directly under /dev.
filetrans_pattern($1, devpts_t, ptmx_t, chr_file, "ptmx")
dev_filetrans($1, ptmx_t, chr_file, "ptmx")
dev_filetrans($1, tty_device_t, chr_file, "rfcomm0")
dev_filetrans($1, tty_device_t, chr_file, "rfcomm1")
dev_filetrans($1, tty_device_t, chr_file, "rfcomm2")
dev_filetrans($1, tty_device_t, chr_file, "rfcomm3")
dev_filetrans($1, tty_device_t, chr_file, "rfcomm4")
dev_filetrans($1, tty_device_t, chr_file, "rfcomm5")
dev_filetrans($1, tty_device_t, chr_file, "rfcomm6")
dev_filetrans($1, tty_device_t, chr_file, "rfcomm7")
dev_filetrans($1, tty_device_t, chr_file, "rfcomm8")
dev_filetrans($1, tty_device_t, chr_file, "rfcomm9")
dev_filetrans($1, tty_device_t, chr_file, "slamr0")
dev_filetrans($1, tty_device_t, chr_file, "slamr1")
dev_filetrans($1, tty_device_t, chr_file, "slamr2")
dev_filetrans($1, tty_device_t, chr_file, "slamr3")
dev_filetrans($1, tty_device_t, chr_file, "slamr4")
dev_filetrans($1, tty_device_t, chr_file, "slamr5")
dev_filetrans($1, tty_device_t, chr_file, "slamr6")
dev_filetrans($1, tty_device_t, chr_file, "slamr7")
dev_filetrans($1, tty_device_t, chr_file, "slamr8")
dev_filetrans($1, tty_device_t, chr_file, "slamr9")
dev_filetrans($1, tty_device_t, chr_file, "ttyACM0")
dev_filetrans($1, tty_device_t, chr_file, "ttyACM1")
dev_filetrans($1, tty_device_t, chr_file, "ttyACM2")
dev_filetrans($1, tty_device_t, chr_file, "ttyACM3")
dev_filetrans($1, tty_device_t, chr_file, "ttyACM4")
dev_filetrans($1, tty_device_t, chr_file, "ttyACM5")
dev_filetrans($1, tty_device_t, chr_file, "ttyACM6")
dev_filetrans($1, tty_device_t, chr_file, "ttyACM7")
dev_filetrans($1, tty_device_t, chr_file, "ttyACM8")
dev_filetrans($1, tty_device_t, chr_file, "ttyACM9")
dev_filetrans($1, tty_device_t, chr_file, "ttyS0")
dev_filetrans($1, tty_device_t, chr_file, "ttyS1")
dev_filetrans($1, tty_device_t, chr_file, "ttyS2")
dev_filetrans($1, tty_device_t, chr_file, "ttyS3")
dev_filetrans($1, tty_device_t, chr_file, "ttyS4")
dev_filetrans($1, tty_device_t, chr_file, "ttyS5")
dev_filetrans($1, tty_device_t, chr_file, "ttyS6")
dev_filetrans($1, tty_device_t, chr_file, "ttyS7")
dev_filetrans($1, tty_device_t, chr_file, "ttyS8")
dev_filetrans($1, tty_device_t, chr_file, "ttyS9")
dev_filetrans($1, tty_device_t, chr_file, "ttySG0")
dev_filetrans($1, tty_device_t, chr_file, "ttySG1")
dev_filetrans($1, tty_device_t, chr_file, "ttySG2")
dev_filetrans($1, tty_device_t, chr_file, "ttySG3")
dev_filetrans($1, tty_device_t, chr_file, "ttySG4")
dev_filetrans($1, tty_device_t, chr_file, "ttySG5")
dev_filetrans($1, tty_device_t, chr_file, "ttySG6")
dev_filetrans($1, tty_device_t, chr_file, "ttySG7")
dev_filetrans($1, tty_device_t, chr_file, "ttySG8")
dev_filetrans($1, tty_device_t, chr_file, "ttySG9")
# USB serial adapters get their own type so hot-plugged serial links are
# not confused with the fixed console ttys above.
dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB0")
dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB1")
dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB2")
dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB3")
dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB4")
dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB5")
dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB6")
dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB7")
dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB8")
dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB9")
dev_filetrans($1, virtio_device_t, chr_file, "vport0p0")
dev_filetrans($1, virtio_device_t, chr_file, "vport0p1")
dev_filetrans($1, virtio_device_t, chr_file, "vport0p2")
dev_filetrans($1, virtio_device_t, chr_file, "vport0p3")
dev_filetrans($1, virtio_device_t, chr_file, "vport0p4")
dev_filetrans($1, virtio_device_t, chr_file, "vport0p5")
dev_filetrans($1, virtio_device_t, chr_file, "vport0p6")
dev_filetrans($1, virtio_device_t, chr_file, "vport0p7")
dev_filetrans($1, virtio_device_t, chr_file, "vport0p8")
dev_filetrans($1, virtio_device_t, chr_file, "vport0p9")
# The only directory transition in this interface: the devpts mount point.
dev_filetrans($1, devpts_t, dir, "pts")
dev_filetrans($1, tty_device_t, chr_file, "xvc0")
dev_filetrans($1, tty_device_t, chr_file, "xvc1")
dev_filetrans($1, tty_device_t, chr_file, "xvc2")
dev_filetrans($1, tty_device_t, chr_file, "xvc3")
dev_filetrans($1, tty_device_t, chr_file, "xvc4")
dev_filetrans($1, tty_device_t, chr_file, "xvc5")
dev_filetrans($1, tty_device_t, chr_file, "xvc6")
dev_filetrans($1, tty_device_t, chr_file, "xvc7")
dev_filetrans($1, tty_device_t, chr_file, "xvc8")
dev_filetrans($1, tty_device_t, chr_file, "xvc9")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `term_filetrans_all_named_dev'($*)) dnl
')

## User-based access control policy
##
## Contains attributes used in UBAC policy.
##
########################################
##
## Constrain by user-based access control (UBAC).
##
##
##

##	Constrain the specified type by user-based
##	access control (UBAC). Typically, these are
##	user processes or user files that need to be
##	differentiated by SELinux user. Normally this
##	does not include administrative or privileged
##	programs. For the UBAC rules to be enforced,
##	both the subject (source) type and the object
##	(target) types must be UBAC constrained.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be constrained by UBAC.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`ubac_constrained',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ubac_constrained'($*))dnl
	gen_require(`
		attribute ubac_constrained_type;
	')

	# As described above, the UBAC constraint only fires when both the
	# subject and the object type carry this attribute; a type left off
	# either side is not subject to the user-based check.
	typeattribute $1 ubac_constrained_type;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ubac_constrained'($*))dnl
')

########################################
## <summary>
##	Exempt user-based access control for files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to be exempted.
##	</summary>
## </param>
#
define(`ubac_file_exempt',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ubac_file_exempt'($*))dnl
	gen_require(`
		attribute ubacfile;
	')

	# Each ubac*_exempt interface below only attaches the per-class
	# exemption attribute; the constraint that consults it lives
	# elsewhere in the policy.
	typeattribute $1 ubacfile;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ubac_file_exempt'($*))dnl
')

########################################
## <summary>
##	Exempt user-based access control for processes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to be exempted.
##	</summary>
## </param>
#
define(`ubac_process_exempt',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ubac_process_exempt'($*))dnl
	gen_require(`
		attribute ubacproc;
	')

	typeattribute $1 ubacproc;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ubac_process_exempt'($*))dnl
')

########################################
## <summary>
##	Exempt user-based access control for file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to be exempted.
##	</summary>
## </param>
#
define(`ubac_fd_exempt',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ubac_fd_exempt'($*))dnl
	gen_require(`
		attribute ubacfd;
	')

	typeattribute $1 ubacfd;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ubac_fd_exempt'($*))dnl
')

########################################
## <summary>
##	Exempt user-based access control for sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to be exempted.
##	</summary>
## </param>
#
define(`ubac_socket_exempt',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ubac_socket_exempt'($*))dnl
	gen_require(`
		attribute ubacsock;
	')

	typeattribute $1 ubacsock;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ubac_socket_exempt'($*))dnl
')

########################################
## <summary>
##	Exempt user-based access control for SysV IPC.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to be exempted.
##	</summary>
## </param>
#
define(`ubac_sysvipc_exempt',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ubac_sysvipc_exempt'($*))dnl
	gen_require(`
		attribute ubacipc;
	')

	typeattribute $1 ubacipc;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ubac_sysvipc_exempt'($*))dnl
')

########################################
## <summary>
##	Exempt user-based access control for X Windows.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to be exempted.
##	</summary>
## </param>
#
define(`ubac_xwin_exempt',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ubac_xwin_exempt'($*))dnl
	gen_require(`
		attribute ubacxwin;
	')

	typeattribute $1 ubacxwin;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ubac_xwin_exempt'($*))dnl
')

########################################
## <summary>
##	Exempt user-based access control for dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to be exempted.
##	</summary>
## </param>
#
define(`ubac_dbus_exempt',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ubac_dbus_exempt'($*))dnl
	gen_require(`
		attribute ubacdbus;
	')

	typeattribute $1 ubacdbus;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ubac_dbus_exempt'($*))dnl
')

########################################
## <summary>
##	Exempt user-based access control for keys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to be exempted.
##	</summary>
## </param>
#
define(`ubac_key_exempt',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ubac_key_exempt'($*))dnl
	gen_require(`
		attribute ubackey;
	')

	typeattribute $1 ubackey;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ubac_key_exempt'($*))dnl
')

########################################
## <summary>
##	Exempt user-based access control for databases.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to be exempted.
##	</summary>
## </param>
#
define(`ubac_db_exempt',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `ubac_db_exempt'($*))dnl
	gen_require(`
		attribute ubacdb;
	')

	typeattribute $1 ubacdb;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `ubac_db_exempt'($*))dnl
')

## <summary>Policy for allowing confined domains to use unlabeled_t packets</summary>

## <summary>Audit administrator role</summary>

########################################
## <summary>
##	Change to the audit administrator role.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`auditadm_role_change',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `auditadm_role_change'($*))dnl
	gen_require(`
		role auditadm_r;
	')

	# Role allow: the caller role may switch into auditadm_r, so this is a
	# privilege boundary and should only be granted to login/admin roles.
	allow $1 auditadm_r;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `auditadm_role_change'($*))dnl
')

########################################
## <summary>
##	Change from the audit administrator role.
## </summary>
## <desc>
##	<p>

##	Change from the audit administrator role to
##	the specified role.
##	</p>
##	<p>
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`auditadm_role_change_to',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `auditadm_role_change_to'($*))dnl
	gen_require(`
		role auditadm_r;
	')

	# Direction is reversed relative to auditadm_role_change: auditadm_r
	# is the source role here and the caller role is the destination.
	allow auditadm_r $1;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `auditadm_role_change_to'($*))dnl
')

## <summary>Log administrator role</summary>

########################################
## <summary>
##	Change to the log administrator role.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`logadm_role_change',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `logadm_role_change'($*))dnl
	gen_require(`
		role logadm_r;
	')

	allow $1 logadm_r;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `logadm_role_change'($*))dnl
')

########################################
## <summary>
##	Change from the log administrator role.
## </summary>
## <desc>
##	<p>

##	Change from the log administrator role to
##	the specified role.
##	</p>
##	<p>
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`logadm_role_change_to',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `logadm_role_change_to'($*))dnl
	gen_require(`
		role logadm_r;
	')

	allow logadm_r $1;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `logadm_role_change_to'($*))dnl
')

## <summary>Security administrator role</summary>

########################################
## <summary>
##	Change to the security administrator role.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`secadm_role_change',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `secadm_role_change'($*))dnl
	gen_require(`
		role secadm_r;
	')

	# secadm_r is the role that manages the security policy itself;
	# granting this role transition is equivalent to granting policy
	# administration to the caller role.
	allow $1 secadm_r;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `secadm_role_change'($*))dnl
')

########################################
## <summary>
##	Change from the security administrator role.
## </summary>
## <desc>
##	<p>

##	Change from the security administrator role to
##	the specified role.
##	</p>
##	<p>
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# NOTE(review): the name ends in _template although this is the same
# single-rule shape as auditadm_role_change_to / logadm_role_change_to;
# the name is kept because callers reference it.
define(`secadm_role_change_to_template',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `secadm_role_change_to_template'($*))dnl
	gen_require(`
		role secadm_r;
	')

	allow secadm_r $1;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `secadm_role_change_to_template'($*))dnl
')

## <summary>Administrator's unprivileged user</summary>

#####################################
## <summary>
##	staff stub userdomain interface. No access allowed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
define(`staff_stub',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `staff_stub'($*))dnl
	gen_require(`
		type staff_t;
	')

	# Intentionally empty: the only effect is the require of staff_t.
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `staff_stub'($*))dnl
')

########################################
## <summary>
##	Change to the staff role.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`staff_role_change',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `staff_role_change'($*))dnl
	gen_require(`
		role staff_r;
	')

	allow $1 staff_r;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `staff_role_change'($*))dnl
')

########################################
## <summary>
##	Change from the staff role.
## </summary>
## <desc>
##	<p>

##	Change from the staff role to
##	the specified role.
##	</p>
##	<p>
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`staff_role_change_to',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `staff_role_change_to'($*))dnl
	gen_require(`
		role staff_r;
	')

	allow staff_r $1;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `staff_role_change_to'($*))dnl
')

## <summary>General system administration role</summary>

########################################
## <summary>
##	Change to the system administrator role.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`sysadm_role_change',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `sysadm_role_change'($*))dnl
	gen_require(`
		role sysadm_r;
	')

	# Grants the caller role a path into sysadm_r; audit which roles
	# receive this, it is the usual administrative escalation point.
	allow $1 sysadm_r;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `sysadm_role_change'($*))dnl
')

########################################
## <summary>
##	Change from the system administrator role.
## </summary>
## <desc>
##	<p>

##	Change from the system administrator role to
##	the specified role.
##	</p>
##	<p>
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`sysadm_role_change_to',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `sysadm_role_change_to'($*))dnl
	gen_require(`
		role sysadm_r;
	')

	allow sysadm_r $1;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `sysadm_role_change_to'($*))dnl
')

########################################
## <summary>
##	Execute a shell in the sysadm domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sysadm_shell_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `sysadm_shell_domtrans'($*))dnl
	gen_require(`
		type sysadm_t;
	')

	corecmd_shell_domtrans($1, sysadm_t)
	# Back-channel from the new sysadm_t process to the caller:
	# inherited fds, pipes and SIGCHLD on exit.
	# NOTE(review): fifo_file gets rw_file_perms here while sysadm_rw_pipes
	# uses rw_fifo_file_perms; both are valid sets but they differ, so
	# the broader one is kept for compatibility.
	allow sysadm_t $1:fd use;
	allow sysadm_t $1:fifo_file rw_file_perms;
	allow sysadm_t $1:process sigchld;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `sysadm_shell_domtrans'($*))dnl
')

#######################################
## <summary>
##	sysadm stub interface. No access allowed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
define(`sysadm_stub',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `sysadm_stub'($*))dnl
	gen_require(`
		type sysadm_t;
		role sysadm_r;
	')

	# Intentionally empty: only the require of sysadm_t / sysadm_r.
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `sysadm_stub'($*))dnl
')

########################################
## <summary>
##	Execute a generic bin program in the sysadm domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sysadm_bin_spec_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `sysadm_bin_spec_domtrans'($*))dnl
	gen_require(`
		type sysadm_t;
	')

	corecmd_bin_spec_domtrans($1, sysadm_t)
	allow sysadm_t $1:fd use;
	allow sysadm_t $1:fifo_file rw_file_perms;
	allow sysadm_t $1:process sigchld;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `sysadm_bin_spec_domtrans'($*))dnl
')

########################################
## <summary>
##	Execute all entrypoint files in the sysadm domain. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sysadm_entry_spec_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `sysadm_entry_spec_domtrans'($*))dnl
	gen_require(`
		type sysadm_t;
	')

	# "spec" transition: no automatic type_transition, the caller must
	# request sysadm_t explicitly via setexeccon().
	domain_entry_file_spec_domtrans($1, sysadm_t)
	allow sysadm_t $1:fd use;
	allow sysadm_t $1:fifo_file rw_file_perms;
	allow sysadm_t $1:process sigchld;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `sysadm_entry_spec_domtrans'($*))dnl
')

########################################
## <summary>
##	Allow sysadm to execute all entrypoint files in
##	a specified domain. This is an explicit transition,
##	requiring the caller to use setexeccon().
## </summary>
## <desc>
##	<p>

##	Allow sysadm to execute all entrypoint files in
##	a specified domain. This is an explicit transition,
##	requiring the caller to use setexeccon().
##	</p>
##	<p>
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sysadm_entry_spec_domtrans_to',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `sysadm_entry_spec_domtrans_to'($*))dnl
	gen_require(`
		type sysadm_t;
	')

	# Mirror image of sysadm_entry_spec_domtrans: sysadm_t is the source
	# and $1 is the target domain, so the fd/fifo/sigchld back-channel
	# runs from $1 to sysadm_t.
	domain_entry_file_spec_domtrans(sysadm_t, $1)
	allow $1 sysadm_t:fd use;
	allow $1 sysadm_t:fifo_file rw_file_perms;
	allow $1 sysadm_t:process sigchld;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `sysadm_entry_spec_domtrans_to'($*))dnl
')

########################################
## <summary>
##	Allow sysadm to execute a generic bin program in
##	a specified domain. This is an explicit transition,
##	requiring the caller to use setexeccon().
## </summary>
## <desc>
##	<p>

##	Allow sysadm to execute a generic bin program in
##	a specified domain.
##	</p>
##	<p>
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to execute in.
##	</summary>
## </param>
#
define(`sysadm_bin_spec_domtrans_to',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `sysadm_bin_spec_domtrans_to'($*))dnl
	gen_require(`
		type sysadm_t;
	')

	corecmd_bin_spec_domtrans(sysadm_t, $1)
	allow $1 sysadm_t:fd use;
	allow $1 sysadm_t:fifo_file rw_file_perms;
	allow $1 sysadm_t:process sigchld;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `sysadm_bin_spec_domtrans_to'($*))dnl
')

########################################
## <summary>
##	Send a SIGCHLD signal to sysadm users.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sysadm_sigchld',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `sysadm_sigchld'($*))dnl
	gen_require(`
		type sysadm_t;
	')

	allow $1 sysadm_t:process sigchld;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `sysadm_sigchld'($*))dnl
')

########################################
## <summary>
##	Inherit and use sysadm file descriptors
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sysadm_use_fds',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `sysadm_use_fds'($*))dnl
	gen_require(`
		type sysadm_t;
	')

	allow $1 sysadm_t:fd use;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `sysadm_use_fds'($*))dnl
')

########################################
## <summary>
##	Read and write sysadm user unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sysadm_rw_pipes',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `sysadm_rw_pipes'($*))dnl
	gen_require(`
		type sysadm_t;
	')

	allow $1 sysadm_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `sysadm_rw_pipes'($*))dnl
')

## No Interfaces

## <summary>Unconfined user role</summary>

########################################
## <summary>
##	Change from the unconfineduser role.
## </summary>
## <desc>
##	<p>

##	Change from the unconfineduser role to
##	the specified role.
##	</p>
##	<p>
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`unconfined_role_change_to',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `unconfined_role_change_to'($*))dnl
	gen_require(`
		role unconfined_r;
	')

	allow unconfined_r $1;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `unconfined_role_change_to'($*))dnl
')

########################################
## <summary>
##	Transition to the unconfined domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`unconfined_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `unconfined_domtrans'($*))dnl
	gen_require(`
		type unconfined_t, unconfined_exec_t;
	')

	# Any domain given this interface can reach unconfined_t by executing
	# an unconfined_exec_t file; treat every caller as fully privileged
	# when reviewing who is allowed to call it.
	domtrans_pattern($1,unconfined_exec_t,unconfined_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `unconfined_domtrans'($*))dnl
')

########################################
## <summary>
##	Execute specified programs in the unconfined domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the unconfined domain.
##	</summary>
## </param>
#
define(`unconfined_run',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `unconfined_run'($*))dnl
	gen_require(`
		type unconfined_t;
	')

	unconfined_domtrans($1)
	# Also authorizes role $2 for unconfined_t, which the transition
	# above needs in order to succeed.
	role $2 types unconfined_t;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `unconfined_run'($*))dnl
')

########################################
## <summary>
##	Transition to the unconfined domain by executing a shell.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`unconfined_shell_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `unconfined_shell_domtrans'($*))dnl
	gen_require(`
		attribute unconfined_login_domain;
	')

	# NOTE(review): despite the name this emits no transition rule here;
	# it only adds $1 to unconfined_login_domain, and the actual shell
	# transition is presumably written against that attribute elsewhere.
	typeattribute $1 unconfined_login_domain;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `unconfined_shell_domtrans'($*))dnl
')

########################################
## <summary>
##	Execute an Xserver session in unconfined domain. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`unconfined_xsession_spec_domtrans',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `unconfined_xsession_spec_domtrans'($*))dnl
	gen_require(`
		type unconfined_t;
	')

	xserver_xsession_spec_domtrans($1, unconfined_t)
	allow unconfined_t $1:fd use;
	allow unconfined_t $1:fifo_file rw_file_perms;
	allow unconfined_t $1:process sigchld;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `unconfined_xsession_spec_domtrans'($*))dnl
')

########################################
## <summary>
##	Allow unconfined to execute the specified program in
##	the specified domain.
## </summary>
## <desc>
##	<p>

##	Allow unconfined to execute the specified program in
##	the specified domain.
##	</p>
##	<p>
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to execute in.
##	</summary>
## </param>
## <param name="entrypoint">
##	<summary>
##	Domain entry point file.
##	</summary>
## </param>
#
define(`unconfined_domtrans_to',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `unconfined_domtrans_to'($*))dnl
	gen_require(`
		type unconfined_t;
	')

	# Argument order of domtrans_pattern is (source, entrypoint, target):
	# unconfined_t executes $2 and lands in $1.
	domtrans_pattern(unconfined_t,$2,$1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `unconfined_domtrans_to'($*))dnl
')

########################################
## <summary>
##	Allow unconfined to execute the specified program in
##	the specified domain. Allow the specified domain the
##	unconfined role and use of unconfined user terminals.
## </summary>
## <desc>
##	<p>

##	Allow unconfined to execute the specified program in
##	the specified domain. Allow the specified domain the
##	unconfined role and use of unconfined user terminals.
##	</p>
##	<p>
##	This is an interface to support third party modules
##	and its use is not allowed in upstream reference
##	policy.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to execute in.
##	</summary>
## </param>
## <param name="entrypoint">
##	<summary>
##	Domain entry point file.
##	</summary>
## </param>
#
define(`unconfined_run_to',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `unconfined_run_to'($*))dnl
	gen_require(`
		type unconfined_t;
		role unconfined_r;
	')

	domtrans_pattern(unconfined_t,$2,$1)
	role unconfined_r types $1;
	userdom_use_user_terminals($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `unconfined_run_to'($*))dnl
')

######################################
## <summary>
##	Stub unconfined role.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`unconfined_stub_role',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `unconfined_stub_role'($*))dnl
	gen_require(`
		role unconfined_r;
	')

	# Intentionally empty: only the require of unconfined_r.
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `unconfined_stub_role'($*))dnl
')

########################################
## <summary>
##	Inherit file descriptors from the unconfined domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`unconfined_use_fds',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `unconfined_use_fds'($*))dnl
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:fd use;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `unconfined_use_fds'($*))dnl
')

########################################
## <summary>
##	Send a SIGCHLD signal to the unconfined domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`unconfined_sigchld',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `unconfined_sigchld'($*))dnl
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:process sigchld;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `unconfined_sigchld'($*))dnl
')

########################################
## <summary>
##	Send a SIGNULL signal to the unconfined domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`unconfined_signull',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `unconfined_signull'($*))dnl
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:process signull;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `unconfined_signull'($*))dnl
')

########################################
## <summary>
##	Send generic signals to the unconfined domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`unconfined_signal',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `unconfined_signal'($*))dnl
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:process signal;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `unconfined_signal'($*))dnl
')

########################################
## <summary>
##	Read unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`unconfined_read_pipes',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `unconfined_read_pipes'($*))dnl
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:fifo_file read_fifo_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `unconfined_read_pipes'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to read unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`unconfined_dontaudit_read_pipes',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dontaudit_read_pipes'($*))dnl
	gen_require(`
		type unconfined_t;
	')

	dontaudit $1 unconfined_t:fifo_file read;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `unconfined_dontaudit_read_pipes'($*))dnl
')

########################################
## <summary>
##	Read and write unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`unconfined_rw_pipes',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `unconfined_rw_pipes'($*))dnl
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `unconfined_rw_pipes'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	unconfined domain unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`unconfined_dontaudit_rw_pipes',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dontaudit_rw_pipes'($*))dnl
	gen_require(`
		type unconfined_t;
	')

	# NOTE(review): silences rw_file_perms rather than the
	# rw_fifo_file_perms set that unconfined_rw_pipes grants; the two
	# sets differ, so the suppressed denials do not exactly match the
	# allow counterpart.
	dontaudit $1 unconfined_t:fifo_file rw_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `unconfined_dontaudit_rw_pipes'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	unconfined domain stream.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`unconfined_dontaudit_rw_stream',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dontaudit_rw_stream'($*))dnl
	gen_require(`
		type unconfined_t;
	')

	dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `unconfined_dontaudit_rw_stream'($*))dnl
')

########################################
## <summary>
##	Connect to the unconfined domain using
##	a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`unconfined_stream_connect',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `unconfined_stream_connect'($*))dnl
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:unix_stream_socket connectto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `unconfined_stream_connect'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	unconfined domain tcp sockets.
## </summary>
## <desc>
##	<p>

##	Do not audit attempts to read or write
##	unconfined domain tcp sockets.
##	</p>
##	<p>
##	This interface was added due to a broken
##	symptom in ldconfig.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`unconfined_dontaudit_rw_tcp_sockets',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dontaudit_rw_tcp_sockets'($*))dnl
	gen_require(`
		type unconfined_t;
	')

	# dontaudit only: nothing is granted, the denials stop being logged.
	dontaudit $1 unconfined_t:tcp_socket { read write };
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `unconfined_dontaudit_rw_tcp_sockets'($*))dnl
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	unconfined domain packet sockets.
## </summary>
## <desc>
##	<p>

## Do not audit attempts to read or write ## unconfined domain packet sockets. ##

##

## This interface was added due to a broken ## symptom. ##

##
## ## ## Domain to not audit. ## ## # define(`unconfined_dontaudit_rw_packet_sockets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `unconfined_dontaudit_rw_packet_sockets'($*)) dnl gen_require(` type unconfined_t; ') dontaudit $1 unconfined_t:packet_socket { read write }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `unconfined_dontaudit_rw_packet_sockets'($*)) dnl ') ######################################## ## ## Create keys for the unconfined domain. ## ## ## ## Domain allowed access. ## ## # define(`unconfined_create_keys',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `unconfined_create_keys'($*)) dnl gen_require(` type unconfined_t; ') allow $1 unconfined_t:key create; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `unconfined_create_keys'($*)) dnl ') ######################################## ## ## Dontaudit write process information for unconfined process. ## ## ## ## Domain allowed access. ## ## # define(`unconfined_dontaudit_write_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `unconfined_dontaudit_write_state'($*)) dnl gen_require(` type unconfined_t; ') dontaudit $1 unconfined_t:file write; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `unconfined_dontaudit_write_state'($*)) dnl ') ######################################## ## ## Dontaudit read process information for unconfined process. ## ## ## ## Domain allowed access. 
## ## # define(`unconfined_dontaudit_read_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `unconfined_dontaudit_read_state'($*)) dnl gen_require(` type unconfined_t; ') dontaudit $1 unconfined_t:dir list_dir_perms; dontaudit $1 unconfined_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `unconfined_dontaudit_read_state'($*)) dnl ') ######################################## ## ## Write keys for the unconfined domain. ## ## ## ## Domain allowed access. ## ## # define(`unconfined_write_keys',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `unconfined_write_keys'($*)) dnl gen_require(` type unconfined_t; ') allow $1 unconfined_t:key write; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `unconfined_write_keys'($*)) dnl ') ######################################## ## ## Send messages to the unconfined domain over dbus. ## ## ## ## Domain allowed access. ## ## # define(`unconfined_dbus_send',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `unconfined_dbus_send'($*)) dnl gen_require(` type unconfined_t; class dbus send_msg; ') allow $1 unconfined_t:dbus send_msg; allow unconfined_t $1:dbus send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `unconfined_dbus_send'($*)) dnl ') ######################################## ## ## Create communication channel with unconfined domain over dbus. ## ## ## ## Domain allowed access. 
#
define(`unconfined_dbus_acquire_svc',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dbus_acquire_svc'($*)) dnl
	gen_require(`
		type unconfined_t;
		class dbus acquire_svc;
	')

	allow $1 unconfined_t:dbus acquire_svc;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dbus_acquire_svc'($*)) dnl
')

########################################
## Send and receive messages from
## unconfined_t over dbus.
##
## Parameters:
##   $1 - Domain allowed access.
#
define(`unconfined_dbus_chat',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dbus_chat'($*)) dnl
	gen_require(`
		type unconfined_t;
		class dbus send_msg;
	')

	# Same rule pair in both directions (caller <-> unconfined_t).
	allow $1 unconfined_t:dbus send_msg;
	allow unconfined_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dbus_chat'($*)) dnl
')

########################################
## Connect to the the unconfined DBUS
## for service (acquire_svc).
##
## Parameters:
##   $1 - Domain allowed access.
#
define(`unconfined_dbus_connect',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dbus_connect'($*)) dnl
	gen_require(`
		type unconfined_t;
		class dbus acquire_svc;
	')

	allow $1 unconfined_t:dbus acquire_svc;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dbus_connect'($*)) dnl
')

########################################
## Allow ptrace of unconfined domain
##
## Parameters:
##   $1 - Domain allowed access.
#
define(`unconfined_ptrace',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_ptrace'($*)) dnl
	gen_require(`
		type unconfined_t;
	')

	# ptrace of unconfined_t lets the caller inspect and control the
	# unconfined process; grant only to trusted debugging/admin domains.
	allow $1 unconfined_t:process ptrace;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_ptrace'($*)) dnl
')

########################################
## Read and write to unconfined shared memory.
##
## Parameters:
##   $1 - The type of the process performing this action.
#
define(`unconfined_rw_shm',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_rw_shm'($*)) dnl
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:shm rw_shm_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_rw_shm'($*)) dnl
')

########################################
## Allow apps to set rlimits on unconfined user
##
## The interface name (rlimitnh) is part of the public API and is kept
## as-is; the permission granted is rlimitinh.
##
## Parameters:
##   $1 - Domain allowed access.
#
define(`unconfined_set_rlimitnh',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_set_rlimitnh'($*)) dnl
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:process rlimitinh;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_set_rlimitnh'($*)) dnl
')

########################################
## Allow apps to setsched on unconfined user
##
## Parameters:
##   $1 - Domain allowed access.
#
define(`unconfined_setsched',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_setsched'($*)) dnl
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:process setsched;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_setsched'($*)) dnl
')

########################################
## Get the process group of unconfined.
##
## Parameters:
##   $1 - Domain allowed access.
#
define(`unconfined_getpgid',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_getpgid'($*)) dnl
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:process getpgid;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_getpgid'($*)) dnl
')

########################################
## Change to the unconfined role.
##
## Parameters:
##   $1 - Role allowed access.
#
define(`unconfined_role_change',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_role_change'($*)) dnl
	gen_require(`
		role unconfined_r;
	')

	# Role allow: the given role may change into unconfined_r.
	allow $1 unconfined_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_role_change'($*)) dnl
')

########################################
## Allow domain to attach to TUN devices created by unconfined_t users.
##
## Parameters:
##   $1 - Domain allowed access.
#
define(`unconfined_attach_tun_iface',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_attach_tun_iface'($*)) dnl
	gen_require(`
		type unconfined_t;
	')

	# Relabel the tun_socket away from unconfined_t and onto the caller.
	allow $1 unconfined_t:tun_socket relabelfrom;
	allow $1 self:tun_socket relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_attach_tun_iface'($*)) dnl
')

########################################
## Allow domain to transition to unconfined_t user
##
## Parameters:
##   $1 - Domain allowed access (the transitioning domain).
##   $2 - Entrypoint executable type used for the domain transition.
#
define(`unconfined_transition',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_transition'($*)) dnl
	gen_require(`
		type unconfined_t;
	')

	# $2 is the entrypoint file type: executing it moves $1 into unconfined_t.
	domtrans_pattern($1,$2,unconfined_t)
	allow unconfined_t $2:file entrypoint;
	allow $1 unconfined_t:process signal_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_transition'($*)) dnl
')

########################################
## unconfined_t domain typebounds calling domain.
##
## Parameters:
##   $1 - Domain to be typebound.
#
define(`unconfined_typebounds',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_typebounds'($*)) dnl
	gen_require(`
		type unconfined_t;
	')

	# Bounds the caller by unconfined_t: it can never hold more access than
	# unconfined_t does.
	typebounds unconfined_t $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_typebounds'($*)) dnl
')

########################################
## unconfined_exec_t domain typebounds file_type.
##
## Parameters:
##   $1 - File type to be typebound.
#
define(`unconfined_exec_typebounds',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_exec_typebounds'($*)) dnl
	gen_require(`
		type unconfined_exec_t;
	')

	typebounds unconfined_exec_t $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_exec_typebounds'($*)) dnl
')

########################################
## Send a message to unconfined user over a unix domain datagram socket.
##
## Parameters:
##   $1 - Domain allowed access.
#
define(`unconfined_dgram_send',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unconfined_dgram_send'($*)) dnl
	gen_require(`
		type unconfined_t;
	')

	allow $1 unconfined_t:unix_dgram_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unconfined_dgram_send'($*)) dnl
')

## Generic unprivileged user

########################################
## Change to the generic user role.
##
## Parameters:
##   $1 - Role allowed access.
#
define(`unprivuser_role_change',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unprivuser_role_change'($*)) dnl
	gen_require(`
		role user_r;
	')

	# Role allow: the given role may change into user_r.
	allow $1 user_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unprivuser_role_change'($*)) dnl
')

########################################
## Change from the generic user role.
##

## Change from the generic user role to ## the specified role. ##

##

## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. ##

##
## Parameters:
##   $1 - Role allowed access (the role user_r may change to).
#
define(`unprivuser_role_change_to',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `unprivuser_role_change_to'($*)) dnl
	gen_require(`
		role user_r;
	')

	# Direction is user_r -> $1 (the reverse of unprivuser_role_change).
	allow user_r $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `unprivuser_role_change_to'($*)) dnl
')

## PostgreSQL relational database

########################################
## Role access for SE-PostgreSQL.
##
## Parameters:
##   $1 - The role associated with the user domain.
##   $2 - The type of the user domain.
#
define(`postgresql_role',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_role'($*)) dnl
	gen_require(`
		attribute sepgsql_client_type;
		type sepgsql_trusted_proc_t;
		type sepgsql_ranged_proc_t;
	')

	# The user domain becomes a database client; the role may run the
	# trusted and ranged procedure domains.
	typeattribute $2 sepgsql_client_type;
	role $1 types sepgsql_trusted_proc_t;
	role $1 types sepgsql_ranged_proc_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_role'($*)) dnl
')

########################################
## Execute the postgresql program in the postgresql domain.
##
## Parameters:
##   $1 - Domain allowed to transition.
##   $2 - The role to allow the postgresql domain.
#
define(`postgresql_run',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_run'($*)) dnl
	gen_require(`
		type postgresql_t;
	')

	postgresql_domtrans($1)
	role $2 types postgresql_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_run'($*)) dnl
')

########################################
## Marks as a SE-PostgreSQL loadable shared library module
##
## Parameters:
##   $1 - Type marked as a loadable module type.
#
define(`postgresql_loadable_module',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_loadable_module'($*)) dnl
	gen_require(`
		attribute sepgsql_module_type;
	')

	typeattribute $1 sepgsql_module_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_loadable_module'($*)) dnl
')

########################################
## Marks as a SE-PostgreSQL database object type
##
## Parameters:
##   $1 - Type marked as a database object type.
#
define(`postgresql_database_object',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_database_object'($*)) dnl
	gen_require(`
		attribute sepgsql_database_type;
	')

	typeattribute $1 sepgsql_database_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_database_object'($*)) dnl
')

########################################
## Marks as a SE-PostgreSQL schema object type
##
## Parameters:
##   $1 - Type marked as a schema object type.
#
define(`postgresql_schema_object',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_schema_object'($*)) dnl
	gen_require(`
		attribute sepgsql_schema_type;
	')

	typeattribute $1 sepgsql_schema_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_schema_object'($*)) dnl
')

########################################
## Marks as a SE-PostgreSQL table/column/tuple object type
##
## Parameters:
##   $1 - Type marked as a table/column/tuple object type.
#
define(`postgresql_table_object',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_table_object'($*)) dnl
	gen_require(`
		attribute sepgsql_table_type;
	')

	typeattribute $1 sepgsql_table_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_table_object'($*)) dnl
')

########################################
## Marks as a SE-PostgreSQL system table/column/tuple object type
##
## Parameters:
##   $1 - Type marked as a system table/column/tuple object type.
#
define(`postgresql_system_table_object',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_system_table_object'($*)) dnl
	gen_require(`
		attribute sepgsql_table_type, sepgsql_sysobj_table_type;
	')

	# A system table is also an ordinary table: both attributes are applied.
	typeattribute $1 sepgsql_table_type;
	typeattribute $1 sepgsql_sysobj_table_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_system_table_object'($*)) dnl
')

########################################
## Marks as a SE-PostgreSQL sequence type
##
## Parameters:
##   $1 - Type marked as a sequence type.
#
define(`postgresql_sequence_object',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_sequence_object'($*)) dnl
	gen_require(`
		attribute sepgsql_sequence_type;
	')

	typeattribute $1 sepgsql_sequence_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_sequence_object'($*)) dnl
')

########################################
## Marks as a SE-PostgreSQL view object type
##
## Parameters:
##   $1 - Type marked as a view object type.
#
define(`postgresql_view_object',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_view_object'($*)) dnl
	gen_require(`
		attribute sepgsql_view_type;
	')

	typeattribute $1 sepgsql_view_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_view_object'($*)) dnl
')

########################################
## Marks as a SE-PostgreSQL procedure object type
##
## Parameters:
##   $1 - Type marked as a procedure object type.
#
define(`postgresql_procedure_object',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_procedure_object'($*)) dnl
	gen_require(`
		attribute sepgsql_procedure_type;
	')

	typeattribute $1 sepgsql_procedure_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_procedure_object'($*)) dnl
')

########################################
## Marks as a SE-PostgreSQL trusted procedure object type
##
## Parameters:
##   $1 - Type marked as a trusted procedure object type.
#
define(`postgresql_trusted_procedure_object',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_trusted_procedure_object'($*)) dnl
	gen_require(`
		attribute sepgsql_procedure_type;
		attribute sepgsql_trusted_procedure_type;
	')

	# A trusted procedure is also a plain procedure: both attributes apply.
	typeattribute $1 sepgsql_procedure_type;
	typeattribute $1 sepgsql_trusted_procedure_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_trusted_procedure_object'($*)) dnl
')

########################################
## Marks as a SE-PostgreSQL procedural language object type
##
## Parameters:
##   $1 - Type marked as a procedural language object type.
#
define(`postgresql_language_object',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_language_object'($*)) dnl
	gen_require(`
		attribute sepgsql_language_type;
	')

	typeattribute $1 sepgsql_language_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_language_object'($*)) dnl
')

########################################
## Marks as a SE-PostgreSQL binary large object type
##
## Parameters:
##   $1 - Type marked as a database binary large object type.
#
define(`postgresql_blob_object',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_blob_object'($*)) dnl
	gen_require(`
		attribute sepgsql_blob_type;
	')

	typeattribute $1 sepgsql_blob_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_blob_object'($*)) dnl
')

########################################
## Allow the specified domain to search postgresql's database directory.
##
## Parameters:
##   $1 - Domain allowed access.
#
define(`postgresql_search_db',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_search_db'($*)) dnl
	gen_require(`
		type postgresql_db_t;
	')

	# Search only: no read of directory contents or files.
	allow $1 postgresql_db_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_search_db'($*)) dnl
')

########################################
## Allow the specified domain to manage postgresql's database.
##
## Parameters:
##   $1 - Domain allowed access.
#
define(`postgresql_manage_db',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_manage_db'($*)) dnl
	gen_require(`
		type postgresql_db_t;
	')

	# Full create/delete/read/write on the database tree under /var/lib.
	files_search_var_lib($1)
	manage_dirs_pattern($1, postgresql_db_t, postgresql_db_t)
	manage_files_pattern($1, postgresql_db_t, postgresql_db_t)
	manage_lnk_files_pattern($1, postgresql_db_t, postgresql_db_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_manage_db'($*)) dnl
')

########################################
## Execute postgresql in the postgresql domain.
##
## Parameters:
##   $1 - Domain allowed to transition.
#
define(`postgresql_domtrans',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_domtrans'($*)) dnl
	gen_require(`
		type postgresql_t, postgresql_exec_t;
	')

	domtrans_pattern($1, postgresql_exec_t, postgresql_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_domtrans'($*)) dnl
')

########################################
## Execute Postgresql in the caller domain.
##
## Parameters:
##   $1 - Domain allowed access.
#
define(`postgresql_exec',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_exec'($*)) dnl
	gen_require(`
		type postgresql_exec_t;
	')

	# No domain transition: the binary runs with the caller's own type.
	can_exec($1, postgresql_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_exec'($*)) dnl
')

########################################
## Allow domain to signal postgresql
##
## Parameters:
##   $1 - Domain allowed access.
#
define(`postgresql_signal',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_signal'($*)) dnl
	gen_require(`
		type postgresql_t;
	')

	allow $1 postgresql_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_signal'($*)) dnl
')

########################################
## Allow domain to signull postgresql
##
## Parameters:
##   $1 - Domain allowed access.
#
define(`postgresql_signull',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_signull'($*)) dnl
	gen_require(`
		type postgresql_t;
	')

	# signull (signal 0) only checks for process existence.
	allow $1 postgresql_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_signull'($*)) dnl
')

########################################
## Allow the specified domain to read postgresql's etc.
##
## Parameters:
##   $1 - Domain allowed access.
#
define(`postgresql_read_config',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_read_config'($*)) dnl
	gen_require(`
		type postgresql_etc_t;
	')

	files_search_etc($1)
	allow $1 postgresql_etc_t:dir list_dir_perms;
	allow $1 postgresql_etc_t:file read_file_perms;
	allow $1 postgresql_etc_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_read_config'($*)) dnl
')

########################################
## Allow the specified domain to connect to postgresql with a tcp socket.
##
## Parameters:
##   $1 - Domain allowed access.
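#
define(`postgresql_tcp_connect',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_tcp_connect'($*)) dnl
	gen_require(`
		type postgresql_t;
	')

	# Client side only: connect to and exchange packets on the postgresql port.
	corenet_tcp_recvfrom_labeled($1, postgresql_t)
	corenet_tcp_sendrecv_postgresql_port($1)
	corenet_tcp_connect_postgresql_port($1)
	corenet_sendrecv_postgresql_client_packets($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_tcp_connect'($*)) dnl
')

########################################
## Allow the specified domain to connect to postgresql with a unix socket.
##
## Parameters:
##   $1 - Domain allowed access.
#
define(`postgresql_stream_connect',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_stream_connect'($*)) dnl
	gen_require(`
		type postgresql_t, postgresql_var_run_t, postgresql_tmp_t;
	')

	# The socket may live in the pid directory or in tmp, so both locations
	# are searchable and both socket types are accepted.
	# (The stream_connect_pattern call was previously duplicated; once is enough.)
	files_search_pids($1)
	files_search_tmp($1)
	stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_stream_connect'($*)) dnl
')

########################################
## Allow the specified domain unprivileged access to database objects
## managed by SE-PostgreSQL.
##
## Parameters:
##   $1 - Domain allowed access.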
#
define(`postgresql_unpriv_client',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_unpriv_client'($*)) dnl
	gen_require(`
		attribute sepgsql_client_type;
	')

	typeattribute $1 sepgsql_client_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_unpriv_client'($*)) dnl
')

########################################
## Allow the specified domain unconfined accesses to any database objects
## managed by SE-PostgreSQL.
##
## Parameters:
##   $1 - Domain allowed access.
#
define(`postgresql_unconfined',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_unconfined'($*)) dnl
	gen_require(`
		attribute sepgsql_unconfined_type;
	')

	# Bypasses all SE-PostgreSQL object checks for this domain.
	typeattribute $1 sepgsql_unconfined_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_unconfined'($*)) dnl
')

########################################
## Transition to postgresql named content
##
## Parameters:
##   $1 - Domain allowed access.
#
define(`postgresql_filetrans_named_content',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_filetrans_named_content'($*)) dnl
	gen_require(`
		type postgresql_db_t;
		type postgresql_log_t;
	')

	# Named transitions: directories created under /var/lib with these
	# names get postgresql_db_t, and log directories created inside the
	# database tree get postgresql_log_t.
	files_var_lib_filetrans($1, postgresql_db_t, dir, "postgresql")
	files_var_lib_filetrans($1, postgresql_db_t, dir, "postgres")
	files_var_lib_filetrans($1, postgresql_db_t, dir, "pgsql")
	filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "logfile")
	filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "pg_log")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_filetrans_named_content'($*)) dnl
')

########################################
## All of the rules required to administrate an postgresql environment
##
## Parameters:
##   $1 - Domain allowed access.
##   $2 - The role to be allowed to manage the postgresql domain.
#
define(`postgresql_admin',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `postgresql_admin'($*)) dnl
	gen_require(`
		attribute sepgsql_admin_type, sepgsql_client_type;
		type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t;
		type postgresql_tmp_t, postgresql_db_t, postgresql_log_t;
		type postgresql_etc_t;
	')

	# NOTE(review): sepgsql_client_type is required above but no rule
	# below uses it.
	typeattribute $1 sepgsql_admin_type;

	allow $1 postgresql_t:process signal_perms;
	ps_process_pattern($1, postgresql_t)

	# ptrace of the server is granted only while deny_ptrace is off.
	tunable_policy(`deny_ptrace',`',`
		allow $1 postgresql_t:process ptrace;
	')

	# Let the admin role start/stop the service via its init script.
	init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 postgresql_initrc_exec_t system_r;
	allow $2 system_r;

	# Full management of every postgresql-labelled location.
	files_list_pids($1)
	admin_pattern($1, postgresql_var_run_t)

	files_list_var_lib($1)
	admin_pattern($1, postgresql_db_t)

	files_list_etc($1)
	admin_pattern($1, postgresql_etc_t)

	logging_list_logs($1)
	admin_pattern($1, postgresql_log_t)

	files_list_tmp($1)
	admin_pattern($1, postgresql_tmp_t)

	postgresql_tcp_connect($1)
	postgresql_stream_connect($1)
	postgresql_filetrans_named_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `postgresql_admin'($*)) dnl
')

## Secure shell client and server policy.

########################################
## Basic SSH client template.
##

## This template creates a derived domain which is used ## for ssh client sessions. A derived ## type is also created to protect the user ssh keys. ##

##

## This template was added for NX. ##

##
## Parameters:
##   $1 - The prefix of the domain (e.g., user is the prefix for user_t).
##   $2 - The type of the domain.
##   $3 - The role associated with the user domain.
#
define(`ssh_basic_client_template',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_basic_client_template'($*)) dnl
	gen_require(`
		attribute ssh_server;
		type ssh_exec_t, sshd_key_t, sshd_tmp_t;
		type ssh_keysign_exec_t, ssh_keysign_t;
		type ssh_home_t;
	')

	##############################
	#
	# Declarations
	#

	# One derived client domain per prefix, entered via ssh_exec_t.
	type $1_ssh_t;
	application_domain($1_ssh_t, ssh_exec_t)
	role $3 types $1_ssh_t;

	##############################
	#
	# Client local policy
	#

	allow $1_ssh_t self:capability { setuid setgid dac_read_search };
	# Negated set: every process permission EXCEPT the listed ones is granted.
	# Anything added to the process class later is granted automatically.
	allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	allow $1_ssh_t self:fd use;
	allow $1_ssh_t self:fifo_file rw_fifo_file_perms;
	allow $1_ssh_t self:unix_dgram_socket { create_socket_perms sendto };
	allow $1_ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
	allow $1_ssh_t self:shm create_shm_perms;
	allow $1_ssh_t self:sem create_sem_perms;
	allow $1_ssh_t self:msgq create_msgq_perms;
	allow $1_ssh_t self:msg { send receive };
	allow $1_ssh_t self:tcp_socket create_stream_socket_perms;
	allow $1_ssh_t self:tun_socket create_socket_perms;

	# for rsync
	allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
	allow $1_ssh_t $2:unix_stream_socket connectto;

	# Read the ssh key file.
	allow $1_ssh_t sshd_key_t:file read_file_perms;

	# Access the ssh temporary files.
	allow $1_ssh_t sshd_tmp_t:dir manage_dir_perms;
	allow $1_ssh_t sshd_tmp_t:file manage_file_perms;
	files_tmp_filetrans($1_ssh_t, sshd_tmp_t, { file dir })

	# Transition from the domain to the derived domain.
	domtrans_pattern($2, ssh_exec_t, $1_ssh_t)

	# inheriting stream sockets is needed for "ssh host command" as no pty
	# is allocated
	# cjp: should probably fix target to be an attribute for ssh servers
	# or "regular" (not special like sshd_extern_t) servers
	allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;

	# derived domain can execute ssh-keysign
	domtrans_pattern($1_ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
	role $3 types ssh_keysign_t;

	# allow ps to show ssh
	ps_process_pattern($2, $1_ssh_t)

	# user can manage the keys and config
	manage_files_pattern($2, ssh_home_t, ssh_home_t)
	manage_lnk_files_pattern($2, ssh_home_t, ssh_home_t)
	manage_sock_files_pattern($2, ssh_home_t, ssh_home_t)

	# ssh client can manage the keys and config
	manage_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)
	read_lnk_files_pattern($1_ssh_t, ssh_home_t, ssh_home_t)

	# ssh servers can read the user keys and config
	# (applies to every domain carrying the ssh_server attribute, not only
	# the one this template is expanded for)
	allow ssh_server ssh_home_t:dir list_dir_perms;
	read_files_pattern(ssh_server, ssh_home_t, ssh_home_t)
	read_lnk_files_pattern(ssh_server, ssh_home_t, ssh_home_t)

	kernel_read_kernel_sysctls($1_ssh_t)
	kernel_read_system_state($1_ssh_t)
	kernel_read_network_state($1_ssh_t)

	corenet_all_recvfrom_netlabel($1_ssh_t)
	corenet_tcp_sendrecv_generic_if($1_ssh_t)
	corenet_tcp_sendrecv_generic_node($1_ssh_t)
	corenet_tcp_sendrecv_all_ports($1_ssh_t)
	corenet_tcp_connect_ssh_port($1_ssh_t)
	corenet_sendrecv_ssh_client_packets($1_ssh_t)
	corenet_tcp_bind_generic_node($1_ssh_t)
	corenet_tcp_bind_all_unreserved_ports($1_ssh_t)
	corenet_rw_inherited_tun_tap_dev($1_ssh_t)

	dev_read_urand($1_ssh_t)

	fs_getattr_all_fs($1_ssh_t)
	fs_search_auto_mountpoints($1_ssh_t)

	# run helper programs - needed eg for x11-ssh-askpass
	corecmd_exec_shell($1_ssh_t)
	corecmd_exec_bin($1_ssh_t)

	domain_use_interactive_fds($1_ssh_t)

	files_list_home($1_ssh_t)
	files_read_usr_files($1_ssh_t)
	files_read_etc_runtime_files($1_ssh_t)
	files_read_etc_files($1_ssh_t)
	files_read_var_files($1_ssh_t)

	auth_use_nsswitch($1_ssh_t)

	logging_send_syslog_msg($1_ssh_t)
	logging_read_generic_logs($1_ssh_t)

	seutil_read_config($1_ssh_t)

	optional_policy(`
		kerberos_use($1_ssh_t)
	') dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_basic_client_template'($*)) dnl
')

########################################
## The template to define a domain to which sshd dyntransition.
##
## Parameters:
##   $1 - The prefix of the dyntransition domain
##        (used verbatim as the type name, no suffix is appended).
#
define(`ssh_dyntransition_domain_template',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_dyntransition_domain_template'($*)) dnl
	gen_require(`
		attribute ssh_dyntransition_domain;
	')

	type $1, ssh_dyntransition_domain;
	domain_type($1)
	role system_r types $1;

	optional_policy(`
		ssh_dyntransition_to($1)
	') dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_dyntransition_domain_template'($*)) dnl
')

########################################
## The template to define a ssh server.
##

## This template creates a domain to be used for ## creating an ssh server. This is typically done ## to have multiple ssh servers of different sensitivities, ## such as for an internal network-facing ssh server, and ## an external network-facing ssh server. ##

##
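## Parameters:
##   $1 - The prefix of the server domain (e.g., sshd is the prefix for sshd_t).
#
define(`ssh_server_template',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_server_template'($*)) dnl
	gen_require(`
		type sshd_t;
	')

	# NOTE(review): sshd_exec_t and sshd_key_t are used below but only
	# sshd_t is required here; this resolves only when the template is
	# expanded where those types are already declared - confirm.
	type $1_t, ssh_server;
	auth_login_pgm_domain($1_t)

	type $1_devpts_t;
	term_login_pty($1_devpts_t)

	# Declared, but the tmpfs rules further down are commented out, so
	# nothing in this template currently uses $1_tmpfs_t.
	type $1_tmpfs_t;
	files_tmpfs_file($1_tmpfs_t)

	type $1_var_run_t;
	files_pid_file($1_var_run_t)

	allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_read_search dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
	allow $1_t self:fifo_file rw_fifo_file_perms;
	# (a second, identically-permissioned self:process rule was removed)
	allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
	allow $1_t self:tcp_socket create_stream_socket_perms;
	allow $1_t self:udp_socket create_socket_perms;
	allow $1_t self:tun_socket { create_socket_perms relabelfrom relabelto };
	# ssh agent connections:
	allow $1_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_t self:shm create_shm_perms;

	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms getattr_chr_file_perms relabelfrom };
	term_create_pty($1_t, $1_devpts_t)

	#manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
	#fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)

	# NOTE(review): passes the fixed sshd_t rather than $1_t, so for a
	# non-sshd prefix this grants the tmp role to sshd_t, not to the new
	# server domain - confirm whether $1_t was intended.
	userdom_manage_tmp_role(system_r, sshd_t)

	allow $1_t $1_var_run_t:file manage_file_perms;
	files_pid_filetrans($1_t, $1_var_run_t, file)

	can_exec($1_t, sshd_exec_t)

	# Access key files
	allow $1_t sshd_key_t:file read_file_perms;

	kernel_read_kernel_sysctls($1_t)
	kernel_search_network_sysctl($1_t)
	kernel_read_network_state($1_t)
	kernel_request_load_module($1_t)

	corenet_all_recvfrom_unlabeled($1_t)
	corenet_all_recvfrom_netlabel($1_t)
	corenet_tcp_sendrecv_generic_if($1_t)
	corenet_udp_sendrecv_generic_if($1_t)
	corenet_raw_sendrecv_generic_if($1_t)
	corenet_tcp_sendrecv_generic_node($1_t)
	corenet_udp_sendrecv_generic_node($1_t)
	corenet_raw_sendrecv_generic_node($1_t)
	corenet_udp_sendrecv_all_ports($1_t)
	corenet_tcp_sendrecv_all_ports($1_t)
	corenet_tcp_bind_generic_node($1_t)
	corenet_udp_bind_generic_node($1_t)
	corenet_tcp_bind_ssh_port($1_t)
	# -R qualifier (this call was previously listed twice)
	corenet_sendrecv_ssh_server_packets($1_t)
	# tunnel feature and -w (net_admin capability also)
	corenet_rw_tun_tap_dev($1_t)

	fs_getattr_all_fs($1_t)

	auth_rw_login_records($1_t)
	auth_rw_faillog($1_t)

	corecmd_read_bin_symlinks($1_t)
	# for sshd subsystems, such as sftp-server (previously listed twice).
	corecmd_getattr_bin_files($1_t)

	dev_rw_crypto($1_t)

	domain_interactive_fd($1_t)
	domain_dyntrans_type($1_t)

	files_read_etc_files($1_t)
	files_read_etc_runtime_files($1_t)
	files_read_usr_files($1_t)

	logging_search_logs($1_t)

	userdom_dontaudit_relabelfrom_user_ptys($1_t)
	userdom_read_user_home_content_files($1_t)

	# Allow checking users mail at login
	optional_policy(`
		mta_getattr_spool($1_t)
	')

	userdom_home_manager($1_t)

	optional_policy(`
		kerberos_use($1_t)
		#kerberos_manage_host_rcache($1_t)
	')

	optional_policy(`
		files_read_var_lib_symlinks($1_t)
		nx_spec_domtrans_server($1_t)
	')

	optional_policy(`
		rlogin_read_home_content($1_t)
	')

	optional_policy(`
		shutdown_getattr_exec_files($1_t)
	') dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_server_template'($*)) dnl
')

########################################
## Role access for ssh
##
## Parameters:
##   $1 - The prefix of the role (e.g., user is the prefix for user_r).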
##
##
##
##
##	Role allowed access
##
##
##
##
##
##	User domain for the role
##
##
##
#
define(`ssh_role_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_role_template'($*)) dnl
	gen_require(`
		attribute ssh_server, ssh_agent_type;
		type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
		type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
		type ssh_agent_tmp_t;
		type cache_home_t;
	')
	# NOTE(review): ssh_tmpfs_t is required twice above, and ssh_keysign_t
	# is required but not referenced by any rule in this template.

	##############################
	#
	# Declarations
	#

	role $2 types ssh_t;

	# Per-role ssh-agent domain, derived from the role prefix.
	type $1_ssh_agent_t, ssh_agent_type;
	userdom_user_application_domain($1_ssh_agent_t, ssh_agent_exec_t)
	domain_interactive_fd($1_ssh_agent_t)
	role $2 types $1_ssh_agent_t;

	##############################
	#
	# Local policy
	#

	# Transition from the domain to the derived domain.
	domtrans_pattern($3, ssh_exec_t, ssh_t)

	# inheriting stream sockets is needed for "ssh host command" as no pty
	# is allocated
	allow $3 ssh_server:unix_stream_socket rw_stream_socket_perms;

	# allow ps to show ssh
	ps_process_pattern($3, ssh_t)
	allow $3 ssh_t:process signal_perms;

	# for rsync
	allow ssh_t $3:unix_stream_socket rw_socket_perms;
	allow ssh_t $3:unix_stream_socket connectto;

	allow ssh_t $3:key manage_key_perms;
	allow $3 ssh_t:key { write search read view };

	# user can manage the keys and config
	manage_files_pattern($3, ssh_home_t, ssh_home_t)
	manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
	manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
	# NOTE(review): every other rule here targets the user domain $3, but
	# this one uses $1_t (the role prefix with _t appended). The two only
	# coincide when the caller passes a matching prefix and domain; confirm
	# $3 was not intended.
	userdom_search_user_home_dirs($1_t)

	userdom_manage_tmp_role($2, ssh_t)

	##############################
	#
	# SSH agent local policy
	#

	allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;

	allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };

	# for ssh-add
	stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
	stream_connect_pattern($3, cache_home_t, cache_home_t, $1_ssh_agent_t)

	# Allow the user shell to signal the ssh program.
	allow $3 $1_ssh_agent_t:process signal_perms;
	# allow ps to show ssh
	ps_process_pattern($3, $1_ssh_agent_t)

	domtrans_pattern($3, ssh_agent_exec_t, $1_ssh_agent_t)

	kernel_read_system_state($1_ssh_agent_t)

	# transition back to normal privs upon exec
	corecmd_shell_domtrans($1_ssh_agent_t, $3)
	corecmd_bin_domtrans($1_ssh_agent_t, $3)

	auth_use_nsswitch($1_ssh_agent_t)

	logging_send_syslog_msg($1_ssh_agent_t)

	userdom_user_home_domtrans($1_ssh_agent_t, $3)
	userdom_home_manager($1_ssh_agent_t)

	ssh_exec_keygen($3)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_role_template'($*)) dnl
')

########################################
##
##	Send a SIGCHLD signal to the ssh server.
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_sigchld'($*)) dnl
	gen_require(`
		type sshd_t;
	')

	allow $1 sshd_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_sigchld'($*)) dnl
')

########################################
##
##	Send a generic signal to the ssh server.
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_signal'($*)) dnl
	gen_require(`
		type sshd_t;
	')

	allow $1 sshd_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_signal'($*)) dnl
')

########################################
##
##	Send a null signal to sshd processes.
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_signull'($*)) dnl
	gen_require(`
		type sshd_t;
	')

	# Existence check only; no signal is delivered.
	allow $1 sshd_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_signull'($*)) dnl
')

########################################
##
##	Read a ssh server unnamed pipe.
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_read_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_read_pipes'($*)) dnl
	gen_require(`
		type sshd_t;
	')

	allow $1 sshd_t:fifo_file read_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_read_pipes'($*)) dnl
')

########################################
##
##	Read and write ssh server unix dgram sockets.
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_rw_dgram_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_rw_dgram_sockets'($*)) dnl
	gen_require(`
		type sshd_t;
	')

	# NOTE(review): rw_stream_socket_perms is the set the neighbouring
	# stream and tcp interfaces use; for a unix_dgram_socket the plain
	# rw_socket_perms set is presumably what is wanted. Confirm.
	allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_rw_dgram_sockets'($*)) dnl
')

########################################
##
##	Read and write a ssh server unnamed pipe.
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_rw_pipes'($*)) dnl
	gen_require(`
		type sshd_t;
	')

	# The inherited set is meant for fds handed down by sshd, not for
	# pipes the caller opens itself.
	allow $1 sshd_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_rw_pipes'($*)) dnl
')

########################################
##
##	Read and write ssh server unix domain stream sockets.
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_rw_stream_sockets'($*)) dnl
	gen_require(`
		type sshd_t;
	')

	allow $1 sshd_t:unix_stream_socket rw_stream_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_rw_stream_sockets'($*)) dnl
')

########################################
##
##	Read and write ssh server TCP sockets.
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_rw_tcp_sockets'($*)) dnl
	gen_require(`
		type sshd_t;
	')

	allow $1 sshd_t:tcp_socket rw_stream_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_rw_tcp_sockets'($*)) dnl
')

########################################
##
##	Do not audit attempts to read and write
##	ssh server TCP sockets.
##
##
##
##	Domain to not audit.
##
##
#
define(`ssh_dontaudit_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_dontaudit_rw_tcp_sockets'($*)) dnl
	gen_require(`
		type sshd_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 sshd_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_dontaudit_rw_tcp_sockets'($*)) dnl
')

########################################
##
##	Connect to SSH daemons over TCP sockets. (Deprecated)
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_tcp_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_tcp_connect'($*)) dnl
	# Deprecated: emits a build-time warning and grants nothing.
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_tcp_connect'($*)) dnl
')

########################################
##
##	Execute the ssh daemon in the sshd domain.
##
##
##
##	Domain allowed to transition.
##
##
#
define(`ssh_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_domtrans'($*)) dnl
	gen_require(`
		type sshd_t, sshd_exec_t;
	')

	domtrans_pattern($1, sshd_exec_t, sshd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_domtrans'($*)) dnl
')

########################################
##
##	Execute the sshd init script with a domain
##	transition (init_labeled_script_domtrans).
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_initrc_domtrans'($*)) dnl
	gen_require(`
		type sshd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, sshd_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_initrc_domtrans'($*)) dnl
')

########################################
##
##	Execute the ssh client in the caller domain.
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_exec'($*)) dnl
	gen_require(`
		type ssh_exec_t;
	')

	# No domain transition: the client keeps the callers label.
	corecmd_search_bin($1)
	can_exec($1, ssh_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_exec'($*)) dnl
')

########################################
##
##	Set the attributes of sshd key files.
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_setattr_key_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_setattr_key_files'($*)) dnl
	gen_require(`
		type sshd_key_t;
	')

	allow $1 sshd_key_t:file setattr_file_perms;
	# NOTE(review): this grants search on the pid directory, while
	# ssh_filetrans_keys in this file places sshd_key_t under etc.
	# Confirm which directory the caller actually has to traverse.
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_setattr_key_files'($*)) dnl
')

########################################
##
##	Execute the ssh agent client in the caller domain.
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_agent_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_agent_exec'($*)) dnl
	gen_require(`
		type ssh_agent_exec_t;
	')

	# No domain transition: the agent keeps the callers label.
	corecmd_search_bin($1)
	can_exec($1, ssh_agent_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_agent_exec'($*)) dnl
')

########################################
##
##	Send generic signals to ssh_agent_type.
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_agent_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_agent_signal'($*)) dnl
	gen_require(`
		attribute ssh_agent_type;
	')

	# Attribute target: covers every per-role agent domain at once.
	allow $1 ssh_agent_type:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_agent_signal'($*)) dnl
')

########################################
##
##	Getattr ssh home directory
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_getattr_user_home_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_getattr_user_home_dir'($*)) dnl
	gen_require(`
		type ssh_home_t;
	')

	allow $1 ssh_home_t:dir getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_getattr_user_home_dir'($*)) dnl
')

########################################
##
##	Dontaudit search ssh home directory
##
##
##
##	Domain to not audit.
##
##
#
define(`ssh_dontaudit_search_user_home_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_dontaudit_search_user_home_dir'($*)) dnl
	gen_require(`
		type ssh_home_t;
	')

	dontaudit $1 ssh_home_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_dontaudit_search_user_home_dir'($*)) dnl
')

########################################
##
##	Read ssh home directory content
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_read_user_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_read_user_home_files'($*)) dnl
	gen_require(`
		type ssh_home_t;
	')

	# Read access to ~/.ssh content, which includes private keys; the
	# caller gets list, read and symlink-follow but no write.
	allow $1 ssh_home_t:dir list_dir_perms;
	read_files_pattern($1, ssh_home_t, ssh_home_t)
	read_lnk_files_pattern($1, ssh_home_t, ssh_home_t)
	userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_read_user_home_files'($*)) dnl
')

########################################
##
##	Execute the ssh key generator in the ssh keygen domain.
##
##
##
##	Domain allowed to transition.
##
##
#
define(`ssh_domtrans_keygen',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_domtrans_keygen'($*)) dnl
	gen_require(`
		type ssh_keygen_t, ssh_keygen_exec_t;
	')

	domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
	allow $1 ssh_keygen_exec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_domtrans_keygen'($*)) dnl
')

########################################
##
##	Execute the ssh key generator in the caller domain.
##
##
##
##	Domain allowed to transition.
##
##
#
define(`ssh_exec_keygen',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_exec_keygen'($*)) dnl
	gen_require(`
		type ssh_keygen_exec_t;
	')

	can_exec($1, ssh_keygen_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_exec_keygen'($*)) dnl
')

########################################
##
##	Execute ssh-keygen in the ssh keygen domain, and
##	allow the specified role the ssh-keygen domain.
##
##
##
##	Domain allowed to transition.
##
##
##
##
##
##	Role allowed access.
##
##
##
#
define(`ssh_run_keygen',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_run_keygen'($*)) dnl
	gen_require(`
		type ssh_keygen_t;
	')

	role $2 types ssh_keygen_t;
	ssh_domtrans_keygen($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_run_keygen'($*)) dnl
')

########################################
##
##	Getattr ssh server keys
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_getattr_server_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_getattr_server_keys'($*)) dnl
	gen_require(`
		type sshd_key_t;
	')

	# Metadata only; key contents stay unreadable.
	allow $1 sshd_key_t:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_getattr_server_keys'($*)) dnl
')

########################################
##
##	Do not audit attempts to read ssh server keys
##
##
##
##	Domain to not audit.
##
##
#
define(`ssh_dontaudit_read_server_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_dontaudit_read_server_keys'($*)) dnl
	gen_require(`
		type sshd_key_t;
	')

	# Silences the denial only; the host keys remain unreadable to $1.
	dontaudit $1 sshd_key_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_dontaudit_read_server_keys'($*)) dnl
')

########################################
##
##	Append ssh home directory content
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_append_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_append_home_files'($*)) dnl
	gen_require(`
		type ssh_home_t;
	')

	# Append-only on ~/.ssh files (e.g. known_hosts); no read or overwrite.
	append_files_pattern($1, ssh_home_t, ssh_home_t)
	userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_append_home_files'($*)) dnl
')

########################################
##
##	Manage ssh home directory content
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_manage_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_manage_home_files'($*)) dnl
	gen_require(`
		type ssh_home_t;
	')

	# Full create/write/delete on ~/.ssh files, which covers
	# authorized_keys and private keys; grant sparingly.
	manage_files_pattern($1, ssh_home_t, ssh_home_t)
	userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_manage_home_files'($*)) dnl
')

########################################
##
##	Delete from the ssh temp files.
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_delete_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_delete_tmp'($*)) dnl
	gen_require(`
		type sshd_tmp_t;
	')

	files_search_tmp($1)
	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_delete_tmp'($*)) dnl
')

########################################
##
##	Allow sshd to dyntransition to the specified
##	domain (e.g. chroot_user_t).
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_dyntransition_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_dyntransition_to'($*)) dnl
	gen_require(`
		type sshd_t;
	')

	# dyntransition is a domain change without exec, so $1 starts with the
	# live sshd process state; keep the set of target domains small.
	allow sshd_t $1:process dyntransition;
	allow $1 sshd_t:process sigchld;
	allow sshd_t $1:process { getattr sigkill sigstop signull signal };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_dyntransition_to'($*)) dnl
')

########################################
##
##	Create .ssh directory in the /root directory
##	with the correct label.
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_filetrans_admin_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_filetrans_admin_home_content'($*)) dnl
	gen_require(`
		type ssh_home_t;
	')

	userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
	# NOTE(review): .shosts is transitioned as a dir here (and in
	# ssh_filetrans_home_content below); in OpenSSH it is a per-user file,
	# so a file class transition is presumably what was meant. Confirm.
	userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_filetrans_admin_home_content'($*)) dnl
')

########################################
##
##	Create .ssh directory in the user home directory
##	with the correct label.
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_filetrans_home_content'($*)) dnl
	gen_require(`
		type ssh_home_t;
	')

	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
	# Also covers service accounts whose home lives under var_lib_t.
	files_var_lib_filetrans($1, ssh_home_t, dir, ".ssh")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_filetrans_home_content'($*)) dnl
')

########################################
##
##	Label sshd host key files created in the
##	etc directory type as sshd_key_t.
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_filetrans_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_filetrans_keys'($*)) dnl
	gen_require(`
		type sshd_key_t;
	')

	# NOTE(review): all six names carry a leading dot; OpenSSH host keys
	# are conventionally named ssh_host_*_key without it, so these
	# transitions may never match. Confirm against the file contexts.
	files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_key")
	files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_dsa_key")
	files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_rsa_key")
	files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_key.pub")
	files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_dsa_key.pub")
	files_etc_filetrans($1, sshd_key_t, file, ".ssh_host_rsa_key.pub")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_filetrans_keys'($*)) dnl
')

########################################
##
##	Do not audit attempts to read and
##	write the sshd pty type.
##
##
##
##	Domain to not audit.
##
##
#
define(`ssh_dontaudit_use_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_dontaudit_use_ptys'($*)) dnl
	gen_require(`
		type sshd_devpts_t;
	')

	dontaudit $1 sshd_devpts_t:chr_file { getattr read write ioctl };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_dontaudit_use_ptys'($*)) dnl
')

########################################
##
##	Read and write inherited sshd pty type.
##
##
##
##	Domain allowed access.
##
##
#
define(`ssh_use_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_use_ptys'($*)) dnl
	gen_require(`
		type sshd_devpts_t;
	')

	# Inherited set only: the pty fd must be passed in, not opened by $1.
	allow $1 sshd_devpts_t:chr_file rw_inherited_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_use_ptys'($*)) dnl
')

########################################
##
##	Manage the sshd service and its unit file
##	through systemctl.
##
##
##
##	Domain allowed to transition.
##
##
#
define(`ssh_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_systemctl'($*)) dnl
	gen_require(`
		type sshd_t;
		type sshd_unit_file_t;
	')

	systemd_exec_systemctl($1)
	init_reload_services($1)
	# NOTE(review): manage_file_perms lets $1 rewrite the sshd unit file,
	# which decides what init launches as the service. Starting, stopping
	# and querying the service only need the service class rule below
	# plus read access to the unit; confirm write access is required.
	allow $1 sshd_unit_file_t:file manage_file_perms;
	allow $1 sshd_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, sshd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_systemctl'($*)) dnl
')

########################################
##
##	Allow the domain to read state files in /proc.
##
##
##
##	Domain to allow access.
##
##
#
define(`ssh_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ssh_read_state'($*)) dnl
	gen_require(`
		type ssh_t;
	')

	# Targets the ssh client domain ssh_t, not the server sshd_t.
	read_files_pattern($1, ssh_t, ssh_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ssh_read_state'($*)) dnl
')

## X Windows Server

########################################
##
##	Rules required for using the X Windows server
##	and environment, for restricted users.
##
##
##
##	Role allowed access.
##
##
##
##
##
##	Domain allowed access.
##
##
#
define(`xserver_restricted_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_restricted_role'($*)) dnl
	gen_require(`
		type xauth_t, iceauth_t;
		attribute dridomain, x_userdomain;
	')

	role $1 types { xauth_t iceauth_t };

	typeattribute $2 x_userdomain, dridomain;

	# NOTE(review): the X object types are always created with the
	# fixed prefix user, so every role given this interface shares
	# user_xproperty_t and user_input_xevent_t. Confirm the sharing
	# is intended.
	xserver_common_x_domain_template(user,$2)
	xserver_stream_connect_xdm($2)
	xserver_xdm_append_log($2)
	xserver_dri_domain($2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_restricted_role'($*)) dnl
')

########################################
##
##	Domain wants to use direct io devices
##
##
##
##	Domain allowed access.
##
##
#
define(`xserver_dri_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dri_domain'($*)) dnl
	gen_require(`
		attribute dridomain;
	')

	typeattribute $1 dridomain;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dri_domain'($*)) dnl
')

########################################
##
##	Rules required for using the X Windows server
##	and environment.
##
##
##
##	Role allowed access.
##
##
##
##
##
##	Domain allowed access.
##
##
#
define(`xserver_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_role'($*)) dnl
	gen_require(`
		type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t;
		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
	')

	# Everything the restricted role gets, plus shm, auth cookie and
	# font management below.
	xserver_restricted_role($1, $2)

	# Communicate via System V shared memory.
	allow $2 xserver_t:shm rw_shm_perms;
	allow $2 xserver_tmpfs_t:file rw_file_perms;

	# Full control of the .Xauthority / ICEauthority cookie files.
	allow $2 iceauth_home_t:file manage_file_perms;
	allow $2 iceauth_home_t:file relabel_file_perms;

	allow $2 xauth_home_t:file manage_file_perms;
	allow $2 xauth_home_t:file relabel_file_perms;

	mls_xwin_read_to_clearance($2)

	manage_dirs_pattern($2, user_fonts_t, user_fonts_t)
	manage_files_pattern($2, user_fonts_t, user_fonts_t)
	allow $2 user_fonts_t:lnk_file read_lnk_file_perms;
	relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
	relabel_files_pattern($2, user_fonts_t, user_fonts_t)

	manage_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
	manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
	relabel_dirs_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
	relabel_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)

	manage_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_role'($*)) dnl
')

########################################
##
##	Create sessions on the X server, with read-only
##	access to the X server shared
##	memory segments.
##
##
##
##	Domain allowed access.
##
##
##
##
##
##	The type of the domain SYSV tmpfs files.
##
##
#
define(`xserver_ro_session',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_ro_session'($*)) dnl
	gen_require(`
		type xserver_t, xserver_tmp_t, xserver_tmpfs_t;
	')

	# Xserver read/write client shm
	allow xserver_t $1:fd use;
	allow xserver_t $1:shm rw_shm_perms;
	allow xserver_t $2:file rw_file_perms;

	# Connect to xserver
	allow $1 xserver_t:unix_stream_socket connectto;
	allow $1 xserver_t:process signal;

	# Read /tmp/.X0-lock
	allow $1 xserver_tmp_t:file read_file_perms;

	# Client read xserver shm
	# Client side is read-only (r_shm_perms); xserver_rw_session widens it.
	allow $1 xserver_t:fd use;
	allow $1 xserver_t:shm r_shm_perms;
	allow $1 xserver_tmpfs_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_ro_session'($*)) dnl
')

########################################
##
##	Create sessions on the X server, with read and write
##	access to the X server shared
##	memory segments.
##
##
##
##	Domain allowed access.
##
##
##
##
##
##	The type of the domain SYSV tmpfs files.
##
##
#
define(`xserver_rw_session',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_rw_session'($*)) dnl
	gen_require(`
		type xserver_t, xserver_tmpfs_t;
	')

	xserver_ro_session($1, $2)
	allow $1 xserver_t:shm rw_shm_perms;
	allow $1 xserver_tmpfs_t:file { map rw_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_rw_session'($*)) dnl
')

########################################
##
##	Create non-drawing client sessions on an X server.
##
##
##
##	Domain allowed access.
##
##
#
define(`xserver_non_drawing_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_non_drawing_client'($*)) dnl
	gen_require(`
		class x_drawable { getattr get_property };
		class x_extension { query use };
		class x_gc { create setattr };
		class x_property read;
		type xserver_t, xdm_var_run_t;
		type xextension_t, xproperty_t, root_xdrawable_t;
	')

	# Connect and query only: no drawing, no event send/receive.
	allow $1 self:x_gc { create setattr };
	allow $1 xdm_var_run_t:dir search_dir_perms;
	allow $1 xserver_t:unix_stream_socket connectto;
	allow $1 xextension_t:x_extension { query use };
	allow $1 root_xdrawable_t:x_drawable { getattr get_property };
	allow $1 xproperty_t:x_property read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_non_drawing_client'($*)) dnl
')

########################################
##
##	Create full client sessions
##	on a user X server.
##
##
##
##	Domain allowed access.
##
##
##
##
##
##	The type of the domain SYSV tmpfs files.
##
##
#
define(`xserver_user_client',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_user_client'($*)) dnl
	# Deprecated: warns at build time but still emits the rules below.
	refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
	gen_require(`
		type xdm_t;
		type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
	')

	allow $1 self:shm create_shm_perms;
	allow $1 self:unix_dgram_socket create_socket_perms;
	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };

	# Read .Xauthority file
	allow $1 xauth_home_t:file read_file_perms;
	allow $1 iceauth_home_t:file read_file_perms;

	# for when /tmp/.X11-unix is created by the system
	allow $1 xdm_t:fd use;
	allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms;
	userdom_search_user_tmp_dirs($1)
	userdom_rw_user_tmp_sock_files($1)
	dontaudit $1 xdm_t:tcp_socket { read write };

	# Allow connections to X server.
	files_search_tmp($1)

	miscfiles_read_fonts($1)

	userdom_search_user_home_dirs($1)
	# for .xsession-errors
	userdom_dontaudit_write_user_home_content_files($1)

	xserver_ro_session($1,$2)
	xserver_use_user_fonts($1)
	xserver_read_xdm_tmp_files($1)

	# Client write xserver shm
	tunable_policy(`xserver_clients_write_xshm',`
		allow $1 xserver_t:shm rw_shm_perms;
		allow $1 xserver_tmpfs_t:file rw_file_perms;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_user_client'($*)) dnl
')

########################################
##
##	Interface to provide X object permissions on a given X server to
##	an X client domain. Provides the minimal set required by a basic
##	X client application.
##
##
##
##	The prefix of the X client domain (e.g., user
##	is the prefix for user_t).
##
##
##
##
##
##	Client domain allowed access.
##
##
#
define(`xserver_common_x_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_common_x_domain_template'($*)) dnl
	gen_require(`
		type root_xdrawable_t, xdm_t, xserver_t;
		type xproperty_t, $1_xproperty_t;
		type xevent_t, client_xevent_t;
		type input_xevent_t, $1_input_xevent_t;
		attribute x_domain, input_xevent_type;
		attribute xdrawable_type, xcolormap_type;
		class x_drawable all_x_drawable_perms;
		class x_property all_x_property_perms;
		class x_event all_x_event_perms;
		class x_synthetic_event all_x_synthetic_event_perms;
		class x_client destroy;
		class x_server manage;
		class x_screen { saver_setattr saver_hide saver_show show_cursor hide_cursor };
		class x_pointer { get_property set_property manage };
		class x_keyboard { read manage freeze };
	')

	##############################
	#
	# Local Policy
	#

	# Type attributes
	typeattribute $2 x_domain;
	typeattribute $2 xdrawable_type, xcolormap_type;

	# X Properties
	# disable property transitions for the time being.
	# type_transition $2 xproperty_t:x_property $1_xproperty_t;

	# X Windows
	# new windows have the domain type
	type_transition $2 root_xdrawable_t:x_drawable $2;

	# X Input
	# distinguish input events
	type_transition $2 input_xevent_t:x_event $1_input_xevent_t;
	# can send own events
	allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } send;
	# can receive own events
	allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive;
	# can receive default events
	allow $2 client_xevent_t:{ x_event x_synthetic_event } receive;
	allow $2 xevent_t:{ x_event x_synthetic_event } { send receive };
	# dont audit send failures
	dontaudit $2 input_xevent_type:x_event send;

	allow $2 xdm_t:x_drawable { hide read add_child manage };
	allow $2 xdm_t:x_client destroy;
	allow $2 root_xdrawable_t:x_drawable write;
	# NOTE(review): x_server manage plus x_keyboard read/manage/freeze
	# and x_pointer manage are server-wide, not per-client, permissions;
	# that goes beyond the minimal set the summary promises. Confirm the
	# template is meant to grant them to every x_domain.
	allow $2 xserver_t:x_server manage;
	allow $2 xserver_t:x_screen { show_cursor hide_cursor saver_setattr saver_hide saver_show };
	allow $2 xserver_t:x_pointer { get_property set_property manage };
	allow $2 xserver_t:x_keyboard { read manage freeze };
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_common_x_domain_template'($*)) dnl
')

########################################
##
##	Template for creating the set of types used
##	in an X windows domain.
##
##
##
##	The prefix of the X client domain (e.g., user
##	is the prefix for user_t).
##
##
#
define(`xserver_object_types_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_object_types_template'($*)) dnl
	gen_require(`
		attribute xproperty_type, input_xevent_type, xevent_type;
	')

	##############################
	#
	# Declarations
	#

	# Types for properties
	type $1_xproperty_t, xproperty_type;
	ubac_constrained($1_xproperty_t)

	# Types for events
	type $1_input_xevent_t, input_xevent_type, xevent_type;
	ubac_constrained($1_input_xevent_t)
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_object_types_template'($*)) dnl
')

########################################
##
##	Interface to provide X object permissions on a given X server to
##	an X client domain. Provides the minimal set required by a basic
##	X client application.
##
##
##
##	The prefix of the X client domain (e.g., user
##	is the prefix for user_t).
##
##
##
##
##
##	Client domain allowed access.
##
##
##
##
##
##	The type of the domain SYSV tmpfs files.
##
##
#
define(`xserver_user_x_domain_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_user_x_domain_template'($*)) dnl
	gen_require(`
		type xdm_t, xserver_tmpfs_t;
		type xdm_home_t;
		type xauth_home_t, iceauth_home_t, xserver_t;
	')
	# NOTE(review): xdm_home_t is required above but not referenced by
	# any rule in this template.

	allow $2 self:shm create_shm_perms;
	allow $2 self:unix_dgram_socket create_socket_perms;
	allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };

	# Read .Xauthority file
	allow $2 xauth_home_t:file read_file_perms;
	allow $2 iceauth_home_t:file read_file_perms;
	xserver_filetrans_home_content($2)

	# for when /tmp/.X11-unix is created by the system
	allow $2 xdm_t:fd use;
	allow $2 xdm_t:fifo_file rw_inherited_fifo_file_perms;
	userdom_search_user_tmp_dirs($2)
	userdom_rw_user_tmp_sock_files($2)
	dontaudit $2 xdm_t:tcp_socket { read write };

	# Allow connections to X server.
	files_search_tmp($2)

	miscfiles_read_fonts($2)

	userdom_search_user_home_dirs($2)
	# for .xsession-errors
	userdom_dontaudit_write_user_home_content_files($2)

	xserver_ro_session($2, $3)
	xserver_use_user_fonts($2)
	userdom_read_user_tmp_files($2)
	xserver_read_xdm_pid($2)
	xserver_xdm_append_log($2)

	# X object manager
	# Declares the $1 prefixed property/event types, then grants the
	# common X object rules to $2.
	xserver_object_types_template($1)
	xserver_common_x_domain_template($1, $2)

	# Client write xserver shm
	tunable_policy(`xserver_clients_write_xshm',`
		allow $2 xserver_t:shm rw_shm_perms;
		allow $2 xserver_tmpfs_t:file rw_file_perms;
	')

	tunable_policy(`selinuxuser_direct_dri_enabled',`
		dev_rw_dri($2)
	')
dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_user_x_domain_template'($*)) dnl
')

########################################
##
##	Read user fonts, user font configuration,
##	and manage the user font cache.
##
##
##

##	<p>
##	Read user fonts, user font configuration,
##	and manage the user font cache.
##	</p>
##	<p>
##	This is a templated interface, and should only
##	be called from a per-userdomain template.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`xserver_use_user_fonts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_use_user_fonts'($*)) dnl
	gen_require(`
		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
	')

	# Read per user fonts
	allow $1 user_fonts_t:dir list_dir_perms;
	allow $1 user_fonts_t:file read_file_perms;
	allow $1 user_fonts_t:lnk_file read_lnk_file_perms;

	# Manage the per-user font cache (create, write, delete dirs
	# and files). This is the only write access this interface
	# grants; fonts and font config stay read-only.
	manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
	manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t)

	# Read per user font config
	allow $1 user_fonts_config_t:dir list_dir_perms;
	allow $1 user_fonts_config_t:file read_file_perms;

	# Needed to reach the font directories under the home dir.
	userdom_search_user_home_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_use_user_fonts'($*)) dnl
')

########################################
## <summary>
##	Transition to the xdm (display manager) domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`xserver_domtrans_xdm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_domtrans_xdm'($*)) dnl
	gen_require(`
		type xdm_t, xdm_exec_t;
	')

	# Automatic transition: executing an xdm_exec_t file from $1
	# lands the new process in xdm_t.
	domtrans_pattern($1, xdm_exec_t, xdm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_domtrans_xdm'($*)) dnl
')

########################################
## <summary>
##	Transition to the Xauthority domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`xserver_domtrans_xauth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_domtrans_xauth'($*)) dnl
	gen_require(`
		type xauth_t, xauth_exec_t;
	')

	# Automatic transition into the confined xauth domain when
	# $1 executes xauth_exec_t.
	domtrans_pattern($1, xauth_exec_t, xauth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_domtrans_xauth'($*)) dnl
')

######################################
## <summary>
##	Allow exec of the Xauthority program
##	without a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## ## # define(`xserver_exec_xauth',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_exec_xauth'($*)) dnl gen_require(` type xauth_t, xauth_exec_t; ') can_exec($1, xauth_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_exec_xauth'($*)) dnl ') ######################################## ## ## Dontaudit exec of Xauthority program. ## ## ## ## Domain to not audit. ## ## # define(`xserver_dontaudit_exec_xauth',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_exec_xauth'($*)) dnl gen_require(` type xauth_exec_t; ') dontaudit $1 xauth_exec_t:file execute; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_dontaudit_exec_xauth'($*)) dnl ') ######################################## ## ## Create a Xauthority file in the user home directory. ## ## ## ## Domain allowed access. ## ## # define(`xserver_user_home_dir_filetrans_user_xauth',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_user_home_dir_filetrans_user_xauth'($*)) dnl gen_require(` type xauth_home_t; ') userdom_user_home_dir_filetrans($1, xauth_home_t, file) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_user_home_dir_filetrans_user_xauth'($*)) dnl ') ######################################## ## ## Create a Xauthority file in the admin home directory. ## ## ## ## Domain allowed access. 
## ## # define(`xserver_admin_home_dir_filetrans_xauth',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_admin_home_dir_filetrans_xauth'($*)) dnl gen_require(` type xauth_home_t; ') userdom_admin_home_dir_filetrans($1, xauth_home_t, file) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_admin_home_dir_filetrans_xauth'($*)) dnl ') ######################################## ## ## Read all users fonts, user font configurations, ## and manage all users font caches. ## ## ## ## Domain allowed access. ## ## # define(`xserver_use_all_users_fonts',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_use_all_users_fonts'($*)) dnl refpolicywarn(`$0() has been deprecated, please use xserver_use_user_fonts.') xserver_use_user_fonts($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_use_all_users_fonts'($*)) dnl ') ######################################## ## ## Read all users .Xauthority. ## ## ## ## Domain allowed access. ## ## # define(`xserver_read_user_xauth',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_read_user_xauth'($*)) dnl gen_require(` type xauth_home_t; ') allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) xserver_read_xdm_pid($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_read_user_xauth'($*)) dnl ') ######################################## ## ## Manage all users .Xauthority. ## ## ## ## Domain allowed access. 
## ## # define(`xserver_manage_user_xauth',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_manage_user_xauth'($*)) dnl gen_require(` type xauth_home_t; ') allow $1 xauth_home_t:file manage_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_manage_user_xauth'($*)) dnl ') ######################################## ## ## Set the attributes of the X windows console named pipes. ## ## ## ## Domain allowed access. ## ## # define(`xserver_setattr_console_pipes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_setattr_console_pipes'($*)) dnl gen_require(` type xconsole_device_t; ') allow $1 xconsole_device_t:fifo_file setattr_fifo_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_setattr_console_pipes'($*)) dnl ') ######################################## ## ## Read and write the X windows console named pipe. ## ## ## ## Domain allowed access. ## ## # define(`xserver_rw_console',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_rw_console'($*)) dnl gen_require(` type xconsole_device_t; ') allow $1 xconsole_device_t:fifo_file rw_fifo_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_rw_console'($*)) dnl ') ######################################## ## ## Read XDM state files. ## ## ## ## Domain allowed access. ## ## # define(`xserver_read_state_xdm',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_read_state_xdm'($*)) dnl gen_require(` type xdm_t; ') kernel_search_proc($1) ps_process_pattern($1, xdm_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_read_state_xdm'($*)) dnl ') ######################################## ## ## Use file descriptors for xdm. 
## ## ## ## Domain allowed access. ## ## # define(`xserver_use_xdm_fds',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_use_xdm_fds'($*)) dnl gen_require(` type xdm_t; ') allow $1 xdm_t:fd use; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_use_xdm_fds'($*)) dnl ') ######################################## ## ## Do not audit attempts to inherit ## XDM file descriptors. ## ## ## ## Domain to not audit. ## ## # define(`xserver_dontaudit_use_xdm_fds',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_use_xdm_fds'($*)) dnl gen_require(` type xdm_t; ') dontaudit $1 xdm_t:fd use; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_dontaudit_use_xdm_fds'($*)) dnl ') ######################################## ## ## Read and write XDM unnamed pipes. ## ## ## ## Domain allowed access. ## ## # define(`xserver_rw_xdm_pipes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_rw_xdm_pipes'($*)) dnl gen_require(` type xdm_t; ') allow $1 xdm_t:fifo_file rw_inherited_fifo_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_rw_xdm_pipes'($*)) dnl ') ######################################## ## ## Do not audit attempts to read and write ## XDM unnamed pipes. ## ## ## ## Domain to not audit. ## ## # define(`xserver_dontaudit_rw_xdm_pipes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_rw_xdm_pipes'($*)) dnl gen_require(` type xdm_t; ') dontaudit $1 xdm_t:fifo_file rw_fifo_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_dontaudit_rw_xdm_pipes'($*)) dnl ') ######################################## ## ## Read xdm process state files. ## ## ## ## Domain allowed access. 
## ## # define(`xserver_read_xdm_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_state'($*)) dnl gen_require(` type xdm_t; ') kernel_search_proc($1) allow $1 xdm_t:dir list_dir_perms; allow $1 xdm_t:file read_file_perms; allow $1 xdm_t:lnk_file read_lnk_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_read_xdm_state'($*)) dnl ') ######################################## ## ## Create, read, write, and delete ## xdm_spool files. ## ## ## ## Domain allowed access. ## ## # define(`xserver_manage_xdm_spool_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_manage_xdm_spool_files'($*)) dnl gen_require(` type xdm_spool_t; ') files_search_spool($1) manage_files_pattern($1, xdm_spool_t, xdm_spool_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_manage_xdm_spool_files'($*)) dnl ') ######################################## ## ## Connect to XDM over a unix domain ## stream socket. ## ## ## ## Domain allowed access. ## ## # define(`xserver_stream_connect_xdm',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_stream_connect_xdm'($*)) dnl gen_require(` type xdm_t, xdm_var_run_t; ') files_search_tmp($1) files_search_pids($1) stream_connect_pattern($1, { xdm_var_run_t }, { xdm_var_run_t }, xdm_t) userdom_stream_connect($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_stream_connect_xdm'($*)) dnl ') ######################################## ## ## Allow domain to append XDM unix domain ## stream socket. ## ## ## ## Domain allowed access. 
## ## # define(`xserver_append_xdm_stream_socket',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_append_xdm_stream_socket'($*)) dnl gen_require(` type xdm_t; ') allow $1 xdm_t:unix_stream_socket append; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_append_xdm_stream_socket'($*)) dnl ') ######################################## ## ## Read XDM files in user home directories. ## ## ## ## Domain allowed access. ## ## # define(`xserver_read_xdm_home_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_home_files'($*)) dnl gen_require(` type xdm_home_t; ') userdom_search_user_home_dirs($1) allow $1 xdm_home_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_read_xdm_home_files'($*)) dnl ') ######################################## ## ## Read xserver configuration files. ## ## ## ## Domain allowed access. ## ## # define(`xserver_read_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_read_config'($*)) dnl gen_require(` type xserver_etc_t; ') files_search_etc($1) read_files_pattern($1, xserver_etc_t, xserver_etc_t) read_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_read_config'($*)) dnl ') ######################################## ## ## Manage xserver configuration files. ## ## ## ## Domain allowed access. 
## ## # define(`xserver_manage_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_manage_config'($*)) dnl gen_require(` type xserver_etc_t; ') files_search_etc($1) manage_files_pattern($1, xserver_etc_t, xserver_etc_t) manage_lnk_files_pattern($1, xserver_etc_t, xserver_etc_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_manage_config'($*)) dnl ') ######################################## ## ## Read xdm-writable configuration files. ## ## ## ## Domain allowed access. ## ## # define(`xserver_read_xdm_rw_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_rw_config'($*)) dnl gen_require(` type xdm_rw_etc_t; ') files_search_etc($1) allow $1 xdm_rw_etc_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_read_xdm_rw_config'($*)) dnl ') ######################################## ## ## Search XDM temporary directories. ## ## ## ## Domain allowed access. ## ## # define(`xserver_search_xdm_tmp_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_search_xdm_tmp_dirs'($*)) dnl refpolicywarn(`$0() has been deprecated, please use userdom_search_user_tmp_dirs instead.') userdom_search_user_tmp_dirs($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_search_xdm_tmp_dirs'($*)) dnl ') ######################################## ## ## Set the attributes of XDM temporary directories. ## ## ## ## Domain allowed access. 
## ## # define(`xserver_setattr_xdm_tmp_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_setattr_xdm_tmp_dirs'($*)) dnl refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.') userdom_dontaudit_setattr_user_tmp($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_setattr_xdm_tmp_dirs'($*)) dnl ') ######################################## ## ## Dont audit attempts to set the attributes of XDM temporary directories. ## ## ## ## Domain to not audit. ## ## # define(`xserver_dontaudit_xdm_tmp_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_xdm_tmp_dirs'($*)) dnl refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_setattr_user_tmp instead.') userdom_dontaudit_setattr_user_tmp($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_dontaudit_xdm_tmp_dirs'($*)) dnl ') ######################################## ## ## Create a named socket in a XDM ## temporary directory. ## ## ## ## Domain allowed access. ## ## # define(`xserver_create_xdm_tmp_sockets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_create_xdm_tmp_sockets'($*)) dnl refpolicywarn(`$0() has been deprecated, please use userdom_create_user_tmp_sockets instead.') userdom_create_user_tmp_sockets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_create_xdm_tmp_sockets'($*)) dnl ') ######################################## ## ## Read XDM pid files. ## ## ## ## Domain allowed access. 
## ## # define(`xserver_read_xdm_pid',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_pid'($*)) dnl gen_require(` type xdm_var_run_t; ') files_search_pids($1) read_files_pattern($1, xdm_var_run_t, xdm_var_run_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_read_xdm_pid'($*)) dnl ') ######################################## ## ## Mmap XDM pid files. ## ## ## ## Domain allowed access. ## ## # define(`xserver_map_xdm_pid',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_map_xdm_pid'($*)) dnl gen_require(` type xdm_var_run_t; ') allow $1 xdm_var_run_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_map_xdm_pid'($*)) dnl ') ###################################### ## ## Dontaudit Read XDM pid files. ## ## ## ## Domain to not audit. ## ## # define(`xserver_dontaudit_read_xdm_pid',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_read_xdm_pid'($*)) dnl gen_require(` type xdm_var_run_t; ') dontaudit $1 xdm_var_run_t:dir search_dir_perms; dontaudit $1 xdm_var_run_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_dontaudit_read_xdm_pid'($*)) dnl ') ######################################## ## ## Read XDM var lib files. ## ## ## ## Domain allowed access. 
## ## # define(`xserver_read_xdm_lib_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_lib_files'($*)) dnl gen_require(` type xdm_var_lib_t; ') read_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t) read_lnk_files_pattern($1, xdm_var_lib_t, xdm_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_read_xdm_lib_files'($*)) dnl ') ######################################## ## ## Read inherited XDM var lib files. ## ## ## ## Domain allowed access. ## ## # define(`xserver_read_inherited_xdm_lib_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_read_inherited_xdm_lib_files'($*)) dnl gen_require(` type xdm_var_lib_t; ') allow $1 xdm_var_lib_t:file { read_inherited_file_perms map }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_read_inherited_xdm_lib_files'($*)) dnl ') ######################################## ## ## Make an X session script an entrypoint for the specified domain. ## ## ## ## The domain for which the shell is an entrypoint. ## ## # define(`xserver_xsession_entry_type',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_xsession_entry_type'($*)) dnl gen_require(` type xsession_exec_t; ') domain_entry_file($1, xsession_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_xsession_entry_type'($*)) dnl ') ######################################## ## ## Execute an X session in the target domain. This ## is an explicit transition, requiring the ## caller to use setexeccon(). ## ## ##

##	<p>
##	Execute an Xsession in the target domain. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target">
##	<summary>
##	The type of the shell process.
##	</summary>
## </param>
#
define(`xserver_xsession_spec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_xsession_spec_domtrans'($*)) dnl
	gen_require(`
		type xsession_exec_t;
	')

	# domain_trans (not domtrans_pattern): no type_transition rule
	# is added, so the transition only happens when the caller
	# explicitly requests $2 via setexeccon() before exec.
	domain_trans($1, xsession_exec_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_xsession_spec_domtrans'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of X server logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`xserver_getattr_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_getattr_log'($*)) dnl
	gen_require(`
		type xserver_log_t;
	')

	logging_search_logs($1)
	allow $1 xserver_log_t:file getattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_getattr_log'($*)) dnl
')

#######################################
## <summary>
##	Allow domain to read X server logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`xserver_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_log'($*)) dnl
	gen_require(`
		type xserver_log_t;
	')

	logging_search_logs($1)
	allow $1 xserver_log_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_log'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write the X server
##	log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
## ## # define(`xserver_dontaudit_write_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_write_log'($*)) dnl gen_require(` type xserver_log_t; ') dontaudit $1 xserver_log_t:file rw_inherited_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_dontaudit_write_log'($*)) dnl ') ######################################## ## ## Delete X server log files. ## ## ## ## Domain allowed access. ## ## # define(`xserver_delete_log',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_delete_log'($*)) dnl gen_require(` type xserver_log_t; ') logging_search_logs($1) allow $1 xserver_log_t:dir list_dir_perms; delete_files_pattern($1, xserver_log_t, xserver_log_t) delete_fifo_files_pattern($1, xserver_log_t, xserver_log_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_delete_log'($*)) dnl ') ######################################## ## ## Read X keyboard extension libraries. ## ## ## ## Domain allowed access. ## ## # define(`xserver_read_xkb_libs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_read_xkb_libs'($*)) dnl gen_require(` type xkb_var_lib_t; ') files_search_var_lib($1) allow $1 xkb_var_lib_t:dir list_dir_perms; read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_read_xkb_libs'($*)) dnl ') ######################################## ## ## Manage X keyboard extension libraries. ## ## ## ## Domain allowed access. 
## ## # define(`xserver_manage_xkb_libs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_manage_xkb_libs'($*)) dnl gen_require(` type xkb_var_lib_t; ') files_search_var_lib($1) allow $1 xkb_var_lib_t:dir list_dir_perms; manage_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_manage_xkb_libs'($*)) dnl ') ######################################## ## ## dontaudit access checks X keyboard extension libraries. ## ## ## ## Domain allowed access. ## ## # define(`xserver_dontaudit_xkb_libs_access',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_xkb_libs_access'($*)) dnl gen_require(` type xkb_var_lib_t; ') dontaudit $1 xkb_var_lib_t:dir audit_access; dontaudit $1 xkb_var_lib_t:file audit_access; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_dontaudit_xkb_libs_access'($*)) dnl ') ######################################## ## ## Read xdm config files. ## ## ## ## Domain to not audit ## ## # define(`xserver_read_xdm_etc_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_etc_files'($*)) dnl gen_require(` type xdm_etc_t; ') files_search_etc($1) read_files_pattern($1, xdm_etc_t, xdm_etc_t) read_lnk_files_pattern($1, xdm_etc_t, xdm_etc_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_read_xdm_etc_files'($*)) dnl ') ######################################## ## ## Manage xdm config files. 
## ## ## ## Domain to not audit ## ## # define(`xserver_manage_xdm_etc_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_manage_xdm_etc_files'($*)) dnl gen_require(` type xdm_etc_t; ') files_search_etc($1) manage_files_pattern($1, xdm_etc_t, xdm_etc_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_manage_xdm_etc_files'($*)) dnl ') ######################################## ## ## Watch xdm config directories. ## ## ## ## Domain to not audit ## ## # define(`xserver_watch_xdm_etc_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_watch_xdm_etc_dirs'($*)) dnl gen_require(` type xdm_etc_t; ') files_search_etc($1) watch_dirs_pattern($1, xdm_etc_t, xdm_etc_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_watch_xdm_etc_dirs'($*)) dnl ') ######################################## ## ## Read xdm temporary files. ## ## ## ## Domain allowed access. ## ## # define(`xserver_read_xdm_tmp_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_read_xdm_tmp_files'($*)) dnl refpolicywarn(`$0() has been deprecated, please use userdom_read_user_tmpfs_files instead.') userdom_read_user_tmpfs_files($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_read_xdm_tmp_files'($*)) dnl ') ######################################## ## ## Do not audit attempts to read xdm temporary files. ## ## ## ## Domain to not audit. 
## ## # define(`xserver_dontaudit_read_xdm_tmp_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_read_xdm_tmp_files'($*)) dnl refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_read_user_tmp_files instead.') userdom_dontaudit_read_user_tmp_files($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_dontaudit_read_xdm_tmp_files'($*)) dnl ') ######################################## ## ## Read write xdm temporary files. ## ## ## ## Domain allowed access. ## ## # define(`xserver_rw_xdm_tmp_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_rw_xdm_tmp_files'($*)) dnl refpolicywarn(`$0() has been deprecated, please use userdom_rw_user_tmpfs_files instead.') userdom_rw_user_tmpfs_files($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_rw_xdm_tmp_files'($*)) dnl ') ######################################## ## ## Create, read, write, and delete xdm temporary files. ## ## ## ## Domain allowed access. ## ## # define(`xserver_manage_xdm_tmp_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_manage_xdm_tmp_files'($*)) dnl refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_files instead.') userdom_manage_user_tmp_files($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_manage_xdm_tmp_files'($*)) dnl ') ######################################## ## ## Create, read, write, and delete xdm temporary dirs. ## ## ## ## Domain allowed access. 
## ## # define(`xserver_relabel_xdm_tmp_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_relabel_xdm_tmp_dirs'($*)) dnl refpolicywarn(`$0() has been deprecated, please use userdom_relabel_user_tmp_dirs instead.') userdom_relabel_user_tmp_dirs($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_relabel_xdm_tmp_dirs'($*)) dnl ') ######################################## ## ## Create, read, write, and delete xdm temporary dirs. ## ## ## ## Domain allowed access. ## ## # define(`xserver_manage_xdm_tmp_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_manage_xdm_tmp_dirs'($*)) dnl refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_tmp_dirs instead.') userdom_manage_user_tmp_dirs($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_manage_xdm_tmp_dirs'($*)) dnl ') ######################################## ## ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## ## ## ## Domain to not audit. ## ## # define(`xserver_dontaudit_getattr_xdm_tmp_sockets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_getattr_xdm_tmp_sockets'($*)) dnl refpolicywarn(`$0() has been deprecated, please use userdom_dontaudit_user_getattr_tmp_sockets instead.') userdom_dontaudit_user_getattr_tmp_sockets($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_dontaudit_getattr_xdm_tmp_sockets'($*)) dnl ') ######################################## ## ## Execute the X server in the X server domain. ## ## ## ## Domain allowed to transition. 
## ## # define(`xserver_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_domtrans'($*)) dnl gen_require(` type xserver_t, xserver_exec_t; ') allow $1 xserver_t:process siginh; domtrans_pattern($1, xserver_exec_t, xserver_t) allow xserver_t $1:process getpgid; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_domtrans'($*)) dnl ') ######################################## ## ## Allow SELinux Domain trasition ## into confined domain with NoNewPrivileges ## Systemd Security feature. ## ## ## ## Domain allowed access. ## ## # define(`xserver_nnp_daemon_domain',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_nnp_daemon_domain'($*)) dnl gen_require(` type xserver_t; ') allow $1 xserver_t:process2 { nnp_transition nosuid_transition }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_nnp_daemon_domain'($*)) dnl ') ######################################## ## ## Allow execute the X server. ## ## ## ## Domain allowed to transition. ## ## # define(`xserver_exec',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_exec'($*)) dnl gen_require(` type xserver_exec_t; ') can_exec($1, xserver_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_exec'($*)) dnl ') ######################################## ## ## Signal X servers ## ## ## ## Domain allowed access. ## ## # define(`xserver_signal',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `xserver_signal'($*)) dnl gen_require(` type xserver_t; ') allow $1 xserver_t:process signal; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `xserver_signal'($*)) dnl ') ######################################## ## ## Send a null signal to xdm processes. 
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_xdm_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_xdm_signull'($*)) dnl
	gen_require(`
		type xdm_t;
	')

	# signull only checks for process existence; no signal is delivered.
	allow $1 xdm_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_xdm_signull'($*)) dnl
')

########################################
## Kill X servers.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_kill'($*)) dnl
	gen_require(`
		type xserver_t;
	')

	allow $1 xserver_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_kill'($*)) dnl
')

########################################
## Read and write X server Sys V shared
## memory segments.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_rw_shm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_rw_shm'($*)) dnl
	gen_require(`
		type xserver_t;
	')

	allow $1 xserver_t:shm rw_shm_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_rw_shm'($*)) dnl
')

########################################
## Do not audit attempts to read and write
## X server TCP sockets.
##
## Parameters:
##   1. Domain to not audit.
#
define(`xserver_dontaudit_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_rw_tcp_sockets'($*)) dnl
	gen_require(`
		type xserver_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 xserver_t:tcp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_rw_tcp_sockets'($*)) dnl
')

########################################
## Do not audit attempts to read and write X server
## unix domain stream sockets.
##
## Parameters:
##   1. Domain to not audit.
#
define(`xserver_dontaudit_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_rw_stream_sockets'($*)) dnl
	gen_require(`
		type xserver_t;
	')

	dontaudit $1 xserver_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_rw_stream_sockets'($*)) dnl
')

########################################
## Do not audit attempts to read and write xdm
## unix domain stream sockets.
##
## Parameters:
##   1. Domain to not audit.
#
define(`xserver_dontaudit_xdm_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_xdm_rw_stream_sockets'($*)) dnl
	gen_require(`
		type xdm_t;
	')

	# Broader than the summary says: append, getattr and ioctl are
	# silenced as well as read and write.
	dontaudit $1 xdm_t:unix_stream_socket { append getattr ioctl read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_xdm_rw_stream_sockets'($*)) dnl
')

########################################
## Connect to the X server over a unix domain
## stream socket.
##
## Side effect: the X server is also allowed to read and
## write the Sys V shared memory segments of the caller
## (needed for MIT-SHM style clients).
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_stream_connect'($*)) dnl
	gen_require(`
		type xserver_t, xserver_tmp_t;
	')

	files_search_tmp($1)
	# Socket lives in the X server tmp dir (search dir, write sock_file,
	# connectto the xserver_t socket).
	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
	# Reverse direction: server access to client shm, not client access to server.
	allow xserver_t $1:shm rw_shm_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_stream_connect'($*)) dnl
')

########################################
## Do not audit attempts to connect to the X server
## over a unix domain stream socket.
##
## Parameters:
##   1. Domain to not audit.
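#
define(`xserver_dontaudit_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_stream_connect'($*)) dnl
	gen_require(`
		type xserver_t, xserver_tmp_t;
	')

	# This is a dontaudit interface: it must only silence the denials a
	# stream connect to the X server socket produces, never grant them.
	# The previous body called stream_connect_pattern(), which emits allow
	# rules, so every caller of this interface was silently granted the
	# access the summary says is merely not audited. The three rules below
	# are the dontaudit counterpart of that pattern.
	dontaudit $1 xserver_tmp_t:dir search_dir_perms;
	dontaudit $1 xserver_tmp_t:sock_file write_sock_file_perms;
	dontaudit $1 xserver_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_stream_connect'($*)) dnl
')

########################################
## Read X server temporary files.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_read_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_tmp_files'($*)) dnl
	gen_require(`
		type xserver_tmp_t;
	')

	allow $1 xserver_tmp_t:file read_file_perms;
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_tmp_files'($*)) dnl
')

########################################
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
## virtual core keyboard and virtual core pointer devices.
##
## Parameters:
##   1. Domain allowed access.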
#
# NOTE(review): the summary above undersells this interface. The rules
# below grant every permission (*) on x_device, x_pointer and x_keyboard,
# plus all drawable, resource, cursor and synthetic-event permissions on
# objects of every x_domain and on the root drawable. That is far more than
# read access to the core devices; treat callers as roughly as trusted on
# the display as xserver_unconfined() callers.
define(`xserver_manage_core_devices',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_manage_core_devices'($*)) dnl
	gen_require(`
		type xserver_t, root_xdrawable_t, xevent_t;
		class x_device all_x_device_perms;
		class x_pointer all_x_pointer_perms;
		class x_keyboard all_x_keyboard_perms;
		class x_screen all_x_screen_perms;
		class x_drawable { manage };
		attribute x_domain;
		class x_drawable all_x_drawable_perms;
		class x_resource all_x_resource_perms;
		class x_synthetic_event all_x_synthetic_event_perms;
		class x_cursor all_x_cursor_perms;
	')

	# All permissions on the core input devices of this server.
	allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
	allow $1 xserver_t:{ x_screen } setattr;
	# Cursors, drawables and resources owned by any X client domain.
	allow $1 x_domain:x_cursor all_x_cursor_perms;
	allow $1 x_domain:x_drawable all_x_drawable_perms;
	allow $1 x_domain:x_resource all_x_resource_perms;
	allow $1 root_xdrawable_t:x_drawable all_x_drawable_perms;
	# Synthetic (client-generated) events, i.e. injected input.
	allow $1 xevent_t:x_synthetic_event all_x_synthetic_event_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_manage_core_devices'($*)) dnl
')

########################################
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the
## display.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_unconfined'($*)) dnl
	gen_require(`
		attribute x_domain, xserver_unconfined_type;
	')

	# Membership in xserver_unconfined_type is what the X server policy
	# keys its unconfined (complete display control) rules on; only add
	# domains that really need to bypass X object labeling.
	typeattribute $1 x_domain;
	typeattribute $1 xserver_unconfined_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_unconfined'($*)) dnl
')

########################################
## Do not audit attempts to append to the
## .xsession-errors file.
##
## Parameters:
##   1. Domain to not audit.
#
define(`xserver_dontaudit_append_xdm_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_append_xdm_home_files'($*)) dnl
	gen_require(`
		type xdm_home_t;
	')

	# Silences rw on inherited descriptors, not just append.
	dontaudit $1 xdm_home_t:file rw_inherited_file_perms;

	# Home directories on NFS/CIFS carry the filesystem label instead.
	tunable_policy(`use_nfs_home_dirs',`
		fs_dontaudit_rw_nfs_files($1)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_dontaudit_rw_cifs_files($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_append_xdm_home_files'($*)) dnl
')

########################################
## Append to the .xsession-errors file.
## Also allows appending to X server temporary files.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_append_xdm_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_append_xdm_home_files'($*)) dnl
	gen_require(`
		type xdm_home_t, xserver_tmp_t;
	')

	allow $1 xdm_home_t:file append_file_perms;
	allow $1 xserver_tmp_t:file append_file_perms;

	tunable_policy(`use_nfs_home_dirs',`
		fs_append_nfs_files($1)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_append_cifs_files($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_append_xdm_home_files'($*)) dnl
')

########################################
## Search xdm spool directories.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_xdm_search_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_xdm_search_spool'($*)) dnl
	gen_require(`
		type xdm_spool_t;
	')

	files_search_spool($1)
	search_dirs_pattern($1, xdm_spool_t, xdm_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_xdm_search_spool'($*)) dnl
')

########################################
## Read xdm spool files.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_xdm_read_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_xdm_read_spool'($*)) dnl
	gen_require(`
		type xdm_spool_t;
	')

	files_search_spool($1)
	read_files_pattern($1, xdm_spool_t, xdm_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_xdm_read_spool'($*)) dnl
')

########################################
## Manage xdm spool files.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_xdm_manage_spool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_xdm_manage_spool'($*)) dnl
	gen_require(`
		type xdm_spool_t;
	')

	files_search_spool($1)
	manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_xdm_manage_spool'($*)) dnl
')

########################################
## Send and receive messages from
## xdm over dbus.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_dbus_chat_xdm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dbus_chat_xdm'($*)) dnl
	gen_require(`
		type xdm_t;
		class dbus send_msg;
	')

	# Bidirectional: both sides may send to each other.
	allow $1 xdm_t:dbus send_msg;
	allow xdm_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dbus_chat_xdm'($*)) dnl
')

########################################
## Send and receive messages from
## the X server over dbus.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dbus_chat'($*)) dnl
	gen_require(`
		type xserver_t;
		class dbus send_msg;
	')

	allow $1 xserver_t:dbus send_msg;
	allow xserver_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dbus_chat'($*)) dnl
')

########################################
## Read X server files created in /var/run.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_read_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_pid'($*)) dnl
	gen_require(`
		type xserver_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_pid'($*)) dnl
')

########################################
## Execute X server files created in /var/run.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_exec_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_exec_pid'($*)) dnl
	gen_require(`
		type xserver_var_run_t;
	')

	files_search_pids($1)
	# Executing content from a runtime directory means the caller will run
	# whatever the X server (or anything else with write access to
	# xserver_var_run_t) places there; grant sparingly.
	exec_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_exec_pid'($*)) dnl
')

########################################
## Write X server files created in /var/run.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_write_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_write_pid'($*)) dnl
	gen_require(`
		type xserver_var_run_t;
	')

	files_search_pids($1)
	write_files_pattern($1, xserver_var_run_t, xserver_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_write_pid'($*)) dnl
')

########################################
## Append to the xdm log files.
## Also marks the domain as an xdm home writer.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_xdm_append_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_xdm_append_log'($*)) dnl
	gen_require(`
		type xdm_log_t;
		attribute xdmhomewriter;
	')

	typeattribute $1 xdmhomewriter;
	# Inherited descriptors only: the caller cannot open the log itself.
	allow $1 xdm_log_t:file append_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_xdm_append_log'($*)) dnl
')

########################################
## Allow ioctl on the xdm log files.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_xdm_ioctl_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_xdm_ioctl_log'($*)) dnl
	gen_require(`
		type xdm_log_t;
	')

	allow $1 xdm_log_t:file ioctl;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_xdm_ioctl_log'($*)) dnl
')

########################################
## Append to the xdm tmp files.
## Deprecated: forwards to userdom_append_user_tmp_files().
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_append_xdm_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_append_xdm_tmp_files'($*)) dnl
	refpolicywarn(`$0() has been deprecated, please use userdom_append_user_tmp_files instead.')
	userdom_append_user_tmp_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_append_xdm_tmp_files'($*)) dnl
')

########################################
## Read user .ICEauthority files.
##
## These files hold per-session ICE authentication cookies;
## reading them is equivalent to being able to authenticate
## to the ICE/DCOP sessions of that user.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_read_user_iceauth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_user_iceauth'($*)) dnl
	gen_require(`
		type iceauth_home_t;
	')

	# Read .Iceauthority file
	allow $1 iceauth_home_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_user_iceauth'($*)) dnl
')

########################################
## Read/write inherited user homedir fonts.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_rw_inherited_user_fonts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_rw_inherited_user_fonts'($*)) dnl
	gen_require(`
		type user_fonts_t, user_fonts_config_t;
	')

	allow $1 user_fonts_t:file rw_inherited_file_perms;
	# NOTE(review): a lnk_file permission set applied to the file class;
	# presumably lnk_file was intended here - confirm before changing.
	allow $1 user_fonts_t:file read_lnk_file_perms;
	allow $1 user_fonts_config_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_rw_inherited_user_fonts'($*)) dnl
')

########################################
## Search XDM var lib dirs.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_search_xdm_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_search_xdm_lib'($*)) dnl
	gen_require(`
		type xdm_var_lib_t;
	')

	allow $1 xdm_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_search_xdm_lib'($*)) dnl
')

########################################
## Make the X server executable an entrypoint for the specified domain.
##
## Parameters:
##   1. The domain for which the X server executable is an entrypoint.
#
define(`xserver_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_entry_type'($*)) dnl
	gen_require(`
		type xserver_exec_t;
	')

	domain_entry_file($1, xserver_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_entry_type'($*)) dnl
')

########################################
## Execute the X server in the xserver domain, and
## allow the specified role the xserver domain.
##
## Parameters:
##   1. Domain allowed access.
##   2. The role to be allowed the xserver domain.
#
define(`xserver_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_run'($*)) dnl
	gen_require(`
		type xserver_t;
	')

	xserver_domtrans($1)
	# Also permits the transition under NoNewPrivileges / nosuid.
	xserver_nnp_daemon_domain($1)
	role $2 types xserver_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_run'($*)) dnl
')

########################################
## Execute xauth in the xauth domain, and
## allow the specified role the xauth domain.
##
## Parameters:
##   1. Domain allowed access.
##   2. The role to be allowed the xauth domain.
#
define(`xserver_run_xauth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_run_xauth'($*)) dnl
	gen_require(`
		type xauth_t;
	')

	xserver_domtrans_xauth($1)
	role $2 types xauth_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_run_xauth'($*)) dnl
')

########################################
## Read user homedir fonts.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_read_home_fonts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_read_home_fonts'($*)) dnl
	gen_require(`
		type user_fonts_t, user_fonts_config_t;
	')

	list_dirs_pattern($1, user_fonts_t, user_fonts_t)
	read_files_pattern($1, user_fonts_t, user_fonts_t)
	read_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
	read_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_read_home_fonts'($*)) dnl
')

########################################
## Manage the user fonts dir, including creating
## the .font-unix directory in /tmp with the
## user fonts label.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_manage_user_fonts_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_manage_user_fonts_dir'($*)) dnl
	gen_require(`
		type user_fonts_t;
	')

	manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
	files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_manage_user_fonts_dir'($*)) dnl
')

########################################
## Manage user homedir fonts.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_manage_home_fonts',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_manage_home_fonts'($*)) dnl
	gen_require(`
		type user_fonts_t, user_fonts_config_t, user_fonts_cache_t;
	')

	manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
	manage_files_pattern($1, user_fonts_t, user_fonts_t)
	manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
	# The named transitions below are disabled; callers that need them use
	# xserver_filetrans_home_content() or xserver_filetrans_fonts_cache_home_content().
	# user_fonts_cache_t is only referenced by the disabled lines, so the
	# require of it is currently unused.
	# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts.d")
	# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
	# userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_manage_home_fonts'($*)) dnl
')

########################################
## Transition to the fonts cache label when creating
## the .fontconfig directory in a user home directory.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_filetrans_fonts_cache_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_filetrans_fonts_cache_home_content'($*)) dnl
	gen_require(`
		type user_fonts_cache_t;
	')

	userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_filetrans_fonts_cache_home_content'($*)) dnl
')

########################################
## Transition to X server named content created
## in user home directories.
##
## Parameters:
##   1. Domain allowed access.
#
# Named file transitions give the X auth cookie files (.Xauthority,
# .ICEauthority and variants) their private types at creation time, so
# that domains with generic user home access do not also get the cookies.
define(`xserver_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_filetrans_home_content'($*)) dnl
	gen_require(`
		type xdm_home_t, xauth_home_t, iceauth_home_t;
		type user_home_t, user_fonts_t, user_fonts_cache_t;
		type user_fonts_config_t;
	')

	# NOTE(review): user_home_t is required but not used by any rule below.
	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
	userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
	userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-c")
	userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-n")
	userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-n")
	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
	userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
	# Session error logs, one per display number.
	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
	userdom_user_home_dir_filetrans($1, xdm_home_t, file, "xsession-errors")
	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0")
	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1")
	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2")
	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3")
	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4")
	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5")
	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6")
	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7")
	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8")
	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9")
	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".wayland-errors")
	userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".vnc")
	# Font configuration, data and cache.
	userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
	userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
	userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")

	optional_policy(`
		gnome_data_filetrans($1, user_fonts_t, dir, "fonts")
	')

	userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
	filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, "auto")
	files_tmp_filetrans($1, user_fonts_t, dir, ".font-unix")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_filetrans_home_content'($*)) dnl
')

########################################
## Create X server content in the admin home
## directory with a named file transition.
##
## Parameters:
##   1. Domain allowed access.
#
# Admin-home counterpart of xserver_filetrans_home_content().
# NOTE(review): this list omits .ICEauthority-c, .ICEauthority-n and
# .Xauthority-n, which the user-home variant covers; confirm whether the
# difference is intended, since those files would otherwise be created
# with the generic admin home label.
define(`xserver_filetrans_admin_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_filetrans_admin_home_content'($*)) dnl
	gen_require(`
		type xdm_home_t, xauth_home_t, iceauth_home_t;
		type user_home_t, user_fonts_t, user_fonts_cache_t;
		type user_fonts_config_t;
	')

	# NOTE(review): user_home_t is required but not used by any rule below.
	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, "xsession-errors")
	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0")
	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1")
	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2")
	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3")
	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4")
	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5")
	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6")
	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7")
	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8")
	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9")
	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors.old")
	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".wayland-errors")
	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".vnc")
	# Auth cookie files get their private types at creation time.
	userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
	userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
	userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
	userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
	userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
	userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
	userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
	userdom_admin_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
	userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
	userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
	userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")

	optional_policy(`
		gnome_cache_filetrans($1, xdm_home_t, dir, "xdm")
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_filetrans_admin_home_content'($*)) dnl
')

########################################
## Create objects in a xdm temporary directory
## with an automatic type transition to
## a specified private type.
## Deprecated: forwards to userdom_user_tmp_filetrans().
##
## Parameters:
##   1. Domain allowed access.
##   2. The type of the object to create.
##   3. The class of the object to be created.
##   4. The name of the object being created.
#
define(`xserver_xdm_tmp_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_xdm_tmp_filetrans'($*)) dnl
	refpolicywarn(`$0() has been deprecated, please use userdom_user_tmp_filetrans instead.')
	userdom_user_tmp_filetrans($1,$2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_xdm_tmp_filetrans'($*)) dnl
')

########################################
## Do not audit attempts to search X server
## log directories.
##
## Parameters:
##   1. Domain to not audit.
#
define(`xserver_dontaudit_search_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_dontaudit_search_log'($*)) dnl
	gen_require(`
		type xserver_log_t;
	')

	dontaudit $1 xserver_log_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_dontaudit_search_log'($*)) dnl
')

########################################
## Read, write and set attributes of xdm kernel keys.
## (Not full key management: no create, link or search.)
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_rw_xdm_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_rw_xdm_keys'($*)) dnl
	gen_require(`
		type xdm_t;
	')

	allow $1 xdm_t:key { read write setattr };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_rw_xdm_keys'($*)) dnl
')

########################################
## Transition to xdm named content: the gdm
## directory created under /var/run.
##
## Parameters:
##   1. Domain allowed access.
#
define(`xserver_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `xserver_filetrans_named_content'($*)) dnl
	gen_require(`
		type xdm_var_run_t;
	')

	files_pid_filetrans($1, xdm_var_run_t, dir, "gdm")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `xserver_filetrans_named_content'($*)) dnl
')

## Policy for user executable applications.

########################################
## Make the specified type usable as an application domain.
##
## Parameters:
##   1. Type to be used as a domain type.
#
define(`application_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_type'($*)) dnl
	gen_require(`
		attribute application_domain_type;
	')

	typeattribute $1 application_domain_type;

	# start with basic domain
	domain_type($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_type'($*)) dnl
')

########################################
## Make the specified type usable for files
## that are executables, such as binary programs.
## This does not include shared libraries.
##
## Parameters:
##   1. Type to be used for files.
#
define(`application_executable_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_executable_file'($*)) dnl
	gen_require(`
		attribute application_exec_type;
	')

	typeattribute $1 application_exec_type;
	corecmd_executable_file($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_executable_file'($*)) dnl
')

########################################
## Allow ioctl on all application executable files.
##
## Parameters:
##   1. Domain allowed access.
#
define(`application_executable_ioctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_executable_ioctl'($*)) dnl
	gen_require(`
		attribute application_exec_type;
	')

	allow $1 application_exec_type:file ioctl;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_executable_ioctl'($*)) dnl
')

########################################
## Execute application executables in the caller domain.
##
## Parameters:
##   1. Domain allowed access.
#
define(`application_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_exec'($*)) dnl
	gen_require(`
		attribute application_exec_type;
	')

	can_exec($1, application_exec_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_exec'($*)) dnl
')

########################################
## Execute all executable files (bin, shell and
## application executables) in the caller domain.
##
## Parameters:
##   1. Domain allowed access.
#
define(`application_exec_all',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_exec_all'($*)) dnl
	# Denials on the remaining executable types are silenced rather than granted.
	corecmd_dontaudit_exec_all_executables($1)
	corecmd_exec_bin($1)
	corecmd_exec_shell($1)
	application_exec($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_exec_all'($*)) dnl
')

########################################
## Do not audit attempts to execute application executable files.
##
## Parameters:
##   1. Domain to not audit.
#
define(`application_dontaudit_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_dontaudit_exec'($*)) dnl
	gen_require(`
		attribute application_exec_type;
	')

	dontaudit $1 application_exec_type:file execute;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_dontaudit_exec'($*)) dnl
')

########################################
## Create a domain for applications.
##

## Create a domain for applications. Typically these are
## programs that are run interactively.
##
## The types will be made usable as a domain and file, making
## calls to domain_type() and files_type() redundant.
##
## Parameters:
##   1. Type to be used as an application domain.
##   2. Type of the program to be used as an entry point to this domain.
#
define(`application_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_domain'($*)) dnl
	application_type($1)
	application_executable_file($2)
	domain_entry_file($1, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_domain'($*)) dnl
')

########################################
## Send null signals to all application domains.
##
## Parameters:
##   1. Domain allowed access.
#
define(`application_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_signull'($*)) dnl
	gen_require(`
		attribute application_domain_type;
	')

	allow $1 application_domain_type:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_signull'($*)) dnl
')

########################################
## Do not audit attempts to send null signals
## to all application domains.
##
## Parameters:
##   1. Domain to not audit.
#
define(`application_dontaudit_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `application_dontaudit_signull'($*)) dnl
	gen_require(`
		attribute application_domain_type;
	')

	dontaudit $1 application_domain_type:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `application_dontaudit_signull'($*)) dnl
')

########################################
## Send general signals to all application domains.
##
## Parameters:
##   1. Domain allowed access.
## ## # define(`application_signal',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `application_signal'($*)) dnl gen_require(` attribute application_domain_type; ') allow $1 application_domain_type:process signal; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `application_signal'($*)) dnl ') ######################################## ## ## Do not audit attempts to send general signals ## to all application domains. ## ## ## ## Domain to not audit. ## ## # define(`application_dontaudit_signal',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `application_dontaudit_signal'($*)) dnl gen_require(` attribute application_domain_type; ') dontaudit $1 application_domain_type:process signal; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `application_dontaudit_signal'($*)) dnl ') ######################################## ## ## Send kill signals to all application domains. ## ## ## ## Domain allowed access. ## ## # define(`application_sigkill',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `application_sigkill'($*)) dnl gen_require(` attribute application_domain_type; ') allow $1 application_domain_type:process sigkill; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `application_sigkill'($*)) dnl ') ######################################## ## ## Do not audit attempts to send kill signals ## to all application domains. ## ## ## ## Domain to not audit. 
## ## # define(`application_dontaudit_sigkill',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `application_dontaudit_sigkill'($*)) dnl gen_require(` attribute application_domain_type; ') dontaudit $1 application_domain_type:process sigkill; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `application_dontaudit_sigkill'($*)) dnl ') ####################################### ## ## Getattr all application sockets. ## ## ## ## Domain allowed access. ## ## # define(`application_getattr_socket',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `application_getattr_socket'($*)) dnl gen_require(` attribute application_domain_type; ') allow $1 application_domain_type:socket_class_set getattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `application_getattr_socket'($*)) dnl ') ## Common policy for authentication and user login. ######################################## ## ## Role access for password authentication. ## ## ## ## Role allowed access. ## ## ## ## ## Domain allowed access. ## ## # define(`auth_role',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_role'($*)) dnl gen_require(` type chkpwd_t, chkpwd_exec_t, shadow_t; ') role $1 types chkpwd_t; # Transition from the user domain to this domain. auth_domtrans_chkpwd($2) ps_process_pattern($2, chkpwd_t) dontaudit $2 shadow_t:file read_file_perms; logging_send_syslog_msg($2) logging_send_audit_msgs($2) usermanage_read_crack_db($2) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_role'($*)) dnl ') ######################################## ## ## Use PAM for authentication. ## ## ## ## Domain allowed access. 
## ## # define(`auth_use_pam',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_use_pam'($*)) dnl # for SSP/ProPolice dev_read_urand($1) # for encrypted homedir dev_read_sysfs($1) auth_domtrans_chk_passwd($1) auth_domtrans_upd_passwd($1) auth_dontaudit_read_shadow($1) auth_read_login_records($1) auth_append_login_records($1) auth_rw_lastlog($1) auth_create_lastlog($1) auth_manage_faillog($1) auth_exec_pam($1) auth_use_nsswitch($1) init_rw_stream_sockets($1) logging_send_audit_msgs($1) logging_send_syslog_msg($1) userdom_search_user_tmp_dirs($1) optional_policy(` dbus_system_bus_client($1) optional_policy(` consolekit_dbus_chat($1) ') optional_policy(` fprintd_dbus_chat($1) ') ') optional_policy(` kerberos_manage_host_rcache($1) kerberos_read_config($1) ') optional_policy(` locallogin_getattr_home_content($1) ') optional_policy(` nis_authenticate($1) ') optional_policy(` systemd_dbus_chat_logind($1) systemd_use_fds_logind($1) systemd_write_inherited_logind_sessions_pipes($1) systemd_read_logind_sessions_files($1) ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_use_pam'($*)) dnl ') ######################################## ## ## Make the specified domain used for a login program. ## ## ## ## Domain type used for a login program domain. 
## ## # define(`auth_login_pgm_domain',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_login_pgm_domain'($*)) dnl gen_require(` type var_auth_t, auth_cache_t; attribute polydomain; attribute login_pgm; ') domain_type($1) typeattribute $1 polydomain; typeattribute $1 login_pgm; domain_subj_id_change_exemption($1) domain_role_change_exemption($1) domain_obj_id_change_exemption($1) role system_r types $1; selinux_get_fs_mount($1) mls_file_read_all_levels($1) mls_file_write_all_levels($1) mls_file_upgrade($1) mls_file_downgrade($1) mls_process_set_level($1) mls_process_write_to_clearance($1) mls_fd_share_all_levels($1) auth_use_pam($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_login_pgm_domain'($*)) dnl ') ######################################## ## ## Read authlogin state files. ## ## ## ## Domain allowed access. ## ## # define(`authlogin_read_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `authlogin_read_state'($*)) dnl gen_require(` attribute polydomain; ') kernel_search_proc($1) ps_process_pattern($1, polydomain) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `authlogin_read_state'($*)) dnl ') ######################################## ## ## Read and write a authlogin unnamed pipe. ## ## ## ## Domain allowed access. ## ## # define(`authlogin_rw_pipes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `authlogin_rw_pipes'($*)) dnl gen_require(` attribute polydomain; ') allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `authlogin_rw_pipes'($*)) dnl ') ######################################## ## ## Use the login program as an entry point program. ## ## ## ## Domain allowed access. 
##
##
#
define(`auth_login_entry_type',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `auth_login_entry_type'($*))dnl
	gen_require(`
		type login_exec_t;
	')

	# Only the entry point relationship is declared here; this interface
	# adds no transition rule, so a caller that wants to reach $1 through
	# login_exec_t still needs its own domain transition.
	domain_entry_file($1, login_exec_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `auth_login_entry_type'($*))dnl
')

########################################
##
## Make the specified type usable as a
## login file.
##
##
##

## Make the specified type usable as a login file. ## This type has restricted modification capabilities when used with ## other interfaces that permit files_type access. ## The default type has properties similar to that of the shadow file. ## This will also make the type usable as a security file, making ## calls to files_security_file() redundant. ##

##
## ## ## Type to be used as a login file. ## ## ## # define(`auth_file',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_file'($*)) dnl refpolicywarn(`$0($*) has been deprecated, use files_auth_file() instead.') files_auth_file($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_file'($*)) dnl ') ######################################## ## ## Execute a login_program in the target domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## The type of the login_program process. ## ## # define(`auth_domtrans_login_program',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_domtrans_login_program'($*)) dnl gen_require(` type login_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, login_exec_t, $2) allow $1 login_exec_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_domtrans_login_program'($*)) dnl ') ######################################## ## ## Execute a login_program in the caller domain. ## ## ## ## Domain allowed to transition. ## ## # define(`auth_exec_login_program',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_exec_login_program'($*)) dnl gen_require(` type login_exec_t; ') corecmd_search_bin($1) can_exec($1, login_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_exec_login_program'($*)) dnl ') ######################################## ## ## Execute a login_program in the target domain, ## with a range transition. ## ## ## ## Domain allowed to transition. ## ## ## ## ## The type of the login_program process. ## ## ## ## ## Range of the login program. 
## ## # define(`auth_ranged_domtrans_login_program',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_ranged_domtrans_login_program'($*)) dnl gen_require(` type login_exec_t; ') auth_domtrans_login_program($1, $2) ifdef(`enable_mcs',` range_transition $1 login_exec_t:process $3; ') ifdef(`enable_mls',` range_transition $1 login_exec_t:process $3; ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_ranged_domtrans_login_program'($*)) dnl ') ######################################## ## ## Search authentication cache ## ## ## ## Domain allowed access. ## ## # define(`auth_search_cache',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_search_cache'($*)) dnl gen_require(` type auth_cache_t; ') allow $1 auth_cache_t:dir search_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_search_cache'($*)) dnl ') ######################################## ## ## Read authentication cache ## ## ## ## Domain allowed access. ## ## # define(`auth_read_cache',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_read_cache'($*)) dnl gen_require(` type auth_cache_t; ') read_files_pattern($1, auth_cache_t, auth_cache_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_read_cache'($*)) dnl ') ######################################## ## ## Read/Write authentication cache ## ## ## ## Domain allowed access. 
## ## # define(`auth_rw_cache',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_rw_cache'($*)) dnl gen_require(` type auth_cache_t; ') rw_files_pattern($1, auth_cache_t, auth_cache_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_rw_cache'($*)) dnl ') ######################################## ## ## Create authentication cache ## ## ## ## Domain allowed access. ## ## # define(`auth_create_cache',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_create_cache'($*)) dnl gen_require(` type auth_cache_t; ') create_files_pattern($1, auth_cache_t, auth_cache_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_create_cache'($*)) dnl ') ######################################## ## ## Manage authentication cache ## ## ## ## Domain allowed access. ## ## # define(`auth_manage_cache',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_manage_cache'($*)) dnl gen_require(` type auth_cache_t; ') manage_dirs_pattern($1, auth_cache_t, auth_cache_t) manage_files_pattern($1, auth_cache_t, auth_cache_t) allow $1 auth_cache_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_manage_cache'($*)) dnl ') ####################################### ## ## Automatic transition from cache_t to cache. ## ## ## ## Domain allowed access. ## ## # define(`auth_var_filetrans_cache',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_var_filetrans_cache'($*)) dnl gen_require(` type auth_cache_t; ') files_var_filetrans($1, auth_cache_t, { file dir } ) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_var_filetrans_cache'($*)) dnl ') ######################################## ## ## Run unix_chkpwd to check a password. 
##
##
##
##
## Domain allowed to transition.
##
##
#
define(`auth_domtrans_chk_passwd',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `auth_domtrans_chk_passwd'($*))dnl
	gen_require(`
		type chkpwd_t, chkpwd_exec_t, shadow_t;
		type auth_cache_t;
	')

	# Full variant: besides the transition into chkpwd_t, the caller $1
	# itself receives the supporting access below (auth cache dir,
	# random devices, nsswitch, failure log, audit, certs).
	allow $1 auth_cache_t:dir search_dir_perms;

	corecmd_search_bin($1)
	domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
	# mmap of the helper binary, in addition to the execute granted by the
	# transition pattern.
	allow $1 chkpwd_exec_t:file map;

	# Silences, but does not grant, reads of shadow_t by $1: the password
	# check is expected to happen in chkpwd_t after the transition.
	# A real attempt by $1 to read the shadow file will therefore not
	# appear in the audit log.
	dontaudit $1 shadow_t:file read_file_perms;

	dev_read_rand($1)
	dev_read_urand($1)

	auth_use_nsswitch($1)
	# Read/write on the login failure log is granted to the caller $1
	# itself, not to the helper domain.
	auth_rw_faillog($1)

	logging_send_audit_msgs($1)

	miscfiles_read_generic_certs($1)

	optional_policy(`
		kerberos_read_keytab($1)
	')

	optional_policy(`
		pcscd_read_pid_files($1)
		pcscd_stream_connect($1)
	')

	optional_policy(`
		samba_stream_connect_winbind($1)
	')

	# Also pulls in the transition to the password update helper.
	auth_domtrans_upd_passwd($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `auth_domtrans_chk_passwd'($*))dnl
')

########################################
##
## Run unix_chkpwd to check a password.
## Stripped down version to be called within boolean
##
##
##
## Domain allowed to transition.
##
##
#
define(`auth_domtrans_chkpwd',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `auth_domtrans_chkpwd'($*))dnl
	gen_require(`
		type chkpwd_t, chkpwd_exec_t, shadow_t;
	')

	# Minimal variant meant to sit inside a conditional: only the
	# transition and a narrower shadow_t dontaudit (getattr and read
	# rather than read_file_perms). Unlike auth_domtrans_chk_passwd, no
	# explicit map permission on chkpwd_exec_t and none of the
	# supporting access is granted here.
	corecmd_search_bin($1)
	domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
	dontaudit $1 shadow_t:file { getattr read };

	auth_domtrans_upd_passwd($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `auth_domtrans_chkpwd'($*))dnl
')

########################################
##
## Execute chkpwd in the caller domain.
##
##
##
## Domain allowed to transition.
## ## # define(`auth_exec_chkpwd',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_exec_chkpwd'($*)) dnl gen_require(` type chkpwd_exec_t; ') allow $1 chkpwd_exec_t:file execute; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_exec_chkpwd'($*)) dnl ') ######################################## ## ## Execute chkpwd programs in the chkpwd domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## The role to allow the chkpwd domain. ## ## # define(`auth_run_chk_passwd',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_run_chk_passwd'($*)) dnl gen_require(` type chkpwd_t; ') auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; auth_run_upd_passwd($1, $2) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_run_chk_passwd'($*)) dnl ') ######################################## ## ## Send generic signals to chkpwd processes. ## ## ## ## Domain allowed access. ## ## # define(`auth_signal_chk_passwd',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_signal_chk_passwd'($*)) dnl gen_require(` type chkpwd_t; ') allow $1 chkpwd_t:process signal; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_signal_chk_passwd'($*)) dnl ') ######################################## ## ## Execute a domain transition to run unix_update. ## ## ## ## Domain allowed to transition. 
## ## # define(`auth_domtrans_upd_passwd',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_domtrans_upd_passwd'($*)) dnl gen_require(` type updpwd_t, updpwd_exec_t; ') domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_domtrans_upd_passwd'($*)) dnl ') ######################################## ## ## Execute updpwd programs in the updpwd domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## The role to allow the updpwd domain. ## ## # define(`auth_run_upd_passwd',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_run_upd_passwd'($*)) dnl gen_require(` type updpwd_t; ') auth_domtrans_upd_passwd($1) role $2 types updpwd_t; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_run_upd_passwd'($*)) dnl ') ######################################## ## ## Get the attributes of the shadow passwords file. ## ## ## ## Domain allowed access. ## ## # define(`auth_getattr_shadow',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_getattr_shadow'($*)) dnl gen_require(` type shadow_t; ') files_search_etc($1) allow $1 shadow_t:file getattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_getattr_shadow'($*)) dnl ') ######################################## ## ## Do not audit attempts to get the attributes ## of the shadow passwords file. ## ## ## ## Domain to not audit. 
## ## # define(`auth_dontaudit_getattr_shadow',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_dontaudit_getattr_shadow'($*)) dnl gen_require(` type shadow_t; ') dontaudit $1 shadow_t:file getattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_dontaudit_getattr_shadow'($*)) dnl ') ######################################## ## ## Mmap the shadow passwords file. ## ## ## ## Domain allowed access. ## ## # define(`auth_map_shadow',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_map_shadow'($*)) dnl gen_require(` type shadow_t; ') allow $1 shadow_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_map_shadow'($*)) dnl ') ######################################## ## ## Read the shadow passwords file (/etc/shadow) ## ## ## ## Domain allowed access. ## ## # # cjp: these next three interfaces are split # since typeattribute does not work in conditionals # yet, otherwise they should be one interface. # define(`auth_read_shadow',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_read_shadow'($*)) dnl auth_can_read_shadow_passwords($1) auth_tunable_read_shadow($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_read_shadow'($*)) dnl ') ######################################## ## ## Pass shadow assertion for reading. ## ## ##

## Pass shadow assertion for reading. ## This should only be used with ## auth_tunable_read_shadow(), and ## only exists because typeattribute ## does not work in conditionals. ##

##
##
##
## Domain allowed access.
##
##
#
define(`auth_can_read_shadow_passwords',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `auth_can_read_shadow_passwords'($*))dnl
	gen_require(`
		attribute can_read_shadow_passwords;
	')

	# No allow rule here: this only tags $1 with the attribute that the
	# shadow read assertion checks. The read permission itself comes from
	# auth_tunable_read_shadow; auth_read_shadow combines the two.
	typeattribute $1 can_read_shadow_passwords;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `auth_can_read_shadow_passwords'($*))dnl
')

########################################
##
## Read the shadow password file.
##
##
##

## Read the shadow password file. This ## should only be used in a conditional; ## it does not pass the reading shadow ## assertion. ##

##
##
##
## Domain allowed access.
##
##
#
define(`auth_tunable_read_shadow',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `auth_tunable_read_shadow'($*))dnl
	gen_require(`
		type shadow_t;
	')

	# Grants the shadow_t read without tagging $1 with
	# can_read_shadow_passwords, so the shadow read assertion is not
	# satisfied by this interface alone. The attribute has to be applied
	# outside the conditional via auth_can_read_shadow_passwords; for the
	# unconditional case use auth_read_shadow, which does both.
	files_list_etc($1)
	allow $1 shadow_t:file read_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `auth_tunable_read_shadow'($*))dnl
')

########################################
##
## Do not audit attempts to read the shadow
## password file (/etc/shadow).
##
##
##
## Domain to not audit.
##
##
#
define(`auth_dontaudit_read_shadow',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `auth_dontaudit_read_shadow'($*))dnl
	gen_require(`
		type shadow_t;
	')

	# Suppresses the denial record only; no access is granted. Used by
	# auth_use_pam and auth_domtrans_upd_passwd for domains that try the
	# shadow file themselves before going through a helper.
	dontaudit $1 shadow_t:file read_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `auth_dontaudit_read_shadow'($*))dnl
')

########################################
##
## Read and write the shadow password file (/etc/shadow).
##
##
##
## Domain allowed access.
##
##
#
define(`auth_rw_shadow',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `auth_rw_shadow'($*))dnl
	gen_require(`
		attribute can_read_shadow_passwords, can_write_shadow_passwords;
		type shadow_t;
	')

	files_list_etc($1)
	allow $1 shadow_t:file rw_file_perms;
	# Both attributes are applied: the read one satisfies the shadow read
	# assertion, and can_write_shadow_passwords presumably serves the
	# corresponding write assertion (not visible in this file).
	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `auth_rw_shadow'($*))dnl
')

########################################
##
## Create, read, write, and delete the shadow
## password file.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_manage_shadow',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_shadow'($*))dnl
	gen_require(`
		attribute can_read_shadow_passwords, can_write_shadow_passwords;
		type shadow_t;
	')

	allow $1 shadow_t:file manage_file_perms;
	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;

	# NOTE(review): the named transitions for "shadow" and "shadow-" are
	# declared under var, while gshadow, nshadow and opasswd below use etc.
	# Confirm this is intended: a file named shadow that $1 creates
	# directly in etc gets no named transition from this interface (only
	# auth_etc_filetrans_shadow provides an unnamed etc transition).
	files_var_filetrans($1, shadow_t, file, "shadow")
	files_var_filetrans($1, shadow_t, file, "shadow-")
	files_etc_filetrans($1, shadow_t, file, "gshadow")
	files_etc_filetrans($1, shadow_t, file, "nshadow")
	files_etc_filetrans($1, shadow_t, file, "opasswd")
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `auth_manage_shadow'($*))dnl
')

#######################################
##
## Automatic transition from etc to shadow.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_etc_filetrans_shadow',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `auth_etc_filetrans_shadow'($*))dnl
	gen_require(`
		type shadow_t;
	')

	# Unnamed transition: every file $1 creates in etc becomes shadow_t.
	# Callers that only need specific file names should prefer the named
	# transitions in auth_manage_shadow.
	files_etc_filetrans($1, shadow_t, file)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `auth_etc_filetrans_shadow'($*))dnl
')

#######################################
##
## Relabel to the shadow
## password file type.
##
##
##
## Domain allowed access.
##
##
#
define(`auth_relabelto_shadow',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `auth_relabelto_shadow'($*))dnl
	gen_require(`
		attribute can_relabelto_shadow_passwords;
		type shadow_t;
	')

	files_search_etc($1)
	# relabelto only; relabelfrom is left to auth_relabel_shadow.
	allow $1 shadow_t:file relabelto;
	typeattribute $1 can_relabelto_shadow_passwords;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `auth_relabelto_shadow'($*))dnl
')

#######################################
##
## Relabel from and to the shadow
## password file type.
##
##
##
## Domain allowed access.
## ## # define(`auth_relabel_shadow',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_relabel_shadow'($*)) dnl gen_require(` attribute can_relabelto_shadow_passwords; type shadow_t; ') files_search_etc($1) allow $1 shadow_t:file relabel_file_perms; typeattribute $1 can_relabelto_shadow_passwords; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_relabel_shadow'($*)) dnl ') ####################################### ## ## Append to the login failure log. ## ## ## ## Domain allowed access. ## ## # define(`auth_append_faillog',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_append_faillog'($*)) dnl gen_require(` type faillog_t; ') logging_search_logs($1) allow $1 faillog_t:file append_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_append_faillog'($*)) dnl ') ######################################## ## ## Read and write the login failure log. ## ## ## ## Domain allowed access. ## ## # define(`auth_rw_faillog',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_rw_faillog'($*)) dnl gen_require(` type faillog_t; ') logging_search_logs($1) rw_files_pattern($1, faillog_t, faillog_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_rw_faillog'($*)) dnl ') ######################################## ## ## Relabel the login failure log. ## ## ## ## Domain allowed access. 
## ## # define(`auth_relabel_faillog',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_relabel_faillog'($*)) dnl gen_require(` type faillog_t; ') allow $1 faillog_t:dir relabel_dir_perms; allow $1 faillog_t:file relabel_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_relabel_faillog'($*)) dnl ') ######################################## ## ## Manage the login failure log. ## ## ## ## Domain allowed access. ## ## # define(`auth_manage_faillog',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_manage_faillog'($*)) dnl gen_require(` type faillog_t; ') logging_search_logs($1) files_search_pids($1) allow $1 faillog_t:dir manage_dir_perms; allow $1 faillog_t:file manage_file_perms; logging_log_named_filetrans($1, faillog_t, file, "tallylog") logging_log_named_filetrans($1, faillog_t, file, "faillog") logging_log_named_filetrans($1, faillog_t, file, "btmp") popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_manage_faillog'($*)) dnl ') ####################################### ## ## Read the last logins log. ## ## ## ## Domain allowed access. ## ## ## # define(`auth_read_lastlog',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_read_lastlog'($*)) dnl gen_require(` type lastlog_t; ') logging_search_logs($1) allow $1 lastlog_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_read_lastlog'($*)) dnl ') ####################################### ## ## Append only to the last logins log. ## ## ## ## Domain allowed access. 
## ## # define(`auth_append_lastlog',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_append_lastlog'($*)) dnl gen_require(` type lastlog_t; ') logging_search_logs($1) allow $1 lastlog_t:file { append_file_perms lock }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_append_lastlog'($*)) dnl ') ####################################### ## ## Read and write to the last logins log. ## ## ## ## Domain allowed access. ## ## # define(`auth_rw_lastlog',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_rw_lastlog'($*)) dnl gen_require(` type lastlog_t; ') logging_search_logs($1) allow $1 lastlog_t:file { rw_file_perms lock setattr }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_rw_lastlog'($*)) dnl ') ####################################### ## ## Manage create logins log. ## ## ## ## Domain allowed access. ## ## # define(`auth_create_lastlog',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_create_lastlog'($*)) dnl gen_require(` type lastlog_t; ') logging_search_logs($1) allow $1 lastlog_t:file create; logging_log_named_filetrans($1, lastlog_t, file, "lastlog") popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_create_lastlog'($*)) dnl ') ######################################## ## ## Execute pam timestamp programs in the pam timestamp domain. ## ## ## ## Domain allowed to transition. 
## ## # define(`auth_domtrans_pam_timestamp',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_domtrans_pam_timestamp'($*)) dnl gen_require(` type pam_timestamp_t, pam_timestamp_exec_t; ') domtrans_pattern($1, pam_timestamp_exec_t, pam_timestamp_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_domtrans_pam_timestamp'($*)) dnl ') ######################################## ## ## Execute pam timestamp programs in the pam timestamp domain. ## ## ## ## Domain allowed to transition. ## ## # define(`auth_domtrans_pam',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_domtrans_pam'($*)) dnl auth_domtrans_pam_timestamp($1) refpolicywarn(`$0() has been deprecated, please use auth_domtrans_pam_timestamp() instead.') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_domtrans_pam'($*)) dnl ') ######################################## ## ## Send generic signals to pam processes. ## ## ## ## Domain allowed access. ## ## # define(`auth_signal_pam',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_signal_pam'($*)) dnl gen_require(` type pam_timestamp_t; ') allow $1 pam_timestamp_t:process signal; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_signal_pam'($*)) dnl ') ######################################## ## ## Execute pam_timestamp programs in the PAM timestamp domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## The role to allow the PAM domain. 
## ## # define(`auth_run_pam_timestamp',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_run_pam_timestamp'($*)) dnl gen_require(` type pam_timestamp_t; ') auth_domtrans_pam_timestamp($1) role $2 types pam_timestamp_t; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_run_pam_timestamp'($*)) dnl ') ######################################## ## ## Execute pam_timestamp programs in the PAM timestamp domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## The role to allow the PAM domain. ## ## # define(`auth_run_pam',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_run_pam'($*)) dnl auth_run_pam_timestamp($1, $2) refpolicywarn(`$0() has been deprecated, please use auth_run_pam_timestamp.') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_run_pam'($*)) dnl ') ######################################## ## ## Execute the pam program. ## ## ## ## Domain allowed access. ## ## # define(`auth_exec_pam',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_exec_pam'($*)) dnl gen_require(` type pam_exec_t; ') can_exec($1, pam_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_exec_pam'($*)) dnl ') ######################################## ## ## Read var auth files. Used by various other applications ## and pam applets etc. ## ## ## ## Domain allowed access. ## ## # define(`auth_read_var_auth',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `auth_read_var_auth'($*)) dnl gen_require(` type var_auth_t; ') files_search_var($1) read_files_pattern($1, var_auth_t, var_auth_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `auth_read_var_auth'($*)) dnl ') ####################################### ## ## Read and write var auth files. 
##	Used by various other applications
##	and pam applets etc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_rw_var_auth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_rw_var_auth'($*)) dnl
	gen_require(`
		type var_auth_t;
	')

	files_search_var($1)
	rw_files_pattern($1, var_auth_t, var_auth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_rw_var_auth'($*)) dnl
')

########################################
## <summary>
##	Manage var auth files. Used by various other applications
##	and pam applets etc.
## </summary>
## <desc>
##	<p>
##	Grants management of directories, files and symbolic
##	links labeled var_auth_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_manage_var_auth',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_var_auth'($*)) dnl
	gen_require(`
		type var_auth_t;
	')

	files_search_var($1)
	manage_dirs_pattern($1, var_auth_t, var_auth_t)
	manage_files_pattern($1, var_auth_t, var_auth_t)
	manage_lnk_files_pattern($1, var_auth_t, var_auth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_var_auth'($*)) dnl
')

########################################
## <summary>
##	Relabel var auth directories. Used by various other applications
##	and pam applets etc.
## </summary>
## <desc>
##	<p>
##	Only directories are covered; files inside them keep
##	their labels.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_relabel_var_auth_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_relabel_var_auth_dirs'($*)) dnl
	gen_require(`
		type var_auth_t;
	')

	files_search_var($1)
	relabel_dirs_pattern($1, var_auth_t, var_auth_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_relabel_var_auth_dirs'($*)) dnl
')

########################################
## <summary>
##	Read PAM PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_read_pam_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_pam_pid'($*)) dnl
	gen_require(`
		type pam_var_run_t;
	')

	files_search_pids($1)
	allow $1 pam_var_run_t:dir list_dir_perms;
	allow $1 pam_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_pam_pid'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read PAM PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`auth_dontaudit_read_pam_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_dontaudit_read_pam_pid'($*)) dnl
	gen_require(`
		type pam_var_run_t;
	')

	dontaudit $1 pam_var_run_t:file { getattr read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_dontaudit_read_pam_pid'($*)) dnl
')

########################################
## <summary>
##	Delete pam PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_delete_pam_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_delete_pam_pid'($*)) dnl
	gen_require(`
		type pam_var_run_t;
	')

	files_search_pids($1)
	allow $1 pam_var_run_t:dir del_entry_dir_perms;
	allow $1 pam_var_run_t:file delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_delete_pam_pid'($*)) dnl
')

########################################
## <summary>
##	Manage pam PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_manage_pam_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_pam_pid'($*)) dnl
	gen_require(`
		type pam_var_run_t;
	')

	files_search_pids($1)
	allow $1 pam_var_run_t:dir manage_dir_perms;
	allow $1 pam_var_run_t:file manage_file_perms;

	# Named transitions so the PAM module state directories created
	# under the pid directory get pam_var_run_t rather than the
	# generic pid label.
	files_pid_filetrans($1, pam_var_run_t, dir, "pam_mount")
	files_pid_filetrans($1, pam_var_run_t, dir, "pam_ssh")
	files_pid_filetrans($1, pam_var_run_t, dir, "pam_timestamp")
	files_pid_filetrans($1, pam_var_run_t, dir, "sepermit")
	files_pid_filetrans($1, pam_var_run_t, dir, "sudo")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_pam_pid'($*)) dnl
')

########################################
## <summary>
##	Execute pam_console with a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`auth_domtrans_pam_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_domtrans_pam_console'($*)) dnl
	gen_require(`
		type pam_console_t, pam_console_exec_t;
	')

	domtrans_pattern($1, pam_console_exec_t, pam_console_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_domtrans_pam_console'($*)) dnl
')

########################################
## <summary>
##	Execute pam_console in the pam_console domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow transitioning into the pam_console_t domain.
##	</summary>
## </param>
#
define(`auth_run_pam_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_run_pam_console'($*)) dnl
	gen_require(`
		type pam_console_t;
	')

	auth_domtrans_pam_console($1)
	role $2 types pam_console_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_run_pam_console'($*)) dnl
')

########################################
## <summary>
##	Search the contents of the
##	pam_console data directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_search_pam_console_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_search_pam_console_data'($*)) dnl
	gen_require(`
		type pam_var_console_t;
	')

	files_search_pids($1)
	allow $1 pam_var_console_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_search_pam_console_data'($*)) dnl
')

########################################
## <summary>
##	List the contents of the pam_console
##	data directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_list_pam_console_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_list_pam_console_data'($*)) dnl
	gen_require(`
		type pam_var_console_t;
	')

	files_search_pids($1)
	allow $1 pam_var_console_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_list_pam_console_data'($*)) dnl
')

########################################
## <summary>
##	Create pam var console pid directories.
## </summary>
## <desc>
##	<p>
##	Grants create permission on the directory class only;
##	no file type transition is set up here.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_create_pam_console_data_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_create_pam_console_data_dirs'($*)) dnl
	gen_require(`
		type pam_var_console_t;
	')

	files_search_pids($1)
	allow $1 pam_var_console_t:dir create_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_create_pam_console_data_dirs'($*)) dnl
')

########################################
## <summary>
##	Relabel pam_console data directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <desc>
##	<p>
##	Unlike the other pam_console data interfaces this does not
##	call files_search_pids; the caller needs search access to
##	the pid directory separately.
##	</p>
## </desc>
#
define(`auth_relabel_pam_console_data_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_relabel_pam_console_data_dirs'($*)) dnl
	gen_require(`
		type pam_var_console_t;
	')

	relabel_dirs_pattern($1, pam_var_console_t, pam_var_console_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_relabel_pam_console_data_dirs'($*)) dnl
')

########################################
## <summary>
##	Read pam_console data files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_read_pam_console_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_pam_console_data'($*)) dnl
	gen_require(`
		type pam_var_console_t;
	')

	files_search_pids($1)
	allow $1 pam_var_console_t:dir list_dir_perms;
	allow $1 pam_var_console_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_pam_console_data'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	pam_console data files.
## </summary>
## <desc>
##	<p>
##	Covers files and symbolic links, and labels a "console"
##	directory created in the pid directory as pam_var_console_t.
##	Directory management itself is not granted here.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_manage_pam_console_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_pam_console_data'($*)) dnl
	gen_require(`
		type pam_var_console_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
	manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
	files_pid_filetrans($1, pam_var_console_t, dir, "console")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_pam_console_data'($*)) dnl
')

########################################
## <summary>
##	Delete pam_console data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_delete_pam_console_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_delete_pam_console_data'($*)) dnl
	gen_require(`
		type pam_var_console_t;
	')

	files_search_var($1)
	files_search_pids($1)
	delete_files_pattern($1, pam_var_console_t, pam_var_console_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_delete_pam_console_data'($*)) dnl
')

########################################
## <summary>
##	Create specified objects in
##	pid directories with the pam var
##	console pid file type using a
##	file type transition.
## </summary>
## <desc>
##	<p>
##	The object class and name are passed straight through to
##	files_pid_filetrans; no search access to the pid directory
##	is granted by this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Class of the object being created.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`auth_pid_filetrans_pam_var_console',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_pid_filetrans_pam_var_console'($*)) dnl
	gen_require(`
		type pam_var_console_t;
	')

	files_pid_filetrans($1, pam_var_console_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_pid_filetrans_pam_var_console'($*)) dnl
')

########################################
## <summary>
##	Read all directories on the filesystem, except
##	login files and listed exceptions.
## </summary>
## <desc>
##	<p>
##	Deprecated. Only the domain is forwarded to
##	files_list_non_auth_dirs; the exception list is ignored.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="exception_types">
##	<summary>
##	The types to be excluded. Each type or attribute
##	must be negated by the caller.
##	</summary>
## </param>
#
define(`auth_read_all_dirs_except_auth_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_all_dirs_except_auth_files'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use files_list_non_auth_dirs() instead.')
	files_list_non_auth_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_all_dirs_except_auth_files'($*)) dnl
')

########################################
## <summary>
##	Read all directories on the filesystem, except
##	the shadow passwords and listed exceptions.
## </summary>
## <desc>
##	<p>
##	Deprecated. Only the domain is forwarded to
##	files_list_non_auth_dirs; the exception list is ignored.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="exception_types">
##	<summary>
##	The types to be excluded. Each type or attribute
##	must be negated by the caller.
##	</summary>
## </param>
#
define(`auth_read_all_dirs_except_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_all_dirs_except_shadow'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use files_list_non_auth_dirs() instead.')
	files_list_non_auth_dirs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_all_dirs_except_shadow'($*)) dnl
')

########################################
## <summary>
##	Read all files on the filesystem, except
##	login files and listed exceptions.
## </summary>
## <desc>
##	<p>
##	Deprecated. Only the domain is forwarded to
##	files_read_non_auth_files; the exception list is ignored.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="exception_types">
##	<summary>
##	The types to be excluded. Each type or attribute
##	must be negated by the caller.
##	</summary>
## </param>
#
define(`auth_read_all_files_except_auth_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_all_files_except_auth_files'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use files_read_non_auth_files() instead.')
	files_read_non_auth_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_all_files_except_auth_files'($*)) dnl
')

########################################
## <summary>
##	Read all files on the filesystem, except
##	the shadow passwords and listed exceptions.
## </summary>
## <desc>
##	<p>
##	Deprecated. Only the domain is forwarded to
##	files_read_non_auth_files; the exception list is ignored.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="exception_types">
##	<summary>
##	The types to be excluded. Each type or attribute
##	must be negated by the caller.
##	</summary>
## </param>
#
define(`auth_read_all_files_except_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_all_files_except_shadow'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use files_read_non_auth_files() instead.')
	files_read_non_auth_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_all_files_except_shadow'($*)) dnl
')

########################################
## <summary>
##	Read all symbolic links on the filesystem, except
##	login files and listed exceptions.
## </summary>
## <desc>
##	<p>
##	Deprecated. Only the domain is forwarded to
##	files_read_non_auth_symlinks; the exception list is ignored.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="exception_types">
##	<summary>
##	The types to be excluded. Each type or attribute
##	must be negated by the caller.
##	</summary>
## </param>
#
define(`auth_read_all_symlinks_except_auth_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_all_symlinks_except_auth_files'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use files_read_non_auth_symlinks() instead.')
	files_read_non_auth_symlinks($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_all_symlinks_except_auth_files'($*)) dnl
')

########################################
## <summary>
##	Read all symbolic links on the filesystem, except
##	the shadow passwords and listed exceptions.
## </summary>
## <desc>
##	<p>
##	Deprecated. Only the domain is forwarded to
##	files_read_non_auth_symlinks; the exception list is ignored.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="exception_types">
##	<summary>
##	The types to be excluded. Each type or attribute
##	must be negated by the caller.
##	</summary>
## </param>
#
define(`auth_read_all_symlinks_except_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_all_symlinks_except_shadow'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use files_read_non_auth_symlinks() instead.')
	files_read_non_auth_symlinks($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_all_symlinks_except_shadow'($*)) dnl
')

########################################
## <summary>
##	Relabel all files on the filesystem, except
##	login files and listed exceptions.
## </summary>
## <desc>
##	<p>
##	Deprecated. Only the domain is forwarded to
##	files_relabel_non_auth_files; the exception list is ignored.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="exception_types">
##	<summary>
##	The types to be excluded. Each type or attribute
##	must be negated by the caller.
##	</summary>
## </param>
#
define(`auth_relabel_all_files_except_auth_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_relabel_all_files_except_auth_files'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use files_relabel_non_auth_files() instead.')
	files_relabel_non_auth_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_relabel_all_files_except_auth_files'($*)) dnl
')

########################################
## <summary>
##	Relabel all files on the filesystem, except
##	the shadow passwords and listed exceptions.
## </summary>
## <desc>
##	<p>
##	Deprecated. Only the domain is forwarded to
##	files_relabel_non_auth_files; the exception list is ignored.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="exception_types">
##	<summary>
##	The types to be excluded. Each type or attribute
##	must be negated by the caller.
##	</summary>
## </param>
#
define(`auth_relabel_all_files_except_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_relabel_all_files_except_shadow'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use files_relabel_non_auth_files() instead.')
	files_relabel_non_auth_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_relabel_all_files_except_shadow'($*)) dnl
')

########################################
## <summary>
##	Read and write all files on the filesystem, except
##	login files and listed exceptions.
## </summary>
## <desc>
##	<p>
##	Deprecated. Only the domain is forwarded to
##	files_rw_non_auth_files; the exception list is ignored.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="exception_types">
##	<summary>
##	The types to be excluded. Each type or attribute
##	must be negated by the caller.
##	</summary>
## </param>
#
define(`auth_rw_all_files_except_auth_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_rw_all_files_except_auth_files'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use files_rw_non_auth_files() instead.')
	files_rw_non_auth_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_rw_all_files_except_auth_files'($*)) dnl
')

########################################
## <summary>
##	Read and write all files on the filesystem, except
##	the shadow passwords and listed exceptions.
## </summary>
## <desc>
##	<p>
##	Deprecated. Only the domain is forwarded to
##	files_rw_non_auth_files; the exception list is ignored.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="exception_types">
##	<summary>
##	The types to be excluded. Each type or attribute
##	must be negated by the caller.
##	</summary>
## </param>
#
define(`auth_rw_all_files_except_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_rw_all_files_except_shadow'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use files_rw_non_auth_files() instead.')
	files_rw_non_auth_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_rw_all_files_except_shadow'($*)) dnl
')

########################################
## <summary>
##	Manage all files on the filesystem, except
##	login files and listed exceptions.
## </summary>
## <desc>
##	<p>
##	Deprecated. Only the domain is forwarded to
##	files_manage_non_auth_files; the exception list is ignored.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="exception_types">
##	<summary>
##	The types to be excluded. Each type or attribute
##	must be negated by the caller.
##	</summary>
## </param>
#
define(`auth_manage_all_files_except_auth_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_all_files_except_auth_files'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use files_manage_non_auth_files() instead.')
	files_manage_non_auth_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_all_files_except_auth_files'($*)) dnl
')

########################################
## <summary>
##	Manage all files on the filesystem, except
##	the shadow passwords and listed exceptions.
## </summary>
## <desc>
##	<p>
##	Deprecated. Only the domain is forwarded to
##	files_manage_non_auth_files; the exception list is ignored.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="exception_types">
##	<summary>
##	The types to be excluded. Each type or attribute
##	must be negated by the caller.
##	</summary>
## </param>
#
define(`auth_manage_all_files_except_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_all_files_except_shadow'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use files_manage_non_auth_files() instead.')
	files_manage_non_auth_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_all_files_except_shadow'($*)) dnl
')

########################################
## <summary>
##	Execute utempter programs in the utempter domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`auth_domtrans_utempter',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_domtrans_utempter'($*)) dnl
	gen_require(`
		type utempter_t, utempter_exec_t;
	')

	domtrans_pattern($1, utempter_exec_t, utempter_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_domtrans_utempter'($*)) dnl
')

########################################
## <summary>
##	Execute utempter programs in the utempter domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the utempter domain.
##	</summary>
## </param>
#
define(`auth_run_utempter',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_run_utempter'($*)) dnl
	gen_require(`
		type utempter_t;
	')

	auth_domtrans_utempter($1)
	role $2 types utempter_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_run_utempter'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to execute the utempter executable.
## </summary>
## <desc>
##	<p>
##	Silences both execute and execute_no_trans denials on
##	utempter_exec_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`auth_dontaudit_exec_utempter',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_dontaudit_exec_utempter'($*)) dnl
	gen_require(`
		type utempter_exec_t;
	')

	dontaudit $1 utempter_exec_t:file { execute execute_no_trans };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_dontaudit_exec_utempter'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of login record files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_setattr_login_records',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_setattr_login_records'($*)) dnl
	gen_require(`
		type wtmp_t;
	')

	allow $1 wtmp_t:file setattr;
	logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_setattr_login_records'($*)) dnl
')

########################################
## <summary>
##	Relabel login record files.
## </summary>
## <desc>
##	<p>
##	Does not call logging_search_logs; the caller needs search
##	access to the log directory separately.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_relabel_login_records',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_relabel_login_records'($*)) dnl
	gen_require(`
		type wtmp_t;
	')

	allow $1 wtmp_t:file relabel_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_relabel_login_records'($*)) dnl
')

########################################
## <summary>
##	Read login records files (/var/log/wtmp).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_read_login_records',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_login_records'($*)) dnl
	gen_require(`
		type wtmp_t;
	')

	logging_search_logs($1)
	allow $1 wtmp_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_login_records'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read login records
##	files (/var/log/wtmp).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`auth_dontaudit_read_login_records',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_dontaudit_read_login_records'($*)) dnl
	gen_require(`
		type wtmp_t;
	')

	dontaudit $1 wtmp_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_dontaudit_read_login_records'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write to
##	login records files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`auth_dontaudit_write_login_records',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_dontaudit_write_login_records'($*)) dnl
	gen_require(`
		type wtmp_t;
	')

	dontaudit $1 wtmp_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_dontaudit_write_login_records'($*)) dnl
')

########################################
## <summary>
##	Append to login records (wtmp).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_append_login_records',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_append_login_records'($*)) dnl
	gen_require(`
		type wtmp_t;
	')

	allow $1 wtmp_t:file append_file_perms;
	logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_append_login_records'($*)) dnl
')

########################################
## <summary>
##	Write to login records (wtmp).
## </summary>
## <desc>
##	<p>
##	Unlike auth_append_login_records and auth_rw_login_records
##	this does not call logging_search_logs; the caller needs
##	search access to the log directory separately. The lock
##	permission is included alongside the write permissions.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_write_login_records',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_write_login_records'($*)) dnl
	gen_require(`
		type wtmp_t;
	')

	allow $1 wtmp_t:file { write_file_perms lock };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_write_login_records'($*)) dnl
')

########################################
## <summary>
##	Read and write login records.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_rw_login_records',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_rw_login_records'($*)) dnl
	gen_require(`
		type wtmp_t;
	')

	allow $1 wtmp_t:file rw_file_perms;
	logging_search_logs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_rw_login_records'($*)) dnl
')

########################################
## <summary>
##	Create login records in the log directory
##	using a type transition.
## </summary>
## <desc>
##	<p>
##	Unnamed transition: any file the domain creates in the
##	log directory is labeled wtmp_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_log_filetrans_login_records',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_log_filetrans_login_records'($*)) dnl
	gen_require(`
		type wtmp_t;
	')

	logging_log_filetrans($1, wtmp_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_log_filetrans_login_records'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete login
##	records files.
## </summary>
## <desc>
##	<p>
##	Also grants read and write access to the generic log
##	directories and labels a file named "wtmp" created there
##	as wtmp_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_manage_login_records',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_login_records'($*)) dnl
	gen_require(`
		type wtmp_t;
	')

	logging_rw_generic_log_dirs($1)
	allow $1 wtmp_t:file manage_file_perms;
	logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_login_records'($*)) dnl
')

########################################
## <summary>
##	Read access to the authlogin module.
## </summary>
## <desc>
##	<p>
##	Read access to the authlogin module.
##	</p>
##	<p>
##	Currently, this only allows assertions for
##	the shadow passwords file (/etc/shadow) to
##	be passed. No access is granted yet.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_reader_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_reader_shadow'($*)) dnl
	gen_require(`
		attribute can_read_shadow_passwords;
	')

	typeattribute $1 can_read_shadow_passwords;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_reader_shadow'($*)) dnl
')

########################################
## <summary>
##	Write access to the authlogin module.
## </summary>
## <desc>
##	<p>

##	Write access to the authlogin module.
##	</p>
##	<p>
##	Currently, this only allows assertions for
##	the shadow passwords file (/etc/shadow) to
##	be passed. No access is granted yet.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_writer_shadow',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_writer_shadow'($*)) dnl
	gen_require(`
		attribute can_write_shadow_passwords;
	')

	typeattribute $1 can_write_shadow_passwords;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_writer_shadow'($*)) dnl
')

########################################
## <summary>
##	Use nsswitch to look up user, password, group, or
##	host information.
## </summary>
## <desc>
##	<p>

##	Allow the specified domain to look up user, password,
##	group, or host information using the name service.
##	The most common use of this interface is for services
##	that do host name resolution (usually DNS resolution).
##	</p>
##	<p>
##	The domain is added to the nsswitch_domain attribute and
##	is allowed to receive from all network interfaces via
##	NetLabel; the concrete access is carried by that attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_use_nsswitch',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_use_nsswitch'($*)) dnl
	gen_require(`
		attribute nsswitch_domain;
	')

	typeattribute $1 nsswitch_domain;

	corenet_all_recvfrom_netlabel($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_use_nsswitch'($*)) dnl
')

########################################
## <summary>
##	Unconfined access to the authlogin module.
## </summary>
## <desc>
##	<p>

##	Unconfined access to the authlogin module.
##	</p>
##	<p>
##	Currently, this only allows assertions for
##	the shadow passwords file (/etc/shadow) to
##	be passed. No access is granted yet.
##	</p>
##	<p>
##	The domain receives the read, write and relabelto
##	shadow attributes together.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_unconfined'($*)) dnl
	gen_require(`
		attribute can_read_shadow_passwords;
		attribute can_write_shadow_passwords;
		attribute can_relabelto_shadow_passwords;
	')

	typeattribute $1 can_read_shadow_passwords;
	typeattribute $1 can_write_shadow_passwords;
	typeattribute $1 can_relabelto_shadow_passwords;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_unconfined'($*)) dnl
')

########################################
## <summary>
##	Transition to authlogin named content
## </summary>
## <desc>
##	<p>
##	Sets up named file type transitions for the password and
##	shadow databases in /etc, the login and failure logs, the
##	PAM pid directories and the auth cache directory. The
##	"group+" and "passwd+" entries are commented out.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_filetrans_named_content'($*)) dnl
	gen_require(`
		type shadow_t;
		type passwd_file_t;
		type faillog_t;
		type lastlog_t;
		type wtmp_t;
		type pam_var_console_t;
		type pam_var_run_t;
		type auth_cache_t;
	')

	# Password and group databases and their backup and lock files.
	files_etc_filetrans($1, passwd_file_t, file, "group")
	files_etc_filetrans($1, passwd_file_t, file, "group-")
	#files_etc_filetrans($1, passwd_file_t, file, "group+")
	files_etc_filetrans($1, passwd_file_t, file, "passwd")
	files_etc_filetrans($1, passwd_file_t, file, "passwd-")
	#files_etc_filetrans($1, passwd_file_t, file, "passwd+")
	files_etc_filetrans($1, passwd_file_t, file, "passwd.OLD")
	files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
	files_etc_filetrans($1, passwd_file_t, file, "passwd.lock")
	files_etc_filetrans($1, passwd_file_t, file, "group.lock")
	files_etc_filetrans($1, passwd_file_t, file, "passwd.adjunct")
	files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock")

	# Shadow databases keep the restricted shadow_t label.
	files_etc_filetrans($1, shadow_t, file, "shadow")
	files_etc_filetrans($1, shadow_t, file, "shadow-")
	files_etc_filetrans($1, shadow_t, file, "gshadow")
	files_etc_filetrans($1, shadow_t, file, "opasswd")

	# Login and failure records.
	logging_log_named_filetrans($1, lastlog_t, file, "lastlog")
	logging_log_named_filetrans($1, faillog_t, file, "tallylog")
	logging_log_named_filetrans($1, faillog_t, file, "faillog")
	logging_log_named_filetrans($1, faillog_t, file, "btmp")
	files_pid_filetrans($1, faillog_t, file, "faillog")
	files_pid_filetrans($1, faillog_t, dir, "faillock")

	# PAM module state directories under the pid directory.
	files_pid_filetrans($1, pam_var_console_t, dir, "console")
	files_pid_filetrans($1, pam_var_run_t, dir, "pam_mount")
	files_pid_filetrans($1, pam_var_run_t, dir, "pam_ssh")
	files_pid_filetrans($1, pam_var_run_t, dir, "sepermit")
	files_pid_filetrans($1, pam_var_run_t, dir, "sudo")
	logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
	files_var_filetrans($1, auth_cache_t, dir, "coolkey")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_filetrans_named_content'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of the passwd passwords file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_getattr_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_getattr_passwd'($*)) dnl
	gen_require(`
		type passwd_file_t;
	')

	files_search_etc($1)
	allow $1 passwd_file_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_getattr_passwd'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of the passwd passwords file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`auth_dontaudit_getattr_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_dontaudit_getattr_passwd'($*)) dnl
	gen_require(`
		type passwd_file_t;
	')

	dontaudit $1 passwd_file_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_dontaudit_getattr_passwd'($*)) dnl
')

########################################
## <summary>
##	Read the passwd passwords file (/etc/passwd)
##	Allow to use sss nsswitch module for passwd and group.
##	Allow to use systemd nsswitch module for passwd and group
##	which is used for dynamic users.
## </summary>
## <desc>
##	<p>
##	Besides read access to the file, every caller is
##	unconditionally allowed to chat with init over D-Bus for
##	the systemd nsswitch module, and, when the sssd module is
##	present, to read sssd public files and connect to the sssd
##	stream socket. Callers that only need the file should be
##	aware of the wider grant.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_read_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_passwd'($*)) dnl
	gen_require(`
		type passwd_file_t;
	')

	allow $1 passwd_file_t:file read_file_perms;

	optional_policy(`
		sssd_read_public_files($1)
		sssd_stream_connect($1)
	')

	# Not wrapped in optional_policy: granted to every caller.
	init_dbus_chat($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_passwd'($*)) dnl
')

########################################
## <summary>
##	Mmap the passwd passwords file (/etc/passwd)
## </summary>
## <desc>
##	<p>
##	Grants only the map permission; pair with auth_read_passwd
##	for the read permissions.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_map_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_map_passwd'($*)) dnl
	gen_require(`
		type passwd_file_t;
	')

	allow $1 passwd_file_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_map_passwd'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read the passwd
##	password file (/etc/passwd).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`auth_dontaudit_read_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_dontaudit_read_passwd'($*)) dnl
	gen_require(`
		type passwd_file_t;
	')

	dontaudit $1 passwd_file_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_dontaudit_read_passwd'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete the passwd
##	password file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_manage_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_passwd'($*)) dnl
	gen_require(`
		type passwd_file_t;
	')

	files_rw_etc_dirs($1)
	allow $1 passwd_file_t:file manage_file_perms;

	# group, the backup copies and the lock files share the passwd_file_t label
	files_etc_filetrans($1, passwd_file_t, file, "passwd")
	files_etc_filetrans($1, passwd_file_t, file, "passwd-")
	files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
	files_etc_filetrans($1, passwd_file_t, file, "group")
	files_etc_filetrans($1, passwd_file_t, file, "group-")
	files_etc_filetrans($1, passwd_file_t, file, ".pwd.lock")
	files_etc_filetrans($1, passwd_file_t, file, "passwd.lock")
	files_etc_filetrans($1, passwd_file_t, file, "group.lock")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_passwd'($*)) dnl
')

########################################
## <summary>
##	Watch the passwd passwords file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_watch_passwd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_watch_passwd'($*)) dnl
	gen_require(`
		type passwd_file_t;
	')

	files_search_etc($1)
	allow $1 passwd_file_t:file watch_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_watch_passwd'($*)) dnl
')

########################################
## <summary>
##	Create auth files and directories in the /root directory
##	with a correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_filetrans_admin_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_filetrans_admin_home_content'($*)) dnl
	gen_require(`
		type auth_home_t;
	')

	userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
	userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
	userdom_admin_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_filetrans_admin_home_content'($*)) dnl
')

########################################
## <summary>
##	Read the authorization data in the user home directory
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_read_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_read_home_content'($*)) dnl
	gen_require(`
		type auth_home_t;
	')

	userdom_search_user_home_dirs($1)
	read_files_pattern($1, auth_home_t, auth_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_read_home_content'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete the authorization
##	data in the user home directory
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_manage_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_manage_home_content'($*)) dnl
	gen_require(`
		type auth_home_t;
	')

	userdom_search_user_home_dirs($1)
	manage_files_pattern($1, auth_home_t, auth_home_t)
	manage_dirs_pattern($1, auth_home_t, auth_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_manage_home_content'($*)) dnl
')

########################################
## <summary>
##	Create auth files and directories in the user home directory
##	with a correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_filetrans_home_content'($*)) dnl
	gen_require(`
		type auth_home_t;
	')

	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
	userdom_user_home_dir_filetrans($1, auth_home_t, dir, ".yubico")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_filetrans_home_content'($*)) dnl
')

########################################
## <summary>
##	Create auth directory in the config home directory
##	with a correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_filetrans_auth_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_filetrans_auth_home_content'($*)) dnl
	gen_require(`
		type auth_home_t;
	')

	# only takes effect when the gnome module is present
	optional_policy(`
		gnome_config_filetrans($1, auth_home_t, dir, "Yubico")
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_filetrans_auth_home_content'($*)) dnl
')

########################################
## <summary>
##	Send a SIGCHLD signal to login programs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_login_pgm_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_login_pgm_sigchld'($*)) dnl
	gen_require(`
		attribute login_pgm;
	')

	allow $1 login_pgm:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_login_pgm_sigchld'($*)) dnl
')

########################################
## <summary>
##	Manage the keyrings of all login programs
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`auth_login_manage_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `auth_login_manage_key'($*)) dnl
	gen_require(`
		attribute login_pgm;
	')

	allow $1 login_pgm:key manage_key_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `auth_login_manage_key'($*)) dnl
')

## <summary>Policy for reading and setting the hardware clock.</summary>

########################################
## <summary>
##	Execute hwclock in the clock domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`clock_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clock_domtrans'($*)) dnl
	gen_require(`
		type hwclock_t, hwclock_exec_t;
	')

	domtrans_pattern($1, hwclock_exec_t, hwclock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clock_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute hwclock in the clock domain, and
##	allow the specified role the hwclock domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`clock_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clock_run'($*)) dnl
	gen_require(`
		type hwclock_t;
	')

	clock_domtrans($1)
	role $2 types hwclock_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clock_run'($*)) dnl
')

########################################
## <summary>
##	Execute hwclock in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`clock_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clock_exec'($*)) dnl
	gen_require(`
		type hwclock_exec_t;
	')

	can_exec($1, hwclock_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clock_exec'($*)) dnl
')

########################################
## <summary>
##	Read clock drift adjustments.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`clock_read_adjtime',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clock_read_adjtime'($*)) dnl
	gen_require(`
		type adjtime_t;
	')

	files_list_etc($1)
	allow $1 adjtime_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clock_read_adjtime'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write clock drift adjustments.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`clock_dontaudit_write_adjtime',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clock_dontaudit_write_adjtime'($*)) dnl
	gen_require(`
		type adjtime_t;
	')

	dontaudit $1 adjtime_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clock_dontaudit_write_adjtime'($*)) dnl
')

########################################
## <summary>
##	Read and write clock drift adjustments.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`clock_rw_adjtime',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clock_rw_adjtime'($*)) dnl
	gen_require(`
		type adjtime_t;
	')

	allow $1 adjtime_t:file rw_file_perms;
	files_list_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clock_rw_adjtime'($*)) dnl
')

########################################
## <summary>
##	Manage clock drift adjustments.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`clock_manage_adjtime',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clock_manage_adjtime'($*)) dnl
	gen_require(`
		type adjtime_t;
	')

	allow $1 adjtime_t:file manage_file_perms;
	files_list_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clock_manage_adjtime'($*)) dnl
')

########################################
## <summary>
##	Create the adjtime file in /etc with the correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`clock_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `clock_filetrans_named_content'($*)) dnl
	gen_require(`
		type adjtime_t;
	')

	files_etc_filetrans($1, adjtime_t, file, "adjtime" )
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `clock_filetrans_named_content'($*)) dnl
')

## <summary>Tools for filesystem management, such as mkfs and fsck.</summary>

########################################
## <summary>
##	Execute fs tools in the fstools domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`fstools_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_domtrans'($*)) dnl
	gen_require(`
		type fsadm_t, fsadm_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, fsadm_exec_t, fsadm_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute fs tools in the fstools domain, and
##	allow the specified role the fs tools domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`fstools_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_run'($*)) dnl
	gen_require(`
		type fsadm_t;
	')

	fstools_domtrans($1)
	role $2 types fsadm_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_run'($*)) dnl
')

########################################
## <summary>
##	Execute fsadm in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fstools_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_exec'($*)) dnl
	gen_require(`
		type fsadm_exec_t;
	')

	can_exec($1, fsadm_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_exec'($*)) dnl
')

########################################
## <summary>
##	Send signal to fsadm process
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fstools_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_signal'($*)) dnl
	gen_require(`
		type fsadm_t;
	')

	allow $1 fsadm_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_signal'($*)) dnl
')

########################################
## <summary>
##	Read fstools unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fstools_read_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_read_pipes'($*)) dnl
	gen_require(`
		type fsadm_t;
	')

	allow $1 fsadm_t:fifo_file read_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_read_pipes'($*)) dnl
')

########################################
## <summary>
##	Relabel a file to the type used by the
##	filesystem tools programs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fstools_relabelto_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_relabelto_entry_files'($*)) dnl
	gen_require(`
		type fsadm_exec_t;
	')

	allow $1 fsadm_exec_t:file relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_relabelto_entry_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete a file used by the
##	filesystem tools programs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fstools_manage_entry_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_manage_entry_files'($*)) dnl
	gen_require(`
		type fsadm_exec_t;
	')

	# NOTE(review): manage_file_perms on the fsadm entrypoint type lets the
	# caller replace the binaries that transition into fsadm_t (see
	# fstools_domtrans); keep callers of this interface to trusted
	# installer/package management domains.
	allow $1 fsadm_exec_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_manage_entry_files'($*)) dnl
')

########################################
## <summary>
##	Getattr swapfile
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fstools_getattr_swap_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_getattr_swap_files'($*)) dnl
	gen_require(`
		type swapfile_t;
	')

	allow $1 swapfile_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_getattr_swap_files'($*)) dnl
')

########################################
## <summary>
##	Read swapfile
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fstools_read_swap_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_read_swap_files'($*)) dnl
	gen_require(`
		type swapfile_t;
	')

	allow $1 swapfile_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_read_swap_files'($*)) dnl
')

########################################
## <summary>
##	Read/Write swapfile
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fstools_rw_swap_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_rw_swap_files'($*)) dnl
	gen_require(`
		type swapfile_t;
	')

	allow $1 swapfile_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_rw_swap_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete the FSADM pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): uses the fsadm_ prefix while the sibling interfaces in this
# module use fstools_; existing callers presumably depend on this name.
define(`fsadm_manage_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fsadm_manage_pid'($*)) dnl
	gen_require(`
		type fsadm_var_run_t;
	')

	files_search_pids($1)
	manage_dirs_pattern($1, fsadm_var_run_t, fsadm_var_run_t)
	manage_files_pattern($1, fsadm_var_run_t, fsadm_var_run_t)
	fstools_filetrans_named_content_fsadm($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fsadm_manage_pid'($*)) dnl
')

########################################
## <summary>
##	Create the fsadm pid directories (blkid, fsck)
##	with the correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`fstools_filetrans_named_content_fsadm',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `fstools_filetrans_named_content_fsadm'($*)) dnl
	gen_require(`
		type fsadm_var_run_t;
	')

	files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
	files_pid_filetrans($1, fsadm_var_run_t, dir, "fsck")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `fstools_filetrans_named_content_fsadm'($*)) dnl
')

## <summary>Policy for getty.</summary>

########################################
## <summary>
##	Execute gettys in the getty domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`getty_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `getty_domtrans'($*)) dnl
	gen_require(`
		type getty_t, getty_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, getty_exec_t, getty_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `getty_domtrans'($*)) dnl
')

########################################
## <summary>
##	Inherit and use getty file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`getty_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `getty_use_fds'($*)) dnl
	gen_require(`
		type getty_t;
	')

	allow $1 getty_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `getty_use_fds'($*)) dnl
')

########################################
## <summary>
##	Allow process to read getty log file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`getty_read_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `getty_read_log'($*)) dnl
	gen_require(`
		type getty_log_t;
	')

	logging_search_logs($1)
	allow $1 getty_log_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `getty_read_log'($*)) dnl
')

########################################
## <summary>
##	Allow process to read getty config file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`getty_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `getty_read_config'($*)) dnl
	gen_require(`
		type getty_etc_t;
	')

	files_search_etc($1)
	allow $1 getty_etc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `getty_read_config'($*)) dnl
')

########################################
## <summary>
##	Allow process to edit getty config file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`getty_rw_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `getty_rw_config'($*)) dnl
	gen_require(`
		type getty_etc_t;
	')

	files_search_etc($1)
	allow $1 getty_etc_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `getty_rw_config'($*)) dnl
')

########################################
## <summary>
##	Manage the getty service with systemctl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`getty_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `getty_systemctl'($*)) dnl
	gen_require(`
		type getty_unit_file_t;
		type getty_t;
	')

	systemd_exec_systemctl($1)
	allow $1 getty_unit_file_t:file read_file_perms;
	allow $1 getty_unit_file_t:service manage_service_perms;

	ps_process_pattern($1, getty_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `getty_systemctl'($*)) dnl
')

########################################
## <summary>
##	Start the getty service (unit files).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`getty_start_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `getty_start_services'($*)) dnl
	gen_require(`
		type getty_unit_file_t;
	')

	systemd_exec_systemctl($1)
	allow $1 getty_unit_file_t:service start;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `getty_start_services'($*)) dnl
')

## <summary>Policy for changing the system host name.</summary>

########################################
## <summary>
##	Execute hostname in the hostname domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`hostname_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hostname_domtrans'($*)) dnl
	gen_require(`
		type hostname_t, hostname_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, hostname_exec_t, hostname_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hostname_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute hostname in the hostname domain, and
##	allow the specified role the hostname domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`hostname_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hostname_run'($*)) dnl
	gen_require(`
		type hostname_t;
	')

	hostname_domtrans($1)
	role $2 types hostname_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hostname_run'($*)) dnl
')

########################################
## <summary>
##	Execute hostname in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`hostname_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `hostname_exec'($*)) dnl
	gen_require(`
		type hostname_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, hostname_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `hostname_exec'($*)) dnl
')

## <summary>System initialization programs (init and init scripts).</summary>

######################################
## <summary>
##	initrc stub interface. No access allowed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
define(`init_stub_initrc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_stub_initrc'($*)) dnl
	gen_require(`
		type initrc_t;
	')

	# intentionally no rules: this stub only requires the initrc_t type
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_stub_initrc'($*)) dnl
')

########################################
## <summary>
##	Create a file type used for init scripts.
## </summary>
## <desc>
##	<p>
##	Create a file type used for init scripts. It can not be
##	used in conjunction with init_script_domain(). These
##	script files are typically stored in the /etc/init.d directory.
##	</p>
##	<p>
##	Typically this is used to constrain what services an
##	admin can start/stop. For example, a policy writer may want
##	to constrain a web administrator to only being able to
##	restart the web server, not other services. This special type
##	will help address that goal.
##	</p>
##	<p>
##	This also makes the type usable for files; thus an
##	explicit call to files_type() is redundant.
##	</p>
## </desc>
## <param name="script_file">
##	<summary>
##	Type to be used for a script file.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`init_script_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_script_file'($*)) dnl
	gen_require(`
		type initrc_t;
		attribute init_script_file_type, init_run_all_scripts_domain;
	')

	typeattribute $1 init_script_file_type;

	# the script type is an entrypoint into initrc_t, not into its own domain
	domain_entry_file(initrc_t, $1)
	domtrans_pattern(init_run_all_scripts_domain, $1, initrc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_script_file'($*)) dnl
')

########################################
## <summary>
##	Create a domain used for init scripts.
## </summary>
## <desc>
##	<p>
##	Create a domain used for init scripts.
##	Can not be used in conjunction with
##	init_script_file().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Type to be used as an init script domain.
##	</summary>
## </param>
## <param name="script_file">
##	<summary>
##	Type of the script file used as an entry point to this domain.
##	</summary>
## </param>
#
define(`init_script_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_script_domain'($*)) dnl
	gen_require(`
		attribute init_script_domain_type, init_script_file_type;
		attribute init_run_all_scripts_domain;
	')

	typeattribute $1 init_script_domain_type;
	typeattribute $2 init_script_file_type;

	domain_type($1)
	domain_entry_file($1, $2)

	domtrans_pattern(init_run_all_scripts_domain, $2, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_script_domain'($*)) dnl
')

########################################
## <summary>
##	Create a domain which can be started by init.
## </summary>
## <param name="domain">
##	<summary>
##	Type to be used as a domain.
##	</summary>
## </param>
## <param name="entry_point">
##	<summary>
##	Type of the program to be used as an entry point to this domain.
##	</summary>
## </param>
#
define(`init_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_domain'($*)) dnl
	gen_require(`
		type init_t;
		role system_r;
	')

	domain_type($1)
	domain_entry_file($1, $2)

	role system_r types $1;

	domtrans_pattern(init_t, $2, $1)

	allow init_t $1:unix_stream_socket create_stream_socket_perms;
	allow $1 init_t:unix_dgram_socket sendto;

	# let init transition into the new domain even under NoNewPrivileges
	# or a nosuid mount (same grant as init_nnp_daemon_domain)
	allow init_t $1:process2 { nnp_transition nosuid_transition };

	ifdef(`hide_broken_symptoms',`
		# RHEL4 systems seem to have a stray
		# fds open from the initrd
		ifdef(`distro_rhel4',`
			kernel_dontaudit_use_fds($1)
		')
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_domain'($*)) dnl
')

########################################
## <summary>
##	Allow SELinux domain transition from systemd
##	into confined domain with NoNewPrivileges
##	Systemd Security feature.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_nnp_daemon_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_nnp_daemon_domain'($*)) dnl
	gen_require(`
		type init_t;
	')

	allow init_t $1:process2 { nnp_transition nosuid_transition };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_nnp_daemon_domain'($*)) dnl
')

########################################
## <summary>
##	Create a domain which can be started by init,
##	with a range transition.
## </summary>
## <param name="domain">
##	<summary>
##	Type to be used as a domain.
##	</summary>
## </param>
## <param name="entry_point">
##	<summary>
##	Type of the program to be used as an entry point to this domain.
##	</summary>
## </param>
## <param name="range">
##	<summary>
##	Range for the domain.
##	</summary>
## </param>
#
define(`init_ranged_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_ranged_domain'($*)) dnl
	gen_require(`
		type init_t;
	')

	init_domain($1, $2)

	ifdef(`enable_mcs',`
		range_transition init_t $2:process $3;
	')

	ifdef(`enable_mls',`
		range_transition init_t $2:process $3;
		mls_rangetrans_target($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_ranged_domain'($*)) dnl
')

########################################
## <summary>
##	Create a domain for long running processes
##	(daemons/services) which are started by init scripts.
## </summary>
## <desc>
##	<p>
##	Create a domain for long running processes (daemons/services)
##	which are started by init scripts. Short running processes
##	should use the init_system_domain() interface instead.
##	Typically all long running processes started by an init
##	script (usually in /etc/init.d) will need to use this
##	interface.
##	</p>
##	<p>
##	The types will be made usable as a domain and file, making
##	calls to domain_type() and files_type() redundant.
##	</p>
##	<p>
##	If the process must also run in a specific MLS/MCS level,
##	the init_ranged_daemon_domain() should be used instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Type to be used as a daemon domain.
##	</summary>
## </param>
## <param name="entry_point">
##	<summary>
##	Type of the program to be used as an entry point to this domain.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`init_daemon_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_daemon_domain'($*)) dnl
	gen_require(`
		attribute direct_run_init, direct_init, direct_init_entry;
		type init_t;
		role system_r;
		attribute daemon;
		attribute initrc_transition_domain;
		attribute initrc_domain;
	')

	# NOTE(review): role system_r, type init_t and attribute
	# initrc_transition_domain are required above but not referenced in
	# this body.
	typeattribute $1 daemon;
	typeattribute $2 direct_init_entry;

	domain_type($1)
	domain_entry_file($1, $2)

	type_transition initrc_domain $2:process $1;

	ifdef(`direct_sysadm_daemon',`
		type_transition direct_run_init $2:process $1;
		typeattribute $1 direct_init;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_daemon_domain'($*)) dnl
')

#######################################
## <summary>
##	Create initrc domain.
## </summary>
## <param name="domain">
##	<summary>
##	Type to be used as a initrc daemon domain.
##	</summary>
## </param>
#
define(`init_initrc_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_initrc_domain'($*)) dnl
	gen_require(`
		attribute initrc_domain;
	')

	typeattribute $1 initrc_domain;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_initrc_domain'($*)) dnl
')

########################################
## <summary>
##	Create a domain for long running processes
##	(daemons/services) which are started by init scripts,
##	running at a specified MLS/MCS range.
## </summary>
## <desc>
##	<p>
##	Create a domain for long running processes (daemons/services)
##	which are started by init scripts, running at a specified
##	MLS/MCS range. Short running processes
##	should use the init_ranged_system_domain() interface instead.
##	Typically all long running processes started by an init
##	script (usually in /etc/init.d) will need to use this
##	interface if they need to run in a specific MLS/MCS range.
##	</p>
##	<p>
##	The types will be made usable as a domain and file, making
##	calls to domain_type() and files_type() redundant.
##	</p>
##	<p>
##	If the policy build option TYPE is standard (MLS and MCS disabled),
##	this interface adds no rules on its own: the init_daemon_domain()
##	call in its body is commented out, so it does not behave like
##	init_daemon_domain() unless the caller also invokes that interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Type to be used as a daemon domain.
##	</summary>
## </param>
## <param name="entry_point">
##	<summary>
##	Type of the program to be used as an entry point to this domain.
##	</summary>
## </param>
## <param name="range">
##	<summary>
##	MLS/MCS range for the domain.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`init_ranged_daemon_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_ranged_daemon_domain'($*)) dnl
	gen_require(`
		type initrc_t;
		type init_t;
	')

	# NOTE(review): unlike init_ranged_system_domain(), the base-domain
	# call below is commented out, so with MLS and MCS disabled this
	# interface emits nothing; callers presumably invoke
	# init_daemon_domain() themselves - confirm before relying on it.
	# init_daemon_domain($1, $2)

	ifdef(`enable_mcs',`
		range_transition initrc_t $2:process $3;
		range_transition init_t $2:process $3;
	')

	ifdef(`enable_mls',`
		range_transition initrc_t $2:process $3;
		mls_rangetrans_target($1)
		range_transition init_t $2:process $3;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_ranged_daemon_domain'($*)) dnl
')

########################################
## <summary>
##	Create a domain for short running processes
##	which are started by init scripts.
## </summary>
## <desc>
##	<p>
##	Create a domain for short running processes
##	which are started by init scripts. These are generally applications that
##	are used to initialize the system during boot.
##	Long running processes, such as daemons/services
##	should use the init_daemon_domain() interface instead.
##	Typically all short running processes started by an init
##	script (usually in /etc/init.d) will need to use this
##	interface.
##	</p>
##	<p>
##	The types will be made usable as a domain and file, making
##	calls to domain_type() and files_type() redundant.
##	</p>
##	<p>
##	If the process must also run in a specific MLS/MCS level,
##	the init_ranged_system_domain() should be used instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Type to be used as a system domain.
##	</summary>
## </param>
## <param name="entry_point">
##	<summary>
##	Type of the program to be used as an entry point to this domain.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`init_system_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_system_domain'($*)) dnl
	gen_require(`
		type init_t;
		role system_r;
		attribute initrc_transition_domain;
		attribute systemprocess, systemprocess_entry;
		attribute initrc_domain;
	')

	typeattribute $1 systemprocess;

	# application_domain() handles domain_type() and the entry file
	application_domain($1, $2)

	role system_r types $1;

	typeattribute $2 systemprocess_entry;

	type_transition initrc_domain $2:process $1;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_system_domain'($*)) dnl
')

########################################
## <summary>
##	Create a domain for short running processes
##	which are started by init scripts.
## </summary>
## <desc>
##	<p>
##	Create a domain for short running processes
##	which are started by init scripts, running at a specified
##	MLS/MCS range. These are generally applications that
##	are used to initialize the system during boot.
##	Long running processes
##	should use the init_ranged_daemon_domain() interface instead.
##	Typically all short running processes started by an init
##	script (usually in /etc/init.d) will need to use this
##	interface if they need to run in a specific MLS/MCS range.
##	</p>
##	<p>
##	The types will be made usable as a domain and file, making
##	calls to domain_type() and files_type() redundant.
##	</p>
##	<p>
##	If the policy build option TYPE is standard (MLS and MCS disabled),
##	this interface has the same behavior as init_system_domain().
##	</p>
## </desc>
##
## Parameters:
##   $1: Type to be used as a system domain.
##   $2: Type of the program to be used as an entry point to this domain.
##   $3: Range for the domain.
#
define(`init_ranged_system_domain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_ranged_system_domain'($*)) dnl
	gen_require(`
		type initrc_t;
		type init_t;
	')

	init_system_domain($1, $2)

	# With MCS or MLS enabled, a process of init_t or initrc_t that
	# executes $2 gets the range $3; under MLS, $1 is additionally
	# passed to mls_rangetrans_target().
	ifdef(`enable_mcs',`
		range_transition initrc_t $2:process $3;
		range_transition init_t $2:process $3;
	')

	ifdef(`enable_mls',`
		range_transition initrc_t $2:process $3;
		range_transition init_t $2:process $3;
		mls_rangetrans_target($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_ranged_system_domain'($*)) dnl
')

########################################
##
## Allow domain dyntransition to init_t domain.
##
## Parameters:
##   $1: Domain allowed to transition.
#
define(`init_dyntrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dyntrans'($*)) dnl
	gen_require(`
		type init_t;
	')

	dyntrans_pattern($1, init_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dyntrans'($*)) dnl
')

########################################
##
## Mark the file type as a daemon run dir, allowing initrc_t
## to create it.
##
## Parameters:
##   $1: Type to mark as a daemon run dir.
##   $2: Filename of the directory that the init script creates.
#
define(`init_daemon_run_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_daemon_run_dir'($*)) dnl
	gen_require(`
		attribute daemonrundir;
		type initrc_t;
	')

	typeattribute $1 daemonrundir;
	# a directory named $2 created by initrc_t in the pid directory
	# is labeled $1
	files_pid_filetrans(initrc_t, $1, dir, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_daemon_run_dir'($*)) dnl
')

########################################
##
## Execute init (/sbin/init) with a domain transition.
##
## Parameters:
##   $1: Domain allowed to transition.
#
define(`init_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_domtrans'($*)) dnl
	gen_require(`
		type init_t, init_exec_t;
	')

	domtrans_pattern($1, init_exec_t, init_t)
	allow $1 init_exec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_domtrans'($*)) dnl
')

########################################
##
## Allow init_exec_t files to be an entrypoint of this domain.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_entrypoint_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_entrypoint_exec'($*)) dnl
	gen_require(`
		type init_exec_t;
	')

	allow $1 init_exec_t:file entrypoint;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_entrypoint_exec'($*)) dnl
')

########################################
##
## Execute the init program in the caller domain.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_exec'($*)) dnl
	gen_require(`
		type init_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, init_exec_t)

	# when the systemd module is present, systemctl is also executable
	# in the caller domain
	optional_policy(`
		systemd_exec_systemctl($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_exec'($*)) dnl
')

########################################
##
## Check access to the init/systemd executable.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_access_check',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_access_check'($*)) dnl
	gen_require(`
		type init_exec_t;
	')

	corecmd_search_bin($1)
	# execute without execute_no_trans: enough for an access check
	# (e.g. access(2)), not for running the binary in the caller domain;
	# use init_exec() or init_domtrans() for that.
	allow $1 init_exec_t:file { getattr_file_perms execute };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_access_check'($*)) dnl
')

########################################
##
## Dontaudit getattr on the init program.
##
## Parameters:
##   $1: Domain to not audit.
#
define(`init_dontaudit_getattr_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_getattr_exec'($*)) dnl
	gen_require(`
		type init_exec_t;
	')

	dontaudit $1 init_exec_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_getattr_exec'($*)) dnl
')

########################################
##
## Execute the rc application in the caller domain.
##

## This is only applicable to Gentoo or distributions that use the OpenRC ## init system. ##

##

## The OpenRC /sbin/rc binary is used for both init scripts as well as ## management applications and tools. When used for management purposes, ## calling /sbin/rc should never cause a transition to initrc_t. ##

##
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_exec_rc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_exec_rc'($*)) dnl
	gen_require(`
		type rc_exec_t;
	')

	corecmd_search_bin($1)
	# no domain transition: rc runs in the caller domain
	can_exec($1, rc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_exec_rc'($*)) dnl
')

########################################
##
## Get the process group of init.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_getpgid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_getpgid'($*)) dnl
	gen_require(`
		type init_t;
	')

	allow $1 init_t:process getpgid;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_getpgid'($*)) dnl
')

########################################
##
## Send init a null signal.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_signull'($*)) dnl
	gen_require(`
		type init_t;
	')

	allow $1 init_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_signull'($*)) dnl
')

########################################
##
## Send init a SIGCHLD signal.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_sigchld',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_sigchld'($*)) dnl
	gen_require(`
		type init_t;
	')

	allow $1 init_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_sigchld'($*)) dnl
')

########################################
##
## Send generic signals to init.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_signal'($*)) dnl
	gen_require(`
		type init_t;
	')

	allow $1 init_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_signal'($*)) dnl
')

########################################
##
## Create objects in the init_var_lib_t directories.
##
## Parameters:
##   $1: Domain allowed access.
##   $2: The type of the object to be created.
##   $3: The object class.
##   $4: The name of the object being created.
#
define(`init_var_lib_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_var_lib_filetrans'($*)) dnl
	gen_require(`
		type init_var_lib_t;
	')

	files_search_var_lib($1)
	filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_var_lib_filetrans'($*)) dnl
')

########################################
##
## Abstract socket service activation (systemd).
##
## Parameters:
##   $1: The domain to be started by systemd socket activation.
#
define(`init_abstract_socket_activation',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_abstract_socket_activation'($*)) dnl
	gen_require(`
		type init_t;
	')

	# init_t creates and listens on sockets labeled with the
	# service domain $1 on the service's behalf
	allow init_t $1:unix_stream_socket create_stream_socket_perms;
	allow init_t $1:tcp_socket create_stream_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_abstract_socket_activation'($*)) dnl
')

########################################
##
## Named socket service activation (systemd).
##
## Parameters:
##   $1: The domain to be started by systemd socket activation.
##   $2: The domain socket file type.
##   $3: The name of the object being created.
#
define(`init_named_socket_activation',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_named_socket_activation'($*)) dnl
	gen_require(`
		type init_t;
	')

	# sockets labeled with the service domain $1
	allow init_t $1:unix_dgram_socket create_socket_perms;
	allow init_t $1:unix_stream_socket create_stream_socket_perms;

	# filesystem objects of the socket file type $2 (full manage,
	# not just create)
	allow init_t $2:dir manage_dir_perms;
	allow init_t $2:fifo_file manage_fifo_file_perms;
	allow init_t $2:sock_file manage_sock_file_perms;
	allow init_t $2:lnk_file manage_lnk_file_perms;
	files_pid_filetrans(init_t, $2, { dir lnk_file sock_file fifo_file }, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_named_socket_activation'($*)) dnl
')

########################################
##
## Connect to init with a unix socket.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_stream_connect'($*)) dnl
	gen_require(`
		type init_t, init_var_run_t;
	')

	files_search_pids($1)
	# socket file and its directory are both init_var_run_t
	stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
	allow $1 init_t:unix_stream_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_stream_connect'($*)) dnl
')

########################################
##
## Connectto an init unix stream socket.
##
## Unlike init_stream_connect(), this grants only the
## connectto permission on the init_t socket (plus searching
## the pid directory); no access to the socket file is granted.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_stream_connectto',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_stream_connectto'($*)) dnl
	gen_require(`
		type init_t;
	')

	files_search_pids($1)
	allow $1 init_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_stream_connectto'($*)) dnl
')

########################################
##
## Dontaudit connecting to init with a unix socket.
##
## Parameters:
##   $1: Domain to not audit.
#
define(`init_dontaudit_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_stream_connect'($*)) dnl
	gen_require(`
		type init_t;
	')

	dontaudit $1 init_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_stream_connect'($*)) dnl
')

########################################
##
## Dontaudit getattr on init unix stream sockets.
##
## Parameters:
##   $1: Domain to not audit.
#
define(`init_dontaudit_getattr_stream_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_getattr_stream_socket'($*)) dnl
	gen_require(`
		type init_t;
	')

	dontaudit $1 init_t:unix_stream_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_getattr_stream_socket'($*)) dnl
')

########################################
##
## Dontaudit read and write on init unix stream sockets.
##
## Parameters:
##   $1: Domain to not audit.
#
define(`init_dontaudit_rw_stream_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_rw_stream_socket'($*)) dnl
	gen_require(`
		type init_t;
	')

	dontaudit $1 init_t:unix_stream_socket { getattr read write ioctl };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_rw_stream_socket'($*)) dnl
')

########################################
##
## Inherit and use file descriptors from init.
##
##

## Allow the specified domain to inherit file ## descriptors from the init program (process ID 1). ## Typically the only file descriptors to be ## inherited from init are for the console. ## This does not allow the domain any access to ## the objects to which the file descriptors refer. ##

##

## Related interfaces: ##

##
##   - init_dontaudit_use_fds()
##   - term_dontaudit_use_console()
##   - term_use_console()
##

## Example usage: ##

##

## init_use_fds(mydomain_t) ## term_use_console(mydomain_t) ##

##

## Normally, processes that can inherit these file ## descriptors (usually services) write messages to the ## system log instead of writing to the console. ## Therefore, in many cases, this access should be ## dontaudited instead. ##

##

## Example dontaudit usage: ##

##

## init_dontaudit_use_fds(mydomain_t) ## term_dontaudit_use_console(mydomain_t) ##

##
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_use_fds'($*)) dnl
	gen_require(`
		type init_t;
	')

	allow $1 init_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_use_fds'($*)) dnl
')

########################################
##
## Do not audit attempts to inherit file
## descriptors from init.
##
## Parameters:
##   $1: Domain to not audit.
#
define(`init_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_use_fds'($*)) dnl
	gen_require(`
		type init_t;
	')

	dontaudit $1 init_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_use_fds'($*)) dnl
')

########################################
##
## Send UDP network traffic to init. (Deprecated)
##
## This interface grants nothing; it only emits a
## deprecation warning at policy build time.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_udp_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_udp_send'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_udp_send'($*)) dnl
')

########################################
##
## Get the attributes of initctl.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_getattr_initctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_getattr_initctl'($*)) dnl
	gen_require(`
		type initctl_t;
	')

	allow $1 initctl_t:fifo_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_getattr_initctl'($*)) dnl
')

########################################
##
## Do not audit attempts to get the
## attributes of initctl.
##
## Parameters:
##   $1: Domain to not audit.
#
define(`init_dontaudit_getattr_initctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_getattr_initctl'($*)) dnl
	gen_require(`
		type initctl_t;
	')

	dontaudit $1 initctl_t:fifo_file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_getattr_initctl'($*)) dnl
')

########################################
##
## Write to initctl.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_write_initctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_write_initctl'($*)) dnl
	gen_require(`
		type initctl_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 initctl_t:fifo_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_write_initctl'($*)) dnl
')

########################################
##
## Use telinit (Read and write initctl).
##
## Besides the initctl pipe this also grants executing init
## in the caller domain, reading init's process state,
## signalling init and talking to init over unix sockets.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_telinit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_telinit'($*)) dnl
	gen_require(`
		type initctl_t;
		type init_t;
	')

	corecmd_exec_bin($1)
	dev_list_all_dev_nodes($1)
	allow $1 initctl_t:fifo_file rw_fifo_file_perms;

	init_exec($1)
	ps_process_pattern($1, init_t)
	allow $1 init_t:process signal;

	# net_admin is attempted but not needed; silence the denial
	dontaudit $1 self:capability net_admin;

	# upstart uses a datagram socket instead of initctl pipe
	allow $1 self:unix_dgram_socket create_socket_perms;
	allow $1 init_t:unix_dgram_socket sendto;
	#576913
	allow $1 init_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_telinit'($*)) dnl
')

########################################
##
## Read and write initctl.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_rw_initctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_rw_initctl'($*)) dnl
	gen_require(`
		type initctl_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 initctl_t:fifo_file rw_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_rw_initctl'($*)) dnl
')

########################################
##
## Do not audit attempts to read and
## write initctl.
##
## Parameters:
##   $1: Domain to not audit.
#
define(`init_dontaudit_rw_initctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_rw_initctl'($*)) dnl
	gen_require(`
		type initctl_t;
	')

	dontaudit $1 initctl_t:fifo_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_rw_initctl'($*)) dnl
')

########################################
##
## Make init scripts an entry point for
## the specified domain.
##
## Parameters:
##   $1: Domain allowed access.
#
# cjp: added for gentoo integrated run_init
define(`init_script_file_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_script_file_entry_type'($*)) dnl
	gen_require(`
		type initrc_exec_t;
	')

	domain_entry_file($1, initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_script_file_entry_type'($*)) dnl
')

########################################
##
## Execute init scripts with a specified domain transition.
##
## Parameters:
##   $1: Domain allowed to transition.
#
define(`init_spec_domtrans_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_spec_domtrans_script'($*)) dnl
	gen_require(`
		type initrc_t;
		attribute init_script_file_type;
	')

	files_list_etc($1)
	spec_domtrans_pattern($1, init_script_file_type, initrc_t)

	# Gentoo: /sbin/rc also transitions to initrc_t from this domain
	ifdef(`distro_gentoo',`
		gen_require(`
			type rc_exec_t;
		')

		domtrans_pattern($1, rc_exec_t, initrc_t)
	')

	# the resulting initrc_t process gets a fixed range rather
	# than inheriting the caller's
	ifdef(`enable_mcs',`
		range_transition $1 init_script_file_type:process s0;
	')

	ifdef(`enable_mls',`
		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_spec_domtrans_script'($*)) dnl
')

########################################
##
## Execute init scripts with an automatic domain transition.
##
## Parameters:
##   $1: Domain allowed to transition.
#
define(`init_domtrans_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_domtrans_script'($*)) dnl
	gen_require(`
		type initrc_t;
		attribute init_script_file_type;
		attribute initrc_transition_domain;
	')

	typeattribute $1 initrc_transition_domain;

	files_list_etc($1)
	domtrans_pattern($1, init_script_file_type, initrc_t)
	# the transition is also permitted under no_new_privs and
	# from nosuid mounts
	allow $1 initrc_t:process2 { nnp_transition nosuid_transition };

	ifdef(`enable_mcs',`
		range_transition $1 init_script_file_type:process s0;
	')

	ifdef(`enable_mls',`
		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_domtrans_script'($*)) dnl
')

########################################
##
## Execute a file in a bin directory
## in the initrc_t domain.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_bin_domtrans_spec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_bin_domtrans_spec'($*)) dnl
	gen_require(`
		type initrc_t;
	')

	corecmd_bin_domtrans($1, initrc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_bin_domtrans_spec'($*)) dnl
')

########################################
##
## Execute an init script in a specified domain.
##
##

## Execute an init script in a specified domain. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##
##
## Parameters:
##   $1: Domain allowed to transition.
##   $2: Domain to transition to.
#
# cjp: added for gentoo integrated run_init
define(`init_script_file_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_script_file_domtrans'($*)) dnl
	gen_require(`
		type initrc_exec_t;
	')

	files_list_etc($1)
	domain_auto_trans($1, initrc_exec_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_script_file_domtrans'($*)) dnl
')

########################################
##
## Transition to the init script domain
## on a specified labeled init script.
##
## Parameters:
##   $1: Domain allowed to transition.
##   $2: Labeled init script file.
#
define(`init_labeled_script_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_labeled_script_domtrans'($*)) dnl
	gen_require(`
		type initrc_t;
		attribute initrc_transition_domain;
	')

	typeattribute $1 initrc_transition_domain;

	# service script searches all filesystems via mountpoint
	fs_search_all($1)

	domtrans_pattern($1, $2, initrc_t)
	allow $1 $2:file ioctl;
	files_search_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_labeled_script_domtrans'($*)) dnl
')

########################################
##
## Transition to the init script domain
## for all labeled init script types.
##
## Parameters:
##   $1: Domain allowed to transition.
#
define(`init_all_labeled_script_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_all_labeled_script_domtrans'($*)) dnl
	gen_require(`
		attribute init_script_file_type;
	')

	init_labeled_script_domtrans($1, init_script_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_all_labeled_script_domtrans'($*)) dnl
')

########################################
##
## Start and stop daemon programs directly.
##
##

## Start and stop daemon programs directly ## in the traditional "/etc/init.d/daemon start" ## style, and do not require run_init. ##

##
##
## Parameters:
##   $1: Domain allowed access.
##   $2: The role to be performing this action.
#
define(`init_run_daemon',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_run_daemon'($*)) dnl
	gen_require(`
		attribute direct_run_init, direct_init, direct_init_entry;
		role system_r;
	')

	typeattribute $1 direct_run_init;
	# executing a direct_init_entry file from role $2 switches
	# the role to system_r
	role_transition $2 direct_init_entry system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_run_daemon'($*)) dnl
')

########################################
##
## Allow execute all init daemon executables type without transition.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_exec_notrans_direct_init_entry',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_exec_notrans_direct_init_entry'($*)) dnl
	gen_require(`
		attribute direct_init_entry;
	')

	allow $1 direct_init_entry:file execute_no_trans;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_exec_notrans_direct_init_entry'($*)) dnl
')

########################################
##
## Read the process state (/proc/pid) of init.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_state'($*)) dnl
	gen_require(`
		type init_t;
	')

	allow $1 init_t:dir search_dir_perms;
	allow $1 init_t:file read_file_perms;
	allow $1 init_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_state'($*)) dnl
')

########################################
##
## Dontaudit read the process state (/proc/pid) of init.
##
## Parameters:
##   $1: Domain to not audit.
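#
define(`init_dontaudit_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_read_state'($*)) dnl
	gen_require(`
		type init_t;
	')

	dontaudit $1 init_t:dir search_dir_perms;
	dontaudit $1 init_t:file read_file_perms;
	dontaudit $1 init_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_read_state'($*)) dnl
')

########################################
##
## Read the process keyring of init.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_read_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_key'($*)) dnl
	gen_require(`
		type init_t;
	')

	allow $1 init_t:key read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_key'($*)) dnl
')

########################################
##
## Allow view the init key ring.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_view_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_view_key'($*)) dnl
	gen_require(`
		type init_t;
	')

	allow $1 init_t:key view;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_view_key'($*)) dnl
')

########################################
##
## Write the process keyring of init.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`init_write_key',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_write_key'($*)) dnl
	gen_require(`
		type init_t;
	')

	# write, matching the interface name; the read-only
	# counterpart is init_read_key(). Previously this granted
	# only read, so callers of this interface were silently
	# denied keyring writes.
	allow $1 init_t:key write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_write_key'($*)) dnl
')

########################################
##
## Ptrace init.
##
## Parameters:
##   $1: Domain allowed access.
##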
## ## ## # define(`init_ptrace',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `init_ptrace'($*)) dnl gen_require(` type init_t; ') tunable_policy(`deny_ptrace',`',` allow $1 init_t:process ptrace; ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `init_ptrace'($*)) dnl ') ######################################## ## ## Write an init script unnamed pipe. ## ## ## ## Domain allowed access. ## ## # define(`init_write_script_pipes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `init_write_script_pipes'($*)) dnl gen_require(` type initrc_t; ') allow $1 initrc_t:fifo_file write; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `init_write_script_pipes'($*)) dnl ') ######################################## ## ## Get the attribute of init script entrypoint files. ## ## ## ## Domain allowed access. ## ## # define(`init_getattr_script_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `init_getattr_script_files'($*)) dnl gen_require(` type initrc_exec_t; ') files_list_etc($1) allow $1 initrc_exec_t:file getattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `init_getattr_script_files'($*)) dnl ') ######################################## ## ## Read init scripts. ## ## ## ## Domain allowed access. ## ## # define(`init_read_script_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `init_read_script_files'($*)) dnl gen_require(` type initrc_exec_t; ') files_search_etc($1) allow $1 initrc_exec_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `init_read_script_files'($*)) dnl ') ######################################## ## ## Execute init scripts in the caller domain. ## ## ## ## Domain allowed access. 
## ## # define(`init_exec_script_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `init_exec_script_files'($*)) dnl gen_require(` type initrc_exec_t; ') files_list_etc($1) can_exec($1, initrc_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `init_exec_script_files'($*)) dnl ') ######################################## ## ## Get the attribute of all init script entrypoint files. ## ## ## ## Domain allowed access. ## ## # define(`init_getattr_all_script_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `init_getattr_all_script_files'($*)) dnl gen_require(` attribute init_script_file_type; ') files_list_etc($1) allow $1 init_script_file_type:file getattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `init_getattr_all_script_files'($*)) dnl ') ######################################## ## ## Allow the specified domain to modify the systemd configuration of ## all init scripts. ## ## ## ## Domain allowed access. ## ## # define(`init_config_all_script_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `init_config_all_script_files'($*)) dnl gen_require(` attribute init_script_file_type; ') allow $1 init_script_file_type:service all_service_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `init_config_all_script_files'($*)) dnl ') ######################################## ## ## Allow the specified domain to modify the systemd configuration of ## transient scripts. ## ## ## ## Domain allowed access. 
## ## # define(`init_config_transient_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `init_config_transient_files'($*)) dnl gen_require(` type init_var_run_t; ') allow $1 init_var_run_t:service all_service_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `init_config_transient_files'($*)) dnl ') ######################################## ## ## Allow the specified domain to modify the systemd configuration of ## transient scripts. ## ## ## ## Domain allowed access. ## ## # define(`init_manage_config_transient_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `init_manage_config_transient_files'($*)) dnl gen_require(` type init_var_run_t; ') allow $1 init_var_run_t:service manage_service_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `init_manage_config_transient_files'($*)) dnl ') ######################################## ## ## Read all init script files. ## ## ## ## Domain allowed access. ## ## # define(`init_read_all_script_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `init_read_all_script_files'($*)) dnl gen_require(` attribute init_script_file_type; ') files_search_etc($1) allow $1 init_script_file_type:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `init_read_all_script_files'($*)) dnl ') ####################################### ## ## Dontaudit getattr all init script files. ## ## ## ## Domain to not audit. 
## ## # define(`init_dontaudit_getattr_all_script_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `init_dontaudit_getattr_all_script_files'($*)) dnl gen_require(` attribute init_script_file_type; ') dontaudit $1 init_script_file_type:file getattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `init_dontaudit_getattr_all_script_files'($*)) dnl ') ####################################### ## ## Dontaudit read all init script files. ## ## ## ## Domain to not audit. ## ## # define(`init_dontaudit_read_all_script_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `init_dontaudit_read_all_script_files'($*)) dnl gen_require(` attribute init_script_file_type; ') dontaudit $1 init_script_file_type:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `init_dontaudit_read_all_script_files'($*)) dnl ') ######################################## ## ## Execute all init scripts in the caller domain. ## ## ## ## Domain allowed access. ## ## # define(`init_exec_all_script_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `init_exec_all_script_files'($*)) dnl gen_require(` attribute init_script_file_type; ') files_list_etc($1) can_exec($1, init_script_file_type) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `init_exec_all_script_files'($*)) dnl ') ######################################## ## ## Read the process state (/proc/pid) of the init scripts. ## ## ## ## Domain allowed access. 
## ## # define(`init_read_script_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `init_read_script_state'($*)) dnl gen_require(` type initrc_t; ') kernel_search_proc($1) ps_process_pattern($1, initrc_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `init_read_script_state'($*)) dnl ') ######################################## ## ## Inherit and use init script file descriptors. ## ## ## ## Domain allowed access. ## ## # define(`init_use_script_fds',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `init_use_script_fds'($*)) dnl gen_require(` type initrc_t; ') allow $1 initrc_t:fd use; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `init_use_script_fds'($*)) dnl ') ######################################## ## ## Do not audit attempts to inherit ## init script file descriptors. ## ## ## ## Domain to not audit. ## ## # define(`init_dontaudit_use_script_fds',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `init_dontaudit_use_script_fds'($*)) dnl gen_require(` type initrc_t; ') dontaudit $1 initrc_t:fd use; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `init_dontaudit_use_script_fds'($*)) dnl ') ######################################## ## ## Search init script keys. ## ## ## ## Domain allowed access. ## ## # define(`init_search_script_keys',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `init_search_script_keys'($*)) dnl gen_require(` type initrc_t; ') allow $1 initrc_t:key search; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `init_search_script_keys'($*)) dnl ') ######################################## ## ## Get the process group ID of init scripts. ## ## ## ## Domain allowed access. 
##	</summary>
## </param>
#
define(`init_getpgid_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_getpgid_script'($*)) dnl
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:process getpgid;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_getpgid_script'($*)) dnl
')

########################################
## <summary>
##	Send SIGCHLD signals to init scripts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_sigchld_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_sigchld_script'($*)) dnl
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_sigchld_script'($*)) dnl
')

########################################
## <summary>
##	Send generic signals to init scripts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_signal_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_signal_script'($*)) dnl
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_signal_script'($*)) dnl
')

########################################
## <summary>
##	Send kill signals to init scripts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# sigkill is the one signal a script cannot handle or ignore; keep the
# set of callers of this interface small.
define(`init_sigkill_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_sigkill_script'($*)) dnl
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_sigkill_script'($*)) dnl
')

########################################
## <summary>
##	Send null signals to init scripts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_signull_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_signull_script'($*)) dnl
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_signull_script'($*)) dnl
')

########################################
## <summary>
##	Read and write init script unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_rw_script_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_rw_script_pipes'($*)) dnl
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:fifo_file { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_rw_script_pipes'($*)) dnl
')

########################################
## <summary>
##	Send UDP network traffic to init scripts. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# Deprecated: expands only to a build-time warning; no rules are generated.
define(`init_udp_send_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_udp_send_script'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_udp_send_script'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to connect to
##	init scripts with a unix socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_stream_connect_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_stream_connect_script'($*)) dnl
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_stream_connect_script'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to read and write
##	init script unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_rw_script_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_rw_script_stream_sockets'($*)) dnl
	gen_require(`
		type initrc_t;
	')

	allow $1 initrc_t:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_rw_script_stream_sockets'($*)) dnl
')

########################################
## <summary>
##	Do not audit the specified domain connecting to
##	init scripts with a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`init_dontaudit_stream_connect_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_stream_connect_script'($*)) dnl
	gen_require(`
		type initrc_t;
	')

	dontaudit $1 initrc_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_stream_connect_script'($*)) dnl
')

########################################
## <summary>
##	Send messages to init scripts over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# One-way only: the caller may send to initrc_t, initrc_t is not allowed
# to send back (compare init_dbus_chat_script).
define(`init_dbus_send_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dbus_send_script'($*)) dnl
	gen_require(`
		type initrc_t;
		class dbus send_msg;
	')

	allow $1 initrc_t:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dbus_send_script'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	init over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# Bidirectional: init_t is also granted send_msg toward the caller.
define(`init_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dbus_chat'($*)) dnl
	gen_require(`
		type init_t;
		class dbus send_msg;
	')

	allow $1 init_t:dbus send_msg;
	allow init_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to exchange dbus messages with init.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
# Suppresses audit records in both directions; no access is granted.
define(`init_dontaudit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_dbus_chat'($*)) dnl
	gen_require(`
		type init_t;
		class dbus send_msg;
	')

	dontaudit $1 init_t:dbus send_msg;
	dontaudit init_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	init scripts over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# Bidirectional: initrc_t is also granted send_msg toward the caller.
define(`init_dbus_chat_script',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dbus_chat_script'($*)) dnl
	gen_require(`
		type initrc_t;
		class dbus send_msg;
	')

	allow $1 initrc_t:dbus send_msg;
	allow initrc_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dbus_chat_script'($*)) dnl
')

########################################
## <summary>
##	Read and write the init script pty.
## </summary>
## <desc>
##	<p>

##	Read and write the init script pty. This
##	pty is generally opened by the open_init_pty
##	portion of the run_init program so that the
##	daemon does not require direct access to
##	the administrator terminal.
##	</p>

##
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_use_script_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_use_script_ptys'($*)) dnl
	gen_require(`
		type initrc_devpts_t;
	')

	term_list_ptys($1)
	allow $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_use_script_ptys'($*)) dnl
')

########################################
## <summary>
##	Read and write inherited init script ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# Narrower than init_use_script_ptys (no lock/append) but also pulls in
# init_use_fds so the inherited descriptor itself is usable.
define(`init_use_inherited_script_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_use_inherited_script_ptys'($*)) dnl
	gen_require(`
		type initrc_devpts_t;
	')

	term_list_ptys($1)
	allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
	init_use_fds($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_use_inherited_script_ptys'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and
##	write the init script pty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`init_dontaudit_use_script_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_use_script_ptys'($*)) dnl
	gen_require(`
		type initrc_devpts_t;
	')

	dontaudit $1 initrc_devpts_t:chr_file { rw_term_perms lock append };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_use_script_ptys'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of init script
##	status files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_getattr_script_status_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_getattr_script_status_files'($*)) dnl
	gen_require(`
		type initrc_state_t;
	')

	getattr_files_pattern($1, initrc_state_t, initrc_state_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_getattr_script_status_files'($*)) dnl
')

########################################
## <summary>
##	Manage init script
##	status files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_manage_script_status_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_manage_script_status_files'($*)) dnl
	gen_require(`
		type initrc_state_t;
	')

	manage_files_pattern($1, initrc_state_t, initrc_state_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_manage_script_status_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read init script
##	status files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`init_dontaudit_read_script_status_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_read_script_status_files'($*)) dnl
	gen_require(`
		type initrc_state_t;
	')

	dontaudit $1 initrc_state_t:dir search_dir_perms;
	dontaudit $1 initrc_state_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_read_script_status_files'($*)) dnl
')

########################################
## <summary>
##	Read init script temporary data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_read_script_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_script_tmp_files'($*)) dnl
	gen_require(`
		type initrc_tmp_t;
	')

	files_search_tmp($1)
	read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_script_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Read and write init script temporary data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_rw_script_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_rw_script_tmp_files'($*)) dnl
	gen_require(`
		type initrc_tmp_t;
	')

	files_search_tmp($1)
	rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_rw_script_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Manage init script temporary data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# Beyond the manage patterns this also grants file map on initrc_tmp_t,
# i.e. the temporary files may be memory-mapped by the caller.
define(`init_manage_script_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_manage_script_tmp_files'($*)) dnl
	gen_require(`
		type initrc_tmp_t;
	')

	files_search_tmp($1)
	manage_dirs_pattern($1, initrc_tmp_t, initrc_tmp_t)
	manage_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
	manage_lnk_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
	allow $1 initrc_tmp_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_manage_script_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Allow the caller domain to write initrc_tmp_t pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_write_initrc_tmp_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_write_initrc_tmp_pipes'($*)) dnl
	gen_require(`
		type initrc_tmp_t;
	')

	allow $1 initrc_tmp_t:fifo_file write_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_write_initrc_tmp_pipes'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write initrc_tmp_t pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
# Mirrors init_write_initrc_tmp_pipes as a dontaudit; the rule is on
# fifo_file write, not on reading files as the old summary said.
define(`init_dontaudit_write_initrc_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_write_initrc_tmp'($*)) dnl
	gen_require(`
		type initrc_tmp_t;
	')

	dontaudit $1 initrc_tmp_t:fifo_file write_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_write_initrc_tmp'($*)) dnl
')

########################################
## <summary>
##	Read and write init script inherited temporary data.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# No files_search_tmp here: the caller is expected to use an already
# open descriptor, not to open the files itself.
define(`init_rw_inherited_script_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_rw_inherited_script_tmp_files'($*)) dnl
	gen_require(`
		type initrc_tmp_t;
	')

	allow $1 initrc_tmp_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_rw_inherited_script_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Create files in an init script
##	temporary data directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to be created
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
# $4 (object name) is optional and is passed straight through to
# filetrans_pattern.
define(`init_script_tmp_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_script_tmp_filetrans'($*)) dnl
	gen_require(`
		type initrc_tmp_t;
	')

	files_search_tmp($1)
	filetrans_pattern($1, initrc_tmp_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_script_tmp_filetrans'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of init script process id files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_getattr_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_getattr_utmp'($*)) dnl
	gen_require(`
		type initrc_var_run_t;
	')

	allow $1 initrc_var_run_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_getattr_utmp'($*)) dnl
')

########################################
## <summary>
##	Read utmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_read_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_utmp'($*)) dnl
	gen_require(`
		type initrc_var_run_t;
	')

	files_list_pids($1)
	allow $1 initrc_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_utmp'($*)) dnl
')

########################################
## <summary>
##	Read machineid_t files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# The old summary said "Read utmp."; the rule is on machineid_t under etc,
# not on initrc_var_run_t.
define(`init_read_machineid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_machineid'($*)) dnl
	gen_require(`
		type machineid_t;
	')

	files_search_etc($1)
	allow $1 machineid_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_machineid'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read utmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`init_dontaudit_read_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_read_utmp'($*)) dnl
	gen_require(`
		type initrc_var_run_t;
	')

	dontaudit $1 initrc_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_read_utmp'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write utmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`init_dontaudit_write_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_write_utmp'($*)) dnl
	gen_require(`
		type initrc_var_run_t;
	')

	dontaudit $1 initrc_var_run_t:file { write lock };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_write_utmp'($*)) dnl
')

########################################
## <summary>
##	Write to utmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# Write-only: { getattr open write } deliberately omits read and lock;
# use init_rw_utmp when the caller must read records back.
define(`init_write_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_write_utmp'($*)) dnl
	gen_require(`
		type initrc_var_run_t;
	')

	files_list_pids($1)
	allow $1 initrc_var_run_t:file { getattr open write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_write_utmp'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to lock
##	init script pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`init_dontaudit_lock_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_lock_utmp'($*)) dnl
	gen_require(`
		type initrc_var_run_t;
	')

	dontaudit $1 initrc_var_run_t:file lock;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_lock_utmp'($*)) dnl
')

########################################
## <summary>
##	Read and write utmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_rw_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_rw_utmp'($*)) dnl
	gen_require(`
		type initrc_var_run_t;
	')

	files_list_pids($1)
	allow $1 initrc_var_run_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_rw_utmp'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write utmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`init_dontaudit_rw_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_rw_utmp'($*)) dnl
	gen_require(`
		type initrc_var_run_t;
	')

	dontaudit $1 initrc_var_run_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_rw_utmp'($*)) dnl
')

########################################
## <summary>
##	Watch the utmp file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_watch_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_watch_utmp'($*)) dnl
	gen_require(`
		type initrc_var_run_t;
	')

	files_search_pids($1)
	allow $1 initrc_var_run_t:file watch_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_watch_utmp'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete utmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# Full manage_file_perms on every initrc_var_run_t file, not only utmp.
define(`init_manage_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_manage_utmp'($*)) dnl
	gen_require(`
		type initrc_var_run_t;
	')

	files_search_pids($1)
	allow $1 initrc_var_run_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_manage_utmp'($*)) dnl
')

########################################
## <summary>
##	Create files in /var/run with the
##	utmp file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# Name-based transition: only a file literally named "utmp" gets the
# initrc_var_run_t label.
define(`init_pid_filetrans_utmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_pid_filetrans_utmp'($*)) dnl
	gen_require(`
		type initrc_var_run_t;
	')

	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_pid_filetrans_utmp'($*)) dnl
')

######################################
## <summary>
##	Allow searching the /run/systemd directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_search_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_search_pid_dirs'($*)) dnl
	gen_require(`
		type init_var_run_t;
	')

	allow $1 init_var_run_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_search_pid_dirs'($*)) dnl
')

######################################
## <summary>
##	Allow listing of the /run/systemd directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_list_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_list_pid_dirs'($*)) dnl
	gen_require(`
		type init_var_run_t;
	')

	allow $1 init_var_run_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_list_pid_dirs'($*)) dnl
')

#######################################
## <summary>
##	Create a directory in the /run/systemd directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_create_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_create_pid_dirs'($*)) dnl
	gen_require(`
		type init_var_run_t;
	')

	allow $1 init_var_run_t:dir list_dir_perms;
	create_dirs_pattern($1, init_var_run_t, init_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_create_pid_dirs'($*)) dnl
')

#######################################
## <summary>
##	Remove entries from the /run/systemd directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_delete_pid_dir_entry',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_delete_pid_dir_entry'($*)) dnl
	gen_require(`
		type init_var_run_t;
	')

	allow $1 init_var_run_t:dir del_entry_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_delete_pid_dir_entry'($*)) dnl
')

#######################################
## <summary>
##	Watch the /run/systemd directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_watch_pid_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_watch_pid_dir'($*)) dnl
	gen_require(`
		type init_var_run_t;
	')

	allow $1 init_var_run_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_watch_pid_dir'($*)) dnl
')

#######################################
## <summary>
##	Create objects in the /run/systemd directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`init_pid_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_pid_filetrans'($*)) dnl
	gen_require(`
		type init_var_run_t;
	')

	files_search_pids($1)
	filetrans_pattern($1, init_var_run_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_pid_filetrans'($*)) dnl
')

#######################################
## <summary>
##	Create objects in the /run/systemd directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
# Body is identical to init_pid_filetrans above; the two names grant the
# same access.
define(`init_named_pid_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_named_pid_filetrans'($*)) dnl
	gen_require(`
		type init_var_run_t;
	')

	files_search_pids($1)
	filetrans_pattern($1, init_var_run_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_named_pid_filetrans'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to receive TCP traffic from all daemons.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# This is a labeled-networking recvfrom rule against the daemon attribute,
# i.e. every domain carrying that attribute, not a single daemon.
define(`init_tcp_recvfrom_all_daemons',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_tcp_recvfrom_all_daemons'($*)) dnl
	gen_require(`
		attribute daemon;
	')

	corenet_tcp_recvfrom_labeled($1, daemon)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_tcp_recvfrom_all_daemons'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to receive UDP traffic from all daemons.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# As with the TCP variant, this applies to every domain with the daemon
# attribute.
define(`init_udp_recvfrom_all_daemons',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_udp_recvfrom_all_daemons'($*)) dnl
	gen_require(`
		attribute daemon;
	')

	corenet_udp_recvfrom_labeled($1, daemon)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_udp_recvfrom_all_daemons'($*)) dnl
')

########################################
## <summary>
##	Transition to system_r when executing an init script.
## </summary>
## <desc>
##	<p>

##	Execute an init script in a specified role.
##	</p>

##

##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>

##
## <param name="role">
##	<summary>
##	Role to transition from.
##	</summary>
## </param>
# Role change only: executing any init_script_file_type file moves the
# role to system_r. No process permissions toward the resulting domain
# are granted here, so callers must add those separately.
define(`init_script_role_transition',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_script_role_transition'($*)) dnl
	gen_require(`
		attribute init_script_file_type;
	')

	role_transition $1 init_script_file_type system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_script_role_transition'($*)) dnl
')

########################################
## <summary>
##	Do not audit reads and writes of leaked init script file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
# Suppresses audit records for sockets, shared memory, ptys and fds
# inherited from initrc_t; nothing is allowed. Because the denials are
# silenced, they will not show up in the audit log when hunting for
# descriptor leaks.
define(`init_dontaudit_script_leaks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dontaudit_script_leaks'($*)) dnl
	gen_require(`
		type initrc_t;
	')

	dontaudit $1 initrc_t:socket_class_set { read write };
	dontaudit $1 initrc_t:shm rw_shm_perms;
	init_dontaudit_use_script_ptys($1)
	init_dontaudit_use_script_fds($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dontaudit_script_leaks'($*)) dnl
')

#######################################
## <summary>
##	Allow the specified domain to ioctl
##	init unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_ioctl_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_ioctl_stream_sockets'($*)) dnl
	gen_require(`
		type init_t;
	')

	allow $1 init_t:unix_stream_socket ioctl;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_ioctl_stream_sockets'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to read and write
##	init unix domain stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_rw_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_rw_stream_sockets'($*)) dnl
	gen_require(`
		type init_t;
	')

	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_rw_stream_sockets'($*)) dnl
')

#######################################
## <summary>
##	Allow the specified domain to write to
##	the init sock file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# sock_file write is the filesystem-side permission needed to connect to
# a socket node; the socket-level connectto is a separate rule.
define(`init_write_pid_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_write_pid_socket'($*)) dnl
	gen_require(`
		type init_var_run_t;
	')

	allow $1 init_var_run_t:sock_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_write_pid_socket'($*)) dnl
')

########################################
## <summary>
##	Send a message to init over a unix domain
##	datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_dgram_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_dgram_send'($*)) dnl
	gen_require(`
		type init_t;
	')

	allow $1 init_t:unix_dgram_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_dgram_send'($*)) dnl
')

########################################
## <summary>
##	Send a message to init over a unix domain
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_stream_send',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_stream_send'($*)) dnl
	gen_require(`
		type init_t;
	')

	allow $1 init_t:unix_stream_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_stream_send'($*)) dnl
')

########################################
## <summary>
##	Create a file type used for init socket files.
## </summary>
## <desc>
##	<p>

##	This defines a type that init can create sock_file objects within
##	for impersonation purposes.
##	</p>

##
## <param name="type">
##	<summary>
##	Type to be used for a sock file.
##	</summary>
## </param>
##
# Attribute membership only: this interface grants no rules itself.
define(`init_sock_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_sock_file'($*)) dnl
	gen_require(`
		attribute init_sock_file_type;
	')

	typeattribute $1 init_sock_file_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_sock_file'($*)) dnl
')

########################################
## <summary>
##	Read init pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_pid_files'($*)) dnl
	gen_require(`
		type init_var_run_t;
	')

	list_dirs_pattern($1, init_var_run_t, init_var_run_t)
	read_files_pattern($1, init_var_run_t, init_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Manage init pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_manage_pid_files'($*)) dnl
	gen_require(`
		type init_var_run_t;
	')

	manage_files_pattern($1, init_var_run_t, init_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_manage_pid_files'($*)) dnl
')

#######################################
## <summary>
##	Read init pid lnk_files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_read_pid_lnk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_pid_lnk_files'($*)) dnl
	gen_require(`
		type init_var_run_t;
	')

	read_lnk_files_pattern($1, init_var_run_t, init_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_pid_lnk_files'($*)) dnl
')

########################################
## <summary>
##	Read init named pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# The old summary said "unnamed pipes"; the rule covers fifo_file objects
# labeled init_var_run_t, i.e. named pipes in the init pid directory.
define(`init_read_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_pipes'($*)) dnl
	gen_require(`
		type init_var_run_t;
	')

	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_pipes'($*)) dnl
')

########################################
## <summary>
##	Read and write init named pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# Same note as init_read_pipes: fifo_file objects of type init_var_run_t.
define(`init_rw_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_rw_pipes'($*)) dnl
	gen_require(`
		type init_var_run_t;
	')

	rw_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_rw_pipes'($*)) dnl
')

#######################################
## <summary>
##	Read and write init TCP sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_rw_tcp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_rw_tcp_sockets'($*)) dnl
	gen_require(`
		type init_t;
	')

	allow $1 init_t:tcp_socket { read write getattr };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_rw_tcp_sockets'($*)) dnl
')

########################################
## <summary>
##	Get the system status information from init.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
# Read-only status on both the system and the service class of init_t.
define(`init_status',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_status'($*)) dnl
	gen_require(`
		type init_t;
	')

	allow $1 init_t:system status;
	allow $1 init_t:service status;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_status'($*)) dnl
')

########################################
## <summary>
##	Tell init to stop the system.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_stop',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_stop'($*)) dnl
gen_require(`
	type init_t;
')
allow $1 init_t:system stop;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_stop'($*)) dnl
')

########################################
## <summary>
##	Start system from init
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_start',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_start'($*)) dnl
gen_require(`
	type init_t;
')
allow $1 init_t:system start;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_start'($*)) dnl
')

########################################
## <summary>
##	Tell init to reboot the system.
## </summary>
## <desc>
##	<p>
##	High-impact: the caller can initiate a reboot. This interface
##	also calls systemd_config_power_services on the caller; grant it
##	only to domains that legitimately administer power state.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_reboot',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_reboot'($*)) dnl
gen_require(`
	type init_t;
')
allow $1 init_t:system reboot;
systemd_config_power_services($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_reboot'($*)) dnl
')

########################################
## <summary>
##	Tell init to enable the services.
## </summary>
## <desc>
##	<p>
##	Grants the system-class enable permission on init_t, i.e. the
##	ability to enable any service, not a specific unit.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_enable_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_enable_services'($*)) dnl
gen_require(`
	type init_t;
')
allow $1 init_t:system enable;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_enable_services'($*)) dnl
')

########################################
## <summary>
##	Tell init to disable the services.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_disable_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_disable_services'($*)) dnl
gen_require(`
	type init_t;
')
allow $1 init_t:system disable;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_disable_services'($*)) dnl
')

########################################
## <summary>
##	Tell init to reload the services.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_reload_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_reload_services'($*)) dnl
gen_require(`
	type init_t;
')
allow $1 init_t:system reload;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_reload_services'($*)) dnl
')

########################################
## <summary>
##	Tell init to halt the system.
## </summary>
## <desc>
##	<p>
##	High-impact: the caller can halt the system. This interface
##	also calls systemd_config_power_services on the caller; grant it
##	only to domains that legitimately administer power state.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_halt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_halt'($*)) dnl
gen_require(`
	type init_t;
')
allow $1 init_t:system halt;
systemd_config_power_services($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_halt'($*)) dnl
')

########################################
## <summary>
##	Tell init to do an unknown access.
## </summary>
## <desc>
##	<p>
##	Grants the system-class undefined permission on init_t, which
##	covers requests that do not map to a more specific permission.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_undefined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_undefined'($*)) dnl
gen_require(`
	type init_t;
')
allow $1 init_t:system undefined;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_undefined'($*)) dnl
')

########################################
## <summary>
##	Tell init to start a transient unit.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_start_transient_unit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_start_transient_unit'($*)) dnl
gen_require(`
	type init_t;
')
allow $1 init_t:service start;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_start_transient_unit'($*)) dnl
')

########################################
## <summary>
##	Tell init to enable a transient unit.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_enable_transient_unit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_enable_transient_unit'($*)) dnl
gen_require(`
	type init_t;
')
allow $1 init_t:service enable;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_enable_transient_unit'($*)) dnl
')

########################################
## <summary>
##	Tell init to disable a transient unit.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_disable_transient_unit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_disable_transient_unit'($*)) dnl
gen_require(`
	type init_t;
')
allow $1 init_t:service disable;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_disable_transient_unit'($*)) dnl
')

########################################
## <summary>
##	Tell init to stop a transient unit.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_stop_transient_unit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_stop_transient_unit'($*)) dnl
gen_require(`
	type init_t;
')
allow $1 init_t:service stop;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_stop_transient_unit'($*)) dnl
')

########################################
## <summary>
##	Tell init to reload a transient unit.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_reload_transient_unit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_reload_transient_unit'($*)) dnl
gen_require(`
	type init_t;
')
allow $1 init_t:service reload;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_reload_transient_unit'($*)) dnl
')

########################################
## <summary>
##	Get the status of a transient unit from init.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_status_transient_unit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_status_transient_unit'($*)) dnl
gen_require(`
	type init_t;
')
allow $1 init_t:service status;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_status_transient_unit'($*)) dnl
')

########################################
## <summary>
##	Manage transient units via init.
## </summary>
## <desc>
##	<p>
##	Grants manage_service_perms, the full service permission set,
##	on init_t. Prefer the narrower start, stop, status, reload,
##	enable or disable interfaces above when one of them suffices.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_manage_transient_unit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_manage_transient_unit'($*)) dnl
gen_require(`
	type init_t;
')
allow $1 init_t:service manage_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_manage_transient_unit'($*)) dnl
')

########################################
## <summary>
##	Transition to init named content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_filetrans_named_content'($*)) dnl
gen_require(`
	type init_var_run_t;
	type initrc_var_run_t;
	type machineid_t;
	type initctl_t;
	type systemd_unit_file_t;
')
dnl Named file transitions only: the caller still needs separate
dnl create or write permission on the target types for these to apply.
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
files_pid_filetrans($1, init_var_run_t, file, "random-seed")
files_etc_filetrans($1, machineid_t, file, "machine-id" )
files_pid_filetrans($1, initctl_t, fifo_file, "fifo" )
init_pid_filetrans($1, systemd_unit_file_t, dir, "generator")
init_pid_filetrans($1, systemd_unit_file_t, dir, "system")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_filetrans_named_content'($*)) dnl
')

########################################
## <summary>
##	Read systemd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_read_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_var_lib_files'($*)) dnl
gen_require(`
	type init_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, init_var_lib_t, init_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_var_lib_files'($*)) dnl
')

########################################
## <summary>
##	Mmap and read systemd lib files.
## </summary>
## <desc>
##	<p>
##	Like init_read_var_lib_files but uses mmap_read_files_pattern,
##	so the caller may also map the files into memory.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_mmap_read_var_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_mmap_read_var_lib_files'($*)) dnl
gen_require(`
	type init_var_lib_t;
')
files_search_var_lib($1)
mmap_read_files_pattern($1, init_var_lib_t, init_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_mmap_read_var_lib_files'($*)) dnl
')

########################################
## <summary>
##	Search systemd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_search_var_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_search_var_lib_dirs'($*)) dnl
gen_require(`
	type init_var_lib_t;
')
files_search_var_lib($1)
allow $1 init_var_lib_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_search_var_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Read systemd lib sock_files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_read_var_lib_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_var_lib_sock_files'($*)) dnl
gen_require(`
	type init_var_lib_t;
')
files_search_var_lib($1)
read_sock_files_pattern($1, init_var_lib_t, init_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_var_lib_sock_files'($*)) dnl
')

########################################
## <summary>
##	Read systemd lib lnk_files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_read_var_lib_lnk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_read_var_lib_lnk_files'($*)) dnl
gen_require(`
	type init_var_lib_t;
')
files_search_var_lib($1)
read_lnk_files_pattern($1, init_var_lib_t, init_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_read_var_lib_lnk_files'($*)) dnl
')

########################################
## <summary>
##	Allow caller domain to run bpftool.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`init_prog_run_bpf',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_prog_run_bpf'($*)) dnl
gen_require(`
	type init_t;
')
dnl Grants BPF map creation, map read and write, program loading and
dnl program execution against init_t bpf objects. Loading BPF programs
dnl is a high-privilege capability; restrict to trusted admin domains.
allow $1 init_t:bpf { map_create map_read map_write prog_load prog_run };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_prog_run_bpf'($*)) dnl
')

#######################################
## <summary>
##	Allow systemd to watch directories of given type.
##	Intended for systemd path units - see systemd.path(5). (Deprecated)
## </summary>
## <desc>
##	<p>
##	Deprecated: this interface grants nothing and only emits a
##	refpolicywarn at build time. Remove calls to it.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type allowed to watch.
##	</summary>
## </param>
#
define(`init_watch_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `init_watch_dir'($*)) dnl
refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `init_watch_dir'($*)) dnl
')

## <summary>TCP/IP encryption</summary>

########################################
## <summary>
##	Execute ipsec in the ipsec domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ipsec_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_domtrans'($*)) dnl
gen_require(`
	type ipsec_t, ipsec_exec_t;
')
domtrans_pattern($1, ipsec_exec_t, ipsec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_domtrans'($*)) dnl
')

#######################################
## <summary>
##	Allow read/write ipsec pipes
## </summary>
## <desc>
##	<p>
##	Uses rw_inherited_fifo_file_perms, i.e. only pipes the caller
##	already holds open; it does not allow opening ipsec_t pipes.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ipsec_rw_inherited_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_rw_inherited_pipes'($*)) dnl
gen_require(`
	type ipsec_t;
')
allow $1 ipsec_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_rw_inherited_pipes'($*)) dnl
')

########################################
## <summary>
##	Connect to IPSEC using a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ipsec_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_stream_connect'($*)) dnl
gen_require(`
	type ipsec_t, ipsec_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Execute ipsec in the ipsec mgmt domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ipsec_domtrans_mgmt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_domtrans_mgmt'($*)) dnl
gen_require(`
	type ipsec_mgmt_t, ipsec_mgmt_exec_t;
')
domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_domtrans_mgmt'($*)) dnl
')

#######################################
## <summary>
##	Allow to create OBJECT in /etc with ipsec_key_file_t.
## </summary>
## <desc>
##	<p>
##	This is a type transition only; the caller still needs write
##	access to ipsec_key_file_t (see ipsec_manage_key_file) for the
##	created file to be usable.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ipsec_filetrans_key_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_filetrans_key_file'($*)) dnl
gen_require(`
	type ipsec_key_file_t;
')
files_etc_filetrans($1, ipsec_key_file_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_filetrans_key_file'($*)) dnl
')

#######################################
## <summary>
##	Allow to manage ipsec key files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ipsec_manage_key_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_manage_key_file'($*)) dnl
gen_require(`
	type ipsec_key_file_t;
')
dnl ipsec_key_file_t labels keying material such as ipsec.secrets, so
dnl full manage access should be limited to the IPSEC management domains.
manage_files_pattern($1, ipsec_key_file_t, ipsec_key_file_t)
files_etc_filetrans($1, ipsec_key_file_t, file, "ipsec.secrets")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_manage_key_file'($*)) dnl
')

########################################
## <summary>
##	Read the ipsec_mgmt_var_run_t files.
## </summary>
## <desc>
##	<p>
##	Reads ipsec_mgmt_var_run_t files located in ipsec_var_run_t
##	directories.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ipsec_mgmt_read_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_mgmt_read_pid'($*)) dnl
gen_require(`
	type ipsec_var_run_t;
	type ipsec_mgmt_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, ipsec_var_run_t, ipsec_mgmt_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_mgmt_read_pid'($*)) dnl
')

########################################
## <summary>
##	Connect to racoon using a unix domain stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ipsec_stream_connect_racoon',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_stream_connect_racoon'($*)) dnl
gen_require(`
	type racoon_t, ipsec_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, racoon_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_stream_connect_racoon'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of an IPSEC key socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ipsec_getattr_key_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_getattr_key_sockets'($*)) dnl
gen_require(`
	type ipsec_t;
')
allow $1 ipsec_t:key_socket getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_getattr_key_sockets'($*)) dnl
')

########################################
## <summary>
##	Execute the IPSEC management program in the caller domain.
## </summary>
## <desc>
##	<p>
##	NOTE(review): the summary refers to the management program, but
##	the interface requires and executes ipsec_exec_t, not
##	ipsec_mgmt_exec_t; confirm which entrypoint type is intended.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ipsec_exec_mgmt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_exec_mgmt'($*)) dnl
gen_require(`
	type ipsec_exec_t;
')
can_exec($1, ipsec_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_exec_mgmt'($*)) dnl
')

########################################
## <summary>
##	Send ipsec mgmt a general signal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ipsec_signal_mgmt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_signal_mgmt'($*)) dnl
gen_require(`
	type ipsec_mgmt_t;
')
allow $1 ipsec_mgmt_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_signal_mgmt'($*)) dnl
')

########################################
## <summary>
##	Send ipsec mgmt a null signal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ipsec_signull_mgmt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_signull_mgmt'($*)) dnl
gen_require(`
	type ipsec_mgmt_t;
')
allow $1 ipsec_mgmt_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_signull_mgmt'($*)) dnl
')

########################################
## <summary>
##	Send ipsec mgmt a kill signal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ipsec_kill_mgmt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_kill_mgmt'($*)) dnl
gen_require(`
	type ipsec_mgmt_t;
')
allow $1 ipsec_mgmt_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_kill_mgmt'($*)) dnl
')

########################################
## <summary>
##	Send ipsec a general signal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ipsec_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_signal'($*)) dnl
gen_require(`
	type ipsec_t;
')
allow $1 ipsec_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_signal'($*)) dnl
')

########################################
## <summary>
##	Send ipsec a null signal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ipsec_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_signull'($*)) dnl
gen_require(`
	type ipsec_t;
')
allow $1 ipsec_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_signull'($*)) dnl
')

########################################
## <summary>
##	Send ipsec a kill signal.
## </summary>
## <desc>
##	<p>
##	sigkill lets the caller terminate the IPSEC daemon outright;
##	grant only to domains that manage the service.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ipsec_kill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_kill'($*)) dnl
gen_require(`
	type ipsec_t;
')
allow $1 ipsec_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_kill'($*)) dnl
')

######################################
## <summary>
##	Send and receive messages from
##	ipsec-mgmt over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ipsec_mgmt_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_mgmt_dbus_chat'($*)) dnl
gen_require(`
	type ipsec_mgmt_t;
	class dbus send_msg;
')
dnl Bidirectional: both the caller and ipsec_mgmt_t may send to each other.
allow $1 ipsec_mgmt_t:dbus send_msg;
allow ipsec_mgmt_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_mgmt_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Read the IPSEC configuration
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`ipsec_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_read_config'($*)) dnl
gen_require(`
	type ipsec_conf_file_t;
')
files_search_etc($1)
allow $1 ipsec_conf_file_t:file read_file_perms;
allow $1 ipsec_conf_file_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_read_config'($*)) dnl
')

########################################
## <summary>
##	Match the default SPD entry.
## </summary>
## <desc>
##	<p>
##	Besides polmatch on ipsec_spd_t, this also grants the caller
##	association sendto and peer recv on itself.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ipsec_match_default_spd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_match_default_spd'($*)) dnl
gen_require(`
	type ipsec_spd_t;
')
allow $1 ipsec_spd_t:association polmatch;
allow $1 self:association sendto;
allow $1 self:peer recv;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_match_default_spd'($*)) dnl
')

########################################
## <summary>
##	Set the context of a SPD entry to
##	the default context.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ipsec_setcontext_default_spd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_setcontext_default_spd'($*)) dnl
gen_require(`
	type ipsec_spd_t;
')
allow $1 ipsec_spd_t:association setcontext;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_setcontext_default_spd'($*)) dnl
')

########################################
## <summary>
##	Write the ipsec_var_run_t files.
## </summary>
## <desc>
##	<p>
##	Write only (write_files_pattern); does not grant read, create
##	or delete. Use ipsec_manage_pid for full management.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ipsec_write_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_write_pid'($*)) dnl
gen_require(`
	type ipsec_var_run_t;
')
files_search_pids($1)
write_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_write_pid'($*)) dnl
')

########################################
## <summary>
##	Allow read the IPSEC pid files.
## </summary>
## <desc>
##	<p>
##	Also reads ipsec_var_run_t sock_files, not just regular files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ipsec_read_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_read_pid'($*)) dnl
gen_require(`
	type ipsec_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
read_sock_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_read_pid'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete the IPSEC pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`ipsec_manage_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_manage_pid'($*)) dnl
gen_require(`
	type ipsec_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_manage_pid'($*)) dnl
')

########################################
## <summary>
##	Execute racoon in the racoon domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ipsec_domtrans_racoon',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_domtrans_racoon'($*)) dnl
gen_require(`
	type racoon_t, racoon_exec_t;
')
domtrans_pattern($1, racoon_exec_t, racoon_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_domtrans_racoon'($*)) dnl
')

########################################
## <summary>
##	Execute racoon and allow the specified role the domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`ipsec_run_racoon',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_run_racoon'($*)) dnl
gen_require(`
	type racoon_t;
')
ipsec_domtrans_racoon($1)
role $2 types racoon_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_run_racoon'($*)) dnl
')

########################################
## <summary>
##	Execute setkey in the setkey domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ipsec_domtrans_setkey',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_domtrans_setkey'($*)) dnl
gen_require(`
	type setkey_t, setkey_exec_t;
')
domtrans_pattern($1, setkey_exec_t, setkey_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_domtrans_setkey'($*)) dnl
')

########################################
## <summary>
##	Execute setkey and allow the specified role the domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`ipsec_run_setkey',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_run_setkey'($*)) dnl
gen_require(`
	type setkey_t;
')
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_run_setkey'($*)) dnl
')

#######################################
## <summary>
##	Execute systemctl to manage the ipsec_mgmt service.
## </summary>
## <desc>
##	<p>
##	Allows running systemctl, reloading init services, reading the
##	ipsec_mgmt unit file and granting manage_service_perms (the full
##	service permission set) on it, plus ps-style process access to
##	ipsec_mgmt_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`ipsec_mgmt_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `ipsec_mgmt_systemctl'($*)) dnl
gen_require(`
	type ipsec_mgmt_unit_file_t;
	type ipsec_mgmt_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 ipsec_mgmt_unit_file_t:file read_file_perms;
allow $1 ipsec_mgmt_unit_file_t:service manage_service_perms;
ps_process_pattern($1, ipsec_mgmt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `ipsec_mgmt_systemctl'($*)) dnl
')

## <summary>Policy for iptables.</summary>

########################################
## <summary>
##	Execute iptables in the iptables domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`iptables_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_domtrans'($*)) dnl
gen_require(`
	type iptables_t, iptables_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, iptables_exec_t, iptables_t)
dnl map is granted on the executable in addition to the domtrans pattern.
allow $1 iptables_exec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute iptables in the iptables domain, and
##	allow the specified role the iptables domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`iptables_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_run'($*)) dnl
gen_require(`
	attribute_role iptables_roles;
')
iptables_domtrans($1)
roleattribute $2 iptables_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_run'($*)) dnl
')

########################################
## <summary>
##	Execute iptables in the caller domain.
## </summary>
## <desc>
##	<p>
##	No domain transition: iptables runs with the full privileges of
##	the caller. Prefer iptables_domtrans where confinement matters.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`iptables_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_exec'($*)) dnl
gen_require(`
	type iptables_exec_t;
')
corecmd_search_bin($1)
can_exec($1, iptables_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_exec'($*)) dnl
')

#####################################
## <summary>
##	Execute the iptables init script via a labeled
##	init script domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`iptables_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_initrc_domtrans'($*)) dnl
gen_require(`
	type iptables_initrc_exec_t;
')
init_labeled_script_domtrans($1, iptables_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_initrc_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl to manage the iptables service.
## </summary>
## <desc>
##	<p>
##	Allows running systemctl, reloading init services, reading the
##	iptables unit file and granting manage_service_perms (the full
##	service permission set) on it, plus ps-style process access to
##	iptables_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`iptables_systemctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_systemctl'($*)) dnl
gen_require(`
	type iptables_unit_file_t;
	type iptables_t;
')
systemd_exec_systemctl($1)
init_reload_services($1)
allow $1 iptables_unit_file_t:file read_file_perms;
allow $1 iptables_unit_file_t:service manage_service_perms;
ps_process_pattern($1, iptables_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_systemctl'($*)) dnl
')

#####################################
## <summary>
##	Set the attributes of iptables config files.
## </summary>
## <desc>
##	<p>
##	setattr only; no read or write access to the file contents.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`iptables_setattr_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_setattr_config'($*)) dnl
gen_require(`
	type iptables_conf_t;
')
files_search_etc($1)
allow $1 iptables_conf_t:file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_setattr_config'($*)) dnl
')

#####################################
## <summary>
##	Read iptables config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`iptables_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_read_config'($*)) dnl
gen_require(`
	type iptables_conf_t;
')
files_search_etc($1)
allow $1 iptables_conf_t:dir list_dir_perms;
read_files_pattern($1, iptables_conf_t, iptables_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_read_config'($*)) dnl
')

#####################################
## <summary>
##	Create files in /etc with the type used for
##	the iptables config files.
## </summary>
## <desc>
##	<p>
##	Type transition only; write access to iptables_conf_t comes
##	from iptables_manage_config.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`iptables_etc_filetrans_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_etc_filetrans_config'($*)) dnl
gen_require(`
	type iptables_conf_t;
')
files_etc_filetrans($1, iptables_conf_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_etc_filetrans_config'($*)) dnl
')

###################################
## <summary>
##	Manage iptables config files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`iptables_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_manage_config'($*)) dnl
gen_require(`
	type iptables_conf_t;
	type etc_t;
')
dnl NOTE: etc_t is required above but not referenced by any rule here.
files_search_etc($1)
manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_manage_config'($*)) dnl
')

########################################
## <summary>
##	Transition to iptables named content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`iptables_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_filetrans_named_content'($*)) dnl
gen_require(`
	type iptables_var_run_t;
')
dnl Named transition for the xtables lock file only.
files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_filetrans_named_content'($*)) dnl
')

#####################################
## <summary>
##	Read iptables run files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`iptables_read_var_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `iptables_read_var_run'($*)) dnl
gen_require(`
	type iptables_var_run_t;
')
allow $1 iptables_var_run_t:dir list_dir_perms;
read_files_pattern($1, iptables_var_run_t, iptables_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `iptables_read_var_run'($*)) dnl
')

## <summary>Policy for system libraries.</summary>

########################################
## <summary>
##	Execute ldconfig in the ldconfig domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`libs_domtrans_ldconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_domtrans_ldconfig'($*)) dnl
gen_require(`
	type ldconfig_t, ldconfig_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, ldconfig_exec_t, ldconfig_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_domtrans_ldconfig'($*)) dnl
')

########################################
## <summary>
##	Execute ldconfig in the ldconfig domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the ldconfig domain.
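##	</summary>
## </param>
## <rolecap/>
#
define(`libs_run_ldconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_run_ldconfig'($*)) dnl
	gen_require(`
		type ldconfig_t;
	')

	libs_domtrans_ldconfig($1)
	# $2 is the role that may hold the ldconfig domain
	role $2 types ldconfig_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_run_ldconfig'($*)) dnl
')

########################################
## <summary>
##	Execute ldconfig in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`libs_exec_ldconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_exec_ldconfig'($*)) dnl
	gen_require(`
		type ldconfig_exec_t;
	')

	corecmd_search_bin($1)
	# no domain transition: ldconfig runs with the privileges of $1
	can_exec($1, ldconfig_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_exec_ldconfig'($*)) dnl
')

########################################
## <summary>
##	Make ldconfig_exec_t entrypoint for
##	the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	The domain for which ldconfig_exec_t is an entrypoint.
##	</summary>
## </param>
#
define(`libs_ldconfig_exec_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_ldconfig_exec_entry_type'($*)) dnl
	gen_require(`
		type ldconfig_exec_t;
	')

	domain_entry_file($1, ldconfig_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_ldconfig_exec_entry_type'($*)) dnl
')

########################################
## <summary>
##	Use the dynamic link/loader for automatic loading
##	of shared libraries.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.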
##	</summary>
## </param>
#
define(`libs_use_ld_so',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_use_ld_so'($*)) dnl
	gen_require(`
		type lib_t, ld_so_t, ld_so_cache_t;
	')

	# ld.so.cache sits in /etc; the loader itself and its symlinks are in lib dirs
	files_list_etc($1)
	allow $1 ld_so_cache_t:file { map read_file_perms };

	allow $1 lib_t:dir list_dir_perms;
	read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
	mmap_exec_files_pattern($1, lib_t, { lib_t ld_so_t })
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_use_ld_so'($*)) dnl
')

########################################
## <summary>
##	Use the dynamic link/loader for automatic loading
##	of shared libraries with legacy support.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`libs_legacy_use_ld_so',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_legacy_use_ld_so'($*)) dnl
	gen_require(`
		type ld_so_t, ld_so_cache_t;
	')

	libs_use_ld_so($1)

	# legacy extras on top of the normal loader access:
	# text relocation of ld.so and executing the cache file
	allow $1 ld_so_t:file execmod;
	allow $1 ld_so_cache_t:file execute;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_legacy_use_ld_so'($*)) dnl
')

########################################
## <summary>
##	Execute the dynamic link/loader in the caller's domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`libs_exec_ld_so',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_exec_ld_so'($*)) dnl
	gen_require(`
		type lib_t, ld_so_t;
	')

	allow $1 lib_t:dir list_dir_perms;
	read_lnk_files_pattern($1, lib_t, { lib_t ld_so_t })
	# plain execute, no domain transition
	exec_files_pattern($1, lib_t, ld_so_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_exec_ld_so'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete the
##	dynamic link/loader.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for prelink
define(`libs_manage_ld_so',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_manage_ld_so'($*)) dnl
	gen_require(`
		type lib_t, ld_so_t;
	')

	manage_files_pattern($1, lib_t, ld_so_t)
	read_lnk_files_pattern($1, lib_t, lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_manage_ld_so'($*)) dnl
')

########################################
## <summary>
##	Relabel to and from the type used for
##	the dynamic link/loader.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for prelink
define(`libs_relabel_ld_so',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_relabel_ld_so'($*)) dnl
	gen_require(`
		type lib_t, ld_so_t;
	')

	# both directions: relabelfrom and relabelto on ld_so_t files
	relabel_files_pattern($1, lib_t, ld_so_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_relabel_ld_so'($*)) dnl
')

########################################
## <summary>
##	Modify the dynamic link/loader's cached listing
##	of shared libraries.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`libs_rw_ld_so_cache',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_rw_ld_so_cache'($*)) dnl
	gen_require(`
		type ld_so_cache_t;
	')

	# read/write only; creating or relabeling the cache is not granted here
	allow $1 ld_so_cache_t:file rw_file_perms;
	files_list_etc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_rw_ld_so_cache'($*)) dnl
')

########################################
## <summary>
##	Search library directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`libs_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_search_lib'($*)) dnl
	gen_require(`
		type lib_t;
	')

	allow $1 lib_t:dir search_dir_perms;
	# lib dirs are commonly reached through symlinks
	read_lnk_files_pattern($1, lib_t, lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_search_lib'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to setattr on library files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`libs_dontaudit_setattr_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_dontaudit_setattr_lib_files'($*)) dnl
	gen_require(`
		type lib_t;
	')

	dontaudit $1 lib_t:file setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_dontaudit_setattr_lib_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to setattr on library directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`libs_dontaudit_setattr_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_dontaudit_setattr_lib_dirs'($*)) dnl
	gen_require(`
		type lib_t;
	')

	dontaudit $1 lib_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_dontaudit_setattr_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write to library directories.
## </summary>
## <desc>
##	<p>

## Do not audit attempts to write to library directories. ## Typically this is used to quiet attempts to recompile ## python byte code. ##

##
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`libs_dontaudit_write_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_dontaudit_write_lib_dirs'($*)) dnl
	gen_require(`
		type lib_t;
	')

	# silence only the write denial; nothing is granted
	dontaudit $1 lib_t:dir write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_dontaudit_write_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete library directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`libs_manage_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_manage_lib_dirs'($*)) dnl
	gen_require(`
		type lib_t;
	')

	allow $1 lib_t:dir manage_dir_perms;
	read_lnk_files_pattern($1, lib_t, lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Watch library directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`libs_watch_lib_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_watch_lib_dirs'($*)) dnl
	gen_require(`
		type lib_t;
	')

	allow $1 lib_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_watch_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Read files in the library directories, such
##	as static libraries.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`libs_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_read_lib_files'($*)) dnl
	gen_require(`
		type lib_t;
	')

	# /usr must be listable to reach /usr/lib
	files_list_usr($1)

	list_dirs_pattern($1, lib_t, lib_t)
	read_lnk_files_pattern($1, lib_t, lib_t)
	read_files_pattern($1, lib_t, lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Execute library scripts in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`libs_exec_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_exec_lib_files'($*)) dnl
	gen_require(`
		type lib_t;
	')

	files_search_usr($1)
	allow $1 lib_t:dir list_dir_perms;
	read_lnk_files_pattern($1, lib_t, lib_t)
	# execute without a domain transition
	exec_files_pattern($1, lib_t, lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_exec_lib_files'($*)) dnl
')

########################################
## <summary>
##	Load and execute functions from generic
##	lib files as shared libraries.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`libs_use_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_use_lib_files'($*)) dnl
	# deprecated alias: warn, then forward to the replacement interface
	refpolicywarn(`$0($*) has been deprecated, use libs_use_shared_libs() instead.')
	libs_use_shared_libs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_use_lib_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete generic
##	files in library directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for prelink
define(`libs_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_manage_lib_files'($*)) dnl
	gen_require(`
		type lib_t;
	')

	manage_files_pattern($1, lib_t, lib_t)
	read_lnk_files_pattern($1, lib_t, lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Relabel files to the type used in library directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`libs_relabelto_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_relabelto_lib_files'($*)) dnl
	gen_require(`
		type lib_t;
	')

	# one direction only: relabelto lib_t, not relabelfrom
	relabelto_files_pattern($1, lib_t, lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_relabelto_lib_files'($*)) dnl
')

########################################
## <summary>
##	Relabel to and from the type used
##	for generic lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for prelink
define(`libs_relabel_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_relabel_lib_files'($*)) dnl
	gen_require(`
		type lib_t;
	')

	relabel_files_pattern($1, lib_t, lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_relabel_lib_files'($*)) dnl
')

########################################
## <summary>
##	Delete generic symlinks in library directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
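##	</summary>
## </param>
#
# cjp: added for prelink
define(`libs_delete_lib_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_delete_lib_symlinks'($*)) dnl
	gen_require(`
		type lib_t;
	')

	delete_lnk_files_pattern($1, lib_t, lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_delete_lib_symlinks'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete shared libraries.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for prelink
define(`libs_manage_shared_libs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_manage_shared_libs'($*)) dnl
	gen_require(`
		type lib_t, textrel_shlib_t;
	')

	read_lnk_files_pattern($1, lib_t, lib_t)
	# shared libraries may carry either label, in either directory type
	manage_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_manage_shared_libs'($*)) dnl
')

########################################
## <summary>
##	Load and execute functions from shared libraries.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`libs_use_shared_libs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_use_shared_libs'($*)) dnl
	gen_require(`
		type lib_t, textrel_shlib_t;
	')

	files_search_usr($1)
	allow $1 { textrel_shlib_t lib_t }:dir list_dir_perms;
	read_lnk_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
	mmap_exec_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })

	# execmod (text relocation) is granted only for libraries explicitly
	# labeled textrel_shlib_t; plain lib_t execmod is the legacy interface
	allow $1 textrel_shlib_t:file execmod;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_use_shared_libs'($*)) dnl
')

########################################
## <summary>
##	Load and execute functions from shared libraries,
##	with legacy support.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.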
##	</summary>
## </param>
#
define(`libs_legacy_use_shared_libs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_legacy_use_shared_libs'($*)) dnl
	gen_require(`
		type lib_t;
	')

	libs_use_shared_libs($1)
	# legacy: text relocations on any lib_t file, not just textrel_shlib_t
	allow $1 lib_t:file execmod;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_legacy_use_shared_libs'($*)) dnl
')

########################################
## <summary>
##	Relabel to and from the type used for
##	shared libraries.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for prelink
define(`libs_relabel_shared_libs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_relabel_shared_libs'($*)) dnl
	gen_require(`
		type lib_t, textrel_shlib_t;
	')

	relabel_files_pattern($1, { textrel_shlib_t lib_t }, { lib_t textrel_shlib_t })
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_relabel_shared_libs'($*)) dnl
')

########################################
## <summary>
##	Create an object in lib directories, with
##	the shared libraries type using a type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class of the object being created.
##	</summary>
## </param>
#
define(`lib_filetrans_shared_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `lib_filetrans_shared_lib'($*)) dnl
	# deprecated: emits a warning and grants nothing
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `lib_filetrans_shared_lib'($*)) dnl
')

########################################
## <summary>
##	Create an object in lib directories, with
##	the shared libraries type using a type transition. (Deprecated)
## </summary>
## <desc>
##	<p>

## Create an object in lib directories, with ## the shared libraries type using a type transition. (Deprecated) ##

##

## lib_filetrans_shared_lib() should be used instead. ##

##
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The object class of the object being created.
##	</summary>
## </param>
#
define(`files_lib_filetrans_shared_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `files_lib_filetrans_shared_lib'($*)) dnl
	# deprecated: emits a warning and grants nothing
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `files_lib_filetrans_shared_lib'($*)) dnl
')

########################################
## <summary>
##	Transition to lib named content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`libs_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `libs_filetrans_named_content'($*)) dnl
	gen_require(`
		type ld_so_cache_t;
		type ldconfig_cache_t;
	')

	# the ldconfig cache directory under /var
	files_var_filetrans($1, ldconfig_cache_t, dir, "ldconfig")

	# ld.so cache and preload files in /etc, including the editor backups
	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache")
	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")
	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload")
	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `libs_filetrans_named_content'($*)) dnl
')

## <summary>Policy for local logins.</summary>

########################################
## <summary>
##	Execute local logins in the local login domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`locallogin_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locallogin_domtrans'($*)) dnl
	gen_require(`
		type local_login_t;
	')

	auth_domtrans_login_program($1, local_login_t)

	# with MCS the login program may transition across the full category range
	ifdef(`enable_mcs',`
		auth_ranged_domtrans_login_program($1, local_login_t, s0 - mcs_systemhigh)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locallogin_domtrans'($*)) dnl
')

########################################
## <summary>
##	Allow processes to inherit local login file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`locallogin_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locallogin_use_fds'($*)) dnl
	gen_require(`
		type local_login_t;
	')

	allow $1 local_login_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locallogin_use_fds'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to inherit local login file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`locallogin_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locallogin_dontaudit_use_fds'($*)) dnl
	gen_require(`
		type local_login_t;
	')

	dontaudit $1 local_login_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locallogin_dontaudit_use_fds'($*)) dnl
')

########################################
## <summary>
##	Send a null signal to local login processes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`locallogin_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locallogin_signull'($*)) dnl
	gen_require(`
		type local_login_t;
	')

	# signull only checks for process existence; no other signal is granted
	allow $1 local_login_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locallogin_signull'($*)) dnl
')

########################################
## <summary>
##	Search the local login key ring.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`locallogin_search_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locallogin_search_keys'($*)) dnl
	gen_require(`
		type local_login_t;
	')

	allow $1 local_login_t:key search;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locallogin_search_keys'($*)) dnl
')

########################################
## <summary>
##	Allow link to the local_login key ring.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
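##	</summary>
## </param>
#
define(`locallogin_link_keys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locallogin_link_keys'($*)) dnl
	gen_require(`
		type local_login_t;
	')

	allow $1 local_login_t:key link;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locallogin_link_keys'($*)) dnl
')

########################################
## <summary>
##	Execute sulogin in the sulogin domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`locallogin_domtrans_sulogin',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locallogin_domtrans_sulogin'($*)) dnl
	gen_require(`
		type sulogin_exec_t, sulogin_t;
	')

	# unlike locallogin_domtrans(), this is a plain domain transition
	# and does not go through the auth login-program interfaces
	domtrans_pattern($1, sulogin_exec_t, sulogin_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locallogin_domtrans_sulogin'($*)) dnl
')

#######################################
## <summary>
##	Allow domain to getattr local login home content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`locallogin_getattr_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locallogin_getattr_home_content'($*)) dnl
	gen_require(`
		type local_login_home_t;
	')

	getattr_files_pattern($1, local_login_home_t, local_login_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locallogin_getattr_home_content'($*)) dnl
')

########################################
## <summary>
##	Create local login content in the /root directory
##	with the correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.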
##	</summary>
## </param>
#
define(`locallogin_filetrans_admin_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locallogin_filetrans_admin_home_content'($*)) dnl
	gen_require(`
		type local_login_home_t;
	')

	# only the .hushlogin file in the admin home gets the local login label
	userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locallogin_filetrans_admin_home_content'($*)) dnl
')

########################################
## <summary>
##	Transition to local login named content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`locallogin_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `locallogin_filetrans_home_content'($*)) dnl
	gen_require(`
		type local_login_home_t;
	')

	# .hushlogin in both user home directories and the admin home
	userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
	userdom_user_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `locallogin_filetrans_home_content'($*)) dnl
')

## <summary>Policy for the kernel message logger and system logging daemon.</summary>

########################################
## <summary>
##	Make the specified type usable for log files
##	in a filesystem.
## </summary>
## <desc>
##	<p>

## Make the specified type usable for log files in a filesystem. ## This will also make the type usable for files, making ## calls to files_type() redundant. Failure to use this interface ## for a log file type may result in problems with log ## rotation, log analysis, and log monitoring programs. ##

##

## Related interfaces: ##

##
##	<li>logging_log_filetrans()</li>
##

## Example usage with a domain that can create ## and append to a private log file stored in the ## general directories (e.g., /var/log): ##

##

## type mylogfile_t; ## logging_log_file(mylogfile_t) ## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; ## logging_log_filetrans(mydomain_t, mylogfile_t, file) ##

##
## <param name="type">
##	<summary>
##	Type to be used for files.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`logging_log_file',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_log_file'($*)) dnl
	gen_require(`
		attribute logfile;
	')

	# membership in logfile is what log rotation/analysis policy keys on
	typeattribute $1 logfile;

	files_type($1)
	files_associate_tmp($1)
	fs_associate_tmpfs($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_log_file'($*)) dnl
')

#######################################
## <summary>
##	Send audit messages.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`logging_send_audit_msgs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_send_audit_msgs'($*)) dnl
	# audit_write is the capability gating user-space audit records
	allow $1 self:capability audit_write;
	allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay nlmsg_tty_audit };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_send_audit_msgs'($*)) dnl
')

#######################################
## <summary>
##	Do not audit attempts to send audit messages.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`logging_dontaudit_send_audit_msgs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_dontaudit_send_audit_msgs'($*)) dnl
	dontaudit $1 self:capability audit_write;
	dontaudit $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_dontaudit_send_audit_msgs'($*)) dnl
')

########################################
## <summary>
##	Create netlink audit socket
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`logging_create_syslog_netlink_audit_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_create_syslog_netlink_audit_socket'($*)) dnl
	gen_require(`
		type syslogd_t;
	')

	# the socket is labeled syslogd_t, not the caller's own type
	allow $1 syslogd_t:netlink_audit_socket create_netlink_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_create_syslog_netlink_audit_socket'($*)) dnl
')

########################################
## <summary>
##	Set the login uid.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`logging_set_loginuid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_set_loginuid'($*)) dnl
	# audit_control rather than audit_write: setting loginuid changes audit state
	allow $1 self:capability audit_control;
	allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_set_loginuid'($*)) dnl
')

########################################
## <summary>
##	Set tty auditing.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`logging_set_tty_audit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_set_tty_audit'($*)) dnl
	allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_tty_audit };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_set_tty_audit'($*)) dnl
')

########################################
## <summary>
##	Set up audit.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
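##	</summary>
## </param>
#
define(`logging_set_audit_parameters',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_set_audit_parameters'($*)) dnl
	# both capabilities: writing records and reconfiguring the audit subsystem
	allow $1 self:capability { audit_write audit_control };
	allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_set_audit_parameters'($*)) dnl
')

########################################
## <summary>
##	Read the audit log.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`logging_read_audit_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_read_audit_log'($*)) dnl
	gen_require(`
		type auditd_log_t;
	')

	files_search_var($1)
	allow $1 auditd_log_t:dir list_dir_perms;
	read_files_pattern($1, auditd_log_t, auditd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_read_audit_log'($*)) dnl
')

########################################
## <summary>
##	Watch the audit log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`logging_watch_audit_log_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_watch_audit_log_files'($*)) dnl
	gen_require(`
		type auditd_log_t;
	')

	# var_log_t is not referenced here (unlike logging_watch_audit_log_dirs),
	# so it is not required
	watch_files_pattern($1, auditd_log_t, auditd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_watch_audit_log_files'($*)) dnl
')

########################################
## <summary>
##	Watch the audit log directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.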
##	</summary>
## </param>
## <rolecap/>
#
define(`logging_watch_audit_log_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_watch_audit_log_dirs'($*)) dnl
	gen_require(`
		type var_log_t, auditd_log_t;
	')

	# reach /var/log/audit through the generic log directory
	allow $1 var_log_t:dir search_dir_perms;
	watch_dirs_pattern($1, auditd_log_t, auditd_log_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_watch_audit_log_dirs'($*)) dnl
')

########################################
## <summary>
##	Map the audit log.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`logging_map_audit_log',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_map_audit_log'($*)) dnl
	gen_require(`
		type auditd_log_t;
	')

	# map only; read access comes from logging_read_audit_log()
	allow $1 auditd_log_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_map_audit_log'($*)) dnl
')

########################################
## <summary>
##	Execute auditctl in the auditctl domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`logging_domtrans_auditctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_domtrans_auditctl'($*)) dnl
	gen_require(`
		type auditctl_t, auditctl_exec_t;
	')

	domtrans_pattern($1, auditctl_exec_t, auditctl_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_domtrans_auditctl'($*)) dnl
')

########################################
## <summary>
##	Execute auditctl in the auditctl domain, and
##	allow the specified role the auditctl domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
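##	</summary>
## </param>
## <rolecap/>
#
define(`logging_run_auditctl',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_run_auditctl'($*)) dnl
	gen_require(`
		type auditctl_t;
	')

	logging_domtrans_auditctl($1)
	# $2 is the role permitted to hold the auditctl domain
	role $2 types auditctl_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_run_auditctl'($*)) dnl
')

########################################
## <summary>
##	Execute auditd in the auditd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`logging_domtrans_auditd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_domtrans_auditd'($*)) dnl
	gen_require(`
		type auditd_t, auditd_exec_t;
	')

	domtrans_pattern($1, auditd_exec_t, auditd_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_domtrans_auditd'($*)) dnl
')

########################################
## <summary>
##	Execute auditd in the auditd domain, and
##	allow the specified role the auditd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`logging_run_auditd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_run_auditd'($*)) dnl
	gen_require(`
		type auditd_t;
	')

	logging_domtrans_auditd($1)
	# $2 is the role permitted to hold the auditd domain
	role $2 types auditd_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_run_auditd'($*)) dnl
')

########################################
## <summary>
##	Connect to auditd over a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.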
##	</summary>
## </param>
#
define(`logging_stream_connect_auditd',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_stream_connect_auditd'($*)) dnl
	# deprecated alias: warn, then forward to the dispatcher interface
	refpolicywarn(`$0($*) has been deprecated, logging_stream_connect_dispatcher() should be used instead.')
	logging_stream_connect_dispatcher($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_stream_connect_auditd'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run the audit dispatcher.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`logging_domtrans_dispatcher',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_domtrans_dispatcher'($*)) dnl
	gen_require(`
		type audisp_t, audisp_exec_t;
	')

	domtrans_pattern($1, audisp_exec_t, audisp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_domtrans_dispatcher'($*)) dnl
')

########################################
## <summary>
##	Signal the audit dispatcher.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`logging_signal_dispatcher',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `logging_signal_dispatcher'($*)) dnl
	gen_require(`
		type audisp_t;
	')

	# generic signal only; sigkill/sigstop are not included
	allow $1 audisp_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `logging_signal_dispatcher'($*)) dnl
')

########################################
## <summary>
##	Create a domain for processes
##	which can be started by the system audit dispatcher
## </summary>
## <param name="domain">
##	<summary>
##	Type to be used as a domain.
##	</summary>
## </param>
## <param name="entry_point">
##	<summary>
##	Type of the program to be used as an entry point to this domain.
## ##
#
# The new domain $1 is a system_r daemon domain entered only through $2,
# and only audisp_t and auditd_t are given the transition into it. The
# dispatcher may signal/kill it; $1 gets read/write on the dispatcher's
# unix stream socket.
define(`logging_dispatcher_domain',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_dispatcher_domain'($*)) dnl
	gen_require(`
		type audisp_t;
		type auditd_t;
		role system_r;
	')

	domain_type($1)
	domain_entry_file($1, $2)
	role system_r types $1;
	domtrans_pattern(audisp_t, $2, $1)
	domtrans_pattern(auditd_t, $2, $1)
	allow audisp_t $1:process { sigkill sigstop signull signal };
	allow audisp_t $2:file getattr;
	allow $1 audisp_t:unix_stream_socket rw_socket_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_dispatcher_domain'($*)) dnl
')

########################################
## ## Connect to the audit dispatcher over a unix stream socket.
## ## ## ## Domain allowed access.
## ##
#
define(`logging_stream_connect_dispatcher',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_stream_connect_dispatcher'($*)) dnl
	gen_require(`
		type audisp_t, audisp_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, audisp_var_run_t, audisp_var_run_t, audisp_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_stream_connect_dispatcher'($*)) dnl
')

########################################
## ## Manage the auditd configuration files.
## ## ## ## Domain allowed access.
## ## ##
#
# Write access to auditd_etc_t lets $1 change what the audit subsystem
# records; grant only to audit administration domains.
define(`logging_manage_audit_config',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_manage_audit_config'($*)) dnl
	gen_require(`
		type auditd_etc_t;
	')

	files_search_etc($1)
	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_manage_audit_config'($*)) dnl
')

########################################
## ## Manage the audit log.
## ## ## ## Domain allowed access.
## ## ##
#
# Full create/delete on auditd_log_t dirs and files: a domain with this
# access can truncate or remove the audit trail.
define(`logging_manage_audit_log',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_manage_audit_log'($*)) dnl
	gen_require(`
		type auditd_log_t;
	')

	files_search_var($1)
	manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
	manage_files_pattern($1, auditd_log_t, auditd_log_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_manage_audit_log'($*)) dnl
')

########################################
## ## Execute klogd in the klog domain.
## ## ## ## Domain allowed to transition.
## ##
#
define(`logging_domtrans_klog',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_domtrans_klog'($*)) dnl
	gen_require(`
		type klogd_t, klogd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, klogd_exec_t, klogd_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_domtrans_klog'($*)) dnl
')

########################################
## ## Check if syslogd is executable.
## ## ## ## Domain allowed access.
## ##
#
# Grants file:execute only (no execute_no_trans, no domain transition), so
# this does not let $1 run syslogd in its own domain.
define(`logging_check_exec_syslog',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_check_exec_syslog'($*)) dnl
	gen_require(`
		type syslogd_exec_t;
	')

	corecmd_list_bin($1)
	corecmd_read_bin_symlinks($1)
	allow $1 syslogd_exec_t:file execute;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_check_exec_syslog'($*)) dnl
')

########################################
## ## Execute syslogd in the syslog domain.
## ## ## ## Domain allowed to transition.
## ##
#
define(`logging_domtrans_syslog',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_domtrans_syslog'($*)) dnl
	gen_require(`
		type syslogd_t, syslogd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, syslogd_exec_t, syslogd_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_domtrans_syslog'($*)) dnl
')

########################################
## ## Create an object in the log directory, with a private type.
## ## ##

## Allow the specified domain to create an object ## in the general system log directories (e.g., /var/log) ## with a private type. Typically this is used for creating ## private log files in /var/log with the private type instead ## of the general system log type. To accomplish this goal, ## either the program must be SELinux-aware, or use this interface. ##

##

## Related interfaces: ##

##
    ##
  • logging_log_file()
  • ##
##

## Example usage with a domain that can create ## and append to a private log file stored in the ## general directories (e.g., /var/log): ##

##

## type mylogfile_t; ## logging_log_file(mylogfile_t) ## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; ## logging_log_filetrans(mydomain_t, mylogfile_t, file) ##

##
## ## ## Domain allowed access.
## ## ## ## ## The type of the object to be created.
## ## ## ## ## The object class of the object being created.
## ## ## ## ## The name of the object being created.
## ## ##
#
# $4 (object name) is passed through to filetrans_pattern; when omitted
# the transition applies to every object of class $3 created in var_log_t.
define(`logging_log_filetrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_log_filetrans'($*)) dnl
	gen_require(`
		type var_log_t;
	')

	files_search_var($1)
	filetrans_pattern($1, var_log_t, $2, $3, $4)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_log_filetrans'($*)) dnl
')

#######################################
## ## Create an object in the log directory, with a private type.
## ## ##

## Allow the specified domain to create an object ## in the general system log directories (e.g., /var/log) ## with a private type. Typically this is used for creating ## private log files in /var/log with the private type instead ## of the general system log type. To accomplish this goal, ## either the program must be SELinux-aware, or use this interface. ##

##

## Related interfaces: ##

##
    ##
  • logging_log_file()
  • ##
##

## Example usage with a domain that can create ## and append to a private log file stored in the ## general directories (e.g., /var/log): ##

##

## type mylogfile_t; ## logging_log_file(mylogfile_t) ## allow mydomain_t mylogfile_t:file { create_file_perms append_file_perms }; ## logging_log_filetrans(mydomain_t, mylogfile_t, file) ##

##
## ## ## Domain allowed access.
## ## ## ## ## The type of the object to be created.
## ## ## ## ## The object class of the object being created.
## ## ## ## ## The name of the object being created.
## ## ##
#
# Body is identical to logging_log_filetrans() (same var_log_t transition,
# same optional name $4); kept as a separate name for existing callers.
define(`logging_log_named_filetrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_log_named_filetrans'($*)) dnl
	gen_require(`
		type var_log_t;
	')

	files_search_var($1)
	filetrans_pattern($1, var_log_t, $2, $3, $4)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_log_named_filetrans'($*)) dnl
')

########################################
## ## Send system log messages.
## ## ##

## Allow the specified domain to connect to the ## system log service (syslog), to send messages to be added to ## the system logs. Typically this is used by services ## that do not have their own log file in /var/log. ##

##

## This does not allow messages to be sent to ## the auditing system. ##

##

## Programs which use the libc function syslog() will ## require this access. ##

##

## Related interfaces: ##

##
    ##
  • logging_send_audit_msgs()
  • ##
##
## ## ## Domain allowed access.
## ##
#
# Implemented by adding $1 to the syslog_client_type attribute; the actual
# socket rules live wherever that attribute is granted access.
define(`logging_send_syslog_msg',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_send_syslog_msg'($*)) dnl
	gen_require(`
		attribute syslog_client_type;
	')

	typeattribute $1 syslog_client_type;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_send_syslog_msg'($*)) dnl
')

########################################
## ## Create the devlog_t link and socket files ("log" under the
## device directory, "syslog" and "dev-log" under the pid directories)
## with their type transitions.
## ## ## ## Domain allowed access.
## ##
#
# Whoever owns these objects controls where syslog clients connect; the
# interface is intended for the syslog daemon itself.
define(`logging_create_devlog_dev',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_create_devlog_dev'($*)) dnl
	gen_require(`
		type devlog_t;
	')

	allow $1 devlog_t:lnk_file manage_lnk_file_perms;
	allow $1 devlog_t:sock_file manage_sock_file_perms;
	dev_filetrans($1, devlog_t, lnk_file, "log")
	init_pid_filetrans($1, devlog_t, sock_file, "syslog")
	logging_syslogd_pid_filetrans($1, devlog_t, sock_file, "dev-log")
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_create_devlog_dev'($*)) dnl
')

########################################
## ## Relabel the devlog sock_file.
## ## ## ## Domain allowed access.
## ##
#
define(`logging_relabel_devlog_dev',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_relabel_devlog_dev'($*)) dnl
	gen_require(`
		type devlog_t;
	')

	allow $1 devlog_t:sock_file relabel_sock_file_perms;
	allow $1 devlog_t:lnk_file relabelto_lnk_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_relabel_devlog_dev'($*)) dnl
')

########################################
## ## Allow domain to read the syslog pid files.
## ## ## ## Domain allowed access.
## ##
#
define(`logging_read_syslog_pid',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_read_syslog_pid'($*)) dnl
	gen_require(`
		type syslogd_var_run_t;
	')

	read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
	list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_read_syslog_pid'($*)) dnl
')

########################################
## ## Relabel the syslog pid sock_file.
## ## ## ## Domain allowed access.
## ##
#
define(`logging_relabel_syslog_pid_socket',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_relabel_syslog_pid_socket'($*)) dnl
	gen_require(`
		type syslogd_var_run_t;
	')

	allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_relabel_syslog_pid_socket'($*)) dnl
')

########################################
## ## Connect to the syslog control unix stream socket.
## ## ## ## Domain allowed access.
## ##
#
define(`logging_stream_connect_syslog',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_stream_connect_syslog'($*)) dnl
	gen_require(`
		type syslogd_t, syslogd_var_run_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, syslogd_var_run_t, syslogd_var_run_t, syslogd_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_stream_connect_syslog'($*)) dnl
')

########################################
## ## Read the auditd configuration files.
## ## ## ## Domain allowed access.
## ## ##
#
define(`logging_read_audit_config',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_read_audit_config'($*)) dnl
	gen_require(`
		type auditd_etc_t;
	')

	files_search_etc($1)
	read_files_pattern($1, auditd_etc_t, auditd_etc_t)
	allow $1 auditd_etc_t:dir list_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_read_audit_config'($*)) dnl
')

########################################
## ## Map the auditd configuration files.
## ## ## ## Domain allowed access.
## ## ##
#
# Grants only file:map; pair with logging_read_audit_config() if the
# caller also needs open/read.
define(`logging_map_audit_config',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_map_audit_config'($*)) dnl
	gen_require(`
		type auditd_etc_t;
	')

	allow $1 auditd_etc_t:file map;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_map_audit_config'($*)) dnl
')

########################################
## ## dontaudit search of auditd log files.
## ## ## ## Domain to not audit.
## ## ##
#
define(`logging_dontaudit_search_audit_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_dontaudit_search_audit_logs'($*)) dnl
	gen_require(`
		type auditd_log_t;
	')

	dontaudit $1 auditd_log_t:dir search_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_dontaudit_search_audit_logs'($*)) dnl
')

########################################
## ## dontaudit search of auditd configuration files.
## ## ## ## Domain to not audit.
## ## ##
#
define(`logging_dontaudit_search_audit_config',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_dontaudit_search_audit_config'($*)) dnl
	gen_require(`
		type auditd_etc_t;
	')

	dontaudit $1 auditd_etc_t:dir search_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_dontaudit_search_audit_config'($*)) dnl
')

########################################
## ## Read syslog configuration files.
## ## ## ## Domain allowed access.
## ## ##
#
define(`logging_read_syslog_config',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_read_syslog_config'($*)) dnl
	gen_require(`
		type syslog_conf_t;
	')

	allow $1 syslog_conf_t:file read_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_read_syslog_config'($*)) dnl
')

########################################
## ## Manage syslog configuration files.
## ## ## ## Domain allowed access.
## ## ##
#
# Write access to syslog_conf_t lets $1 redirect or drop system log
# output; grant only to log administration domains.
define(`logging_manage_syslog_config',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_manage_syslog_config'($*)) dnl
	gen_require(`
		type syslog_conf_t;
	')

	manage_files_pattern($1, syslog_conf_t, syslog_conf_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_manage_syslog_config'($*)) dnl
')

########################################
## ## Allows the domain to open a file in the
## log directory, but does not allow the listing
## of the contents of the log directory.
## ## ## ## Domain allowed access.
## ##
#
define(`logging_search_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_search_logs'($*)) dnl
	gen_require(`
		type var_log_t;
	')

	files_search_var($1)
	allow $1 var_log_t:dir search_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_search_logs'($*)) dnl
')

#######################################
## ## Do not audit attempts to search the var log directory.
## ## ## ## Domain not to audit.
## ##
#
define(`logging_dontaudit_search_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_dontaudit_search_logs'($*)) dnl
	gen_require(`
		type var_log_t;
	')

	dontaudit $1 var_log_t:dir search_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_dontaudit_search_logs'($*)) dnl
')

#######################################
## ## List the contents of the generic log directory (/var/log).
## ## ## ## Domain allowed access.
## ##
#
define(`logging_list_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_list_logs'($*)) dnl
	gen_require(`
		type var_log_t;
	')

	files_search_var($1)
	allow $1 var_log_t:dir list_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_list_logs'($*)) dnl
')

#######################################
## ## Read and write the generic log directory (/var/log).
## ## ## ## Domain allowed access.
## ##
#
define(`logging_rw_generic_log_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_rw_generic_log_dirs'($*)) dnl
	gen_require(`
		type var_log_t;
	')

	files_search_var($1)
	allow $1 var_log_t:dir rw_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_rw_generic_log_dirs'($*)) dnl
')

#######################################
## ## Watch the generic log directory (/var/log).
## ## ## ## Domain allowed access.
## ##
#
define(`logging_watch_generic_log_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_watch_generic_log_dirs'($*)) dnl
	gen_require(`
		type var_log_t;
	')

	files_search_var($1)
	allow $1 var_log_t:dir watch_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_watch_generic_log_dirs'($*)) dnl
')

#######################################
## ## Search through all log dirs.
## ## ## ## Domain allowed access.
## ## ##
#
# Applies to the whole logfile attribute, i.e. every log type, not just
# var_log_t.
define(`logging_search_all_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_search_all_logs'($*)) dnl
	gen_require(`
		attribute logfile;
	')

	allow $1 logfile:dir search_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_search_all_logs'($*)) dnl
')

#######################################
## ## Set attributes on all log dirs.
## ## ## ## Domain allowed access.
## ## ##
#
define(`logging_setattr_all_log_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_setattr_all_log_dirs'($*)) dnl
	gen_require(`
		attribute logfile;
	')

	allow $1 logfile:dir setattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_setattr_all_log_dirs'($*)) dnl
')

#######################################
## ## Relabel on all log dirs.
## ## ## ## Domain allowed access.
## ## ##
#
# relabelfrom/relabelto between any two logfile types: a domain with this
# can move a log directory out of a more restricted log type.
define(`logging_relabel_all_log_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_relabel_all_log_dirs'($*)) dnl
	gen_require(`
		attribute logfile;
	')

	relabel_dirs_pattern($1, logfile, logfile)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_relabel_all_log_dirs'($*)) dnl
')

########################################
## ## Do not audit attempts to get the attributes
## of any log files.
## ## ## ## Domain to not audit.
## ##
#
define(`logging_dontaudit_getattr_all_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_dontaudit_getattr_all_logs'($*)) dnl
	gen_require(`
		attribute logfile;
	')

	dontaudit $1 logfile:file getattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_dontaudit_getattr_all_logs'($*)) dnl
')

########################################
## ## Read the attributes of any log file
## ## ## ## Domain allowed access
## ##
#
define(`logging_getattr_all_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_getattr_all_logs'($*)) dnl
	gen_require(`
		attribute logfile;
	')

	allow $1 logfile:file getattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_getattr_all_logs'($*)) dnl
')

########################################
## ## Append to all log files.
## ## ## ## Domain allowed access.
## ##
#
# var_log_t is required but not referenced directly by the rules below.
define(`logging_append_all_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_append_all_logs'($*)) dnl
	gen_require(`
		attribute logfile;
		type var_log_t;
	')

	files_search_var($1)
	append_files_pattern($1, logfile, logfile)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_append_all_logs'($*)) dnl
')

########################################
## ## Append to all log files via an inherited file descriptor;
## no directory search is granted.
## ## ## ## Domain allowed access.
## ##
#
# Only the permissions needed on an already-open descriptor are granted
# (getattr/append/ioctl/lock); no open, read or directory access.
define(`logging_inherit_append_all_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_inherit_append_all_logs'($*)) dnl
	gen_require(`
		attribute logfile;
	')

	allow $1 logfile:file { getattr append ioctl lock };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_inherit_append_all_logs'($*)) dnl
')

########################################
## ## Read all log files.
## ## ## ## Domain allowed access.
## ## ##
#
# Covers every logfile type, including audit logs; this is broad
# disclosure access and also includes file:map.
define(`logging_read_all_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_read_all_logs'($*)) dnl
	gen_require(`
		attribute logfile;
	')

	files_search_var($1)
	allow $1 logfile:dir list_dir_perms;
	allow $1 logfile:file map;
	read_files_pattern($1, logfile, logfile)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_read_all_logs'($*)) dnl
')

########################################
## ## Execute all log files in the caller domain.
## ## ## ## Domain allowed access.
## ##
#
# cjp: not sure why this is needed. This was added
# because of logrotate.
#
# Risk: can_exec over the whole logfile attribute lets $1 execute content
# it does not control (log files are written by many other domains). Keep
# this limited to the logrotate case noted above and prefer a narrower
# type if the real requirement can be identified.
define(`logging_exec_all_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_exec_all_logs'($*)) dnl
	gen_require(`
		attribute logfile;
	')

	files_search_var($1)
	allow $1 logfile:dir list_dir_perms;
	can_exec($1, logfile)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_exec_all_logs'($*)) dnl
')

########################################
## ## read/write to all log files.
## ## ## ## Domain allowed access.
## ##
#
define(`logging_rw_all_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_rw_all_logs'($*)) dnl
	gen_require(`
		attribute logfile;
	')

	files_search_var($1)
	rw_files_pattern($1, logfile, logfile)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_rw_all_logs'($*)) dnl
')

########################################
## ## Create, read, write, and delete all log files.
## ## ## ## Domain allowed access.
## ## ##
#
# Includes unlink on every logfile type (audit logs included), so $1 can
# destroy log evidence; reserve for log administration domains.
define(`logging_manage_all_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_manage_all_logs'($*)) dnl
	gen_require(`
		attribute logfile;
	')

	files_search_var($1)
	manage_dirs_pattern($1, logfile, logfile)
	manage_files_pattern($1, logfile, logfile)
	manage_lnk_files_pattern($1, logfile, logfile)
	allow $1 logfile:file map;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_manage_all_logs'($*)) dnl
')

#######################################
## ## Watch all directories in the path for log directories.
## ## ## ## Domain allowed access.
## ##
#
define(`logging_watch_all_log_dirs_path',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_watch_all_log_dirs_path'($*)) dnl
	gen_require(`
		attribute logfile;
	')

	files_watch_root_dirs($1)
	files_search_var($1)
	files_watch_var_dirs($1)
	allow $1 logfile:dir { search_dir_perms watch_dir_perms };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_watch_all_log_dirs_path'($*)) dnl
')

########################################
## ## Read generic log files.
## ## ## ## Domain allowed access.
## ## ##
#
define(`logging_read_generic_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_read_generic_logs'($*)) dnl
	gen_require(`
		type var_log_t;
	')

	files_search_var($1)
	allow $1 var_log_t:dir list_dir_perms;
	allow $1 var_log_t:file map;
	read_files_pattern($1, var_log_t, var_log_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_read_generic_logs'($*)) dnl
')

########################################
## ## Create generic log files.
## ## ## ## Domain allowed access.
## ## ##
#
# Grants file:create only; directory add_name/search must come from
# another interface (e.g. logging_write_var_log_dirs()).
define(`logging_create_generic_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_create_generic_logs'($*)) dnl
	gen_require(`
		type var_log_t;
	')

	allow $1 var_log_t:file create;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_create_generic_logs'($*)) dnl
')

########################################
## ## Link generic log files.
## ## ## ## Domain allowed access.
## ## ##
#
define(`logging_link_generic_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_link_generic_logs'($*)) dnl
	gen_require(`
		type var_log_t;
	')

	allow $1 var_log_t:file link;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_link_generic_logs'($*)) dnl
')

########################################
## ## Delete generic log files.
## ## ## ## Domain allowed access.
## ## ##
#
define(`logging_delete_generic_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_delete_generic_logs'($*)) dnl
	gen_require(`
		type var_log_t;
	')

	allow $1 var_log_t:file unlink;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_delete_generic_logs'($*)) dnl
')

########################################
## ## Map generic log files.
## ## ## ## Domain allowed access.
## ## ##
#
define(`logging_mmap_generic_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_mmap_generic_logs'($*)) dnl
	gen_require(`
		type var_log_t;
	')

	allow $1 var_log_t:file map;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_mmap_generic_logs'($*)) dnl
')

########################################
## ## Write generic log files.
## ## ## ## Domain allowed access.
## ##
#
define(`logging_write_generic_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_write_generic_logs'($*)) dnl
	gen_require(`
		type var_log_t;
	')

	files_search_var($1)
	allow $1 var_log_t:dir list_dir_perms;
	write_files_pattern($1, var_log_t, var_log_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_write_generic_logs'($*)) dnl
')

########################################
## ## Create, read, write, and delete symbolic
## links in the /var/log directory.
## ## ## ## Domain allowed access.
## ##
#
define(`logging_manage_var_log_symlinks',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_manage_var_log_symlinks'($*)) dnl
	gen_require(`
		type var_log_t;
	')

	manage_lnk_files_pattern($1, var_log_t, var_log_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_manage_var_log_symlinks'($*)) dnl
')

########################################
## ## Allow attempts to write to /var/log
## ## ## ## Domain allowed access.
## ##
#
# dir { setattr write } only; no search/add_name, so callers normally
# combine this with a search or list interface.
define(`logging_write_var_log_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_write_var_log_dirs'($*)) dnl
	gen_require(`
		type var_log_t;
	')

	allow $1 var_log_t:dir { setattr write };
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_write_var_log_dirs'($*)) dnl
')

########################################
## ## Dontaudit read/Write inherited generic log files.
## ## ## ## Domain to not audit.
## ##
#
define(`logging_dontaudit_rw_inherited_generic_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_dontaudit_rw_inherited_generic_logs'($*)) dnl
	gen_require(`
		type var_log_t;
	')

	dontaudit $1 var_log_t:file rw_inherited_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_dontaudit_rw_inherited_generic_logs'($*)) dnl
')

########################################
## ## Dontaudit Write generic log files.
## ## ## ## Domain to not audit.
## ##
#
# Silences the denial only; it does not grant write.
define(`logging_dontaudit_write_generic_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_dontaudit_write_generic_logs'($*)) dnl
	gen_require(`
		type var_log_t;
	')

	dontaudit $1 var_log_t:file write;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_dontaudit_write_generic_logs'($*)) dnl
')

########################################
## ## Read and write generic log files.
## ## ## ## Domain allowed access.
## ##
#
define(`logging_rw_generic_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_rw_generic_logs'($*)) dnl
	gen_require(`
		type var_log_t;
	')

	files_search_var($1)
	allow $1 var_log_t:dir list_dir_perms;
	rw_files_pattern($1, var_log_t, var_log_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_rw_generic_logs'($*)) dnl
')

########################################
## ## Create, read, write, and delete
## generic log files.
## ## ## ## Domain allowed access.
## ## ##
#
define(`logging_manage_generic_logs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_manage_generic_logs'($*)) dnl
	gen_require(`
		type var_log_t;
	')

	files_search_var($1)
	manage_files_pattern($1, var_log_t, var_log_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_manage_generic_logs'($*)) dnl
')

########################################
## ## All of the rules required to administrate
## the audit environment
## ## ## ## Domain allowed access.
## ## ## ## ## User role allowed access.
## ## ##
#
# Full audit administration: signal/ptrace auditd, manage its config, log
# and pid files, run auditctl, start/stop the service and switch role $2
# to system_r through the init script. ptrace on auditd_t is granted only
# while the deny_ptrace tunable is off.
define(`logging_admin_audit',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_admin_audit'($*)) dnl
	gen_require(`
		type auditd_t, auditd_etc_t, auditd_log_t;
		type auditd_var_run_t;
		type auditd_initrc_exec_t;
		type auditd_unit_file_t;
	')

	allow $1 auditd_t:process signal_perms;
	ps_process_pattern($1, auditd_t)
	tunable_policy(`deny_ptrace',`',`
		allow $1 auditd_t:process ptrace;
	')

	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)

	manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
	manage_files_pattern($1, auditd_log_t, auditd_log_t)

	manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
	manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)

	logging_run_auditctl($1, $2)

	init_labeled_script_domtrans($1, auditd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 auditd_initrc_exec_t system_r;
	allow $2 system_r;

	logging_systemctl_audit($1)
	admin_pattern($1, auditd_unit_file_t)
	allow $1 auditd_unit_file_t:service all_service_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_admin_audit'($*)) dnl
')

########################################
## ## Execute systemctl to manage the auditd unit
## (read the unit file, manage the service, read auditd's process state).
## ## ## ## Domain allowed access.
## ##
#
define(`logging_systemctl_audit',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_systemctl_audit'($*)) dnl
	gen_require(`
		type auditd_t;
		type auditd_unit_file_t;
	')

	systemd_exec_systemctl($1)
	allow $1 auditd_unit_file_t:file read_file_perms;
	allow $1 auditd_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, auditd_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_systemctl_audit'($*)) dnl
')

########################################
## ## Execute systemctl to manage the syslogd unit
## (read the unit file, manage the service, read syslogd's process state).
## ## ## ## Domain allowed access.
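## ##
#
define(`logging_systemctl_syslogd',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_systemctl_syslogd'($*)) dnl
	gen_require(`
		type syslogd_t;
		type syslogd_unit_file_t;
	')

	systemd_exec_systemctl($1)
	allow $1 syslogd_unit_file_t:file read_file_perms;
	allow $1 syslogd_unit_file_t:service manage_service_perms;
	ps_process_pattern($1, syslogd_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_systemctl_syslogd'($*)) dnl
')

########################################
## ## All of the rules required to administrate
## the syslog environment
## ## ## ## Domain allowed access.
## ## ## ## ## User role allowed access.
## ## ##
#
# Full syslog administration: CAP_SYSLOG, signal/ptrace syslogd and klogd,
# manage their config, tmp, lib and pid files, manage and relabel every
# logfile type, and start/stop the service with a role switch to system_r.
# ptrace is granted only while the deny_ptrace tunable is off.
#
# The logfile attribute is used directly by the relabel rules below, so it
# is required here explicitly instead of relying on the require block that
# logging_manage_all_logs() happens to pull in.
define(`logging_admin_syslog',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_admin_syslog'($*)) dnl
	gen_require(`
		attribute logfile;
		type syslogd_t, klogd_t, syslog_conf_t;
		type syslogd_tmp_t, syslogd_var_lib_t;
		type syslogd_var_run_t, klogd_var_run_t;
		type klogd_tmp_t, var_log_t;
		type syslogd_initrc_exec_t;
	')

	allow $1 self:capability2 syslog;
	allow $1 syslogd_t:process signal_perms;
	allow $1 klogd_t:process signal_perms;
	ps_process_pattern($1, syslogd_t)
	ps_process_pattern($1, klogd_t)
	tunable_policy(`deny_ptrace',`',`
		allow $1 syslogd_t:process ptrace;
		allow $1 klogd_t:process ptrace;
	')

	manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t)
	manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t)

	manage_dirs_pattern($1, klogd_tmp_t, klogd_tmp_t)
	manage_files_pattern($1, klogd_tmp_t, klogd_tmp_t)

	manage_dirs_pattern($1, syslogd_tmp_t, syslogd_tmp_t)
	manage_files_pattern($1, syslogd_tmp_t, syslogd_tmp_t)

	manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t)
	manage_files_pattern($1, syslog_conf_t, syslog_conf_t)
	files_etc_filetrans($1, syslog_conf_t, file)

	manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
	manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)

	manage_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)

	logging_manage_all_logs($1)
	allow $1 logfile:dir relabel_dir_perms;
	allow $1 logfile:file relabel_file_perms;

	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 syslogd_initrc_exec_t system_r;
	allow $2 system_r;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_admin_syslog'($*)) dnl
')

########################################
## ## All of the rules required to administrate
## the logging environment
## ## ## ## Domain allowed access.
## ## ## ## ## User role allowed access.
## ## ##
#
# Union of logging_admin_audit() and logging_admin_syslog().
define(`logging_admin',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_admin'($*)) dnl
	logging_admin_audit($1, $2)
	logging_admin_syslog($1, $2)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_admin'($*)) dnl
')

########################################
## ## Transition to syslog.conf
## ## ## ## Domain allowed access.
## ##
#
# Named transitions for "syslog.conf" and "rsyslog.conf" created in the
# etc directory.
define(`logging_filetrans_named_conf',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `logging_filetrans_named_conf'($*)) dnl
	gen_require(`
		type syslog_conf_t;
	')

	files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf")
	files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf")
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `logging_filetrans_named_conf'($*)) dnl
')

########################################
## ## Transition to logging named content
## ## ## ## Domain allowed access.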
## ## # define(`logging_filetrans_named_content',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `logging_filetrans_named_content'($*)) dnl gen_require(` type var_log_t; type audit_spool_t; type syslogd_var_run_t; type syslog_conf_t; ') files_pid_filetrans($1, syslogd_var_run_t, dir, "log") files_spool_filetrans($1, var_log_t, dir, "rsyslog") files_spool_filetrans($1, var_log_t, dir, "log") files_spool_filetrans($1, audit_spool_t, dir, "audit") files_var_filetrans($1, var_log_t, dir, "webmin") files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf") files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf") init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal") logging_log_filetrans($1, var_log_t, dir, "anaconda") logging_log_filetrans($1, var_log_t, dir, "remote") popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `logging_filetrans_named_content'($*)) dnl ') ####################################### ## ## Create objects in /run/systemd/journal/ directory ## with an automatic type transition to ## a specified private type. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the object to create. ## ## ## ## ## The class of the object to be created. ## ## ## ## ## The name of the object being created. ## ## # define(`logging_syslogd_pid_filetrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `logging_syslogd_pid_filetrans'($*)) dnl gen_require(` type syslogd_var_run_t; ') files_search_pids($1) filetrans_pattern($1, syslogd_var_run_t, $2, $3, $4) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `logging_syslogd_pid_filetrans'($*)) dnl ') ####################################### ## ## Map files in /run/log/journal/ directory. ## ## ## ## Domain allowed access. 
## ## # define(`logging_mmap_journal',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `logging_mmap_journal'($*)) dnl gen_require(` type syslogd_var_run_t; ') allow $1 syslogd_var_run_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `logging_mmap_journal'($*)) dnl ') ####################################### ## ## Watch the /run/log/journal directory. ## ## ## ## Domain allowed access. ## ## # define(`logging_watch_journal_dir',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `logging_watch_journal_dir'($*)) dnl gen_require(` type syslogd_var_run_t; ') allow $1 syslogd_var_run_t:dir watch_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `logging_watch_journal_dir'($*)) dnl ') ######################################## ## ## Send a message to syslogd over a unix domain ## datagram socket. ## ## ## ## Domain allowed access. ## ## # define(`logging_dgram_send',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `logging_dgram_send'($*)) dnl gen_require(` type syslogd_t; ') allow $1 syslogd_t:unix_dgram_socket sendto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `logging_dgram_send'($*)) dnl ') ## Policy for logical volume management programs. ##################################### ## ## lvm stub domain interface. No access allowed. ## ## ## ## Domain allowed access ## ## # define(`lvm_stub',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_stub'($*)) dnl gen_require(` type lvm_t; ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_stub'($*)) dnl ') ######################################## ## ## Get the attribute of lvm entrypoint files. ## ## ## ## Domain allowed access. 
## ## # define(`lvm_getattr_exec_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_getattr_exec_files'($*)) dnl gen_require(` type lvm_exec_t; ') files_list_etc($1) allow $1 lvm_exec_t:file getattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_getattr_exec_files'($*)) dnl ') ######################################## ## ## Execute lvm programs in the lvm domain. ## ## ## ## Domain allowed to transition. ## ## # define(`lvm_domtrans',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_domtrans'($*)) dnl gen_require(` type lvm_t, lvm_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, lvm_exec_t, lvm_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_domtrans'($*)) dnl ') ######################################## ## ## Execute lvm programs in the caller domain. ## ## ## ## Domain allowed access. ## ## # define(`lvm_exec',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_exec'($*)) dnl gen_require(` type lvm_exec_t; ') corecmd_search_bin($1) can_exec($1, lvm_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_exec'($*)) dnl ') ######################################## ## ## Execute lvm programs in the lvm domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## The role to allow the LVM domain. ## ## ## # define(`lvm_run',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_run'($*)) dnl gen_require(` type lvm_t; ') lvm_domtrans($1) role $2 types lvm_t; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_run'($*)) dnl ') ######################################## ## ## Read LVM configuration files. ## ## ## ## Domain allowed access. 
## ## ## # define(`lvm_read_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_read_config'($*)) dnl gen_require(` type lvm_etc_t; ') files_search_etc($1) allow $1 lvm_etc_t:dir list_dir_perms; read_files_pattern($1, lvm_etc_t, lvm_etc_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_read_config'($*)) dnl ') ######################################## ## ## Mmap LVM configuration files. ## ## ## ## Domain allowed access. ## ## ## # define(`lvm_map_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_map_config'($*)) dnl gen_require(` type lvm_etc_t; ') allow $1 lvm_etc_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_map_config'($*)) dnl ') ######################################## ## ## Read LVM configuration files. ## ## ## ## Domain allowed access. ## ## ## # define(`lvm_read_metadata',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_read_metadata'($*)) dnl gen_require(` type lvm_etc_t; type lvm_metadata_t; ') files_search_etc($1) allow $1 lvm_etc_t:dir list_dir_perms; read_files_pattern($1,lvm_metadata_t ,lvm_metadata_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_read_metadata'($*)) dnl ') ######################################## ## ## Read LVM configuration files. ## ## ## ## Domain allowed access. 
## ## ## # define(`lvm_write_metadata',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_write_metadata'($*)) dnl gen_require(` type lvm_etc_t; type lvm_metadata_t; ') files_search_etc($1) allow $1 lvm_etc_t:dir list_dir_perms; write_files_pattern($1,lvm_metadata_t ,lvm_metadata_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_write_metadata'($*)) dnl ') ######################################## ## ## Manage LVM metadata files. ## ## ## ## Domain allowed access. ## ## ## # define(`lvm_manage_metadata',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_manage_metadata'($*)) dnl gen_require(` type lvm_metadata_t; ') allow $1 lvm_metadata_t:dir list_dir_perms; manage_dirs_pattern($1, lvm_metadata_t, lvm_metadata_t) manage_files_pattern($1, lvm_metadata_t, lvm_metadata_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_manage_metadata'($*)) dnl ') ######################################## ## ## Manage LVM configuration files. ## ## ## ## Domain allowed access. ## ## ## # define(`lvm_manage_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_manage_config'($*)) dnl gen_require(` type lvm_etc_t; ') files_search_etc($1) manage_dirs_pattern($1, lvm_etc_t, lvm_etc_t) manage_files_pattern($1, lvm_etc_t, lvm_etc_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_manage_config'($*)) dnl ') ######################################## ## ## Connect to lvm using a unix domain stream socket. ## ## ## ## Domain allowed access. 
## ## # define(`lvm_stream_connect',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_stream_connect'($*)) dnl gen_require(` type lvm_t, lvm_var_run_t; ') files_search_pids($1) stream_connect_pattern($1, lvm_var_run_t, lvm_var_run_t, lvm_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_stream_connect'($*)) dnl ') ###################################### ## ## Execute a domain transition to run clvmd. ## ## ## ## Domain allowed to transition. ## ## # define(`lvm_domtrans_clvmd',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_domtrans_clvmd'($*)) dnl gen_require(` type clvmd_t, clvmd_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, clvmd_exec_t, clvmd_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_domtrans_clvmd'($*)) dnl ') ######################################## ## ## Read and write to lvm temporary file system. ## ## ## ## Domain allowed access. ## ## # define(`lvm_rw_clvmd_tmpfs_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_rw_clvmd_tmpfs_files'($*)) dnl gen_require(` type clvmd_tmpfs_t; ') allow $1 clvmd_tmpfs_t:file rw_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_rw_clvmd_tmpfs_files'($*)) dnl ') ######################################## ## ## Delete lvm temporary file system. ## ## ## ## Domain allowed access. ## ## # define(`lvm_delete_clvmd_tmpfs_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_delete_clvmd_tmpfs_files'($*)) dnl gen_require(` type clvmd_tmpfs_t; ') allow $1 clvmd_tmpfs_t:file unlink; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_delete_clvmd_tmpfs_files'($*)) dnl ') ######################################## ## ## Send lvm a null signal. 
## ## ## ## Domain allowed access. ## ## # define(`lvm_signull',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_signull'($*)) dnl gen_require(` type lvm_t; ') allow $1 lvm_t:process signull; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_signull'($*)) dnl ') ######################################## ## ## Send a message to lvm over the ## datagram socket. ## ## ## ## Domain allowed access. ## ## # define(`lvm_dgram_send',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_dgram_send'($*)) dnl gen_require(` type lvm_t; ') allow $1 lvm_t:unix_dgram_socket sendto; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_dgram_send'($*)) dnl ') ######################################## ## ## Read and write a lvm unnamed pipe. ## ## ## ## Domain allowed access. ## ## # define(`lvm_rw_pipes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_rw_pipes'($*)) dnl gen_require(` type lvm_var_run_t; ') allow $1 lvm_var_run_t:fifo_file rw_fifo_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_rw_pipes'($*)) dnl ') ######################################## ## ## Dontaudit Read and write a lvm unnamed pipe. ## ## ## ## Domain allowed access. ## ## # define(`lvm_dontaudit_rw_pipes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_dontaudit_rw_pipes'($*)) dnl gen_require(` type lvm_var_run_t; ') dontaudit $1 lvm_var_run_t:fifo_file rw_fifo_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_dontaudit_rw_pipes'($*)) dnl ') ######################################## ## ## Do not audit attempts to access check cert dirs/files. ## ## ## ## Domain to not audit. 
## ## # define(`lvm_dontaudit_access_check_lock',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_dontaudit_access_check_lock'($*)) dnl gen_require(` type lvm_lock_t; ') dontaudit $1 lvm_lock_t:dir audit_access; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_dontaudit_access_check_lock'($*)) dnl ') ######################################## ## ## Dontaudit read and write to lvm_lock_t dir. ## ## ## ## Domain allowed access. ## ## # define(`lvm_dontaudit_rw_lock_dir',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_dontaudit_rw_lock_dir'($*)) dnl gen_require(` type lvm_lock_t; ') dontaudit $1 lvm_lock_t:dir rw_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_dontaudit_rw_lock_dir'($*)) dnl ') ######################################## ## ## Read the process state (/proc/pid) of lvm. ## ## ## ## Domain allowed access. ## ## # define(`lvm_read_state',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_read_state'($*)) dnl gen_require(` type lvm_t; ') ps_process_pattern($1, lvm_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_read_state'($*)) dnl ') ######################################## ## ## Create, read, write, and delete ## lvm lock files. ## ## ## ## Domain allowed access. 
## ## # define(`lvm_manage_lock',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_manage_lock'($*)) dnl gen_require(` type lvm_lock_t; ') files_lock_filetrans($1, lvm_lock_t, dir, "lvm") files_search_locks($1) manage_files_pattern($1, lvm_lock_t, lvm_lock_t) manage_dirs_pattern($1, lvm_lock_t, lvm_lock_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_manage_lock'($*)) dnl ') ######################################## ## ## Allow dbus send for lvm dbus API (only send needed) ## ## ## ## Domain allowed access. ## ## # define(`lvm_dbus_send_msg',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_dbus_send_msg'($*)) dnl gen_require(` type lvm_t; class dbus send_msg; ') allow $1 lvm_t:dbus send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_dbus_send_msg'($*)) dnl ') ######################################## ## ## Allow lvm hints file access ## ## ## ## Domain allowed access. ## ## # define(`lvm_rw_var_run',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `lvm_rw_var_run'($*)) dnl gen_require(` type lvm_t; type lvm_var_run_t; ') allow $1 lvm_var_run_t:file { rw_file_perms }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `lvm_rw_var_run'($*)) dnl ') ## Miscelaneous files. ######################################## ## ## Make the specified type usable as a cert file. ## ## ##

## Make the specified type usable for cert files. ## This will also make the type usable for files, making ## calls to files_type() redundant. Failure to use this interface ## for a temporary file may result in problems with ## cert management tools. ##

##

## Related interfaces: ##

##
    ##
  • files_type()
  • ##
##

## Example: ##

##

## type mycertfile_t; ## cert_type(mycertfile_t) ## allow mydomain_t mycertfile_t:file read_file_perms; ## files_search_etc(mydomain_t) ##

##
## ## ## Type to be used for files. ## ## ## # define(`miscfiles_cert_type',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_cert_type'($*)) dnl gen_require(` attribute cert_type; ') typeattribute $1 cert_type; files_type($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_cert_type'($*)) dnl ') ######################################## ## ## Read all SSL certificates. ## ## ## ## Domain allowed access. ## ## ## # define(`miscfiles_read_all_certs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_read_all_certs'($*)) dnl gen_require(` attribute cert_type; ') allow $1 cert_type:dir list_dir_perms; read_files_pattern($1, cert_type, cert_type) read_lnk_files_pattern($1, cert_type, cert_type) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_read_all_certs'($*)) dnl ') ######################################## ## ## Read all SSL certificates. ## ## ## ## Domain allowed access. ## ## ## # define(`miscfiles_manage_all_certs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_manage_all_certs'($*)) dnl gen_require(` attribute cert_type; ') manage_dirs_pattern($1, cert_type, cert_type) manage_files_pattern($1, cert_type, cert_type) manage_lnk_files_pattern($1, cert_type, cert_type) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_manage_all_certs'($*)) dnl ') ######################################## ## ## Read generic SSL certificates. ## ## ## ## Domain allowed access. 
## ## ## # define(`miscfiles_read_generic_certs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_read_generic_certs'($*)) dnl gen_require(` type cert_t; ') allow $1 cert_t:dir list_dir_perms; read_files_pattern($1, cert_t, cert_t) read_lnk_files_pattern($1, cert_t, cert_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_read_generic_certs'($*)) dnl ') ######################################## ## ## mmap generic SSL certificates. ## ## ## ## Domain allowed access. ## ## ## # define(`miscfiles_map_generic_certs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_map_generic_certs'($*)) dnl gen_require(` type cert_t; ') allow $1 cert_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_map_generic_certs'($*)) dnl ') ######################################## ## ## Do not audit attempts to mmap generic SSL certificates. ## ## ## ## Domain to not audit. ## ## ## # define(`miscfiles_dontaudit_map_generic_certs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_dontaudit_map_generic_certs'($*)) dnl gen_require(` type cert_t; ') dontaudit $1 cert_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_dontaudit_map_generic_certs'($*)) dnl ') ######################################## ## ## Manage generic SSL certificates. ## ## ## ## Domain allowed access. 
## ## # define(`miscfiles_manage_generic_cert_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_manage_generic_cert_dirs'($*)) dnl gen_require(` type cert_t; ') manage_dirs_pattern($1, cert_t, cert_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_manage_generic_cert_dirs'($*)) dnl ') ######################################## ## ## Allow process to relabel cert_t ## ## ## ## Domain allowed access. ## ## # define(`miscfiles_relabel_generic_cert',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_relabel_generic_cert'($*)) dnl gen_require(` type cert_t; ') files_search_usr($1) relabel_files_pattern($1, cert_t, cert_t) relabel_dirs_pattern($1, cert_t, cert_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_relabel_generic_cert'($*)) dnl ') ######################################## ## ## Dontaudit attempts to write generic SSL certificates. ## ## ## ## Domain allowed access. ## ## # define(`miscfiles_dontaudit_write_generic_cert_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_dontaudit_write_generic_cert_files'($*)) dnl gen_require(` type cert_t; ') dontaudit $1 cert_t:file write; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_dontaudit_write_generic_cert_files'($*)) dnl ') ######################################## ## ## Manage generic SSL certificates. ## ## ## ## Domain allowed access. 
## ## ## # define(`miscfiles_manage_generic_cert_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_manage_generic_cert_files'($*)) dnl gen_require(` type cert_t; ') manage_files_pattern($1, cert_t, cert_t) manage_lnk_files_pattern($1, cert_t, cert_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_manage_generic_cert_files'($*)) dnl ') ######################################## ## ## Read SSL certificates. ## ## ## ## Domain allowed access. ## ## # define(`miscfiles_read_certs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_read_certs'($*)) dnl miscfiles_read_generic_certs($1) refpolicywarn(`$0() has been deprecated, please use miscfiles_read_generic_certs() instead.') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_read_certs'($*)) dnl ') ######################################## ## ## Manage SSL certificates. ## ## ## ## Domain allowed access. ## ## # define(`miscfiles_manage_cert_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_manage_cert_dirs'($*)) dnl miscfiles_manage_generic_cert_dirs($1) refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_dirs() instead.') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_manage_cert_dirs'($*)) dnl ') ######################################## ## ## Do not audit attempts to access check cert dirs/files. ## ## ## ## Domain to not audit. 
## ## # define(`miscfiles_dontaudit_access_check_cert',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_dontaudit_access_check_cert'($*)) dnl gen_require(` type cert_t; ') dontaudit $1 cert_t:file audit_access; dontaudit $1 cert_t:dir audit_access; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_dontaudit_access_check_cert'($*)) dnl ') ######################################## ## ## Manage SSL certificates. ## ## ## ## Domain allowed access. ## ## # define(`miscfiles_manage_cert_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_manage_cert_files'($*)) dnl miscfiles_manage_generic_cert_files($1) refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_files() instead.') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_manage_cert_files'($*)) dnl ') ######################################## ## ## Read fonts. ## ## ## ## Domain allowed access. ## ## ## # define(`miscfiles_read_fonts',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_read_fonts'($*)) dnl gen_require(` type fonts_t, fonts_cache_t; ') # cjp: fonts can be in either of these dirs files_search_usr($1) libs_search_lib($1) allow $1 fonts_t:dir list_dir_perms; read_files_pattern($1, fonts_t, fonts_t) allow $1 fonts_t:file map; read_lnk_files_pattern($1, fonts_t, fonts_t) allow $1 fonts_cache_t:dir list_dir_perms; read_files_pattern($1, fonts_cache_t, fonts_cache_t) read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) allow $1 fonts_cache_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_read_fonts'($*)) dnl ') ######################################## ## ## Set the attributes on a fonts directory. ## ## ## ## Domain allowed access. 
## ## ## # define(`miscfiles_setattr_fonts_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_setattr_fonts_dirs'($*)) dnl gen_require(` type fonts_t; ') allow $1 fonts_t:dir setattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_setattr_fonts_dirs'($*)) dnl ') ######################################## ## ## Do not audit attempts to set the attributes ## on a fonts directory. ## ## ## ## Domain to not audit. ## ## ## # define(`miscfiles_dontaudit_setattr_fonts_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_dontaudit_setattr_fonts_dirs'($*)) dnl gen_require(` type fonts_t; ') dontaudit $1 fonts_t:dir setattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_dontaudit_setattr_fonts_dirs'($*)) dnl ') ######################################## ## ## Do not audit attempts to write fonts. ## ## ## ## Domain to not audit. ## ## ## # define(`miscfiles_dontaudit_write_fonts',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_dontaudit_write_fonts'($*)) dnl gen_require(` type fonts_t; ') dontaudit $1 fonts_t:dir { write setattr }; dontaudit $1 fonts_t:file write; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_dontaudit_write_fonts'($*)) dnl ') ######################################## ## ## Watch fonts directories. ## ## ## ## Domain allowed access. 
## ## ## # define(`miscfiles_watch_fonts_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_watch_fonts_dirs'($*)) dnl gen_require(` type fonts_t; ') allow $1 fonts_t:dir watch_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_watch_fonts_dirs'($*)) dnl ') ######################################## ## ## Create, read, write, and delete fonts. ## ## ## ## Domain allowed access. ## ## ## # define(`miscfiles_manage_fonts',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_manage_fonts'($*)) dnl gen_require(` type fonts_t; ') # cjp: fonts can be in either of these dirs files_search_usr($1) libs_search_lib($1) manage_dirs_pattern($1, fonts_t, fonts_t) manage_files_pattern($1, fonts_t, fonts_t) manage_lnk_files_pattern($1, fonts_t, fonts_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_manage_fonts'($*)) dnl ') ######################################## ## ## Set the attributes on a fonts cache directory. ## ## ## ## Domain allowed access. ## ## # define(`miscfiles_setattr_fonts_cache_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_setattr_fonts_cache_dirs'($*)) dnl gen_require(` type fonts_cache_t; ') allow $1 fonts_cache_t:dir setattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_setattr_fonts_cache_dirs'($*)) dnl ') ######################################## ## ## Do not audit attempts to set the attributes ## on a fonts cache directory. ## ## ## ## Domain to not audit. 
## ## # define(`miscfiles_dontaudit_setattr_fonts_cache_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_dontaudit_setattr_fonts_cache_dirs'($*)) dnl gen_require(` type fonts_cache_t; ') dontaudit $1 fonts_cache_t:dir setattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_dontaudit_setattr_fonts_cache_dirs'($*)) dnl ') ######################################## ## ## Create, read, write, and delete fonts cache. ## ## ## ## Domain allowed access. ## ## ## # define(`miscfiles_manage_fonts_cache',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_manage_fonts_cache'($*)) dnl gen_require(` type fonts_cache_t; ') files_search_var($1) manage_dirs_pattern($1, fonts_cache_t, fonts_cache_t) manage_files_pattern($1, fonts_cache_t, fonts_cache_t) manage_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_manage_fonts_cache'($*)) dnl ') ######################################## ## ## Read hardware identification data. ## ## ## ## Domain allowed access. ## ## # define(`miscfiles_read_hwdata',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_read_hwdata'($*)) dnl gen_require(` type hwdata_t; ') allow $1 hwdata_t:dir list_dir_perms; read_files_pattern($1, hwdata_t, hwdata_t) read_lnk_files_pattern($1, hwdata_t, hwdata_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_read_hwdata'($*)) dnl ') ######################################## ## ## Allow process to setattr localization info ## ## ## ## Domain allowed access. 
## ## # define(`miscfiles_setattr_localization',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_setattr_localization'($*)) dnl gen_require(` type locale_t; ') files_search_usr($1) allow $1 locale_t:dir list_dir_perms; allow $1 locale_t:file setattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_setattr_localization'($*)) dnl ') ######################################## ## ## Allow process to read localization information. ## ## ##

## Allow the specified domain to read the localization files. ## This is typically for time zone configuration files, such as ## /etc/localtime and files in /usr/share/zoneinfo. ## Typically, any domain which needs to know the GMT/UTC ## offset of the current timezone will need access ## to these files. Generally, it should be safe for any ## domain to read these files. ##

##
## ## ## Domain allowed access. ## ## ## # define(`miscfiles_read_localization',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_read_localization'($*)) dnl gen_require(` type locale_t; ') files_read_etc_symlinks($1) files_search_usr($1) allow $1 locale_t:dir list_dir_perms; read_files_pattern($1, locale_t, locale_t) read_lnk_files_pattern($1, locale_t, locale_t) allow $1 locale_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_read_localization'($*)) dnl ') ######################################## ## ## Allow process to watch localization files. ## ## ##

## Allow the specified domain to watch localization files ## (e.g. /usr/share/zoneinfo/UTC) for changes. ##

##
## ## ## Domain allowed access. ## ## # define(`miscfiles_watch_localization_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_watch_localization_files'($*)) dnl gen_require(` type locale_t; ') watch_files_pattern($1, locale_t, locale_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_watch_localization_files'($*)) dnl ') ######################################## ## ## Allow process to watch localization symlinks. ## ## ##

## Allow the specified domain to watch localization symlinks ## (e.g. /etc/localtime) for changes. ##

##
## ## ## Domain allowed access. ## ## # define(`miscfiles_watch_localization_symlinks',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_watch_localization_symlinks'($*)) dnl gen_require(` type locale_t; ') watch_lnk_files_pattern($1, locale_t, locale_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_watch_localization_symlinks'($*)) dnl ') ######################################## ## ## Allow process to write localization info ## ## ## ## Domain allowed access. ## ## # define(`miscfiles_rw_localization',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_rw_localization'($*)) dnl gen_require(` type locale_t; ') files_search_usr($1) allow $1 locale_t:dir list_dir_perms; rw_files_pattern($1, locale_t, locale_t) manage_lnk_files_pattern($1, locale_t, locale_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_rw_localization'($*)) dnl ') ######################################## ## ## Allow process to relabel localization info ## ## ## ## Domain allowed access. ## ## # define(`miscfiles_relabel_localization',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_relabel_localization'($*)) dnl gen_require(` type locale_t; ') files_search_usr($1) relabel_files_pattern($1, locale_t, locale_t) relabel_lnk_files_pattern($1, locale_t, locale_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_relabel_localization'($*)) dnl ') ######################################## ## ## Allow process to read legacy time localization info ## ## ## ## Domain allowed access. 
##
##
#
define(`miscfiles_legacy_read_localization',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_legacy_read_localization'($*)) dnl
	gen_require(`
		type locale_t;
	')

	# NOTE(review): despite the name, this interface grants execute, not
	# read, on locale_t files; read access comes from
	# miscfiles_read_localization(). Confirm each caller still needs an
	# execute grant on localization data before keeping the call.
	allow $1 locale_t:file execute;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_legacy_read_localization'($*)) dnl
')

########################################
##
## Search man pages.
##
##
##
##	Domain allowed access.
##
##
#
define(`miscfiles_search_man_pages',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_search_man_pages'($*)) dnl
	gen_require(`
		type man_t, man_cache_t;
	')

	allow $1 { man_cache_t man_t }:dir search_dir_perms;
	files_search_usr($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_search_man_pages'($*)) dnl
')

########################################
##
## Do not audit attempts to search man pages.
##
##
##
##	Domain to not audit.
##
##
#
define(`miscfiles_dontaudit_search_man_pages',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_dontaudit_search_man_pages'($*)) dnl
	gen_require(`
		type man_t, man_cache_t;
	')

	dontaudit $1 { man_cache_t man_t }:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_dontaudit_search_man_pages'($*)) dnl
')

########################################
##
## Read man pages
##
##
##
##	Domain allowed access.
##
##
##
#
define(`miscfiles_read_man_pages',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_man_pages'($*)) dnl
	gen_require(`
		type man_t, man_cache_t;
	')

	files_search_usr($1)
	allow $1 { man_cache_t man_t }:dir list_dir_perms;
	read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
	read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })

	optional_policy(`
		mandb_read_cache_files($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_man_pages'($*)) dnl
')

########################################
##
## Delete man pages
##
##
##
##	Domain allowed access.
##
##
# cjp: added for tmpreaper
#
define(`miscfiles_delete_man_pages',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_delete_man_pages'($*)) dnl
	gen_require(`
		type man_t, man_cache_t;
	')

	files_search_usr($1)
	allow $1 { man_cache_t man_t }:dir { setattr_dir_perms list_dir_perms };
	delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
	delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
	delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })

	optional_policy(`
		mandb_setattr_cache_dirs($1)
		mandb_delete_cache($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_delete_man_pages'($*)) dnl
')

#######################################
##
## Set the attributes of man page directories.
##
##
##
##	Domain allowed access.
## ## # define(`miscfiles_setattr_man_pages',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_setattr_man_pages'($*)) dnl gen_require(` type man_t; ') files_search_usr($1) allow $1 man_t:dir setattr; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_setattr_man_pages'($*)) dnl ') ######################################## ## ## Create, read, write, and delete man pages ## ## ## ## Domain allowed access. ## ## # define(`miscfiles_manage_man_pages',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_manage_man_pages'($*)) dnl gen_require(` type man_t, man_cache_t; ') files_search_usr($1) manage_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) manage_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t }) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_manage_man_pages'($*)) dnl ') ######################################## ## ## Read man cache content. ## ## ## ## Domain allowed access. ## ## # define(`miscfiles_read_man_cache',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_read_man_cache'($*)) dnl gen_require(` type man_cache_t; ') files_search_var($1) allow $1 man_cache_t:dir list_dir_perms; allow $1 man_cache_t:file read_file_perms; allow $1 man_cache_t:lnk_file read_lnk_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_read_man_cache'($*)) dnl ') ######################################## ## ## Create, read, write, and delete ## man cache content. ## ## ## ## Domain allowed access. 
## ## # define(`miscfiles_manage_man_cache',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_manage_man_cache'($*)) dnl gen_require(` type man_cache_t; ') files_search_var($1) allow $1 man_cache_t:dir manage_dir_perms; allow $1 man_cache_t:file manage_file_perms; allow $1 man_cache_t:lnk_file manage_lnk_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_manage_man_cache'($*)) dnl ') ######################################## ## ## Allow process to relabel man_pages info ## ## ## ## Domain allowed access. ## ## # define(`miscfiles_relabel_man_pages',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_relabel_man_pages'($*)) dnl gen_require(` type man_t; ') files_search_usr($1) relabel_dirs_pattern($1, man_t, man_t) relabel_files_pattern($1, man_t, man_t) optional_policy(` mandb_relabel_cache($1) ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_relabel_man_pages'($*)) dnl ') ######################################## ## ## Read public files used for file ## transfer services. ## ## ## ## Domain allowed access. 
## ## ## # define(`miscfiles_read_public_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_read_public_files'($*)) dnl gen_require(` type public_content_t, public_content_rw_t; ') allow $1 { public_content_t public_content_rw_t }:dir list_dir_perms; allow $1 { public_content_t public_content_rw_t }:file map; read_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t }) read_lnk_files_pattern($1, { public_content_t public_content_rw_t }, { public_content_t public_content_rw_t }) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_read_public_files'($*)) dnl ') ######################################## ## ## Create, read, write, and delete public files ## and directories used for file transfer services. ## ## ## ## Domain allowed access. ## ## ## # define(`miscfiles_manage_public_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_manage_public_files'($*)) dnl gen_require(` type public_content_rw_t; ') manage_dirs_pattern($1, public_content_rw_t, public_content_rw_t) manage_files_pattern($1, public_content_rw_t, public_content_rw_t) manage_lnk_files_pattern($1, public_content_rw_t, public_content_rw_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_manage_public_files'($*)) dnl ') ######################################## ## ## Append to public files used for file transfer services ## ## ## ## Domain allowed access. 
##
##
##
#
define(`miscfiles_append_public_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_append_public_files'($*)) dnl
	gen_require(`
		type public_content_rw_t;
	')

	append_files_pattern($1, public_content_rw_t, public_content_rw_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_append_public_files'($*)) dnl
')

########################################
##
## Read TeX data
##
##
##
##	Domain allowed access.
##
##
#
define(`miscfiles_read_tetex_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_tetex_data'($*)) dnl
	gen_require(`
		type tetex_data_t;
	')

	files_search_var($1)
	files_search_var_lib($1)
	# cjp: TeX data can be in either of the above dirs

	allow $1 tetex_data_t:dir list_dir_perms;
	read_files_pattern($1, tetex_data_t, tetex_data_t)
	read_lnk_files_pattern($1, tetex_data_t, tetex_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_tetex_data'($*)) dnl
')

########################################
##
## Execute TeX data programs in the caller domain.
##
##
##
##	Domain allowed access.
##
##
#
define(`miscfiles_exec_tetex_data',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_exec_tetex_data'($*)) dnl
	# NOTE(review): fonts_t is required below but never referenced in this
	# interface; the stale require only adds a needless dependency.
	gen_require(`
		type fonts_t;
		type tetex_data_t;
	')

	files_search_var($1)
	files_search_var_lib($1)
	# cjp: TeX data can be in either of the above dirs

	allow $1 tetex_data_t:dir list_dir_perms;
	exec_files_pattern($1, tetex_data_t, tetex_data_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_exec_tetex_data'($*)) dnl
')

########################################
##
## Let test files be an entry point for
## a specified domain.
##
##
##
##	Domain allowed access.
##
##
#
define(`miscfiles_domain_entry_test_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_domain_entry_test_files'($*)) dnl
	gen_require(`
		type test_file_t;
	')

	domain_entry_file($1, test_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_domain_entry_test_files'($*)) dnl
')

########################################
##
## Read test files and directories.
##
##
##
##	Domain allowed access.
##
##
#
define(`miscfiles_read_test_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_test_files'($*)) dnl
	gen_require(`
		type test_file_t;
	')

	read_files_pattern($1, test_file_t, test_file_t)
	read_lnk_files_pattern($1, test_file_t, test_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_test_files'($*)) dnl
')

########################################
##
## Execute test files.
##
##
##
##	Domain allowed access.
##
##
#
define(`miscfiles_exec_test_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_exec_test_files'($*)) dnl
	gen_require(`
		type test_file_t;
	')

	exec_files_pattern($1, test_file_t, test_file_t)
	read_lnk_files_pattern($1, test_file_t, test_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_exec_test_files'($*)) dnl
')

########################################
##
## Create localization content in etc directories
## with a type transition to locale_t.
##
##
##
##	Domain allowed access.
##
##
#
define(`miscfiles_etc_filetrans_localization',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_etc_filetrans_localization'($*)) dnl
	gen_require(`
		type locale_t;
	')

	# NOTE(review): the first call has no filename argument, so it appears
	# to label every file and lnk_file the caller creates in etc
	# directories as locale_t, which already covers the four named
	# transitions that follow. If only the named files are meant to become
	# locale_t (as in miscfiles_filetrans_locale_named_content), the
	# unnamed rule is the one to drop; confirm which behaviour callers
	# rely on before changing it.
	files_etc_filetrans($1, locale_t, { file lnk_file })
	files_etc_filetrans($1, locale_t, {lnk_file file}, "localtime" )
	files_etc_filetrans($1, locale_t, file, "locale.conf" )
	files_etc_filetrans($1, locale_t, file, "timezone" )
	files_etc_filetrans($1, locale_t, file, "vconsole.conf" )
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_etc_filetrans_localization'($*)) dnl
')

########################################
##
## Create, read, write, and delete localization
##
##
##
##	Domain allowed access.
##
##
##
#
define(`miscfiles_manage_localization',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_manage_localization'($*)) dnl
	gen_require(`
		type locale_t;
	')

	manage_dirs_pattern($1, locale_t, locale_t)
	manage_files_pattern($1, locale_t, locale_t)
	manage_lnk_files_pattern($1, locale_t, locale_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_manage_localization'($*)) dnl
')

########################################
##
## Transition to miscfiles locale named content
##
##
##
##	Domain allowed access.
## ## # define(`miscfiles_filetrans_locale_named_content',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_filetrans_locale_named_content'($*)) dnl gen_require(` type locale_t; ') files_etc_filetrans($1, locale_t, { lnk_file file }, "localtime") files_etc_filetrans($1, locale_t, file, "locale.conf") files_etc_filetrans($1, locale_t, file, "vconsole.conf") files_etc_filetrans($1, locale_t, file, "locale.conf.new") files_etc_filetrans($1, locale_t, file, "timezone") files_etc_filetrans($1, locale_t, file, "clock") files_usr_filetrans($1, locale_t, dir, "locale") files_usr_filetrans($1, locale_t, dir, "zoneinfo") popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_filetrans_locale_named_content'($*)) dnl ') ######################################## ## ## Transition to miscfiles named content ## ## ## ## Domain allowed access. ## ## # define(`miscfiles_filetrans_named_content',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `miscfiles_filetrans_named_content'($*)) dnl gen_require(` type man_t; type cert_t; type fonts_t; type fonts_cache_t; type hwdata_t; type tetex_data_t; type public_content_t; ') miscfiles_filetrans_locale_named_content($1) files_var_filetrans($1, man_t, dir, "man") files_etc_filetrans($1, cert_t, dir, "pki") files_usr_filetrans($1, cert_t, dir, "certs") files_var_lib_filetrans($1, cert_t, dir, "letsencrypt") files_usr_filetrans($1, fonts_t, dir, "fonts") files_usr_filetrans($1, hwdata_t, dir, "hwdata") files_var_filetrans($1, fonts_cache_t, dir, "fontconfig") files_var_filetrans($1, tetex_data_t, dir, "fonts") files_spool_filetrans($1, tetex_data_t, dir, "texmf") files_var_lib_filetrans($1, tetex_data_t, dir, "texmf") files_var_filetrans($1, public_content_t, dir, "ftp") popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `miscfiles_filetrans_named_content'($*)) dnl ') 
########################################
##
## Create the letsencrypt directory under var_lib
## with a type transition to cert_t.
##
##
##
##	Domain allowed access.
##
##
#
define(`miscfiles_filetrans_named_content_letsencrypt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_filetrans_named_content_letsencrypt'($*)) dnl
	gen_require(`
		type cert_t;
	')

	files_var_lib_filetrans($1, cert_t, dir, "letsencrypt")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_filetrans_named_content_letsencrypt'($*)) dnl
')

########################################
##
## Read all pkcs11 modules configurations.
##
##
##
##	Domain allowed access.
##
##
##
#
define(`miscfiles_read_pkcs11_modules',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `miscfiles_read_pkcs11_modules'($*)) dnl
	gen_require(`
		type pkcs11_modules_conf_t;
	')

	allow $1 pkcs11_modules_conf_t:dir list_dir_perms;
	read_files_pattern($1, pkcs11_modules_conf_t, pkcs11_modules_conf_t)
	allow $1 pkcs11_modules_conf_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `miscfiles_read_pkcs11_modules'($*)) dnl
')

## Policy for kernel module utilities

######################################
##
## Getattr the dependencies of kernel modules.
##
##
##
##	Domain allowed access.
##
##
#
define(`modutils_getattr_module_deps',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_getattr_module_deps'($*)) dnl
	gen_require(`
		type modules_dep_t, modules_object_t;
	')

	getattr_files_pattern($1, modules_object_t, modules_dep_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_getattr_module_deps'($*)) dnl
')

########################################
##
## Read the dependencies of kernel modules.
##
##
##
##	Domain allowed access.
##
##
#
define(`modutils_read_module_deps_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_read_module_deps_files'($*)) dnl
	gen_require(`
		type modules_dep_t;
	')

	allow $1 modules_dep_t:file { map read_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_read_module_deps_files'($*)) dnl
')

########################################
##
## Read the dependencies of kernel modules.
##
##
##
##	Domain allowed access.
##
##
#
define(`modutils_read_module_deps',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_read_module_deps'($*)) dnl
	gen_require(`
		type modules_dep_t;
	')

	# NOTE(review): unlike modutils_read_module_deps_files(), this also
	# calls files_list_kernel_modules() and files_read_kernel_modules(),
	# which presumably grant access to all kernel module files and not
	# only the dependency files. Callers that need just modules_dep_t
	# should prefer the _files variant.
	files_list_kernel_modules($1)
	files_read_kernel_modules($1)
	allow $1 modules_dep_t:file { map read_file_perms };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_read_module_deps'($*)) dnl
')

########################################
##
## Delete the dependencies of kernel modules.
##
##
##
##	Domain allowed access.
##
##
#
define(`modutils_delete_module_deps',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_delete_module_deps'($*)) dnl
	gen_require(`
		type modules_dep_t;
	')

	delete_files_pattern($1, modules_dep_t, modules_dep_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_delete_module_deps'($*)) dnl
')

########################################
##
## List the configuration options used when
## loading modules.
##
##
##
##	Domain allowed access.
## ## ## # define(`modutils_list_module_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `modutils_list_module_config'($*)) dnl gen_require(` type modules_conf_t; ') list_dirs_pattern($1, modules_conf_t, modules_conf_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `modutils_list_module_config'($*)) dnl ') ######################################## ## ## Read the configuration options used when ## loading modules. ## ## ## ## Domain allowed access. ## ## ## # define(`modutils_read_module_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `modutils_read_module_config'($*)) dnl gen_require(` type modules_conf_t; ') # This file type can be in /etc or # /lib(64)?/modules files_search_etc($1) files_search_boot($1) allow $1 modules_conf_t:dir list_dir_perms; allow $1 modules_conf_t:file read_file_perms; allow $1 modules_conf_t:lnk_file read_lnk_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `modutils_read_module_config'($*)) dnl ') ######################################## ## ## Rename a file with the configuration options used when ## loading modules. ## ## ## ## Domain allowed access. ## ## # define(`modutils_rename_module_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `modutils_rename_module_config'($*)) dnl gen_require(` type modules_conf_t; ') rename_files_pattern($1, modules_conf_t, modules_conf_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `modutils_rename_module_config'($*)) dnl ') ######################################## ## ## Unlink a file with the configuration options used when ## loading modules. ## ## ## ## Domain allowed access. 
## ## # define(`modutils_delete_module_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `modutils_delete_module_config'($*)) dnl gen_require(` type modules_conf_t; ') delete_files_pattern($1, modules_conf_t, modules_conf_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `modutils_delete_module_config'($*)) dnl ') ######################################## ## ## Manage files with the configuration options used when ## loading modules. ## ## ## ## Domain allowed access. ## ## # define(`modutils_manage_module_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `modutils_manage_module_config'($*)) dnl gen_require(` type modules_conf_t; ') manage_files_pattern($1, modules_conf_t, modules_conf_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `modutils_manage_module_config'($*)) dnl ') ######################################## ## ## Execute insmod in the kmod domain. ## ## ## ## Domain allowed to transition. ## ## # define(`modutils_domtrans_kmod',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `modutils_domtrans_kmod'($*)) dnl gen_require(` type kmod_t, kmod_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, kmod_exec_t, kmod_t) allow $1 kmod_exec_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `modutils_domtrans_kmod'($*)) dnl ') ######################################## ## ## Unconditionally execute insmod in the insmod domain. ## ## ## ## Domain allowed to transition. ## ## # # cjp: this is added for pppd, due to nested # conditionals not working. 
define(`modutils_domtrans_insmod_uncond',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_domtrans_insmod_uncond'($*)) dnl
	# NOTE(review): deprecated stub. It emits a build-time warning and no
	# rules, so a caller still using it gets no domain transition at all
	# until it is moved to modutils_domtrans_kmod(). The same holds for
	# the other deprecated _insmod, _depmod and _update_mods interfaces
	# in this module.
	refpolicywarn(`$0($*) has been deprecated, use modutils_domtrans_kmod() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_domtrans_insmod_uncond'($*)) dnl
')

########################################
##
## Execute insmod in the insmod domain.
##
##
##
##	Domain allowed to transition.
##
##
#
define(`modutils_domtrans_insmod',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_domtrans_insmod'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use modutils_domtrans_kmod() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_domtrans_insmod'($*)) dnl
')

########################################
##
## Execute depmod in the depmod domain.
##
##
##
##	Domain allowed to transition.
##
##
#
define(`modutils_domtrans_depmod',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_domtrans_depmod'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use modutils_domtrans_kmod() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_domtrans_depmod'($*)) dnl
')

########################################
##
## Execute update_modules in the update_modules domain.
##
##
##
##	Domain allowed to transition.
##
##
#
define(`modutils_domtrans_update_mods',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_domtrans_update_mods'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use modutils_domtrans_kmod() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_domtrans_update_mods'($*)) dnl
')

########################################
##
## Allow sending a signal to the kmod domain.
## ## ## ## Domain allowed to transition. ## ## # define(`modutils_signal_kmod',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `modutils_signal_kmod'($*)) dnl gen_require(` type kmod_t; ') allow $1 kmod_t:process signal; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `modutils_signal_kmod'($*)) dnl ') ######################################## ## ## Allow send signal to insmod. ## ## ## ## Domain allowed to transition. ## ## # define(`modutils_signal_insmod',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `modutils_signal_insmod'($*)) dnl refpolicywarn(`$0($*) has been deprecated, use modutils_signal_kmod() instead.') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `modutils_signal_insmod'($*)) dnl ') ######################################## ## ## Execute insmod in the insmod domain, and ## allow the specified role the insmod domain, ## and use the caller's terminal. Has a sigchld ## backchannel. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # define(`modutils_run_kmod',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `modutils_run_kmod'($*)) dnl gen_require(` type kmod_t; ') modutils_domtrans_kmod($1) role $2 types kmod_t; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `modutils_run_kmod'($*)) dnl ') ######################################## ## ## Execute insmod in the insmod domain, and ## allow the specified role the insmod domain, ## and use the caller's terminal. Has a sigchld ## backchannel. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. 
## ## ## # define(`modutils_run_insmod',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `modutils_run_insmod'($*)) dnl refpolicywarn(`$0($*) has been deprecated, use modutils_run_kmod() instead.') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `modutils_run_insmod'($*)) dnl ') ######################################## ## ## Execute depmod in the depmod domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # define(`modutils_run_depmod',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `modutils_run_depmod'($*)) dnl refpolicywarn(`$0($*) has been deprecated, use modutils_run_kmod() instead.') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `modutils_run_depmod'($*)) dnl ') ######################################## ## ## Execute update_modules in the update_modules domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # define(`modutils_run_update_mods',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `modutils_run_update_mods'($*)) dnl refpolicywarn(`$0($*) has been deprecated, use modutils_run_kmod() instead.') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `modutils_run_update_mods'($*)) dnl ') ####################################### ## ## Execute insmod in the caller domain. ## ## ## ## Domain allowed access. ## ## # define(`modutils_exec_kmod',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `modutils_exec_kmod'($*)) dnl gen_require(` type kmod_exec_t; ') corecmd_search_bin($1) can_exec($1, kmod_exec_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `modutils_exec_kmod'($*)) dnl ') ####################################### ## ## Execute insmod in the caller domain. 
##
##
##
##	Domain allowed access.
##
##
#
define(`modutils_exec_insmod',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_exec_insmod'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use modutils_exec_kmod() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_exec_insmod'($*)) dnl
')

########################################
##
## Execute depmod in the caller domain.
##
##
##
##	Domain allowed access.
##
##
#
define(`modutils_exec_depmod',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_exec_depmod'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use modutils_exec_kmod() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_exec_depmod'($*)) dnl
')

########################################
##
## Execute update_modules in the caller domain.
##
##
##
##	Domain allowed access.
##
##
#
define(`modutils_exec_update_mods',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_exec_update_mods'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use modutils_exec_kmod() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_exec_update_mods'($*)) dnl
')

#######################################
##
## Don't audit execute insmod in the caller domain.
##
##
##
##	Domain to not audit.
##
##
#
define(`modutils_dontaudit_exec_kmod',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_dontaudit_exec_kmod'($*)) dnl
	gen_require(`
		type kmod_exec_t;
	')

	dontaudit $1 kmod_exec_t:file exec_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_dontaudit_exec_kmod'($*)) dnl
')

#######################################
##
## Don't audit execute insmod in the caller domain.
##
##
##
##	Domain to not audit.
##
##
#
define(`modutils_dontaudit_exec_insmod',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modutils_dontaudit_exec_insmod'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use modutils_dontaudit_exec_kmod() instead.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modutils_dontaudit_exec_insmod'($*)) dnl
')

########################################
##
## Transition to modutils named content
##
##
##
##	Domain allowed access.
##
##
# NOTE(review): every other interface in this module is prefixed
# modutils_; this one is named modules_filetrans_named_content, so it
# is not found by the module prefix.
#
define(`modules_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `modules_filetrans_named_content'($*)) dnl
	# NOTE(review): modules_dep_t is only referenced by the commented-out
	# rules below, so this require is currently unused.
	gen_require(`
		type modules_dep_t;
		type modules_conf_t;
	')

	files_etc_filetrans($1, modules_conf_t, file, "modprobe.conf")
	files_etc_filetrans($1, modules_conf_t, file, "modules.conf")
	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias")
	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.alias.bin")
	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.block")
	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin")
	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.builtin.bin")
	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep")
	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.devname")
	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.drm")
	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.modesetting")
	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.networking")
	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.order")
	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.softdep")
	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols")
	#files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `modules_filetrans_named_content'($*)) dnl
')

## Policy for mount.

########################################
##
## Execute mount in the mount domain.
##
##
##
##	Domain allowed to transition.
##
##
#
define(`mount_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_domtrans'($*)) dnl
	gen_require(`
		type mount_t, mount_exec_t;
	')

	domtrans_pattern($1, mount_exec_t, mount_t)
	mount_domtrans_fusermount($1)
	allow $1 mount_t:fd use;
	# NOTE(review): the rules below run in the opposite direction to the
	# transition: calling this interface also gives mount_t access to the
	# caller, presumably process inspection via ps_process_pattern, plus
	# write on the caller keyring and read/write on its unix stream
	# sockets. Callers should expect mount_t to gain this access to their
	# own objects.
	ps_process_pattern(mount_t, $1)
	allow mount_t $1:key write;
	allow mount_t $1:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_domtrans'($*)) dnl
')

########################################
##
## Execute mount in the mount domain, and
## allow the specified role the mount domain,
## and use the caller's terminal.
##
##
##
##	Domain allowed to transition.
##
##
##
##
##	Role allowed access.
##
##
##
#
define(`mount_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_run'($*)) dnl
	# NOTE(review): mount_t is required here but not referenced; the role
	# is granted through the mount_roles attribute instead.
	gen_require(`
		attribute_role mount_roles;
		type mount_t;
	')

	mount_domtrans($1)
	roleattribute $2 mount_roles;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_run'($*)) dnl
')

########################################
##
## Execute fusermount in the mount domain, and
## allow the specified role the mount domain,
## and use the caller's terminal.
##
##
##
##	Domain allowed access.
##
##
##
##
##	The role to be allowed the mount domain.
##	</summary>
## </param>
## <rolecap/>
#
define(`mount_run_fusermount',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_run_fusermount'($*)) dnl
	gen_require(`
		type mount_t;
	')

	mount_domtrans_fusermount($1)
	role $2 types mount_t;
	# Unlike mount_run(), this also lets the role run fstools from mount_t.
	fstools_run(mount_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_run_fusermount'($*)) dnl
')

########################################
## <summary>
##	Read mount PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mount_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_read_pid_files'($*)) dnl
	gen_require(`
		type mount_var_run_t;
	')

	read_files_pattern($1, mount_var_run_t, mount_var_run_t)
	list_dirs_pattern($1, mount_var_run_t, mount_var_run_t)
	# Needed to reach the PID directory in the first place.
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Read/write mount PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mount_rw_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_rw_pid_files'($*)) dnl
	gen_require(`
		type mount_var_run_t;
	')

	# Files only; no directory list/manage access is granted here.
	rw_files_pattern($1, mount_var_run_t, mount_var_run_t)
	files_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_rw_pid_files'($*)) dnl
')

#######################################
## <summary>
##	Do not audit attempts to write mount PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`mount_dontaudit_write_mount_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_dontaudit_write_mount_pid'($*)) dnl
	gen_require(`
		type mount_var_run_t;
	')

	# Suppresses the audit record only; write is still denied.
	dontaudit $1 mount_var_run_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_dontaudit_write_mount_pid'($*)) dnl
')

########################################
## <summary>
##	Manage mount PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mount_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_manage_pid_files'($*)) dnl
	gen_require(`
		type mount_var_run_t;
	')

	files_search_pids($1)
	# Create/delete/rename as well as read/write of the PID files.
	manage_files_pattern($1, mount_var_run_t, mount_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_manage_pid_files'($*)) dnl
')

########################################
## <summary>
##	Watch mount PID directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mount_watch_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_watch_pid_dirs'($*)) dnl
	gen_require(`
		type mount_var_run_t;
	')

	files_search_pids($1)
	watch_dirs_pattern($1, mount_var_run_t, mount_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_watch_pid_dirs'($*)) dnl
')

########################################
## <summary>
##	Watch_reads mount PID directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mount_watch_reads_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_watch_reads_pid_dirs'($*)) dnl
	gen_require(`
		type mount_var_run_t;
	')

	files_search_pids($1)
	watch_reads_dirs_pattern($1, mount_var_run_t, mount_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_watch_reads_pid_dirs'($*)) dnl
')

########################################
## <summary>
##	Watch mount PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mount_watch_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_watch_pid_files'($*)) dnl
	gen_require(`
		type mount_var_run_t;
	')

	files_search_pids($1)
	# Direct allow rather than a *_pattern macro: only the file class is covered.
	allow $1 mount_var_run_t:file watch_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_watch_pid_files'($*)) dnl
')

########################################
## <summary>
##	Watch_reads mount PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mount_watch_reads_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_watch_reads_pid_files'($*)) dnl
	gen_require(`
		type mount_var_run_t;
	')

	files_search_pids($1)
	allow $1 mount_var_run_t:file watch_reads_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_watch_reads_pid_files'($*)) dnl
')

########################################
## <summary>
##	Execute mount in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mount_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_exec'($*)) dnl
	gen_require(`
		type mount_exec_t;
	')

	# cjp: this should be removed:
	# (dir/lnk_file access on an executable type is unusual; kept for compatibility)
	allow $1 mount_exec_t:dir list_dir_perms;
	allow $1 mount_exec_t:lnk_file read_lnk_file_perms;

	# Executes in the caller's own domain; no transition to mount_t.
	can_exec($1, mount_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_exec'($*)) dnl
')

########################################
## <summary>
##	Send a generic signal to mount.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mount_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_signal'($*)) dnl
	gen_require(`
		type mount_t;
	')

	allow $1 mount_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_signal'($*)) dnl
')

########################################
## <summary>
##	Send a generic sigkill to mount.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mount_sigkill',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_sigkill'($*)) dnl
	gen_require(`
		type mount_t;
	')

	# sigkill is separate from the generic "signal" permission granted by mount_signal().
	allow $1 mount_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_sigkill'($*)) dnl
')

########################################
## <summary>
##	Use file descriptors for mount.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mount_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_use_fds'($*)) dnl
	gen_require(`
		type mount_t;
	')

	allow $1 mount_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_use_fds'($*)) dnl
')

########################################
## <summary>
##	Allow the mount domain to send nfs requests for mounting
##	network drives
## </summary>
## <desc>

##	<p>
##	Allow the mount domain to send nfs requests for mounting
##	network drives
##	</p>
##	<p>
##	This interface has been deprecated as these rules were
##	a side effect of leaked mount file descriptors. This
##	interface has no effect.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mount_send_nfs_client_request',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_send_nfs_client_request'($*)) dnl
	# No-op: only a build-time warning, no rules are generated.
	refpolicywarn(`$0($*) has been deprecated.')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_send_nfs_client_request'($*)) dnl
')

########################################
## <summary>
##	Read the mount tmp directory
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mount_list_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_list_tmp'($*)) dnl
	gen_require(`
		type mount_tmp_t;
	')

	# Directory listing only; no access to the files inside.
	allow $1 mount_tmp_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_list_tmp'($*)) dnl
')

########################################
## <summary>
##	Execute fusermount in the mount domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mount_domtrans_fusermount',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_domtrans_fusermount'($*)) dnl
	gen_require(`
		type mount_t, fusermount_exec_t;
	')

	# fusermount shares the mount_t domain rather than getting its own.
	domtrans_pattern($1, fusermount_exec_t, mount_t)
	ps_process_pattern(mount_t, $1)
	# Reverse-direction grant: mount_t may read/write the caller's unix stream sockets.
	allow mount_t $1:unix_stream_socket { read write };
	allow $1 mount_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_domtrans_fusermount'($*)) dnl
')

########################################
## <summary>
##	Execute fusermount.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`mount_exec_fusermount',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_exec_fusermount'($*)) dnl
	gen_require(`
		type fusermount_exec_t;
	')

	# Executes in the caller's own domain; no transition to mount_t.
	can_exec($1, fusermount_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_exec_fusermount'($*)) dnl
')

########################################
## <summary>
##	dontaudit Execute fusermount.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`mount_dontaudit_exec_fusermount',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_dontaudit_exec_fusermount'($*)) dnl
	gen_require(`
		type fusermount_exec_t;
	')

	dontaudit $1 fusermount_exec_t:file exec_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_dontaudit_exec_fusermount'($*)) dnl
')

######################################
## <summary>
##	Execute a domain transition to run showmount.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`mount_domtrans_showmount',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_domtrans_showmount'($*)) dnl
	gen_require(`
		type showmount_t, showmount_exec_t;
	')

	domtrans_pattern($1, showmount_exec_t, showmount_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_domtrans_showmount'($*)) dnl
')

######################################
## <summary>
##	Execute showmount in the showmount domain, and
##	allow the specified role the showmount domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the showmount domain.
##	</summary>
## </param>
#
define(`mount_run_showmount',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_run_showmount'($*)) dnl
	gen_require(`
		type showmount_t;
	')

	mount_domtrans_showmount($1)
	role $2 types showmount_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_run_showmount'($*)) dnl
')

#######################################
## <summary>
##	Transition to ecryptmount.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`mount_domtrans_ecryptmount',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_domtrans_ecryptmount'($*)) dnl
	gen_require(`
		type mount_ecryptfs_t, mount_ecryptfs_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_domtrans_ecryptmount'($*)) dnl
')

#######################################
## <summary>
##	Execute mount in the unconfined mount domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`mount_domtrans_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_domtrans_unconfined'($*)) dnl
	gen_require(`
		type unconfined_mount_t, mount_exec_t;
	')

	# Same mount_exec_t entrypoint as mount_domtrans(), but the target is
	# unconfined_mount_t rather than mount_t; prefer mount_domtrans() unless
	# the caller genuinely needs the unconfined domain.
	domtrans_pattern($1, mount_exec_t, unconfined_mount_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_domtrans_unconfined'($*)) dnl
')

#######################################
## <summary>
##	Execute mount in the unconfined mount domain, and
##	allow the specified role the unconfined mount domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`mount_run_unconfined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_run_unconfined'($*)) dnl
	gen_require(`
		type unconfined_mount_t;
	')

	mount_domtrans_unconfined($1)
	role $2 types unconfined_mount_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_run_unconfined'($*)) dnl
')

########################################
## <summary>
##	Allow mount programs to be an entrypoint for
##	the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	The domain for which mount programs is an entrypoint.
##	</summary>
## </param>
#
define(`mount_entry_type',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `mount_entry_type'($*)) dnl
	gen_require(`
		type mount_ecryptfs_exec_t;
		type mount_exec_t;
	')

	# Both the ecryptfs helper and mount itself become entrypoints for $1.
	domain_entry_file($1, mount_ecryptfs_exec_t)
	domain_entry_file($1, mount_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `mount_entry_type'($*)) dnl
')

## <summary>NetLabel/CIPSO labeled networking management</summary>

########################################
## <summary>
##	Execute netlabel_mgmt in the netlabel_mgmt domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`netlabel_domtrans_mgmt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netlabel_domtrans_mgmt'($*)) dnl
	gen_require(`
		type netlabel_mgmt_t, netlabel_mgmt_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, netlabel_mgmt_exec_t, netlabel_mgmt_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netlabel_domtrans_mgmt'($*)) dnl
')

########################################
## <summary>
##	Execute netlabel_mgmt in the netlabel_mgmt domain, and
##	allow the specified role the netlabel_mgmt domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`netlabel_run_mgmt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `netlabel_run_mgmt'($*)) dnl
	gen_require(`
		type netlabel_mgmt_t;
	')

	netlabel_domtrans_mgmt($1)
	role $2 types netlabel_mgmt_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `netlabel_run_mgmt'($*)) dnl
')

## <summary>Policy for SELinux policy and userland applications.</summary>

#######################################
## <summary>
##	Execute checkpolicy in the checkpolicy domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`seutil_domtrans_checkpolicy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_checkpolicy'($*)) dnl
	gen_require(`
		type checkpolicy_t, checkpolicy_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	domtrans_pattern($1, checkpolicy_exec_t, checkpolicy_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_checkpolicy'($*)) dnl
')

########################################
## <summary>
##	Execute checkpolicy in the checkpolicy domain, and
##	allow the specified role the checkpolicy domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`seutil_run_checkpolicy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_checkpolicy'($*)) dnl
	gen_require(`
		type checkpolicy_t;
	')

	seutil_domtrans_checkpolicy($1)
	role $2 types checkpolicy_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_checkpolicy'($*)) dnl
')

########################################
## <summary>
##	Execute checkpolicy in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`seutil_exec_checkpolicy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_exec_checkpolicy'($*)) dnl
	gen_require(`
		type checkpolicy_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	# Runs in the caller's domain; no transition to checkpolicy_t.
	can_exec($1, checkpolicy_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_exec_checkpolicy'($*)) dnl
')

#######################################
## <summary>
##	Execute load_policy in the load_policy domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`seutil_domtrans_loadpolicy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_loadpolicy'($*)) dnl
	gen_require(`
		type load_policy_t, load_policy_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, load_policy_exec_t, load_policy_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_loadpolicy'($*)) dnl
')

########################################
## <summary>
##	Execute load_policy in the load_policy domain, and
##	allow the specified role the load_policy domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`seutil_run_loadpolicy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_loadpolicy'($*)) dnl
	gen_require(`
		type load_policy_t;
	')

	seutil_domtrans_loadpolicy($1)
	role $2 types load_policy_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_loadpolicy'($*)) dnl
')

########################################
## <summary>
##	Execute load_policy in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`seutil_exec_loadpolicy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_exec_loadpolicy'($*)) dnl
	gen_require(`
		type load_policy_exec_t;
	')

	corecmd_search_bin($1)
	# Runs in the caller's domain; no transition to load_policy_t.
	can_exec($1, load_policy_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_exec_loadpolicy'($*)) dnl
')

########################################
## <summary>
##	Allow access check on load_policy.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`seutil_access_check_load_policy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_access_check_load_policy'($*)) dnl
	gen_require(`
		type load_policy_exec_t;
	')

	# Only file execute is granted: no entrypoint and no domain transition,
	# so this satisfies an executability check without can_exec()'s wider grant.
	allow $1 load_policy_exec_t:file execute;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_access_check_load_policy'($*)) dnl
')

########################################
## <summary>
##	Dontaudit access check on load_policy.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`seutil_dontaudit_access_check_load_policy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_access_check_load_policy'($*)) dnl
	gen_require(`
		type load_policy_exec_t;
	')

	dontaudit $1 load_policy_exec_t:file audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_access_check_load_policy'($*)) dnl
')

########################################
## <summary>
##	Read the load_policy program file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`seutil_read_loadpolicy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_read_loadpolicy'($*)) dnl
	gen_require(`
		type load_policy_exec_t;
	')

	corecmd_search_bin($1)
	# Read only; execute is deliberately not included here.
	allow $1 load_policy_exec_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_read_loadpolicy'($*)) dnl
')

#######################################
## <summary>
##	Execute newrole in the newrole domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`seutil_domtrans_newrole',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_newrole'($*)) dnl
	gen_require(`
		type newrole_t, newrole_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	domtrans_pattern($1, newrole_exec_t, newrole_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_newrole'($*)) dnl
')

########################################
## <summary>
##	Execute newrole in the newrole domain, and
##	allow the specified role the newrole domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`seutil_run_newrole',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_newrole'($*)) dnl
	gen_require(`
		type newrole_t;
		#attribute_role newrole_roles;
	')

	# The role-attribute form is disabled; a direct role/type grant is used instead.
	#seutil_domtrans_newrole($1)
	#roleattribute $2 newrole_roles;
	seutil_domtrans_newrole($1)
	role $2 types newrole_t;
	# newrole_t itself is additionally allowed to run the passwd-update helper for $2.
	auth_run_upd_passwd(newrole_t, $2)

	optional_policy(`
		namespace_init_run(newrole_t, $2)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_newrole'($*)) dnl
')

########################################
## <summary>
##	Execute newrole in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`seutil_exec_newrole',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_exec_newrole'($*)) dnl
	gen_require(`
		type newrole_t, newrole_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	# Runs in the caller's domain; newrole_t is required but not transitioned to.
	can_exec($1, newrole_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_exec_newrole'($*)) dnl
')

########################################
## <summary>
##	Do not audit the caller attempts to send
##	a signal to newrole.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`seutil_dontaudit_signal_newrole',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_signal_newrole'($*)) dnl
	gen_require(`
		type newrole_t;
	')

	dontaudit $1 newrole_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_signal_newrole'($*)) dnl
')

########################################
## <summary>
##	Send a SIGCHLD signal to newrole.
## </summary>
## <desc>

##	<p>
##	Allow the specified domain to send a SIGCHLD
##	signal to newrole. This signal is automatically
##	sent from a process that is terminating to
##	its parent. This may be needed by domains
##	that are executed from newrole.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`seutil_sigchld_newrole',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_sigchld_newrole'($*)) dnl
	gen_require(`
		type newrole_t;
	')

	# sigchld only; the generic "signal" permission is not granted.
	allow $1 newrole_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_sigchld_newrole'($*)) dnl
')

########################################
## <summary>
##	Inherit and use newrole file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`seutil_use_newrole_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_use_newrole_fds'($*)) dnl
	gen_require(`
		type newrole_t;
	')

	allow $1 newrole_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_use_newrole_fds'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to inherit and use
##	newrole file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`seutil_dontaudit_use_newrole_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_use_newrole_fds'($*)) dnl
	gen_require(`
		type newrole_t;
	')

	dontaudit $1 newrole_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_use_newrole_fds'($*)) dnl
')

#######################################
## <summary>
##	Execute restorecon in the restorecon domain. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`seutil_domtrans_restorecon',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_restorecon'($*)) dnl
	# Deprecated alias: warns, then forwards to the setfiles interface.
	refpolicywarn(`$0($*) has been deprecated, please use seutil_domtrans_setfiles() instead.')
	seutil_domtrans_setfiles($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_restorecon'($*)) dnl
')

########################################
## <summary>
##	Execute restorecon in the restorecon domain, and
##	allow the specified role the restorecon domain,
##	and use the caller's terminal. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`seutil_run_restorecon',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_restorecon'($*)) dnl
	# Deprecated alias: warns, then forwards both arguments to the setfiles interface.
	refpolicywarn(`$0($*) has been deprecated, please use seutil_run_setfiles() instead.')
	seutil_run_setfiles($1,$2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_restorecon'($*)) dnl
')

########################################
## <summary>
##	Execute restorecon in the caller domain. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`seutil_exec_restorecon',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_exec_restorecon'($*)) dnl
	# Deprecated alias: warns, then forwards to the setfiles interface.
	refpolicywarn(`$0($*) has been deprecated, please use seutil_exec_setfiles() instead.')
	seutil_exec_setfiles($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_exec_restorecon'($*)) dnl
')

########################################
## <summary>
##	Execute restorecond in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`seutil_exec_restorecond',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_exec_restorecond'($*)) dnl
	gen_require(`
		type restorecond_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	# Runs in the caller's domain; no separate restorecond domain is entered here.
	can_exec($1, restorecond_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_exec_restorecond'($*)) dnl
')

########################################
## <summary>
##	Execute run_init in the run_init domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`seutil_domtrans_runinit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_runinit'($*)) dnl
	gen_require(`
		type run_init_t, run_init_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	domtrans_pattern($1, run_init_exec_t, run_init_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_runinit'($*)) dnl
')

########################################
## <summary>
##	Execute init scripts in the run_init domain.
## </summary>
## <desc>

##	<p>
##	Execute init scripts in the run_init domain.
##	This is used for the Gentoo integrated run_init.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`seutil_init_script_domtrans_runinit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_init_script_domtrans_runinit'($*)) dnl
	gen_require(`
		type run_init_t;
	')

	# Transition happens on init script files, not on run_init_exec_t.
	init_script_file_domtrans($1, run_init_t)
	# Reverse-direction grants so run_init_t can talk back to the caller.
	allow run_init_t $1:fd use;
	allow run_init_t $1:fifo_file rw_file_perms;
	allow run_init_t $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_init_script_domtrans_runinit'($*)) dnl
')

########################################
## <summary>
##	Execute run_init in the run_init domain, and
##	allow the specified role the run_init domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`seutil_run_runinit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_runinit'($*)) dnl
	gen_require(`
		#attribute_role run_init_roles;
		type run_init_t;
		role system_r;
	')

	# The role-attribute form is disabled; a direct role/type grant is used instead.
	#seutil_domtrans_runinit($1)
	#roleattribute $2 run_init_roles;
	auth_run_chk_passwd(run_init_t, $2)
	seutil_domtrans_runinit($1)
	role $2 types run_init_t;
	# Role allow rule: lets role $2 change to system_r, which is broader than the
	# run_init_t type grant above and should be kept in mind when assigning $2.
	allow $2 system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_runinit'($*)) dnl
')

########################################
## <summary>
##	Execute init scripts in the run_init domain, and
##	allow the specified role the run_init domain,
##	and use the caller's terminal.
## </summary>
## <desc>

##	<p>
##	Execute init scripts in the run_init domain, and
##	allow the specified role the run_init domain,
##	and use the caller's terminal.
##	</p>
##	<p>
##	This is used for the Gentoo integrated run_init.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
define(`seutil_init_script_run_runinit',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_init_script_run_runinit'($*)) dnl
	gen_require(`
		#attribute_role run_init_roles;
		type run_init_t;
		role system_r;
	')

	# The role-attribute form is disabled; a direct role/type grant is used instead.
	#seutil_init_script_domtrans_runinit($1)
	#roleattribute $2 run_init_roles;
	auth_run_chk_passwd(run_init_t, $2)
	seutil_init_script_domtrans_runinit($1)
	role $2 types run_init_t;
	# Role allow rule: lets role $2 change to system_r (same grant as seutil_run_runinit()).
	allow $2 system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_init_script_run_runinit'($*)) dnl
')

########################################
## <summary>
##	Inherit and use run_init file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`seutil_use_runinit_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_use_runinit_fds'($*)) dnl
	gen_require(`
		type run_init_t;
	')

	allow $1 run_init_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_use_runinit_fds'($*)) dnl
')

########################################
## <summary>
##	Execute setfiles in the setfiles domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`seutil_domtrans_setfiles',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_setfiles'($*)) dnl
	gen_require(`
		type setfiles_t, setfiles_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	domtrans_pattern($1, setfiles_exec_t, setfiles_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_setfiles'($*)) dnl
')

########################################
## <summary>
##	Execute setfiles in the setfiles domain, and
##	allow the specified role the setfiles domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`seutil_run_setfiles',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_setfiles'($*)) dnl
	gen_require(`
		type setfiles_t;
	')

	seutil_domtrans_setfiles($1)
	role $2 types setfiles_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_setfiles'($*)) dnl
')

########################################
## <summary>
##	Execute setfiles in the setfiles_mac domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`seutil_domtrans_setfiles_mac',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_setfiles_mac'($*)) dnl
	gen_require(`
		type setfiles_mac_t, setfiles_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	# Same setfiles_exec_t entrypoint as seutil_domtrans_setfiles(), but the
	# target domain is setfiles_mac_t instead of setfiles_t.
	domtrans_pattern($1, setfiles_exec_t, setfiles_mac_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_setfiles_mac'($*)) dnl
')

########################################
## <summary>
##	Allow caller nnp_transition and nosuid_transition to setfiles_mac_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`seutil_nnp_domtrans_setfiles_mac',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_nnp_domtrans_setfiles_mac'($*)) dnl
	gen_require(`
		type setfiles_mac_t;
	')

	# Does not by itself set up a transition; it only lets an existing
	# $1 -> setfiles_mac_t transition proceed when the caller has
	# no_new_privs set or executes from a nosuid mount.
	allow $1 setfiles_mac_t:process2 { nnp_transition nosuid_transition };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_nnp_domtrans_setfiles_mac'($*)) dnl
')

########################################
## <summary>
##	Execute setfiles in the setfiles_mac domain, and
##	allow the specified role the setfiles_mac domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the setfiles_mac domain.
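##
#
define(`seutil_run_setfiles_mac',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_setfiles_mac'($*)) dnl
gen_require(`
	type setfiles_mac_t;
')

	seutil_domtrans_setfiles_mac($1)
	role $2 types setfiles_mac_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_setfiles_mac'($*)) dnl
')

########################################
##
##	Execute setfiles in the caller domain.
##
##	Domain allowed access.
##
#
define(`seutil_exec_setfiles',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_exec_setfiles'($*)) dnl
gen_require(`
	type setfiles_exec_t;
')

	files_search_usr($1)
	corecmd_search_bin($1)
	can_exec($1, setfiles_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_exec_setfiles'($*)) dnl
')

########################################
##
##	Allow access check on setfiles.
##
##	Domain allowed access.
##
#
define(`seutil_access_check_setfiles',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_access_check_setfiles'($*)) dnl
gen_require(`
	type setfiles_exec_t;
')

	# An access(2) X_OK probe is decided by the execute permission itself;
	# audit_access (used by seutil_dontaudit_access_check_setfiles) only
	# controls whether such probes are audited.
	allow $1 setfiles_exec_t:file execute;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_access_check_setfiles'($*)) dnl
')

########################################
##
##	Dontaudit access check on setfiles.
##
##	Domain to not audit.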
## ## # define(`seutil_dontaudit_access_check_setfiles',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_access_check_setfiles'($*)) dnl gen_require(` type setfiles_exec_t; ') dontaudit $1 setfiles_exec_t:file audit_access; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_dontaudit_access_check_setfiles'($*)) dnl ') ######################################## ## ## Do not audit attempts to search the SELinux ## configuration directory (/etc/selinux). ## ## ## ## Domain to not audit. ## ## # define(`seutil_dontaudit_search_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_search_config'($*)) dnl gen_require(` type selinux_config_t; ') dontaudit $1 selinux_config_t:dir search_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_dontaudit_search_config'($*)) dnl ') ######################################## ## ## Allow attempts to search the SELinux ## configuration directory (/etc/selinux). ## ## ## ## Domain allowed access. ## ## # define(`seutil_search_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_search_config'($*)) dnl gen_require(` type selinux_config_t; ') allow $1 selinux_config_t:dir search_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_search_config'($*)) dnl ') ######################################## ## ## Do not audit attempts to read the SELinux ## userland configuration (/etc/selinux). ## ## ## ## Domain to not audit. 
## ## # define(`seutil_dontaudit_read_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_read_config'($*)) dnl gen_require(` type selinux_config_t; ') dontaudit $1 selinux_config_t:dir search_dir_perms; dontaudit $1 selinux_config_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_dontaudit_read_config'($*)) dnl ') ######################################## ## ## Read the general SELinux configuration files. ## ## ## ## Domain allowed access. ## ## ## # define(`seutil_read_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_read_config'($*)) dnl gen_require(` type selinux_config_t; ') files_search_etc($1) allow $1 selinux_config_t:dir list_dir_perms; read_files_pattern($1, selinux_config_t, selinux_config_t) read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_read_config'($*)) dnl ') ######################################## ## ## Read and write the general SELinux configuration files. ## ## ## ## Domain allowed access. ## ## ## # define(`seutil_rw_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_rw_config'($*)) dnl gen_require(` type selinux_config_t; ') files_search_etc($1) allow $1 selinux_config_t:dir list_dir_perms; rw_files_pattern($1, selinux_config_t, selinux_config_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_rw_config'($*)) dnl ') ####################################### ## ## Create, read, write, and delete ## the general selinux configuration files. (Deprecated) ## ## ##

## Create, read, write, and delete ## the general selinux configuration files. ##

##

## This interface has been deprecated, please ## use the seutil_manage_config() interface instead. ##

##
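##	Domain allowed access.
##
#
define(`seutil_manage_selinux_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_manage_selinux_config'($*)) dnl
	# Deprecated wrapper: warns at build time and forwards to seutil_manage_config().
	refpolicywarn(`$0($*) has been deprecated. Please use seutil_manage_config() instead.')
	seutil_manage_config($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_manage_selinux_config'($*)) dnl
')

#######################################
##
##	Create, read, write, and delete
##	the general selinux configuration files.
##
##	Domain allowed access.
##
#
define(`seutil_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_manage_config'($*)) dnl
gen_require(`
	type selinux_config_t;
')

	files_search_etc($1)
	manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
	manage_files_pattern($1, selinux_config_t, selinux_config_t)
	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_manage_config'($*)) dnl
')

######################################
##
##	Create, read, write, and delete
##	the general selinux configuration directories.
##
##	Domain allowed access.
##
#
define(`seutil_manage_config_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_manage_config_dirs'($*)) dnl
gen_require(`
	type selinux_config_t;
')

	files_search_etc($1)
	# Directory permissions only; file content is covered by seutil_manage_config.
	allow $1 selinux_config_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_manage_config_dirs'($*)) dnl
')

########################################
##
##	Do not audit attempts to search the SELinux
##	login configuration directory.
##
##	Domain to not audit.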
## ## # define(`seutil_dontaudit_search_login_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_search_login_config'($*)) dnl gen_require(` type selinux_login_config_t; ') dontaudit $1 selinux_login_config_t:dir search_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_dontaudit_search_login_config'($*)) dnl ') ######################################## ## ## Do not audit attempts to read the SELinux ## login configuration. ## ## ## ## Domain to not audit. ## ## # define(`seutil_dontaudit_read_login_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_read_login_config'($*)) dnl gen_require(` type selinux_login_config_t; ') dontaudit $1 selinux_login_config_t:dir search_dir_perms; dontaudit $1 selinux_login_config_t:file read_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_dontaudit_read_login_config'($*)) dnl ') ######################################## ## ## Read the SELinux login configuration files. ## ## ## ## Domain allowed access. ## ## # define(`seutil_read_login_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_read_login_config'($*)) dnl gen_require(` type selinux_config_t; type selinux_login_config_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search_dir_perms; allow $1 selinux_login_config_t:dir list_dir_perms; read_files_pattern($1, selinux_login_config_t, selinux_login_config_t) read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_read_login_config'($*)) dnl ') ######################################## ## ## Read and write the SELinux login configuration files. ## ## ## ## Domain allowed access. 
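##
#
define(`seutil_rw_login_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_rw_login_config'($*)) dnl
gen_require(`
	type selinux_config_t;
	type selinux_login_config_t;
')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;
	allow $1 selinux_login_config_t:dir list_dir_perms;
	rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_rw_login_config'($*)) dnl
')

#######################################
##
##	Read and write the SELinux login
##	configuration directories.
##
##	Domain allowed access.
##
#
define(`seutil_rw_login_config_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_rw_login_config_dirs'($*)) dnl
gen_require(`
	type selinux_config_t;
	type selinux_login_config_t;
')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;
	# Directory permissions only; no access to the files inside.
	allow $1 selinux_login_config_t:dir rw_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_rw_login_config_dirs'($*)) dnl
')

######################################
##
##	Create, read, write, and delete
##	the SELinux login configuration files.
##
##	Domain allowed access.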
## ## # define(`seutil_manage_login_config',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_manage_login_config'($*)) dnl gen_require(` type selinux_config_t; type selinux_login_config_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search_dir_perms; manage_dirs_pattern($1, selinux_login_config_t, selinux_login_config_t) manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t) read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_manage_login_config'($*)) dnl ') ###################################### ## ## manage the login selinux configuration files. ## ## ## ## Domain allowed access. ## ## # define(`seutil_manage_login_config_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_manage_login_config_files'($*)) dnl gen_require(` type selinux_config_t; type selinux_login_config_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search_dir_perms; manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t) read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_manage_login_config_files'($*)) dnl ') ######################################## ## ## Search the policy directory with default_context files. ## ## ## ## Domain allowed access. 
## ## # define(`seutil_search_default_contexts',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_search_default_contexts'($*)) dnl gen_require(` type selinux_config_t, default_context_t; ') files_search_etc($1) search_dirs_pattern($1, selinux_config_t, default_context_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_search_default_contexts'($*)) dnl ') ######################################## ## ## Read the default_contexts files. ## ## ## ## Domain allowed access. ## ## ## # define(`seutil_read_default_contexts',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_read_default_contexts'($*)) dnl gen_require(` type selinux_config_t, default_context_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search_dir_perms; allow $1 default_context_t:dir list_dir_perms; read_files_pattern($1, default_context_t, default_context_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_read_default_contexts'($*)) dnl ') ####################################### ## ## Read and write the default_contexts files. ## ## ## ## Domain allowed access. ## ## ## # define(`seutil_rw_default_contexts',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_rw_default_contexts'($*)) dnl gen_require(` type default_context_t; type selinux_config_t; ') files_search_etc($1) allow $1 selinux_config_t:dir list_dir_perms; allow $1 default_context_t:dir list_dir_perms; rw_files_pattern($1, default_context_t, default_context_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_rw_default_contexts'($*)) dnl ') ######################################## ## ## Create, read, write, and delete the default_contexts files. ## ## ## ## Domain allowed access. 
## ## # define(`seutil_manage_default_contexts',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_manage_default_contexts'($*)) dnl gen_require(` type selinux_config_t, default_context_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search_dir_perms; manage_files_pattern($1, default_context_t, default_context_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_manage_default_contexts'($*)) dnl ') ######################################## ## ## Read the file_contexts files. ## ## ## ## Domain allowed access. ## ## ## # define(`seutil_read_file_contexts',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_read_file_contexts'($*)) dnl gen_require(` type selinux_config_t, default_context_t, file_context_t; ') files_search_etc($1) allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; list_dirs_pattern($1, file_context_t, file_context_t) read_files_pattern($1, file_context_t, file_context_t) read_lnk_files_pattern($1, file_context_t, file_context_t) allow $1 file_context_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_read_file_contexts'($*)) dnl ') ######################################## ## ## Do not audit attempts to read the file_contexts files. ## ## ## ## Domain to not audit. 
## ## ## # define(`seutil_dontaudit_read_file_contexts',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_read_file_contexts'($*)) dnl gen_require(` type selinux_config_t, default_context_t, file_context_t; ') dontaudit $1 { selinux_config_t default_context_t file_context_t }:dir search_dir_perms; dontaudit $1 file_context_t:file read_file_perms; dontaudit $1 file_context_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_dontaudit_read_file_contexts'($*)) dnl ') ######################################## ## ## Read and write the file_contexts files. ## ## ## ## Domain allowed access. ## ## # define(`seutil_rw_file_contexts',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_rw_file_contexts'($*)) dnl gen_require(` type selinux_config_t, file_context_t, default_context_t; ') files_search_etc($1) allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; rw_files_pattern($1, file_context_t, file_context_t) allow $1 file_context_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_rw_file_contexts'($*)) dnl ') ######################################## ## ## Create, read, write, and delete the file_contexts files. ## ## ## ## Domain allowed access. 
## ## ## # define(`seutil_manage_file_contexts',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_manage_file_contexts'($*)) dnl gen_require(` type selinux_config_t, file_context_t, default_context_t; ') files_search_etc($1) allow $1 { selinux_config_t default_context_t }:dir search_dir_perms; manage_files_pattern($1, file_context_t, file_context_t) manage_dirs_pattern($1, file_context_t, file_context_t) allow $1 file_context_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_manage_file_contexts'($*)) dnl ') ######################################## ## ## Read the SELinux binary policy. ## ## ## ## Domain allowed access. ## ## # define(`seutil_read_bin_policy',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_read_bin_policy'($*)) dnl gen_require(` type selinux_config_t, policy_config_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search_dir_perms; read_files_pattern($1, policy_config_t, policy_config_t) allow $1 policy_config_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_read_bin_policy'($*)) dnl ') ######################################## ## ## Create the SELinux binary policy. ## ## ## ## Domain allowed access. 
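##
#
define(`seutil_create_bin_policy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_create_bin_policy'($*)) dnl
gen_require(`
	type selinux_config_t, policy_config_t;
')

	files_search_etc($1)
	allow $1 selinux_config_t:dir search_dir_perms;
	create_files_pattern($1, policy_config_t, policy_config_t)
	write_files_pattern($1, policy_config_t, policy_config_t)
	# NOTE(review): unlike seutil_manage_bin_policy, the caller is not marked
	# with the can_write_binary_policy attribute here (that typeattribute was
	# disabled), so any rule keyed on the attribute does not see domains that
	# obtain write access to the binary policy through this interface.
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_create_bin_policy'($*)) dnl
')

########################################
##
##	Allow the caller to relabel a file to the binary policy type.
##
##	Domain allowed access.
##
#
define(`seutil_relabelto_bin_policy',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_relabelto_bin_policy'($*)) dnl
gen_require(`
	attribute can_relabelto_binary_policy;
	type policy_config_t;
')

	allow $1 policy_config_t:file relabelto;
	# The attribute records which domains may relabel to the binary policy type.
	typeattribute $1 can_relabelto_binary_policy;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_relabelto_bin_policy'($*)) dnl
')

########################################
##
##	Create, read, write, and delete the SELinux
##	binary policy.
##
##	Domain allowed access.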
## ## # define(`seutil_manage_bin_policy',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_manage_bin_policy'($*)) dnl gen_require(` attribute can_write_binary_policy; type selinux_config_t, policy_config_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search_dir_perms; manage_files_pattern($1, policy_config_t, policy_config_t) typeattribute $1 can_write_binary_policy; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_manage_bin_policy'($*)) dnl ') ######################################## ## ## Read SELinux policy source files. ## ## ## ## Domain allowed access. ## ## # define(`seutil_read_src_policy',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_read_src_policy'($*)) dnl gen_require(` type selinux_config_t, policy_src_t; ') files_search_etc($1) list_dirs_pattern($1, selinux_config_t, policy_src_t) read_files_pattern($1, policy_src_t, policy_src_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_read_src_policy'($*)) dnl ') ######################################## ## ## Create, read, write, and delete SELinux ## policy source files. ## ## ## ## Domain allowed access. ## ## ## # define(`seutil_manage_src_policy',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_manage_src_policy'($*)) dnl gen_require(` type selinux_config_t, policy_src_t; ') files_search_etc($1) allow $1 selinux_config_t:dir search_dir_perms; manage_dirs_pattern($1, policy_src_t, policy_src_t) manage_files_pattern($1, policy_src_t, policy_src_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_manage_src_policy'($*)) dnl ') ######################################## ## ## Execute a domain transition to run semanage. ## ## ## ## Domain allowed to transition. 
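##
#
define(`seutil_domtrans_semanage',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_semanage'($*)) dnl
gen_require(`
	type semanage_t, semanage_exec_t;
')

	files_search_usr($1)
	corecmd_search_bin($1)
	domtrans_pattern($1, semanage_exec_t, semanage_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_semanage'($*)) dnl
')

########################################
##
##	Execute a domain transition to run setsebool.
##
##	Domain allowed to transition.
##
#
define(`seutil_domtrans_setsebool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_domtrans_setsebool'($*)) dnl
gen_require(`
	type setsebool_t, setsebool_exec_t;
')

	files_search_usr($1)
	corecmd_search_bin($1)
	domtrans_pattern($1, setsebool_exec_t, setsebool_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_domtrans_setsebool'($*)) dnl
')

########################################
##
##	Execute semanage in the semanage domain, and
##	allow the specified role the semanage domain,
##	and use the caller's terminal.
##
##	Domain allowed to transition.
##
##	Role allowed access.
##
#
define(`seutil_run_semanage',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_semanage'($*)) dnl
gen_require(`
	type semanage_t;
')

	seutil_domtrans_semanage($1)
	# semanage spawns setfiles and load_policy; the role needs those
	# domains too, so they are granted here rather than by each caller.
	seutil_run_setfiles(semanage_t, $2)
	seutil_run_loadpolicy(semanage_t, $2)
	role $2 types semanage_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_semanage'($*)) dnl
')

########################################
##
##	Execute setsebool in the setsebool domain, and
##	allow the specified role the setsebool domain,
##	and use the caller's terminal.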
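##
##	Domain allowed access.
##
##	The role to be allowed the setsebool domain.
##
#
define(`seutil_run_setsebool',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_run_setsebool'($*)) dnl
gen_require(`
	# setsebool_t is the type granted to the role below; the require block
	# previously listed semanage_t, which this interface never uses.
	type setsebool_t;
')

	seutil_domtrans_setsebool($1)
	role $2 types setsebool_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_run_setsebool'($*)) dnl
')

########################################
##
##	Allow access check on the semanage
##	module store.
##
##	Domain allowed access.
##
#
define(`seutil_access_check_module_store',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_access_check_module_store'($*)) dnl
gen_require(`
	type semanage_store_t;
')

	files_search_etc($1)
	allow $1 semanage_store_t:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_access_check_module_store'($*)) dnl
')

########################################
##
##	Read the semanage module store.
##
##	Domain allowed access.
##
#
define(`seutil_read_module_store',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_read_module_store'($*)) dnl
gen_require(`
	type selinux_config_t, semanage_store_t;
')

	files_search_etc($1)
	list_dirs_pattern($1, selinux_config_t, semanage_store_t)
	read_files_pattern($1, semanage_store_t, semanage_store_t)
	read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_read_module_store'($*)) dnl
')

########################################
##
##	Do not audit attempts to read the semanage
##	module store.
##
##	Domain to not audit.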
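##
#
define(`seutil_dontaudit_read_module_store',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_read_module_store'($*)) dnl
gen_require(`
	type semanage_store_t;
')

	dontaudit $1 semanage_store_t:dir list_dir_perms;
	dontaudit $1 semanage_store_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_read_module_store'($*)) dnl
')

#######################################
##
##	Dontaudit access check on the semanage
##	module store.
##
##	Domain to not audit.
##
#
define(`seutil_dontaudit_access_check_semanage_module_store',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_access_check_semanage_module_store'($*)) dnl
gen_require(`
	type semanage_store_t;
')

	dontaudit $1 semanage_store_t:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_dontaudit_access_check_semanage_module_store'($*)) dnl
')

########################################
##
##	Full management of the semanage
##	module store.
##
##	Domain allowed access.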
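##
#
define(`seutil_manage_module_store',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_manage_module_store'($*)) dnl
gen_require(`
	type selinux_config_t, semanage_store_t;
')

	files_search_etc($1)
	files_search_var($1)
	manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
	manage_dirs_pattern($1, semanage_store_t, semanage_store_t)
	manage_files_pattern($1, semanage_store_t, semanage_store_t)
	manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
	# Store directories created under the config directory get the store type.
	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_manage_module_store'($*)) dnl
')

#######################################
##
##	Get read lock on module store
##
##	Domain allowed access.
##
#
define(`seutil_get_semanage_read_lock',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_get_semanage_read_lock'($*)) dnl
gen_require(`
	type selinux_config_t, semanage_read_lock_t;
')

	files_search_etc($1)
	rw_files_pattern($1, selinux_config_t, semanage_read_lock_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_get_semanage_read_lock'($*)) dnl
')

#######################################
##
##	Dontaudit access check on the semanage read lock
##
##	Domain to not audit.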
## ## # define(`seutil_dontaudit_access_check_semanage_read_lock',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_access_check_semanage_read_lock'($*)) dnl gen_require(` type semanage_read_lock_t; ') dontaudit $1 semanage_read_lock_t:dir_file_class_set audit_access; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_dontaudit_access_check_semanage_read_lock'($*)) dnl ') ####################################### ## ## Get trans lock on module store ## ## ## ## Domain allowed access. ## ## # define(`seutil_get_semanage_trans_lock',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_get_semanage_trans_lock'($*)) dnl gen_require(` type selinux_config_t, semanage_trans_lock_t; ') files_search_etc($1) rw_files_pattern($1, selinux_config_t, semanage_trans_lock_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_get_semanage_trans_lock'($*)) dnl ') ######################################## ## ## SELinux-enabled program access for ## libselinux-linked programs. ## ## ##

## SELinux-enabled programs are typically ## linked to the libselinux library. This ## interface will allow access required for ## the libselinux constructor to function. ##

##
## ## ## Domain allowed access. ## ## # define(`seutil_libselinux_linked',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_libselinux_linked'($*)) dnl selinux_get_fs_mount($1) seutil_read_config($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_libselinux_linked'($*)) dnl ') ######################################## ## ## Do not audit SELinux-enabled program access for ## libselinux-linked programs. ## ## ##

## SELinux-enabled programs are typically ## linked to the libselinux library. This ## interface will dontaudit access required for ## the libselinux constructor to function. ##

##

## Generally this should not be used on anything ## but simple SELinux-enabled programs that do not ## rely on data initialized by the libselinux ## constructor. ##

##
## ## ## Domain to not audit. ## ## # define(`seutil_dontaudit_libselinux_linked',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_dontaudit_libselinux_linked'($*)) dnl selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_dontaudit_libselinux_linked'($*)) dnl ') ####################################### ## ## All rules necessary to run semanage command ## ## ## ## Domain allowed access. ## ## # define(`seutil_semanage_policy',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `seutil_semanage_policy'($*)) dnl gen_require(` type semanage_tmp_t; type policy_config_t; attribute policy_manager_domain; ') typeattribute $1 policy_manager_domain; kernel_read_system_state($1) # Running genhomedircon requires this for finding all users auth_use_nsswitch($1) mls_file_write_all_levels($1) mls_file_read_all_levels($1) selinux_get_enforce_mode($1) seutil_manage_bin_policy($1) logging_send_syslog_msg($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `seutil_semanage_policy'($*)) dnl ') ####################################### ## ## All rules necessary to run setfiles command ## ## ## ## Domain allowed access. 
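##
#
define(`seutil_setfiles',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_setfiles'($*)) dnl
gen_require(`
	attribute setfiles_domain;
')

	typeattribute $1 setfiles_domain;

	kernel_read_system_state($1)

	seutil_libselinux_linked($1)

	# Relabeling every file implies MLS read/write at all levels and
	# the ability to move files up and down in sensitivity.
	files_relabel_all_files($1)

	mls_file_read_all_levels($1)
	mls_file_write_all_levels($1)
	mls_file_upgrade($1)
	mls_file_downgrade($1)

	# this is to satisfy the assertion:
	auth_relabelto_shadow($1)

	logging_send_syslog_msg($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_setfiles'($*)) dnl
')

#####################################
##
##	File name transition for selinux utility content
##
##	Domain allowed access.
##
#
define(`seutil_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_filetrans_named_content'($*)) dnl
gen_require(`
	type default_context_t, semanage_store_t;
	type selinux_config_t, semanage_trans_lock_t;
	type semanage_read_lock_t;
	type file_context_t, selinux_login_config_t;
')

	filetrans_pattern($1, selinux_config_t, default_context_t, dir, "contexts")
	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "policy")
	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp")
	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
	# Each lock file gets its own type, matching what seutil_get_semanage_read_lock
	# and seutil_get_semanage_trans_lock grant; the read lock previously
	# transitioned to semanage_trans_lock_t.
	filetrans_pattern($1, selinux_config_t, semanage_read_lock_t, file, "semanage.read.LOCK")
	filetrans_pattern($1, selinux_config_t, semanage_trans_lock_t, file, "semanage.trans.LOCK")
	filetrans_pattern($1, selinux_config_t, selinux_login_config_t, dir, "logins")
	filetrans_pattern($1, default_context_t, file_context_t, dir, "files")
	userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_filetrans_named_content'($*)) dnl
')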
########################################
##
## Send and receive messages from
## semanage dbus server over dbus.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`seutil_dbus_chat_semanage',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `seutil_dbus_chat_semanage'($*)) dnl
	gen_require(`
		type semanage_t;
		class dbus send_msg;
	')

	# Bidirectional: semanage_t is also given the ps_process_pattern view
	# of the caller and may send dbus messages back to it.
	ps_process_pattern(semanage_t, $1)
	allow $1 semanage_t:dbus send_msg;
	allow semanage_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `seutil_dbus_chat_semanage'($*)) dnl
')

## SELinux MLS/MCS label translation service.

########################################
##
## Execute setrans server in the setrans domain.
##
## Parameters:
## 1. Domain allowed to transition.
##
#
define(`setrans_initrc_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setrans_initrc_domtrans'($*)) dnl
	gen_require(`
		type setrans_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, setrans_initrc_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setrans_initrc_domtrans'($*)) dnl
')

#######################################
##
## Allow a domain to translate contexts.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`setrans_translate_context',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setrans_translate_context'($*)) dnl
	gen_require(`
		type setrans_t, setrans_var_run_t;
		class context translate;
	')

	# The caller talks to setrans over its unix stream socket in the pid
	# directory; files_list_pids is needed to reach that socket.
	allow $1 self:unix_stream_socket create_stream_socket_perms;
	allow $1 setrans_t:context translate;
	stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
	files_list_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setrans_translate_context'($*)) dnl
')

#######################################
##
## Allow a domain to manage pid files
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`setrans_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `setrans_manage_pid_files'($*)) dnl
	gen_require(`
		type setrans_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, setrans_var_run_t, setrans_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `setrans_manage_pid_files'($*)) dnl
')

## Policy for network configuration: ifconfig and dhcp client.

#######################################
##
## Execute dhcp client in dhcpc domain.
##
## Parameters:
## 1. Domain allowed to transition.
##
#
define(`sysnet_domtrans_dhcpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_domtrans_dhcpc'($*)) dnl
	gen_require(`
		type dhcpc_t, dhcpc_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, dhcpc_exec_t, dhcpc_t)
	allow $1 dhcpc_exec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_domtrans_dhcpc'($*)) dnl
')

########################################
##
## Execute DHCP clients in the dhcpc domain, and
## allow the specified role the dhcpc domain.
##
## Parameters:
## 1. Domain allowed to transition.
## 2. Role allowed access.
##
#
define(`sysnet_run_dhcpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_run_dhcpc'($*)) dnl
	gen_require(`
		type dhcpc_t;
		attribute_role dhcpc_roles;
	')

	sysnet_domtrans_dhcpc($1)
	roleattribute $2 dhcpc_roles;

	# The helpers dhcpc_t may run are also placed in the given role, so the
	# role reaches each of those domains through dhcpc_t.
	optional_policy(`
		networkmanager_run(dhcpc_t, $2)
	')

	optional_policy(`
		nis_run_ypbind(dhcpc_t, $2)
	')

	optional_policy(`
		nscd_run(dhcpc_t, $2)
	')

	optional_policy(`
		ntp_run(dhcpc_t, $2)
	')

	seutil_run_setfiles(dhcpc_t, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_run_dhcpc'($*)) dnl
')

########################################
##
## Do not audit attempts to read and
## write dhcpc udp socket descriptors.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`sysnet_dontaudit_rw_dhcpc_udp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_dontaudit_rw_dhcpc_udp_sockets'($*)) dnl
	gen_require(`
		type dhcpc_t;
	')

	dontaudit $1 dhcpc_t:udp_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_dontaudit_rw_dhcpc_udp_sockets'($*)) dnl
')

########################################
##
## Do not audit attempts to use
## the dhcp file descriptors.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`sysnet_dontaudit_use_dhcpc_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_dontaudit_use_dhcpc_fds'($*)) dnl
	gen_require(`
		type dhcpc_t;
	')

	# Leaked descriptors inherited from dhcpc_t are common; hide the noise.
	dontaudit $1 dhcpc_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_dontaudit_use_dhcpc_fds'($*)) dnl
')

########################################
##
## Do not audit attempts to read/write to the
## dhcp unix stream socket descriptors.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`sysnet_dontaudit_rw_dhcpc_unix_stream_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_dontaudit_rw_dhcpc_unix_stream_sockets'($*)) dnl
	gen_require(`
		type dhcpc_t;
	')

	dontaudit $1 dhcpc_t:unix_stream_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_dontaudit_rw_dhcpc_unix_stream_sockets'($*)) dnl
')

########################################
##
## Send a SIGCHLD signal to the dhcp client.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_sigchld_dhcpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_sigchld_dhcpc'($*)) dnl
	gen_require(`
		type dhcpc_t;
	')

	allow $1 dhcpc_t:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_sigchld_dhcpc'($*)) dnl
')

########################################
##
## Send a kill signal to the dhcp client.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_kill_dhcpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_kill_dhcpc'($*)) dnl
	gen_require(`
		type dhcpc_t;
	')

	allow $1 dhcpc_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_kill_dhcpc'($*)) dnl
')

########################################
##
## Send a SIGSTOP signal to the dhcp client.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_sigstop_dhcpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_sigstop_dhcpc'($*)) dnl
	gen_require(`
		type dhcpc_t;
	')

	allow $1 dhcpc_t:process sigstop;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_sigstop_dhcpc'($*)) dnl
')

########################################
##
## Send a null signal to the dhcp client.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_signull_dhcpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_signull_dhcpc'($*)) dnl
	gen_require(`
		type dhcpc_t;
	')

	# signull is the existence check (kill -0); it delivers nothing.
	allow $1 dhcpc_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_signull_dhcpc'($*)) dnl
')

########################################
##
## Send a generic signal to the dhcp client.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_signal_dhcpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_signal_dhcpc'($*)) dnl
	gen_require(`
		type dhcpc_t;
	')

	allow $1 dhcpc_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_signal_dhcpc'($*)) dnl
')

########################################
##
## Send and receive messages from
## dhcpc over dbus.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_dbus_chat_dhcpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_dbus_chat_dhcpc'($*)) dnl
	gen_require(`
		type dhcpc_t;
		class dbus send_msg;
	')

	allow $1 dhcpc_t:dbus send_msg;
	allow dhcpc_t $1:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_dbus_chat_dhcpc'($*)) dnl
')

########################################
##
## Read and write dhcp configuration files.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_rw_dhcp_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_rw_dhcp_config'($*)) dnl
	gen_require(`
		type dhcp_etc_t;
	')

	files_search_etc($1)
	rw_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_rw_dhcp_config'($*)) dnl
')

########################################
##
## Search the DHCP client state
## directories.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_search_dhcpc_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_search_dhcpc_state'($*)) dnl
	gen_require(`
		type dhcpc_state_t;
	')

	files_search_var_lib($1)
	allow $1 dhcpc_state_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_search_dhcpc_state'($*)) dnl
')

########################################
##
## Read dhcp client state files.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_read_dhcpc_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_read_dhcpc_state'($*)) dnl
	gen_require(`
		type dhcpc_state_t;
	')

	list_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t)
	read_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_read_dhcpc_state'($*)) dnl
')

#######################################
##
## Delete the dhcp client state files.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_delete_dhcpc_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_delete_dhcpc_state'($*)) dnl
	gen_require(`
		type dhcpc_state_t;
	')

	delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_delete_dhcpc_state'($*)) dnl
')

########################################
##
## Allow caller to relabel dhcpc_state files
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_relabelfrom_dhcpc_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_relabelfrom_dhcpc_state'($*)) dnl
	gen_require(`
		type dhcpc_state_t;
	')

	# relabelfrom only; the target type needs its own relabelto rule.
	allow $1 dhcpc_state_t:file relabelfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_relabelfrom_dhcpc_state'($*)) dnl
')

#######################################
##
## Manage the dhcp client state files.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_manage_dhcpc_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_manage_dhcpc_state'($*)) dnl
	gen_require(`
		type dhcpc_state_t;
	')

	manage_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_manage_dhcpc_state'($*)) dnl
')

#######################################
##
## Set the attributes of network config files.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_setattr_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_setattr_config'($*)) dnl
	gen_require(`
		type net_conf_t;
	')

	files_search_etc($1)
	allow $1 net_conf_t:file setattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_setattr_config'($*)) dnl
')

#######################################
##
## Allow caller to relabel net_conf files
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_relabelfrom_net_conf',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_relabelfrom_net_conf'($*)) dnl
	gen_require(`
		type net_conf_t;
	')

	allow $1 net_conf_t:file relabelfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_relabelfrom_net_conf'($*)) dnl
')

######################################
##
## Allow caller to relabel files to the net_conf type
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_relabelto_net_conf',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_relabelto_net_conf'($*)) dnl
	gen_require(`
		type net_conf_t;
	')

	# relabelto lets the caller turn an arbitrary file it can relabelfrom
	# into a network config file; pair with care.
	allow $1 net_conf_t:file relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_relabelto_net_conf'($*)) dnl
')

#######################################
##
## Read network config files.
##

## Allow the specified domain to read the
## general network configuration files. A
## common example of this is the
## /etc/resolv.conf file, which has domain
## name system (DNS) server IP addresses.
## Typically, most networking processes will
## require the access provided by this interface.
##

##

## Higher-level interfaces which involve
## networking will generally call this interface,
## for example:
##

##
##
## - sysnet_dns_name_resolve()
## - sysnet_use_ldap()
## - sysnet_use_portmap()
##
##
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_read_config'($*)) dnl
	gen_require(`
		type net_conf_t;
	')

	files_search_etc($1)
	read_files_pattern($1, net_conf_t, net_conf_t)
	read_lnk_files_pattern($1, net_conf_t, net_conf_t)

	# Distro-specific: net_conf_t content is also looked up under the
	# runtime (pid) directories on these distributions, presumably because
	# resolv.conf is a symlink into them; confirm against the file contexts.
	ifdef(`distro_debian',`
		files_search_pids($1)
		list_dirs_pattern($1, net_conf_t, net_conf_t)
	')

	ifdef(`distro_redhat',`
		files_search_all_pids($1)
		init_search_pid_dirs($1)
		list_dirs_pattern($1, net_conf_t, net_conf_t)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_read_config'($*)) dnl
')

#######################################
##
## Do not audit attempts to read network config files.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`sysnet_dontaudit_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_dontaudit_read_config'($*)) dnl
	gen_require(`
		type net_conf_t;
	')

	dontaudit $1 net_conf_t:file read_file_perms;
	dontaudit $1 net_conf_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_dontaudit_read_config'($*)) dnl
')

#######################################
##
## Write network config files.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_write_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_write_config'($*)) dnl
	gen_require(`
		type net_conf_t;
	')

	# Write access to resolver and host configuration; a writer can redirect
	# name resolution for the whole system, so grant sparingly.
	files_search_etc($1)
	allow $1 net_conf_t:file write_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_write_config'($*)) dnl
')

#######################################
##
## Create network config files.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_create_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_create_config'($*)) dnl
	gen_require(`
		type net_conf_t;
	')

	files_rw_etc_dirs($1)
	allow $1 net_conf_t:file create_file_perms;
	allow $1 net_conf_t:lnk_file create_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_create_config'($*)) dnl
')

#######################################
##
## Watch network config files and lnk_files.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_watch_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_watch_config'($*)) dnl
	gen_require(`
		type net_conf_t;
	')

	files_search_etc($1)
	allow $1 net_conf_t:file watch_file_perms;
	allow $1 net_conf_t:lnk_file watch_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_watch_config'($*)) dnl
')

#######################################
##
## Create files in /etc with the type used for
## the network config files.
##
## Parameters:
## 1. Domain allowed access.
## 2. The name of the object being created.
##
#
define(`sysnet_etc_filetrans_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_etc_filetrans_config'($*)) dnl
	gen_require(`
		type net_conf_t;
	')

	# Both a regular file and a symlink of the given name get net_conf_t.
	files_etc_filetrans($1, net_conf_t, file, $2)
	files_etc_filetrans($1, net_conf_t, lnk_file, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_etc_filetrans_config'($*)) dnl
')

########################################
##
## Transition content to the type used for
## the network config files.
##
## Parameters:
## 1. Domain allowed access.
## 2. The type of the directory to which the object will be created.
## 3. The object class.
## 4. The name of the object being created.
##
#
define(`sysnet_filetrans_config_fromdir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_filetrans_config_fromdir'($*)) dnl
	gen_require(`
		type net_conf_t;
	')

	filetrans_pattern($1, $2, net_conf_t, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_filetrans_config_fromdir'($*)) dnl
')

#######################################
##
## Create, read, write, and delete network config files.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_manage_config'($*)) dnl
	gen_require(`
		type net_conf_t;
	')

	# sysnet_read_config supplies the /etc search and distro-specific
	# pid-directory access; the patterns add the write side.
	sysnet_read_config($1)
	manage_files_pattern($1, net_conf_t, net_conf_t)
	manage_lnk_files_pattern($1, net_conf_t, net_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_manage_config'($*)) dnl
')

#######################################
##
## Create, read, write, and delete network config dirs.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_manage_config_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_manage_config_dirs'($*)) dnl
	gen_require(`
		type net_conf_t;
	')

	sysnet_read_config($1)
	manage_dirs_pattern($1, net_conf_t, net_conf_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_manage_config_dirs'($*)) dnl
')

#######################################
##
## Read the dhcp client pid file.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_read_dhcpc_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_read_dhcpc_pid'($*)) dnl
	gen_require(`
		type dhcpc_var_run_t;
	')

	files_list_pids($1)
	allow $1 dhcpc_var_run_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_read_dhcpc_pid'($*)) dnl
')

#######################################
##
## Delete the dhcp client pid file.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_delete_dhcpc_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_delete_dhcpc_pid'($*)) dnl
	gen_require(`
		type dhcpc_var_run_t;
	')

	# unlink needs write access to the containing pid directory, not the file.
	files_rw_pid_dirs($1)
	allow $1 dhcpc_var_run_t:file unlink;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_delete_dhcpc_pid'($*)) dnl
')

#######################################
##
## Manage the dhcp client pid file.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_manage_dhcpc_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_manage_dhcpc_pid'($*)) dnl
	gen_require(`
		type dhcpc_var_run_t;
	')

	files_rw_pid_dirs($1)
	manage_files_pattern($1, dhcpc_var_run_t, dhcpc_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_manage_dhcpc_pid'($*)) dnl
')

########################################
##
## Create specified objects in generic
## pid directories with the dhcpc pid file type.
##
## Parameters:
## 1. Domain allowed access.
## 2. The name of the object being created.
##
#
define(`sysnet_filetrans_dhcpc_pid',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_filetrans_dhcpc_pid'($*)) dnl
	gen_require(`
		type dhcpc_var_run_t;
	')

	files_pid_filetrans($1, dhcpc_var_run_t, file, $2)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_filetrans_dhcpc_pid'($*)) dnl
')

#######################################
##
## Execute ifconfig in the ifconfig domain.
##
## Parameters:
## 1. Domain allowed to transition.
##
#
define(`sysnet_domtrans_ifconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_domtrans_ifconfig'($*)) dnl
	gen_require(`
		type ifconfig_t, ifconfig_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_domtrans_ifconfig'($*)) dnl
')

########################################
##
## NNP Transition to ifconfig_t.
##
## Parameters:
## 1. Domain allowed to transition.
##
#
define(`sysnet_nnp_domtrans_ifconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_nnp_domtrans_ifconfig'($*)) dnl
	gen_require(`
		type ifconfig_t;
	')

	# Lets the domain transition proceed even when the caller runs with
	# no_new_privs or the executable is on a nosuid mount; this only relaxes
	# those two checks and still needs the ordinary domtrans rules.
	allow $1 ifconfig_t:process2 { nnp_transition nosuid_transition };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_nnp_domtrans_ifconfig'($*)) dnl
')

########################################
##
## Execute ifconfig in the ifconfig domain, and
## allow the specified role the ifconfig domain,
## and use the caller's terminal.
##
## Parameters:
## 1. Domain allowed to transition.
## 2. Role allowed access.
##
#
define(`sysnet_run_ifconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_run_ifconfig'($*)) dnl
	gen_require(`
		type ifconfig_t;
	')

	# NOTE(review): no terminal rule is present in this body despite the
	# interface summary mentioning the caller terminal; confirm whether one
	# is expected or the summary is stale.
	corecmd_search_bin($1)
	sysnet_domtrans_ifconfig($1)
	role $2 types ifconfig_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_run_ifconfig'($*)) dnl
')

#######################################
##
## Execute ifconfig in the caller domain.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_exec_ifconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_exec_ifconfig'($*)) dnl
	gen_require(`
		type ifconfig_exec_t;
	')

	# No domain change: ifconfig runs with the privileges of the caller.
	corecmd_search_bin($1)
	can_exec($1, ifconfig_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_exec_ifconfig'($*)) dnl
')

########################################
##
## Send a generic signal to ifconfig.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_signal_ifconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_signal_ifconfig'($*)) dnl
	gen_require(`
		type ifconfig_t;
	')

	allow $1 ifconfig_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_signal_ifconfig'($*)) dnl
')

########################################
##
## Send null signals to ifconfig.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_signull_ifconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_signull_ifconfig'($*)) dnl
	gen_require(`
		type ifconfig_t;
	')

	allow $1 ifconfig_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_signull_ifconfig'($*)) dnl
')

########################################
##
## Send a kill signal to ifconfig.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_kill_ifconfig',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_kill_ifconfig'($*)) dnl
	gen_require(`
		type ifconfig_t;
	')

	allow $1 ifconfig_t:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_kill_ifconfig'($*)) dnl
')

########################################
##
## Read the DHCP configuration files.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_read_dhcp_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_read_dhcp_config'($*)) dnl
	gen_require(`
		type dhcp_etc_t;
	')

	files_search_etc($1)
	allow $1 dhcp_etc_t:dir list_dir_perms;
	read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
	# map is granted in addition to read so the files may be mmapped.
	allow $1 dhcp_etc_t:file map;
	allow $1 dhcp_etc_t:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_read_dhcp_config'($*)) dnl
')

########################################
##
## Search the DHCP state data directory.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_search_dhcp_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_search_dhcp_state'($*)) dnl
	gen_require(`
		type dhcp_state_t;
	')

	files_search_var_lib($1)
	allow $1 dhcp_state_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_search_dhcp_state'($*)) dnl
')

#######################################
##
## Set the attributes of DHCP state files.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_setattr_dhcp_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_setattr_dhcp_state'($*)) dnl
	gen_require(`
		type dhcp_state_t;
	')

	files_search_var_lib($1)
	allow $1 dhcp_state_t:file setattr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_setattr_dhcp_state'($*)) dnl
')

########################################
##
## Create DHCP state data.
##

## Create DHCP state data. ##

##

## This is added for the DHCP server, as
## the server and client put their state
## files in the same directory.
##

##
##
## Parameters:
## 1. Domain allowed access.
## 2. The type of the object to be created.
## 3. The object class.
## 4. The name of the object being created.
##
#
define(`sysnet_dhcp_state_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_dhcp_state_filetrans'($*)) dnl
	gen_require(`
		type dhcp_state_t;
	')

	files_search_var_lib($1)
	filetrans_pattern($1, dhcp_state_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_dhcp_state_filetrans'($*)) dnl
')

########################################
##
## Perform a DNS name resolution.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_dns_name_resolve',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_dns_name_resolve'($*)) dnl
	gen_require(`
		type net_conf_t;
	')

	allow $1 self:tcp_socket create_socket_perms;
	allow $1 self:udp_socket create_socket_perms;
	allow $1 self:netlink_route_socket r_netlink_socket_perms;

	corenet_tcp_sendrecv_generic_if($1)
	corenet_udp_sendrecv_generic_if($1)
	corenet_tcp_sendrecv_generic_node($1)
	corenet_udp_sendrecv_generic_node($1)
	corenet_tcp_sendrecv_dns_port($1)
	corenet_udp_sendrecv_dns_port($1)
	corenet_tcp_connect_dns_port($1)
	corenet_tcp_connect_dnssec_port($1)
	corenet_sendrecv_dns_client_packets($1)

	files_search_all_pids($1)

	# Certificate access is included here; presumably for resolvers that
	# validate TLS-protected upstreams. Confirm before widening further.
	miscfiles_read_generic_certs($1)
	miscfiles_map_generic_certs($1)

	sysnet_read_config($1)

	optional_policy(`
		avahi_stream_connect($1)
	')

	optional_policy(`
		dbus_stream_connect_system_dbusd($1)
	')

	optional_policy(`
		nscd_use($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_dns_name_resolve'($*)) dnl
')

########################################
##
## Connect and use a LDAP server.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_use_ldap',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_use_ldap'($*)) dnl
	gen_require(`
		type net_conf_t;
	')

	allow $1 self:tcp_socket create_socket_perms;
	corenet_tcp_sendrecv_generic_if($1)
	corenet_tcp_sendrecv_generic_node($1)
	corenet_tcp_sendrecv_ldap_port($1)
	corenet_tcp_connect_ldap_port($1)
	corenet_sendrecv_ldap_client_packets($1)

	# Support for LDAPS
	dev_read_rand($1)
	# LDAP configuration using encrypted connections also requires urandom
	dev_read_urand($1)

	sysnet_read_config($1)

	optional_policy(`
		ldap_read_certs($1)
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_use_ldap'($*)) dnl
')

########################################
##
## Connect and use remote port mappers.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_use_portmap',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_use_portmap'($*)) dnl
	gen_require(`
		type net_conf_t;
	')

	allow $1 self:tcp_socket create_socket_perms;
	allow $1 self:udp_socket create_socket_perms;
	# NOTE(review): unlike the DNS and LDAP interfaces above, this one also
	# accepts packets with no peer label (recvfrom unlabeled), which widens
	# the network exposure of every caller; confirm it is still required.
	corenet_all_recvfrom_unlabeled($1)
	corenet_tcp_sendrecv_generic_if($1)
	corenet_udp_sendrecv_generic_if($1)
	corenet_tcp_sendrecv_generic_node($1)
	corenet_udp_sendrecv_generic_node($1)
	corenet_tcp_sendrecv_portmap_port($1)
	corenet_udp_sendrecv_portmap_port($1)
	corenet_tcp_connect_portmap_port($1)
	corenet_sendrecv_portmap_client_packets($1)

	sysnet_read_config($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_use_portmap'($*)) dnl
')

########################################
##
## Do not audit attempts to use
## the dhcp file descriptors.
##
## Parameters:
## 1. Domain to not audit.
##
#
define(`sysnet_dontaudit_dhcpc_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_dontaudit_dhcpc_use_fds'($*)) dnl
	gen_require(`
		type dhcpc_t;
	')

	# Same rule as sysnet_dontaudit_use_dhcpc_fds; presumably kept so
	# callers of the older name keep working.
	dontaudit $1 dhcpc_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_dontaudit_dhcpc_use_fds'($*)) dnl
')

########################################
##
## Transition to system_r when executing a dhclient script
##

## Execute dhclient script in a specified role ##

##

## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
##

##
##
## Parameters:
## 1. Role to transition from.
##
#
define(`sysnet_role_transition_dhcpc',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_role_transition_dhcpc'($*)) dnl
	gen_require(`
		type dhcpc_exec_t;
	')

	# Any process in the given role that executes dhcpc_exec_t ends up in
	# system_r; the type transition itself comes from sysnet_domtrans_dhcpc.
	role_transition $1 dhcpc_exec_t system_r;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_role_transition_dhcpc'($*)) dnl
')

########################################
##
## Set up filename transitions for systemd-resolved network
## configuration content.
##
## Parameters:
## 1. Domain allowed access.
##
#
define(`sysnet_filetrans_systemd_resolved',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `sysnet_filetrans_systemd_resolved'($*)) dnl
	gen_require(`
		type net_conf_t;
	')

	# Wrapped in optional_policy so the interface stays usable when the
	# systemd module is not loaded.
	optional_policy(`
		systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf")
		systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
		systemd_resolved_pid_filetrans($1, net_conf_t, { file lnk_file }, "stub-resolv.conf")
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `sysnet_filetrans_systemd_resolved'($*)) dnl
')

########################################
##
## Transition to sysnet named content
##
## Parameters:
## 1. Domain allowed access.
##	</summary>
## </param>
#
define(`sysnet_filetrans_named_content',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `sysnet_filetrans_named_content'($*)) dnl
	gen_require(`
		type net_conf_t;
	')

	# name-based transitions so these files are created as net_conf_t; the
	# list includes the host name resolution files (resolv.conf, hosts), so
	# additions here deserve review
	sysnet_etc_filetrans_config($1, "resolv.conf")
	files_etc_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
	files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-tmp")
	files_etc_filetrans($1, net_conf_t, file, "resolv.conf.fp-saved")
	files_etc_filetrans($1, net_conf_t, file, "resolv-secure.conf")
	files_etc_filetrans($1, net_conf_t, file, ".resolv.conf.dnssec-trigger")
	files_etc_filetrans($1, net_conf_t, file, ".resolv-secure.conf.dnssec-trigger")
	files_etc_filetrans($1, net_conf_t, file, "denyhosts")
	files_etc_filetrans($1, net_conf_t, file, "hosts")
	files_etc_filetrans($1, net_conf_t, file, "hosts.deny")
	files_etc_filetrans($1, net_conf_t, file, "ethers")
	files_etc_filetrans($1, net_conf_t, file, "yp.conf")
	files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
	init_pid_filetrans($1, net_conf_t, dir, "network")

	# NetworkManager runtime copies, only when that module is loaded
	optional_policy(`
		networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")
		networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
	')

	sysnet_filetrans_systemd_resolved($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `sysnet_filetrans_named_content'($*)) dnl
')

########################################
## <summary>
##	Manage sysnet ifconfig runtime files, directories and symlinks
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sysnet_manage_ifconfig_run',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `sysnet_manage_ifconfig_run'($*)) dnl
	gen_require(`
		type ifconfig_var_run_t;
	')

	# full create/read/write/delete on ifconfig runtime content
	manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
	manage_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
	manage_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `sysnet_manage_ifconfig_run'($*)) dnl
')

########################################
## <summary>
##	Create the netns directory in the pid directory
##	as sysnet ifconfig runtime content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sysnet_filetrans_named_content_ifconfig',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `sysnet_filetrans_named_content_ifconfig'($*)) dnl
	gen_require(`
		type ifconfig_var_run_t;
	')

	files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `sysnet_filetrans_named_content_ifconfig'($*)) dnl
')

########################################
## <summary>
##	Create files in the etc directory as sysnet
##	network configuration content (no filename restriction).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sysnet_filetrans_net_conf',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `sysnet_filetrans_net_conf'($*)) dnl
	gen_require(`
		type net_conf_t;
	')

	# NOTE(review): no filename argument, so presumably every file the domain
	# creates in the etc directory gets net_conf_t; this is broader than the
	# named transitions in sysnet_filetrans_named_content - confirm intended
	files_etc_filetrans($1, net_conf_t, file)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `sysnet_filetrans_net_conf'($*)) dnl
')

########################################
## <summary>
##	Transition to cloud-init named content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`sysnet_filetrans_cloud_net_conf',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `sysnet_filetrans_cloud_net_conf'($*)) dnl
	gen_require(`
		type net_conf_t;
	')

	files_pid_filetrans($1, net_conf_t, dir, "cloud-init")
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `sysnet_filetrans_cloud_net_conf'($*)) dnl
')

## <summary>SELinux policy for systemd components</summary>
# NOTE(review): the pushdef/policy_m4_comment wrapping looks like the
# build-generated concatenation of the module .if files; confirm, and make
# any lasting fix in the module source rather than here.

######################################
## <summary>
##	Creates types and rules for a basic
##	systemd domains.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix for the domain.
##	</summary>
## </param>
#
define(`systemd_domain_template',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_domain_template'($*)) dnl
	gen_require(`
		attribute systemd_domain;
	')

	# declares prefix_t (a systemd_domain) and its entrypoint prefix_exec_t
	type $1_t, systemd_domain;
	type $1_exec_t;
	init_daemon_domain($1_t, $1_exec_t)
	# presumably keeps the init transition working when the unit runs with
	# NoNewPrivileges - confirm against the init module
	init_nnp_daemon_domain($1_t)

	kernel_read_system_state($1_t)

	auth_use_nsswitch($1_t)

	selinux_get_enforce_mode($1_t) dnl
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_domain_template'($*)) dnl
')

######################################
## <summary>
##	Stub interface: only requires the systemd unit file type
##	and grants nothing.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_stub_unit_file',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_stub_unit_file'($*)) dnl
	gen_require(`
		type systemd_unit_file_t;
	')

	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_stub_unit_file'($*)) dnl
')

#######################################
## <summary>
##	Create a domain for processes which are started
##	executing systemctl.
## </summary>
## <param name="prefix">
##	<summary>
##	Domain prefix; the prefix_t domain transitions to prefix_systemctl_t.
##	</summary>
## </param>
#
define(`systemd_systemctl_domain',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_systemctl_domain'($*)) dnl
	gen_require(`
		type systemd_systemctl_exec_t;
		role system_r;
		attribute systemctl_domain;
	')

	# derived domain; the argument is a prefix, so prefix_t must already exist
	type $1_systemctl_t, systemctl_domain;
	domain_type($1_systemctl_t)
	domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t)
	# the derived domain is placed in system_r unconditionally
	role system_r types $1_systemctl_t;

	domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_systemctl_domain'($*)) dnl
')

########################################
## <summary>
##	Execute systemctl in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_exec_systemctl',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_exec_systemctl'($*)) dnl
	gen_require(`
		type systemd_systemctl_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, systemd_systemctl_exec_t)

	# read-only state systemctl consults, plus the init streams it talks to
	fs_list_cgroup_dirs($1)
	fs_read_cgroup_files($1)
	fs_read_efivarfs_files($1)
	systemd_list_unit_dirs($1)
	init_list_pid_dirs($1)
	init_read_state($1)
	init_stream_send($1)
	init_stream_connect($1)
	systemd_login_list_pid_dirs($1)
	systemd_login_read_pid_files($1)
	# NOTE: this also pulls in systemd_manage_passwd_run via
	# systemd_passwd_agent_exec, which is more than plain exec
	systemd_passwd_agent_exec($1)

	# dontaudit only: these capabilities are not granted, just not logged
	dontaudit $1 self:capability { net_admin sys_ptrace };
	# systemctl tries to adjust its RLIMIT_NOFILE right when it is started
	dontaudit $1 self:process setrlimit;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_exec_systemctl'($*)) dnl
')

#
########################################
## <summary>
##	Allow systemd_systemctl_exec_t to be an entrypoint
##	of the specified domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_systemctl_entrypoint',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_systemctl_entrypoint'($*)) dnl
	gen_require(`
		type systemd_systemctl_exec_t;
	')

	# the systemctl binary becomes a valid entry into the domain
	allow $1 systemd_systemctl_exec_t:file entrypoint;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_systemctl_entrypoint'($*)) dnl
')

#######################################
## <summary>
##	Create a file type used for systemd unit files.
## </summary>
## <param name="type">
##	<summary>
##	Type to be used for a unit file.
##	</summary>
## </param>
#
define(`systemd_unit_file',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_unit_file'($*)) dnl
	gen_require(`
		attribute systemd_unit_file_type;
	')

	typeattribute $1 systemd_unit_file_type;
	files_type($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_unit_file'($*)) dnl
')

######################################
## <summary>
##	Allow domain to search systemd unit dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_search_unit_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_search_unit_dirs'($*)) dnl
	gen_require(`
		attribute systemd_unit_file_type;
	')

	files_search_var_lib($1)
	# search covers every type carrying systemd_unit_file_type
	allow $1 systemd_unit_file_type:dir search_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_search_unit_dirs'($*)) dnl
')

######################################
## <summary>
##	Allow domain to list systemd unit dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_list_unit_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_list_unit_dirs'($*)) dnl
	gen_require(`
		attribute systemd_unit_file_type;
	')

	files_search_var_lib($1)
	allow $1 systemd_unit_file_type:dir list_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_list_unit_dirs'($*)) dnl
')

######################################
## <summary>
##	Allow domain to create systemd unit dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_create_unit_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_create_unit_dirs'($*)) dnl
	gen_require(`
		attribute systemd_unit_file_type;
	')

	files_search_var_lib($1)
	# create only; no add_name/write on the parent is granted here
	allow $1 systemd_unit_file_type:dir create;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_create_unit_dirs'($*)) dnl
')

#####################################
## <summary>
##	Allow domain to getattr all systemd unit files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_getattr_unit_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_getattr_unit_files'($*)) dnl
	gen_require(`
		attribute systemd_unit_file_type;
	')

	files_search_var_lib($1)
	getattr_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_getattr_unit_files'($*)) dnl
')

#####################################
## <summary>
##	Allow domain to getattr all systemd unit directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_getattr_unit_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_getattr_unit_dirs'($*)) dnl
	gen_require(`
		attribute systemd_unit_file_type;
	')

	allow $1 systemd_unit_file_type:dir getattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_getattr_unit_dirs'($*)) dnl
')

######################################
## <summary>
##	Allow domain to read all systemd unit files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_read_unit_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_read_unit_files'($*)) dnl
	gen_require(`
		attribute systemd_unit_file_type;
	')

	files_search_var_lib($1)
	# read applies to every type carrying the attribute, including symlinks
	allow $1 systemd_unit_file_type:file read_file_perms;
	allow $1 systemd_unit_file_type:lnk_file read_lnk_file_perms;
	allow $1 systemd_unit_file_type:dir list_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_read_unit_files'($*)) dnl
')

#####################################
## <summary>
##	Dontaudit domain to read all systemd unit files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`systemd_dontaudit_read_unit_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_dontaudit_read_unit_files'($*)) dnl
	gen_require(`
		attribute systemd_unit_file_type;
	')

	# silences denials only; lnk_file reads are not covered here
	dontaudit $1 systemd_unit_file_type:file read_file_perms;
	dontaudit $1 systemd_unit_file_type:dir list_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_dontaudit_read_unit_files'($*)) dnl
')

######################################
## <summary>
##	Read systemd_login PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_login_read_pid_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_login_read_pid_files'($*)) dnl
	gen_require(`
		type systemd_logind_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_login_read_pid_files'($*)) dnl
')

######################################
## <summary>
##	Read systemd_resolved PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_resolved_read_pid',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_resolved_read_pid'($*)) dnl
	gen_require(`
		type systemd_resolved_var_run_t;
	')

	files_search_pids($1)
	# dirs, files and symlinks; symlinks matter because stub-resolv.conf
	# may be a lnk_file (see sysnet_filetrans_systemd_resolved)
	list_dirs_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
	read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
	read_lnk_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_resolved_read_pid'($*)) dnl
')

######################################
## <summary>
##	Write to systemd_resolved PID socket files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_resolved_write_pid_sock_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_resolved_write_pid_sock_files'($*)) dnl
	gen_require(`
		type systemd_resolved_var_run_t;
	')

	files_search_pids($1)
	write_sock_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_resolved_write_pid_sock_files'($*)) dnl
')

######################################
## <summary>
##	Watch systemd_resolved PID directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_resolved_watch_pid_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_resolved_watch_pid_dirs'($*)) dnl
	gen_require(`
		type systemd_resolved_var_run_t;
	')

	files_search_pids($1)
	allow $1 systemd_resolved_var_run_t:dir watch_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_resolved_watch_pid_dirs'($*)) dnl
')

########################################
## <summary>
##	Create objects in /var/run/systemd/resolve with a private
##	type using a type_transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	Private file type.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Object classes to be created.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`systemd_resolved_pid_filetrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_resolved_pid_filetrans'($*)) dnl
	gen_require(`
		type systemd_resolved_var_run_t;
	')

	# arguments: domain, private type, object class(es), object name
	filetrans_pattern($1, systemd_resolved_var_run_t, $2, $3, $4)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_resolved_pid_filetrans'($*)) dnl
')

######################################
## <summary>
##	Manage systemd_login PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_login_manage_pid_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_login_manage_pid_files'($*)) dnl
	gen_require(`
		type systemd_logind_var_run_t;
	')

	files_search_pids($1)
	# full manage, not just read as the old summary said
	manage_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_login_manage_pid_files'($*)) dnl
')

######################################
## <summary>
##	Create the nologin file in the pid directory
##	as systemd_login PID content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_login_filetrans_pid_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_login_filetrans_pid_files'($*)) dnl
	gen_require(`
		type systemd_logind_var_run_t;
	')

	# only the nologin file gets the transition
	files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_login_filetrans_pid_files'($*)) dnl
')

######################################
## <summary>
##	List systemd_login PID directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_login_list_pid_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_login_list_pid_dirs'($*)) dnl
	gen_require(`
		type systemd_logind_var_run_t;
	')

	files_search_pids($1)
	list_dirs_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_login_list_pid_dirs'($*)) dnl
')

######################################
## <summary>
##	Watch systemd_login PID directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_login_watch_pid_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_login_watch_pid_dirs'($*)) dnl
	gen_require(`
		type systemd_logind_var_run_t;
	')

	files_search_pids($1)
	allow $1 systemd_logind_var_run_t:dir watch_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_login_watch_pid_dirs'($*)) dnl
')

######################################
## <summary>
##	Watch systemd_login session directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_login_watch_session_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_login_watch_session_dirs'($*)) dnl
	gen_require(`
		type systemd_logind_sessions_t;
	')

	init_search_pid_dirs($1)
	allow $1 systemd_logind_sessions_t:dir watch_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_login_watch_session_dirs'($*)) dnl
')

######################################
## <summary>
##	Mounton systemd_login PID directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_login_mounton_pid_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_login_mounton_pid_dirs'($*)) dnl
	gen_require(`
		type systemd_logind_var_run_t;
	')

	# no search permission on the parent is granted here
	allow $1 systemd_logind_var_run_t:dir mounton;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_login_mounton_pid_dirs'($*)) dnl
')

######################################
## <summary>
##	Use inherited systemd
##	logind file descriptors.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_use_fds_logind',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_use_fds_logind'($*)) dnl
	gen_require(`
		type systemd_logind_t;
	')

	allow $1 systemd_logind_t:fd use;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_use_fds_logind'($*)) dnl
')

########################################
## <summary>
##	Read the process state (/proc/pid) of systemd_logind_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_logind_read_state',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_logind_read_state'($*)) dnl
	gen_require(`
		type systemd_logind_t;
	')

	# /proc/pid entries of logind: dir search, file and symlink read
	allow $1 systemd_logind_t:dir search_dir_perms;
	allow $1 systemd_logind_t:file read_file_perms;
	allow $1 systemd_logind_t:lnk_file read_lnk_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_logind_read_state'($*)) dnl
')

######################################
## <summary>
##	Read logind sessions files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_read_logind_sessions_files',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_read_logind_sessions_files'($*)) dnl
	gen_require(`
		type systemd_logind_sessions_t;
	')

	init_search_pid_dirs($1)
	allow $1 systemd_logind_sessions_t:dir list_dir_perms;
	read_files_pattern($1, systemd_logind_sessions_t, systemd_logind_sessions_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_read_logind_sessions_files'($*)) dnl
')

######################################
## <summary>
##	Mounton inherited logind sessions directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_mounton_inherited_logind_sessions_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_mounton_inherited_logind_sessions_dirs'($*)) dnl
	gen_require(`
		type systemd_logind_sessions_t;
	')

	allow $1 systemd_logind_sessions_t:dir mounton;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_mounton_inherited_logind_sessions_dirs'($*)) dnl
')

######################################
## <summary>
##	Write inherited logind sessions pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_write_inherited_logind_sessions_pipes',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_write_inherited_logind_sessions_pipes'($*)) dnl
	gen_require(`
		type systemd_logind_sessions_t;
		type systemd_logind_t;
	')

	# fd use on the inherited descriptor plus write on the fifo behind it
	allow $1 systemd_logind_t:fd use;
	allow $1 systemd_logind_sessions_t:fifo_file write;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_write_inherited_logind_sessions_pipes'($*)) dnl
')

######################################
## <summary>
##	Dontaudit attempts to write inherited logind sessions pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`systemd_dontaudit_write_inherited_logind_sessions_pipes',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_dontaudit_write_inherited_logind_sessions_pipes'($*)) dnl
	gen_require(`
		type systemd_logind_sessions_t;
	')

	dontaudit $1 systemd_logind_sessions_t:fifo_file write;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_dontaudit_write_inherited_logind_sessions_pipes'($*)) dnl
')

######################################
## <summary>
##	Write systemd inhibit pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_write_inhibit_pipes',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_write_inhibit_pipes'($*)) dnl
	gen_require(`
		type systemd_logind_inhibit_var_run_t;
	')

	allow $1 systemd_logind_inhibit_var_run_t:fifo_file write;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_write_inhibit_pipes'($*)) dnl
')

########################################
## <summary>
##	Allow process to mount directory with inhibit pipes
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_mounton_inhibit_dir',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_mounton_inhibit_dir'($*)) dnl
	gen_require(`
		type systemd_logind_inhibit_var_run_t;
	')

	allow $1 systemd_logind_inhibit_var_run_t:dir mounton;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_mounton_inhibit_dir'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	systemd logind over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_dbus_chat_logind',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_dbus_chat_logind'($*)) dnl
	gen_require(`
		type systemd_logind_t;
		class dbus send_msg;
	')

	# bidirectional dbus
	allow $1 systemd_logind_t:dbus send_msg;
	allow systemd_logind_t $1:dbus send_msg;
	# beyond dbus: logind may inspect and signal the caller, and the caller
	# may use logind file descriptors
	ps_process_pattern(systemd_logind_t, $1)
	allow systemd_logind_t $1:process signal;
	allow $1 systemd_logind_t:fd use;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_dbus_chat_logind'($*)) dnl
')

#######################################
## <summary>
##	Execute a domain transition to run systemd-sysctl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_domtrans_sysctl',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_domtrans_sysctl'($*)) dnl
	gen_require(`
		type systemd_sysctl_t, systemd_sysctl_exec_t;
	')

	domtrans_pattern($1, systemd_sysctl_exec_t, systemd_sysctl_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_domtrans_sysctl'($*)) dnl
')

#######################################
## <summary>
##	Allow a domain to execute systemd-sysctl in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_exec_sysctl',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_exec_sysctl'($*)) dnl
	gen_require(`
		type systemd_sysctl_exec_t;
	')

	# no domain transition: the binary runs in the caller domain
	can_exec($1,systemd_sysctl_exec_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_exec_sysctl'($*)) dnl
')

#######################################
## <summary>
##	Allow a domain to execute systemd-tmpfiles in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_tmpfiles_exec',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_tmpfiles_exec'($*)) dnl
	gen_require(`
		type systemd_tmpfiles_exec_t;
	')

	# no domain transition: the binary runs in the caller domain
	can_exec($1,systemd_tmpfiles_exec_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_tmpfiles_exec'($*)) dnl
')

#######################################
## <summary>
##	Execute a domain transition to run systemd-tmpfiles.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_tmpfiles_domtrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_tmpfiles_domtrans'($*)) dnl
	gen_require(`
		type systemd_tmpfiles_t, systemd_tmpfiles_exec_t;
	')

	domtrans_pattern($1, systemd_tmpfiles_exec_t, systemd_tmpfiles_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_tmpfiles_domtrans'($*)) dnl
')

#######################################
## <summary>
##	Allow caller nnp_transition to systemd_tmpfiles_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_tmpfiles_nnp_domtrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_tmpfiles_nnp_domtrans'($*)) dnl
	gen_require(`
		type systemd_tmpfiles_t;
	')

	# nnp_transition only; pair with systemd_tmpfiles_domtrans for the
	# actual transition rules
	allow $1 systemd_tmpfiles_t:process2 nnp_transition;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_tmpfiles_nnp_domtrans'($*)) dnl
')

#######################################
## <summary>
##	Execute a domain transition to run systemd-localed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_localed_domtrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_localed_domtrans'($*)) dnl
	gen_require(`
		type systemd_localed_t, systemd_localed_exec_t;
	')

	domtrans_pattern($1, systemd_localed_exec_t, systemd_localed_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_localed_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run systemd-tty-ask-password-agent.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_passwd_agent_domtrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_passwd_agent_domtrans'($*)) dnl
	gen_require(`
		type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
	')

	domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_passwd_agent_domtrans'($*)) dnl
')

#######################################
## <summary>
##	Execute systemd-tty-ask-password-agent in the caller domain
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_passwd_agent_exec',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_passwd_agent_exec'($*)) dnl
	gen_require(`
		type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
	')

	# NOTE(review): systemd_passwd_agent_t is required but not used below
	can_exec($1, systemd_passwd_agent_exec_t)
	# grants manage access on the passwd runtime content too, which is more
	# than the summary (execute in the caller domain) suggests
	systemd_manage_passwd_run($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_passwd_agent_exec'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run systemd_rfkill.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_rfkill_domtrans',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_rfkill_domtrans'($*)) dnl
	gen_require(`
		type systemd_rfkill_t, systemd_rfkill_exec_t;
	')

	domtrans_pattern($1, systemd_rfkill_exec_t, systemd_rfkill_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_rfkill_domtrans'($*)) dnl
')

########################################
## <summary>
##	Mounton rfkill lib directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_rfkill_mounton_var_lib',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_rfkill_mounton_var_lib'($*)) dnl
	gen_require(`
		type systemd_rfkill_var_lib_t;
	')

	allow $1 systemd_rfkill_var_lib_t:dir mounton;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_rfkill_mounton_var_lib'($*)) dnl
')

########################################
## <summary>
##	Set attributes of systemd-rfkill lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_rfkill_setattr_lib',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_rfkill_setattr_lib'($*)) dnl
	gen_require(`
		type systemd_rfkill_var_lib_t;
	')

	files_search_var_lib($1)
	# setattr on directories only; no file read despite the interface name
	setattr_dirs_pattern($1, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_rfkill_setattr_lib'($*)) dnl
')

########################################
## <summary>
##	read systemd rfkill dir
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_rfkill_read_lib_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_rfkill_read_lib_dirs'($*)) dnl
	gen_require(`
		type systemd_rfkill_var_lib_t;
	')

	# no files_search_var_lib here, unlike the sibling setattr interface
	list_dirs_pattern($1, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_rfkill_read_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	manage systemd rfkill dir
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_rfkill_manage_lib_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_rfkill_manage_lib_dirs'($*)) dnl
	gen_require(`
		type systemd_rfkill_var_lib_t;
	')

	manage_dirs_pattern($1, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_rfkill_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Mounton systemd timesync directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_timedated_mounton_var_lib',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_timedated_mounton_var_lib'($*)) dnl
	gen_require(`
		type systemd_timedated_var_lib_t;
	')

	allow $1 systemd_timedated_var_lib_t:dir mounton;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_timedated_mounton_var_lib'($*)) dnl
')

#######################################
## <summary>
##	Get timedated service status
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_timedated_status',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_timedated_status'($*)) dnl
	gen_require(`
		type systemd_timedated_unit_file_t;
	')

	# service class status only; no start/stop
	allow $1 systemd_timedated_unit_file_t:service status;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_timedated_status'($*)) dnl
')

########################################
## <summary>
##	manage systemd timesync dir
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_timedated_manage_lib_dirs',`
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `systemd_timedated_manage_lib_dirs'($*)) dnl
	gen_require(`
		type systemd_timedated_var_lib_t;
	')

	# directories are managed, symlinks are only read
	manage_dirs_pattern($1, systemd_timedated_var_lib_t, systemd_timedated_var_lib_t)
	read_lnk_files_pattern($1, systemd_timedated_var_lib_t, systemd_timedated_var_lib_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `systemd_timedated_manage_lib_dirs'($*)) dnl
')

########################################
## <summary>
##	Execute a domain transition to run systemd_notify.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_notify_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_notify_domtrans'($*)) dnl
	gen_require(`
		type systemd_notify_t, systemd_notify_exec_t;
	')

	# executing systemd_notify_exec_t transitions the caller into systemd_notify_t
	domtrans_pattern($1, systemd_notify_exec_t, systemd_notify_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_notify_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute systemd-tty-ask-password-agent in the systemd_passwd_agent domain, and
##	allow the specified role the systemd_passwd_agent domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the systemd_passwd_agent domain.
##	</summary>
## </param>
#
define(`systemd_passwd_agent_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_passwd_agent_run'($*)) dnl
	gen_require(`
		type systemd_passwd_agent_t;
	')

	# domain transition for the caller plus the role authorization that makes it usable
	systemd_passwd_agent_domtrans($1)
	role $2 types systemd_passwd_agent_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_passwd_agent_run'($*)) dnl
')

########################################
## <summary>
##	Execute systemd-tmpfiles in the systemd_tmpfiles_t domain, and
##	allow the specified role the systemd_tmpfiles domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the systemd_tmpfiles domain.
##	</summary>
## </param>
#
define(`systemd_tmpfiles_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_tmpfiles_run'($*)) dnl
	gen_require(`
		type systemd_tmpfiles_t;
	')

	systemd_tmpfiles_domtrans($1)
	role $2 types systemd_tmpfiles_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_tmpfiles_run'($*)) dnl
')

########################################
## <summary>
##	Role access for systemd_passwd_agent.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
define(`systemd_passwd_agent_role',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_passwd_agent_role'($*)) dnl
	gen_require(`
		type systemd_passwd_agent_t;
	')

	role $1 types systemd_passwd_agent_t;

	# the user domain may transition to, inspect, and signal the agent
	systemd_passwd_agent_domtrans($2)
	ps_process_pattern($2, systemd_passwd_agent_t)
	allow $2 systemd_passwd_agent_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_passwd_agent_role'($*)) dnl
')

########################################
## <summary>
##	Send generic signals to systemd_passwd_agent processes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_signal_passwd_agent',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_signal_passwd_agent'($*)) dnl
	gen_require(`
		type systemd_passwd_agent_t;
	')

	allow $1 systemd_passwd_agent_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_signal_passwd_agent'($*)) dnl
')

########################################
## <summary>
##	Allow the domain to read the systemd-passwd pipe.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_read_fifo_file_passwd_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_read_fifo_file_passwd_run'($*)) dnl
	gen_require(`
		type systemd_passwd_var_run_t;
	')

	init_search_pid_dirs($1)
	# NOTE(review): the interface name and summary say fifo/pipe, but the rule
	# below grants read on sock_file objects; confirm which object class callers
	# actually need before relying on the name
	read_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_read_fifo_file_passwd_run'($*)) dnl
')

########################################
## <summary>
##	Relabel fifo files to the systemd-passwd runtime type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_relabelto_fifo_file_passwd_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_relabelto_fifo_file_passwd_run'($*)) dnl
	gen_require(`
		type systemd_passwd_var_run_t;
	')

	# relabelto only; the matching relabelfrom on the source type must come from elsewhere
	allow $1 systemd_passwd_var_run_t:fifo_file relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_relabelto_fifo_file_passwd_run'($*)) dnl
')

########################################
## <summary>
##	Watch systemd-passwd pid directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_passwd_watch_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_passwd_watch_pid_dirs'($*)) dnl
	gen_require(`
		type systemd_passwd_var_run_t;
	')

	allow $1 systemd_passwd_var_run_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_passwd_watch_pid_dirs'($*)) dnl
')

########################################
## <summary>
##	Relabel systemd unit directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_relabel_unit_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_relabel_unit_dirs'($*)) dnl
	gen_require(`
		attribute systemd_unit_file_type;
	')

	# the attribute covers every unit file type, not just systemd_unit_file_t
	relabel_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_relabel_unit_dirs'($*)) dnl
')

########################################
## <summary>
##	Relabel systemd unit files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_relabel_unit_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_relabel_unit_files'($*)) dnl
	gen_require(`
		attribute systemd_unit_file_type;
	')

	relabel_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_relabel_unit_files'($*)) dnl
')

########################################
## <summary>
##	Relabel systemd unit symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_relabel_unit_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_relabel_unit_symlinks'($*)) dnl
	gen_require(`
		attribute systemd_unit_file_type;
	')

	relabel_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_relabel_unit_symlinks'($*)) dnl
')

########################################
## <summary>
##	Manage systemd-passwd runtime files, sockets and fifos, and let the
##	passwd agent signal and message the domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_manage_passwd_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_manage_passwd_run'($*)) dnl
	gen_require(`
		type systemd_passwd_agent_t;
		type systemd_passwd_var_run_t;
	')

	init_search_pid_dirs($1)
	manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
	manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
	manage_fifo_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)

	# reverse direction: the agent may probe (signull) and send datagrams to the caller
	allow systemd_passwd_agent_t $1:process signull;
	allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_manage_passwd_run'($*)) dnl
')

########################################
## <summary>
##	Template for temporary sockets and files in /dev/.systemd/ask-password
##	which are used by systemd-passwd-agent.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix of the domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
#
define(`systemd_passwd_agent_dev_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_passwd_agent_dev_template'($*)) dnl
	gen_require(`
		type systemd_passwd_agent_t;
	')

	# one private device type per prefix, so ask-password objects of different
	# user domains do not share a label
	type systemd_$1_device_t;
	files_type(systemd_$1_device_t)
	dev_associate(systemd_$1_device_t)

	# files and sockets the user domain creates under dev and under the init pid
	# directory get the private type automatically
	dev_filetrans($1_t, systemd_$1_device_t, { file sock_file })
	init_pid_filetrans($1_t, systemd_$1_device_t, { file sock_file })
	allow $1_t systemd_$1_device_t:file manage_file_perms;
	allow $1_t systemd_$1_device_t:sock_file manage_sock_file_perms;

	# the agent may probe and message the user domain, write to its socket and
	# read its files; it gets no write access to the files themselves
	allow systemd_passwd_agent_t $1_t:process signull;
	allow systemd_passwd_agent_t $1_t:unix_dgram_socket sendto;
	allow systemd_passwd_agent_t systemd_$1_device_t:sock_file write;
	allow systemd_passwd_agent_t systemd_$1_device_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_passwd_agent_dev_template'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to connect to
##	systemd_logger with a unix socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_logger_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_logger_stream_connect'($*)) dnl
	gen_require(`
		type systemd_logger_t;
	')

	# connectto only; write access to the socket file itself is not granted here
	allow $1 systemd_logger_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_logger_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Manage systemd unit directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_manage_unit_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_manage_unit_dirs'($*)) dnl
	gen_require(`
		attribute systemd_unit_file_type;
	')

	manage_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_manage_unit_dirs'($*)) dnl
')

########################################
## <summary>
##	Manage systemd unit symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_manage_unit_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_manage_unit_symlinks'($*)) dnl
	gen_require(`
		attribute systemd_unit_file_type;
	')

	manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_manage_unit_symlinks'($*)) dnl
')

########################################
## <summary>
##	Manage all systemd unit files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_manage_all_unit_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_manage_all_unit_files'($*)) dnl
	gen_require(`
		attribute systemd_unit_file_type;
	')

	# NOTE(review): write access to every unit file type effectively lets the
	# caller change what init runs; keep this limited to trusted management domains
	manage_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
	manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_manage_all_unit_files'($*)) dnl
')

########################################
## <summary>
##	Manage all systemd unit symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_manage_all_unit_lnk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_manage_all_unit_lnk_files'($*)) dnl
	gen_require(`
		attribute systemd_unit_file_type;
	')

	# NOTE(review): same rule as systemd_manage_unit_symlinks; one of the two
	# is presumably kept as an alias for existing callers
	manage_lnk_files_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_manage_all_unit_lnk_files'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to start all systemd services.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_start_all_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_start_all_services'($*)) dnl
	gen_require(`
		attribute systemd_unit_file_type;
	')

	allow $1 systemd_unit_file_type:service start;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_start_all_services'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to reload all systemd services.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_reload_all_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_reload_all_services'($*)) dnl
	gen_require(`
		attribute systemd_unit_file_type;
	')

	allow $1 systemd_unit_file_type:service reload;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_reload_all_services'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to modify the systemd configuration of
##	all systemd services.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_config_all_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_config_all_services'($*)) dnl
	gen_require(`
		attribute systemd_unit_file_type;
	')

	# NOTE(review): all_service_perms on every unit file type plus config access to
	# all init scripts is full control over service management; audit callers
	allow $1 systemd_unit_file_type:service all_service_perms;
	init_config_all_script_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_config_all_services'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to start services labeled systemd_unit_file_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_start_systemd_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_start_systemd_services'($*)) dnl
	gen_require(`
		type systemd_unit_file_t;
	')

	# narrower than systemd_start_all_services: the single type, not the attribute
	allow $1 systemd_unit_file_t:service start;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_start_systemd_services'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to reload services labeled systemd_unit_file_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_reload_systemd_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_reload_systemd_services'($*)) dnl
	gen_require(`
		type systemd_unit_file_t;
	')

	# single type only; systemd_reload_all_services covers the whole attribute
	allow $1 systemd_unit_file_t:service reload;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_reload_systemd_services'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to modify the systemd configuration of
##	services labeled systemd_unit_file_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_config_systemd_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_config_systemd_services'($*)) dnl
	gen_require(`
		type systemd_unit_file_t;
	')

	allow $1 systemd_unit_file_t:service all_service_perms;
	# NOTE(review): this still grants config access to all init script files,
	# which is broader than the single unit file type named above
	init_config_all_script_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_config_systemd_services'($*)) dnl
')

########################################
## <summary>
##	Manage the systemd random seed file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_manage_random_seed',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_manage_random_seed'($*)) dnl
	gen_require(`
		type random_seed_t;
	')

	# NOTE(review): the seed file is security sensitive; grant this only to the
	# domain that saves and restores it
	allow $1 random_seed_t:file manage_file_perms;
	# a file named random_seed created under var_lib gets random_seed_t automatically
	files_var_lib_filetrans($1, random_seed_t, file, "random_seed")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_manage_random_seed'($*)) dnl
')

########################################
## <summary>
##	Allow the domain to read the hostname config file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`systemd_hostnamed_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_hostnamed_read_config'($*)) dnl
	gen_require(`
		type hostname_etc_t;
	')

	files_search_etc($1)
	allow $1 hostname_etc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_hostnamed_read_config'($*)) dnl
')

########################################
## <summary>
##	Allow the domain to manage the hostname config file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##
#
define(`systemd_hostnamed_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_hostnamed_manage_config'($*)) dnl
	gen_require(`
		type hostname_etc_t;
	')

	files_search_etc($1)
	allow $1 hostname_etc_t:file manage_file_perms;
	# a file named hostname created under etc gets hostname_etc_t automatically
	files_etc_filetrans($1, hostname_etc_t, file, "hostname")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_hostnamed_manage_config'($*)) dnl
')

########################################
## <summary>
##	Allow the domain to delete the hostname config file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_hostnamed_delete_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_hostnamed_delete_config'($*)) dnl
	gen_require(`
		type hostname_etc_t;
	')

	# NOTE(review): unlike the read and manage interfaces above this adds a pid dir
	# entry deletion rather than files_search_etc; confirm callers can reach etc
	init_delete_pid_dir_entry($1)
	allow $1 hostname_etc_t:file delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_hostnamed_delete_config'($*)) dnl
')

########################################
## <summary>
##	Create objects in /run/systemd/generator directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`systemd_unit_file_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_unit_file_filetrans'($*)) dnl
	gen_require(`
		type systemd_unit_file_t;
	')

	files_search_pids($1)
	# objects of class $3 (optionally named $4) created inside systemd_unit_file_t
	# directories get the private type $2
	filetrans_pattern($1, systemd_unit_file_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_unit_file_filetrans'($*)) dnl
')

########################################
## <summary>
##	Create a directory in the /usr/lib/systemd/system directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_create_unit_file_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_create_unit_file_dirs'($*)) dnl
	gen_require(`
		type systemd_unit_file_t;
	')

	create_dirs_pattern($1, systemd_unit_file_t, systemd_unit_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_create_unit_file_dirs'($*)) dnl
')

########################################
## <summary>
##	Create a link in the /usr/lib/systemd/system directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_create_unit_file_lnk',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_create_unit_file_lnk'($*)) dnl
	gen_require(`
		type systemd_unit_file_t;
	')

	create_lnk_files_pattern($1, systemd_unit_file_t, systemd_unit_file_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_create_unit_file_lnk'($*)) dnl
')

########################################
## <summary>
##	Transition to systemd named content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_filetrans_named_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_filetrans_named_content'($*)) dnl
	gen_require(`
		type systemd_passwd_var_run_t;
		type systemd_logind_var_run_t;
		type hostname_etc_t;
		# NOTE(review): systemd_home_t is required but no rule below uses it
		type systemd_home_t;
		type systemd_rfkill_var_lib_t;
	')

	# named transitions only: each rule labels one specific file or directory name
	files_pid_filetrans($1, systemd_logind_var_run_t, file, "nologin")
	files_pid_filetrans($1, systemd_logind_var_run_t, file, "shutdown")
	init_named_pid_filetrans($1, hostname_etc_t, file, "default-hostname")
	init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
	init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
	files_etc_filetrans($1, hostname_etc_t, file, "hostname")
	files_etc_filetrans($1, hostname_etc_t, file, "machine-info")
	init_var_lib_filetrans($1, systemd_rfkill_var_lib_t, dir, "rfkill")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_filetrans_named_content'($*)) dnl
')

########################################
## <summary>
##	Read systemd home directory content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_read_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_read_home_content'($*)) dnl
	gen_require(`
		type systemd_home_t;
	')

	# search of the gconf data dir is only granted when the gnome module is present
	optional_policy(`
		gnome_search_gconf_data_dir($1)
	')

	read_files_pattern($1, systemd_home_t, systemd_home_t)
	read_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_read_home_content'($*)) dnl
')

########################################
## <summary>
##	Manage systemd home directory content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_manage_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_manage_home_content'($*)) dnl
	gen_require(`
		type systemd_home_t;
	')

	optional_policy(`
		gnome_search_gconf_data_dir($1)
	')

	manage_dirs_pattern($1, systemd_home_t, systemd_home_t)
	manage_files_pattern($1, systemd_home_t, systemd_home_t)
	manage_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
	# newly created content is labeled via the named transition interface below
	systemd_filetrans_home_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_manage_home_content'($*)) dnl
')

########################################
## <summary>
##	Transition to systemd home directory content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_filetrans_home_content'($*)) dnl
	gen_require(`
		type systemd_home_t;
	')

	# the only rule is inside optional_policy: without the gnome module this
	# interface grants nothing
	optional_policy(`
		gnome_data_filetrans($1, systemd_home_t, dir, "systemd")
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_filetrans_home_content'($*)) dnl
')

########################################
## <summary>
##	Transition to systemd named content for /etc/hostname.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_filetrans_named_hostname',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_filetrans_named_hostname'($*)) dnl
	gen_require(`
		type hostname_etc_t;
	')

	files_etc_filetrans($1, hostname_etc_t, file, "hostname")
	files_etc_filetrans($1, hostname_etc_t, file, "machine-info")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_filetrans_named_hostname'($*)) dnl
')

########################################
## <summary>
##	Get the system status information from systemd_login.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_login_status',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_login_status'($*)) dnl
	gen_require(`
		type systemd_logind_t;
	')

	allow $1 systemd_logind_t:system status;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_login_status'($*)) dnl
')

########################################
## <summary>
##	Send systemd_login a null signal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_login_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_login_signull'($*)) dnl
	gen_require(`
		type systemd_logind_t;
	')

	# signull is an existence check only; no real signal may be delivered
	allow $1 systemd_logind_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_login_signull'($*)) dnl
')

########################################
## <summary>
##	Send systemd_hostnamed a null signal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_hostnamed_signull',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_hostnamed_signull'($*)) dnl
	gen_require(`
		type systemd_hostnamed_t;
	')

	allow $1 systemd_hostnamed_t:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_hostnamed_signull'($*)) dnl
')

########################################
## <summary>
##	Tell systemd_login to reboot the system.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_login_reboot',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_login_reboot'($*)) dnl
	gen_require(`
		type systemd_logind_t;
	')

	# system class permission checked by logind itself; this is a denial of service
	# capability and should be limited to domains that legitimately reboot the host
	allow $1 systemd_logind_t:system reboot;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_login_reboot'($*)) dnl
')

########################################
## <summary>
##	Tell systemd_login to halt the system.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_login_halt',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_login_halt'($*)) dnl
	gen_require(`
		type systemd_logind_t;
	')

	allow $1 systemd_logind_t:system halt;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_login_halt'($*)) dnl
')

########################################
## <summary>
##	Tell systemd_login to do an unknown access.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_login_undefined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_login_undefined'($*)) dnl
	gen_require(`
		type systemd_logind_t;
	')

	# NOTE(review): the undefined permission is a catch-all for operations logind
	# cannot map to a named one; confirm it is still needed by callers
	allow $1 systemd_logind_t:system undefined;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_login_undefined'($*)) dnl
')

########################################
## <summary>
##	Configure generic unit files domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_config_generic_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_config_generic_services'($*)) dnl
	gen_require(`
		type systemd_unit_file_t;
	')

	systemd_exec_systemctl($1)
	allow $1 systemd_unit_file_t:file read_file_perms;
	allow $1 systemd_unit_file_t:service manage_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_config_generic_services'($*)) dnl
')

########################################
## <summary>
##	Configure power unit files domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_config_power_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_config_power_services'($*)) dnl
	gen_require(`
		type power_unit_file_t;
	')

	systemd_exec_systemctl($1)
	allow $1 power_unit_file_t:file read_file_perms;
	allow $1 power_unit_file_t:service manage_service_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_config_power_services'($*)) dnl
')

########################################
## <summary>
##	Start power unit files domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_start_power_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_start_power_services'($*)) dnl
	gen_require(`
		type power_unit_file_t;
	')

	systemd_exec_systemctl($1)
	allow $1 power_unit_file_t:service start;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_start_power_services'($*)) dnl
')

########################################
## <summary>
##	Get the status of power unit files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_status_power_services',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_status_power_services'($*)) dnl
	gen_require(`
		type power_unit_file_t;
	')

	systemd_exec_systemctl($1)
	allow $1 power_unit_file_t:service status;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_status_power_services'($*)) dnl
')

########################################
## <summary>
##	Start all systemd unit files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_start_all_unit_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_start_all_unit_files'($*)) dnl
	gen_require(`
		attribute systemd_unit_file_type;
	')

	# NOTE(review): start on every unit file type, via systemctl; starting
	# arbitrary units is a privileged operation, so audit which domains get this
	systemd_exec_systemctl($1)
	allow $1 systemd_unit_file_type:service start;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_start_all_unit_files'($*)) dnl
')

########################################
## <summary>
##	Get the status of all systemd unit files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_status_all_unit_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_status_all_unit_files'($*)) dnl
	gen_require(`
		attribute systemd_unit_file_type;
	')

	systemd_exec_systemctl($1)
	allow $1 systemd_unit_file_type:service status;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_status_all_unit_files'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	systemd timedated over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_dbus_chat_timedated',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_dbus_chat_timedated'($*)) dnl
	gen_require(`
		type systemd_timedated_t;
		class dbus send_msg;
	')

	# bidirectional send_msg; the daemon may also inspect the caller process
	allow $1 systemd_timedated_t:dbus send_msg;
	allow systemd_timedated_t $1:dbus send_msg;
	ps_process_pattern(systemd_timedated_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_dbus_chat_timedated'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	systemd hostnamed over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_dbus_chat_hostnamed',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_dbus_chat_hostnamed'($*)) dnl
	gen_require(`
		type systemd_hostnamed_t;
		class dbus send_msg;
	')

	allow $1 systemd_hostnamed_t:dbus send_msg;
	allow systemd_hostnamed_t $1:dbus send_msg;
	ps_process_pattern(systemd_hostnamed_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_dbus_chat_hostnamed'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	systemd localed over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_dbus_chat_localed',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_dbus_chat_localed'($*)) dnl
	gen_require(`
		type systemd_localed_t;
		class dbus send_msg;
	')

	allow $1 systemd_localed_t:dbus send_msg;
	allow systemd_localed_t $1:dbus send_msg;
	ps_process_pattern(systemd_localed_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_dbus_chat_localed'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to send dbus messages to systemd domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`systemd_dontaudit_dbus_chat',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_dontaudit_dbus_chat'($*)) dnl
	gen_require(`
		attribute systemd_domain;
		class dbus send_msg;
	')

	# suppresses the denial record only; the access is still denied
	dontaudit $1 systemd_domain:dbus send_msg;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_dontaudit_dbus_chat'($*)) dnl
')

########################################
## <summary>
##	Read systemd-machined PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_machined_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_machined_read_pid_files'($*)) dnl
	gen_require(`
		type systemd_machined_var_run_t;
	')

	files_search_pids($1)
	list_dirs_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
	read_files_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_machined_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Manage systemd-machined PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_machined_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_machined_manage_pid_files'($*)) dnl
	gen_require(`
		type systemd_machined_var_run_t;
	')

	files_search_pids($1)
	manage_dirs_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
	manage_files_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_machined_manage_pid_files'($*)) dnl
')

########################################
## <summary>
##	List systemd-machined PID directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_machined_list_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_machined_list_pid_dirs'($*)) dnl
	gen_require(`
		type systemd_machined_var_run_t;
	')

	files_search_pids($1)
	list_dirs_pattern($1, systemd_machined_var_run_t, systemd_machined_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_machined_list_pid_dirs'($*)) dnl
')

########################################
## <summary>
##	Watch systemd-machined PID directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_machined_watch_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_machined_watch_pid_dirs'($*)) dnl
	gen_require(`
		type systemd_machined_var_run_t;
	')

	files_search_pids($1)
	# inotify-style watch permissions only; no read of the contents.
	allow $1 systemd_machined_var_run_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_machined_watch_pid_dirs'($*)) dnl
')

########################################
## <summary>
##	Search systemd-machined lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_machined_search_lib',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_machined_search_lib'($*)) dnl
	gen_require(`
		type systemd_machined_var_lib_t;
	')

	allow $1 systemd_machined_var_lib_t:dir search_dir_perms;
	# Path traversal through the generic var/lib directory.
	files_search_var_lib($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_machined_search_lib'($*)) dnl
')

########################################
## <summary>
##	Read systemd-machined lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_machined_read_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_machined_read_lib_files'($*)) dnl
	gen_require(`
		type systemd_machined_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_machined_read_lib_files'($*)) dnl
')

########################################
## <summary>
##	Manage systemd-machined lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_machined_manage_lib_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_machined_manage_lib_files'($*)) dnl
	gen_require(`
		type systemd_machined_var_lib_t;
	')

	files_search_var_lib($1)
	# Full create/read/write/delete on both directories and files of the type.
	manage_dirs_pattern($1, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
	manage_files_pattern($1, systemd_machined_var_lib_t, systemd_machined_var_lib_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_machined_manage_lib_files'($*)) dnl
')

########################################
## <summary>
##	Read and write systemd-machined devpts character nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_machined_rw_devpts_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_machined_rw_devpts_chr_files'($*)) dnl
	gen_require(`
		type devpts_t, systemd_machined_devpts_t;
	')

	# The container directory is the devpts mount; only the machined pty
	# nodes inside it are readable and writable.
	rw_chr_files_pattern($1, devpts_t, systemd_machined_devpts_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_machined_rw_devpts_chr_files'($*)) dnl
')

########################################
## <summary>
##	Allow the specified domain to connect to
##	systemd_machined with a unix socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_machined_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_machined_stream_connect'($*)) dnl
	gen_require(`
		type systemd_machined_t;
	')

	# connectto only; access to the socket file itself is not granted here.
	allow $1 systemd_machined_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_machined_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Send and receive messages from
##	systemd machined over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_dbus_chat_machined',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_dbus_chat_machined'($*)) dnl
	gen_require(`
		type systemd_machined_t;
		class dbus send_msg;
	')

	# dbus messaging in both directions between the caller and machined.
	allow $1 systemd_machined_t:dbus send_msg;
	allow systemd_machined_t $1:dbus send_msg;
	# machined may read the process state of the caller (the dbus peer).
	ps_process_pattern(systemd_machined_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_dbus_chat_machined'($*)) dnl
')

#######################################
## <summary>
##	Execute a domain transition to run systemd-coredump.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_coredump_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_coredump_domtrans'($*)) dnl
	gen_require(`
		type systemd_coredump_t, systemd_coredump_exec_t;
	')

	# Executing the coredump binary moves the caller into systemd_coredump_t.
	domtrans_pattern($1, systemd_coredump_exec_t, systemd_coredump_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_coredump_domtrans'($*)) dnl
')

########################################
## <summary>
##	Mmap systemd-coredump tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_map_coredump_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_map_coredump_tmpfs_files'($*)) dnl
	gen_require(`
		type systemd_coredump_tmpfs_t;
	')

	# map alone; pair with the rw interface below when read/write is needed.
	allow $1 systemd_coredump_tmpfs_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_map_coredump_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Read and write systemd-coredump tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_rw_coredump_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_rw_coredump_tmpfs_files'($*)) dnl
	gen_require(`
		type systemd_coredump_tmpfs_t;
	')

	allow $1 systemd_coredump_tmpfs_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_rw_coredump_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Mmap systemd-bootchart tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_map_bootchart_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_map_bootchart_tmpfs_files'($*)) dnl
	gen_require(`
		type systemd_bootchart_tmpfs_t;
	')

	# map alone; pair with the rw interface below when read/write is needed.
	allow $1 systemd_bootchart_tmpfs_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_map_bootchart_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Read and write systemd-bootchart tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_rw_bootchart_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_rw_bootchart_tmpfs_files'($*)) dnl
	gen_require(`
		type systemd_bootchart_tmpfs_t;
	')

	allow $1 systemd_bootchart_tmpfs_t:file rw_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_rw_bootchart_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Allow process to read hwdb config file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`systemd_hwdb_read_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_hwdb_read_config'($*)) dnl
	gen_require(`
		type systemd_hwdb_etc_t;
	')

	files_search_etc($1)
	allow $1 systemd_hwdb_etc_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_hwdb_read_config'($*)) dnl
')

########################################
## <summary>
##	Allow process to mmap hwdb config file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`systemd_hwdb_mmap_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_hwdb_mmap_config'($*)) dnl
	gen_require(`
		type systemd_hwdb_etc_t;
	')

	# map only; read_file_perms come from systemd_hwdb_read_config.
	allow $1 systemd_hwdb_etc_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_hwdb_mmap_config'($*)) dnl
')

########################################
## <summary>
##	Allow process to manage hwdb config file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`systemd_hwdb_manage_config',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_hwdb_manage_config'($*)) dnl
	gen_require(`
		type systemd_hwdb_etc_t;
	')

	files_search_etc($1)
	manage_files_pattern($1, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
	mmap_files_pattern($1, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
	# Relabel is confined to the hwdb type itself (from and to the same type),
	# so the caller cannot move files into or out of other etc types.
	allow $1 systemd_hwdb_etc_t:file {relabelfrom relabelto};
	# Files the caller creates in generic etc directories get the hwdb type.
	files_etc_filetrans($1, systemd_hwdb_etc_t, file)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_hwdb_manage_config'($*)) dnl
')

########################################
## <summary>
##	Allow process to mount directory configured in a
##	systemd unit as ReadWriteDirectory or ReadOnlyDirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`systemd_allow_mount_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_allow_mount_dir'($*)) dnl
	gen_require(`
		attribute systemd_mount_directory;
	')

	# mounton plus list permissions on every type carrying the attribute;
	# the set of such types is controlled by systemd_mount_dir().
	allow $1 systemd_mount_directory:dir { list_dir_perms mounton };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_allow_mount_dir'($*)) dnl
')

########################################
## <summary>
##	Allow process to create directory configured in a
##	systemd unit as ReadWriteDirectory or ReadOnlyDirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`systemd_allow_create_mount_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_allow_create_mount_dir'($*)) dnl
	gen_require(`
		attribute systemd_mount_directory;
	')

	allow $1 systemd_mount_directory:dir create_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_allow_create_mount_dir'($*)) dnl
')

########################################
## <summary>
##	Mark the following type as mountable by systemd.
## </summary>
## <param name="type">
##	<summary>
##	Type to be authorized to be mounted
##	</summary>
## </param>
## <rolecap/>
#
define(`systemd_mount_dir',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_mount_dir'($*)) dnl
	gen_require(`
		attribute systemd_mount_directory;
	')

	# Adding the attribute widens what systemd_allow_mount_dir() and
	# systemd_allow_create_mount_dir() callers may mount on or create.
	files_type($1)
	typeattribute $1 systemd_mount_directory;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_mount_dir'($*)) dnl
')

########################################
## <summary>
##	Mmap systemd_networkd_exec_t files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_map_networkd_exec_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_map_networkd_exec_files'($*)) dnl
	gen_require(`
		type systemd_networkd_exec_t;
	')

	allow $1 systemd_networkd_exec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_map_networkd_exec_files'($*)) dnl
')

########################################
## <summary>
##	Watch systemd_networkd PID directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_networkd_watch_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_networkd_watch_pid_dirs'($*)) dnl
	gen_require(`
		type systemd_networkd_var_run_t;
	')

	# Traversal goes through the init pid directory here rather than
	# files_search_pids() as in the machined interfaces.
	init_search_pid_dirs($1)
	allow $1 systemd_networkd_var_run_t:dir watch_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_networkd_watch_pid_dirs'($*)) dnl
')

########################################
## <summary>
##	Mmap systemd_resolved_exec_t files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_map_resolved_exec_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_map_resolved_exec_files'($*)) dnl
	gen_require(`
		type systemd_resolved_exec_t;
	')

	allow $1 systemd_resolved_exec_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_map_resolved_exec_files'($*)) dnl
')

########################################
## <summary>
##	Exchange messages with
##	systemd resolved over dbus or varlink.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_chat_resolved',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_chat_resolved'($*)) dnl
	gen_require(`
		type systemd_resolved_t;
		class dbus send_msg;
	')

	# dbus path: messages in both directions.
	allow $1 systemd_resolved_t:dbus send_msg;
	# varlink path: a unix stream connection to resolved.
	allow $1 systemd_resolved_t:unix_stream_socket connectto;
	allow systemd_resolved_t $1:dbus send_msg;
	# resolved may read the process state of the caller (the peer).
	ps_process_pattern(systemd_resolved_t, $1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_chat_resolved'($*)) dnl
')

########################################
## <summary>
##	Exchange messages with
##	systemd resolved over dbus (deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_dbus_chat_resolved',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_dbus_chat_resolved'($*)) dnl
	# Compatibility wrapper: warns at build time and delegates to the
	# replacement, which also grants the varlink socket connection.
	refpolicywarn(`$0($*) has been deprecated, use systemd_chat_resolved() instead.')
	systemd_chat_resolved($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_dbus_chat_resolved'($*)) dnl
')

######################################
## <summary>
##	Make the specified type usable as a systemd private tmp type.
## </summary>
## <param name="type">
##	<summary>
##	Type to be used as a private tmp type.
##	</summary>
## </param>
#
define(`systemd_private_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_private_tmp'($*)) dnl
	gen_require(`
		attribute systemd_private_tmp_type;
	')

	# Types carrying this attribute become deletable through
	# systemd_delete_private_tmp().
	typeattribute $1 systemd_private_tmp_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_private_tmp'($*)) dnl
')

#######################################
## <summary>
##	Delete filesystem objects with the systemd_private_tmp_type attribute
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
#
define(`systemd_delete_private_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_delete_private_tmp'($*)) dnl
	gen_require(`
		attribute systemd_private_tmp_type;
	')

	# Delete-only: no read or write access to the private tmp content.
	delete_dirs_pattern($1, systemd_private_tmp_type, systemd_private_tmp_type)
	delete_fifo_files_pattern($1, systemd_private_tmp_type, systemd_private_tmp_type)
	delete_files_pattern($1, systemd_private_tmp_type, systemd_private_tmp_type)
	delete_lnk_files_pattern($1, systemd_private_tmp_type, systemd_private_tmp_type)
	delete_sock_files_pattern($1, systemd_private_tmp_type, systemd_private_tmp_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_delete_private_tmp'($*)) dnl
')

#
######################################
## <summary>
##	Make the specified type usable as a systemd read efivarfs type.
## </summary>
## <param name="type">
##	<summary>
##	Type to be used as a read efivarfs type.
##	</summary>
## </param>
#
define(`systemd_read_efivarfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_read_efivarfs'($*)) dnl
	gen_require(`
		attribute systemd_read_efivarfs_type;
	')

	# The rules granting efivarfs access to this attribute live elsewhere.
	typeattribute $1 systemd_read_efivarfs_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_read_efivarfs'($*)) dnl
')

#######################################
## <summary>
##	Create objects in the pid directory
##	with a private type with a type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_userdbd_runtime_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_userdbd_runtime_filetrans'($*)) dnl
	gen_require(`
		type init_var_run_t;
		type systemd_userdbd_runtime_t;
	')

	# Named transition: only a directory called userdb created under the
	# init pid type gets the userdbd runtime type.
	filetrans_pattern($1, init_var_run_t, systemd_userdbd_runtime_t, dir, "userdb")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_userdbd_runtime_filetrans'($*)) dnl
')

#######################################
## <summary>
##	Manage systemd-userdbd data symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_userdbd_runtime_manage_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_userdbd_runtime_manage_symlinks'($*)) dnl
	gen_require(`
		type systemd_userdbd_runtime_t;
	')

	# NOTE(review): the trailing semicolon is redundant, the pattern macro
	# already expands to complete rules; the sibling interfaces omit it.
	manage_lnk_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t);
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_userdbd_runtime_manage_symlinks'($*)) dnl
')

#######################################
## <summary>
##	Connect to systemd-userdbd with a unix socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_userdbd_stream_connect',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_userdbd_stream_connect'($*)) dnl
	gen_require(`
		type systemd_userdbd_t;
		type systemd_userdbd_runtime_t;
	')

	files_search_pids($1)
	# Reach the socket: list the runtime directory, follow the symlinks in
	# it, and write to the named socket file.
	list_dirs_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
	read_lnk_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
	write_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
	allow $1 systemd_userdbd_t:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_userdbd_stream_connect'($*)) dnl
')

#######################################
## <summary>
##	Manage named sockets in userdbd runtime directory
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`systemd_manage_userdbd_runtime_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `systemd_manage_userdbd_runtime_sock_files'($*)) dnl
	gen_require(`
		type systemd_userdbd_runtime_t;
	')

	manage_sock_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `systemd_manage_userdbd_runtime_sock_files'($*)) dnl
')

## <summary>Policy for udev.</summary>

########################################
## <summary>
##	Send generic signals to udev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`udev_signal',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_signal'($*)) dnl
	gen_require(`
		type udev_t;
	')

	# signal only; sigkill, sigstop and sigchld are not included.
	allow $1 udev_t:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_signal'($*)) dnl
')

########################################
## <summary>
##	Execute udev in the udev domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`udev_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_domtrans'($*)) dnl
	gen_require(`
		type udev_t, udev_exec_t;
	')

	domtrans_pattern($1, udev_exec_t, udev_t)
	# noatsecure keeps the environment of the caller across the transition
	# (no AT_SECURE cleansing), so callers should be trusted system domains.
	allow $1 udev_t:process noatsecure;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_domtrans'($*)) dnl
')

########################################
## <summary>
##	Execute udev in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`udev_exec',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_exec'($*)) dnl
	gen_require(`
		type udev_exec_t;
	')

	# No domain change: the udev binary runs with the privileges of the caller.
	can_exec($1, udev_exec_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_exec'($*)) dnl
')

########################################
## <summary>
##	Execute a udev helper in the udev domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`udev_helper_domtrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_helper_domtrans'($*)) dnl
	gen_require(`
		type udev_t, udev_helper_exec_t;
	')

	domtrans_pattern($1, udev_helper_exec_t, udev_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_helper_domtrans'($*)) dnl
')

########################################
## <summary>
##	Allow process to read udev process state.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`udev_read_state',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_read_state'($*)) dnl
	gen_require(`
		type udev_t;
	')

	# /proc traversal is needed before the per-process entries can be read.
	kernel_search_proc($1)
	ps_process_pattern($1, udev_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_read_state'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to inherit a
##	udev file descriptor.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`udev_dontaudit_use_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_dontaudit_use_fds'($*)) dnl
	gen_require(`
		type udev_t;
	')

	# Silences the denial only; the fd use is still refused.
	dontaudit $1 udev_t:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_dontaudit_use_fds'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	to a udev unix datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`udev_dontaudit_rw_dgram_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_dontaudit_rw_dgram_sockets'($*)) dnl
	gen_require(`
		type udev_t;
	')

	dontaudit $1 udev_t:unix_dgram_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_dontaudit_rw_dgram_sockets'($*)) dnl
')

########################################
## <summary>
##	Getattr udev rules chr files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`udev_getattr_rules_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_getattr_rules_chr_files'($*)) dnl
	gen_require(`
		type udev_rules_t;
	')

	getattr_chr_files_pattern($1, udev_rules_t, udev_rules_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_getattr_rules_chr_files'($*)) dnl
')

########################################
## <summary>
##	Manage udev rules files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`udev_manage_rules_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_manage_rules_files'($*)) dnl
	gen_require(`
		type udev_rules_t;
	')

	# Rules files may live under etc or under the udev pid directory, so
	# both are made searchable. Writing rules changes how udev reacts to
	# device events, hence this is a privileged interface.
	manage_files_pattern($1, udev_rules_t, udev_rules_t)
	files_search_etc($1)
	udev_search_pids($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_manage_rules_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit search of udev database directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`udev_dontaudit_search_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_dontaudit_search_db'($*)) dnl
	gen_require(`
		type udev_var_run_t;
	')

	dontaudit $1 udev_var_run_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_dontaudit_search_db'($*)) dnl
')

########################################
## <summary>
##	Read the udev device table.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to read the udev device table.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`udev_read_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_read_db'($*)) dnl
	# Thin wrapper: the database is the udev pid content, so delegate.
	# udev_read_pid_files is defined later in this file; m4 resolves it
	# when this macro is expanded, not when it is defined.
	udev_read_pid_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_read_db'($*)) dnl
')

########################################
## <summary>
##	Allow process to modify list of devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`udev_rw_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_rw_db'($*)) dnl
	gen_require(`
		type udev_var_run_t;
	')

	files_search_pids($1)
	# Listing device nodes is granted alongside the database access.
	dev_list_all_dev_nodes($1)
	# Read/write of existing files only; no create or delete.
	rw_files_pattern($1, udev_var_run_t, udev_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_rw_db'($*)) dnl
')

########################################
## <summary>
##	Allow process to relabel files to the udev database type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`udev_relabelto_db',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_relabelto_db'($*)) dnl
	gen_require(`
		type udev_var_run_t;
	')

	files_search_pids($1)
	# relabelto only: the caller also needs relabelfrom on the source type.
	allow $1 udev_var_run_t:file relabelto_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_relabelto_db'($*)) dnl
')

########################################
## <summary>
##	Relabel the udev sock_file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`udev_relabel_pid_sockfile',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_relabel_pid_sockfile'($*)) dnl
	gen_require(`
		type udev_var_run_t;
	')

	# No pid directory search is granted here, unlike the sibling interfaces.
	allow $1 udev_var_run_t:sock_file relabel_sock_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_relabel_pid_sockfile'($*)) dnl
')

########################################
## <summary>
##	Read udev pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`udev_read_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_read_pid_files'($*)) dnl
	gen_require(`
		type udev_var_run_t;
	')

	# Read-only: list the directory, read files and symlinks. Device node
	# listing is bundled in because the database describes those nodes.
	dev_list_all_dev_nodes($1)
	files_search_pids($1)
	allow $1 udev_var_run_t:dir list_dir_perms;
	read_files_pattern($1, udev_var_run_t, udev_var_run_t)
	read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_read_pid_files'($*)) dnl
')

########################################
## <summary>
##	Search through udev pid content
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`udev_search_pids',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_search_pids'($*)) dnl
	gen_require(`
		type udev_var_run_t;
	')

	files_search_pids($1)
	search_dirs_pattern($1, udev_var_run_t, udev_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_search_pids'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	udev pid directories
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`udev_manage_pid_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_manage_pid_dirs'($*)) dnl
	gen_require(`
		type udev_var_run_t;
	')

	# NOTE(review): this searches the generic var directory, whereas the
	# sibling udev pid interfaces use files_search_pids(); confirm intended.
	files_search_var($1)
	manage_dirs_pattern($1, udev_var_run_t, udev_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_manage_pid_dirs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete
##	udev pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`udev_manage_pid_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_manage_pid_files'($*)) dnl
	gen_require(`
		type udev_var_run_t;
	')

	files_search_pids($1)
	manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_manage_pid_files'($*)) dnl
')

#######################################
## <summary>
##	Execute udev in the udev domain, and
##	allow the specified role the udev domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the udev domain.
##	</summary>
## </param>
## <rolecap/>
#
define(`udev_run',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_run'($*)) dnl
	gen_require(`
		type udev_t;
	')

	# Inherits the noatsecure grant from udev_domtrans.
	udev_domtrans($1)
	role $2 types udev_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_run'($*)) dnl
')

#######################################
## <summary>
##	Allow caller to create kobject uevent socket for udev
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`udev_create_kobject_uevent_socket',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `udev_create_kobject_uevent_socket'($*)) dnl
	gen_require(`
		type udev_t;
		role system_r;
	')

	# NOTE(review): system_r is required above but not used by the rule.
	# The socket is labeled udev_t, so this is for sockets handed to udev.
	allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `udev_create_kobject_uevent_socket'($*)) dnl
')

########################################
## <summary>
##	Create a domain for processes
##	which can be started by udev.
## </summary>
## <param name="domain">
##	<summary>
##	Type to be used as a domain.
##	</summary>
## </param>
## <param name="entry_point">
##	<summary>
##	Type of the program to be used as an entry point to this domain.
## ## # define(`udev_system_domain',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `udev_system_domain'($*)) dnl gen_require(` type udev_t; role system_r; ') domain_type($1) domain_entry_file($1, $2) role system_r types $1; domtrans_pattern(udev_t, $2, $1) dontaudit $1 udev_t:unix_dgram_socket { read write }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `udev_system_domain'($*)) dnl ') ######################################## ## ## Create directories in the run location with udev_var_run_t type ## ## ## ## Domain allowed access. ## ## ## ## ## Name of the directory that is created ## ## # define(`udev_generic_pid_filetrans_run_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `udev_generic_pid_filetrans_run_dirs'($*)) dnl gen_require(` type udev_var_run_t; ') files_pid_filetrans($1, udev_var_run_t, dir, $2) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `udev_generic_pid_filetrans_run_dirs'($*)) dnl ') ## The unconfined domain. ######################################## ## ## Make the specified domain unconfined. ## ## ## ## Domain to make unconfined. ## ## # define(`unconfined_domain_noaudit',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `unconfined_domain_noaudit'($*)) dnl gen_require(` class dbus all_dbus_perms; class nscd all_nscd_perms; class passwd all_passwd_perms; ') # Use any Linux capability. allow $1 self:capability ~{ sys_module }; allow $1 self:capability2 ~{ mac_admin mac_override }; allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; # Transition to myself, to make get_ordered_context_list happy. allow $1 self:process { dyntransition transition }; # Write access is for setting attributes under /proc/self/attr. 
allow $1 self:file manage_file_perms; allow $1 self:dir rw_dir_perms; allow $1 self:lockdown { confidentiality integrity }; # Userland object managers allow $1 self:nscd all_nscd_perms; allow $1 self:dbus all_dbus_perms; allow $1 self:passwd all_passwd_perms; allow $1 self:association all_association_perms; allow $1 self:socket_class_set create_socket_perms; kernel_unconfined($1) corenet_unconfined($1) dev_unconfined($1) domain_unconfined($1) files_unconfined($1) fs_unconfined($1) selinux_unconfined($1) systemd_config_all_services($1) domain_mmap_low($1) domain_named_filetrans($1) ubac_process_exempt($1) tunable_policy(`selinuxuser_execheap',` # Allow making the stack executable via mprotect. allow $1 self:process execheap; ') tunable_policy(`deny_execmem',`',` # Allow making anonymous memory executable, e.g. # for runtime-code generation or executable stack. allow $1 self:process execmem; ') tunable_policy(`selinuxuser_execstack',` allow $1 self:process execstack; # auditallow $1 self:process execstack; ') optional_policy(` auth_unconfined($1) ') optional_policy(` # Communicate via dbusd. dbus_system_bus_unconfined($1) dbus_unconfined($1) ') optional_policy(` ipsec_setcontext_default_spd($1) ipsec_match_default_spd($1) ') optional_policy(` nscd_unconfined($1) ') optional_policy(` postgresql_unconfined($1) ') optional_policy(` seutil_create_bin_policy($1) seutil_relabelto_bin_policy($1) ') optional_policy(` storage_unconfined($1) ') optional_policy(` xserver_unconfined($1) ') popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `unconfined_domain_noaudit'($*)) dnl ') ######################################## ## ## Make the specified domain unconfined and ## audit executable heap usage. ## ## ##

########################################
##
## Make the specified domain unconfined and
## audit executable heap usage. With exception
## of memory protections, usage of this interface
## will result in the level of access the domain has
## is like SELinux was not being used.
##
## Only completely trusted domains should use this interface.
##
## Parameters:
##   $1: Domain to make unconfined.
#
define(`unconfined_domain',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `unconfined_domain'($*)) dnl
	gen_require(`
		attribute unconfined_services;
	')

	# NOTE(review): unconfined_services is required above but not
	# referenced in this body; the require appears to be dead.

	# All of the access comes from here.
	unconfined_domain_noaudit($1)

	# The only difference from unconfined_domain_noaudit(): when the
	# tunable is on, executable-heap use by $1 produces an audit
	# record. The access itself is granted either way.
	tunable_policy(`selinuxuser_execheap',`
		auditallow $1 self:process execheap;
	')

	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `unconfined_domain'($*)) dnl
')

########################################
##
## Add an alias type to the unconfined domain. (Deprecated)
##
## This is added to support targeted policy. Its
## use should be limited. It has no effect
## on the strict policy.
##
## Parameters:
##   $1: New alias of the unconfined domain.
#
define(`unconfined_alias_domain',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `unconfined_alias_domain'($*)) dnl
	# Deprecated: only a build-time warning is produced. No rule is
	# generated, so $1 is NOT made unconfined or aliased to anything.
	refpolicywarn(`$0() has been deprecated.')
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `unconfined_alias_domain'($*)) dnl
')

########################################
##
## Add an alias type to the unconfined execmem
## program file type. (Deprecated)
##
## This is added to support targeted policy. Its
## use should be limited. It has no effect
## on the strict policy.
##
## Parameters:
##   $1: New alias of the unconfined execmem program type.
#
define(`unconfined_execmem_alias_program',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `unconfined_execmem_alias_program'($*)) dnl
	# Deprecated: only a build-time warning is produced; no alias
	# and no access is generated for $1.
	refpolicywarn(`$0() has been deprecated.')
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `unconfined_execmem_alias_program'($*)) dnl
')

########################################
##
## Connect to unconfined_server with a unix socket.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`unconfined_server_stream_connect',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `unconfined_server_stream_connect'($*)) dnl
	gen_require(`
		type unconfined_service_t;
	')

	files_search_pids($1)
	# Broader than the name suggests: this also grants write access
	# to generic named pipes under the pid directory, not only to
	# the unconfined service socket.
	files_write_generic_pid_pipes($1)
	allow $1 unconfined_service_t:unix_stream_socket { getattr connectto };

	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `unconfined_server_stream_connect'($*)) dnl
')

########################################
##
## Execute a generic bin program in the unconfined service
## domain (domain transition from $1 to unconfined_service_t).
##
## Security note: any domain given this interface can leave its
## confinement simply by executing a bin_t program, so treat it as
## equivalent to granting unconfined access.
##
## Parameters:
##   $1: Domain allowed access.
#
define(`unconfined_server_domtrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `unconfined_server_domtrans'($*)) dnl
	gen_require(`
		type unconfined_service_t;
	')

	# Automatic transition on bin_t executables into the unconfined
	# service domain.
	corecmd_bin_domtrans($1, unconfined_service_t)

	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `unconfined_server_domtrans'($*)) dnl
')
## ## # define(`unconfined_server_dbus_chat',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `unconfined_server_dbus_chat'($*)) dnl gen_require(` type unconfined_service_t; class dbus send_msg; ') allow $1 unconfined_service_t:dbus send_msg; allow unconfined_service_t $1:dbus send_msg; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `unconfined_server_dbus_chat'($*)) dnl ') ######################################## ## ## Send signull to unconfined_service_t. ## ## ## ## Domain allowed access. ## ## # define(`unconfined_server_signull',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `unconfined_server_signull'($*)) dnl gen_require(` type unconfined_service_t; ') allow $1 unconfined_service_t:process signull; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `unconfined_server_signull'($*)) dnl ') ######################################## ## ## Allow noatsecure. ## ## ## ## Domain allowed access. ## ## # define(`unconfined_server_noatsecure',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `unconfined_server_noatsecure'($*)) dnl gen_require(` type unconfined_service_t; ') allow $1 unconfined_service_t:process { noatsecure }; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `unconfined_server_noatsecure'($*)) dnl ') ######################################## ## ## Create unconfined_service_t TCP sockets. ## ## ## ## Domain allowed access. 
## ## # define(`unconfined_server_create_tcp_sockets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `unconfined_server_create_tcp_sockets'($*)) dnl gen_require(` type unconfined_service_t; ') allow $1 unconfined_service_t:tcp_socket create_stream_socket_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `unconfined_server_create_tcp_sockets'($*)) dnl ') ######################################## ## ## Create unconfined_service_t UDP sockets. ## ## ## ## Domain allowed access. ## ## # define(`unconfined_server_create_udp_sockets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `unconfined_server_create_udp_sockets'($*)) dnl gen_require(` type unconfined_service_t; ') allow $1 unconfined_service_t:udp_socket create_socket_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `unconfined_server_create_udp_sockets'($*)) dnl ') ######################################## ## ## Create unconfined_service_t UNIX sockets. ## ## ## ## Domain allowed access. ## ## # define(`unconfined_server_create_unix_sockets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `unconfined_server_create_unix_sockets'($*)) dnl gen_require(` type unconfined_service_t; ') allow $1 unconfined_service_t:unix_stream_socket create_stream_socket_perms; allow $1 unconfined_service_t:unix_dgram_socket create_socket_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `unconfined_server_create_unix_sockets'($*)) dnl ') ######################################## ## ## Do not audit attempts to read and write # unconfined service domain unnamed pipes. ## ## ## ## Domain to not audit. 
## ## # define(`unconfined_server_dontaudit_rw_pipes',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `unconfined_server_dontaudit_rw_pipes'($*)) dnl gen_require(` type unconfined_service_t; ') dontaudit $1 unconfined_service_t:fifo_file rw_file_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `unconfined_server_dontaudit_rw_pipes'($*)) dnl ') ## Policy for user domains ####################################### ## ## The template containing the most basic rules common to all users. ## ## ##

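#######################################
##
## The template containing the most basic rules common to all users.
##
## This template creates a user domain, types, and
## rules for the user's tty and pty.
##
## Security notes for reviewers of a concrete $1:
##  - the system role may switch to $1_r (allow system_r $1_r),
##    which is what lets login programs enter the domain;
##  - every member of $1_usertype may signal, share memory and IPC
##    with, and (unless deny_ptrace is on) ptrace every other member,
##    and may read and write the kernel keyrings of $1_t;
##  - the domain may execute every application executable type
##    (application_exec_all) and usr_t files (files_exec_usr_files),
##    and may run ld.so directly (libs_exec_ld_so). Loading a file
##    through ld.so is an mmap rather than an execve, so it does
##    not rely on the execute_no_trans check on the target.
##
## Parameters:
##   $1: The prefix of the user domain (e.g., user is the prefix
##       for user_t).
#
define(`userdom_base_user_template',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_base_user_template'($*)) dnl
	gen_require(`
		attribute userdomain;
		type user_devpts_t, user_tty_device_t;
		class context contains;
	')

	attribute $1_file_type;
	attribute $1_usertype;

	type $1_t, userdomain, $1_usertype;
	domain_type($1_t)
	role $1_r;

	corecmd_shell_entry_type($1_t)
	corecmd_bin_entry_type($1_t)
	domain_user_exemption_target($1_t)
	ubac_constrained($1_t)

	role $1_r types $1_t;
	# System-role processes (login programs) may switch to the user role.
	allow system_r $1_r;

	term_user_pty($1_t, user_devpts_t)
	term_user_tty($1_t, user_tty_device_t)
	term_dontaudit_getattr_generic_ptys($1_t)

	# Members of $1_usertype are mutually trusting: signals,
	# scheduling, capability bounding (setcap) and IPC flow freely.
	allow $1_usertype $1_usertype:process { signal_perms getsched setsched share getpgid setpgid getcap setcap getsession getattr };

	# ptrace between the user types is granted unless deny_ptrace is set.
	tunable_policy(`deny_ptrace',`',`
		allow $1_usertype $1_usertype:process ptrace;
	')

	allow $1_usertype $1_usertype:fd use;
	# Every user type may read and write the keyrings of $1_t
	# (presumably session/kerberos material; confirm per deployment).
	allow $1_usertype $1_t:key { create view read write search link setattr };
	allow $1_usertype $1_usertype:fifo_file rw_fifo_file_perms;
	allow $1_usertype $1_usertype:unix_dgram_socket { create_socket_perms sendto };
	allow $1_usertype $1_usertype:unix_stream_socket { create_stream_socket_perms connectto };
	allow $1_usertype $1_usertype:shm create_shm_perms;
	allow $1_usertype $1_usertype:sem create_sem_perms;
	allow $1_usertype $1_usertype:msgq create_msgq_perms;
	allow $1_usertype $1_usertype:msg { send receive };
	allow $1_usertype $1_usertype:context contains;
	dontaudit $1_usertype $1_usertype:socket create;

	allow $1_usertype user_devpts_t:chr_file { setattr rw_chr_file_perms };
	term_create_pty($1_usertype, user_devpts_t)
	# avoid annoying messages on terminal hangup on role change
	dontaudit $1_usertype user_devpts_t:chr_file ioctl;

	allow $1_usertype user_tty_device_t:chr_file { setattr rw_chr_file_perms };
	# avoid annoying messages on terminal hangup on role change
	dontaudit $1_usertype user_tty_device_t:chr_file ioctl;

	application_exec_all($1_usertype)

	# Read access to every sysctl, not only the kernel ones.
	kernel_read_kernel_sysctls($1_usertype)
	kernel_read_all_sysctls($1_usertype)
	kernel_dontaudit_list_unlabeled($1_usertype)
	kernel_dontaudit_getattr_unlabeled_files($1_usertype)
	kernel_dontaudit_getattr_unlabeled_symlinks($1_usertype)
	kernel_dontaudit_getattr_unlabeled_pipes($1_usertype)
	kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
	kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
	kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
	kernel_dontaudit_list_proc($1_usertype)

	dev_dontaudit_getattr_all_blk_files($1_usertype)
	dev_dontaudit_getattr_all_chr_files($1_usertype)
	dev_getattr_mtrr_dev($1_t)

	# When the user domain runs ps, there will be a number of access
	# denials when ps tries to search /proc. Do not audit these denials.
	domain_dontaudit_read_all_domains_state($1_usertype)
	domain_dontaudit_getattr_all_domains($1_usertype)
	domain_dontaudit_getsession_all_domains($1_usertype)
	dev_dontaudit_all_access_check($1_usertype)

	files_read_etc_files($1_usertype)
	files_list_mnt($1_usertype)
	files_list_var($1_usertype)
	files_read_mnt_files($1_usertype)
	files_dontaudit_all_access_check($1_usertype)
	files_read_etc_runtime_files($1_usertype)
	files_read_usr_files($1_usertype)
	files_read_usr_src_files($1_usertype)
	# Read directories and files with the readable_t type.
	# This type is a general type for "world"-readable files.
	files_list_world_readable($1_usertype)
	files_read_world_readable_files($1_usertype)
	files_read_world_readable_symlinks($1_usertype)
	files_read_world_readable_pipes($1_usertype)
	files_read_world_readable_sockets($1_usertype)
	# carried over from the old browser_domain():
	files_dontaudit_getattr_all_dirs($1_usertype)
	files_dontaudit_list_non_security($1_usertype)
	files_dontaudit_getattr_all_files($1_usertype)
	files_dontaudit_getattr_non_security_symlinks($1_usertype)
	files_dontaudit_getattr_non_security_pipes($1_usertype)
	files_dontaudit_getattr_non_security_sockets($1_usertype)
	files_dontaudit_setattr_etc_runtime_files($1_usertype)
	# Execute usr_t files (not only bin_t) without a transition.
	files_exec_usr_files($1_t)

	fs_list_cgroup_dirs($1_usertype)
	fs_dontaudit_rw_cgroup_files($1_usertype)
	fs_read_tmpfs_symlinks($1_usertype)

	# Read/write access to /dev/fuse.
	storage_rw_fuse($1_usertype)

	init_stream_connect($1_usertype)
	# The library functions always try to open read-write first,
	# then fall back to read-only if it fails.
	init_dontaudit_rw_utmp($1_usertype)

	libs_exec_ld_so($1_usertype)

	miscfiles_read_generic_certs($1_t)
	miscfiles_read_all_certs($1_usertype)
	miscfiles_read_public_files($1_usertype)

	systemd_dbus_chat_logind($1_usertype)
	systemd_read_logind_sessions_files($1_usertype)
	systemd_write_inhibit_pipes($1_usertype)
	systemd_write_inherited_logind_sessions_pipes($1_usertype)
	systemd_login_read_pid_files($1_usertype)

	tunable_policy(`deny_execmem',`',`
		# Allow making anonymous memory executable (JITs and the
		# like). This is execmem, not executable stack; see below.
		allow $1_t self:process execmem;
	')

	tunable_policy(`selinuxuser_execstack',`
		# Allow making the stack executable via mprotect.
		allow $1_t self:process execstack;
	')

	optional_policy(`
		abrt_stream_connect($1_usertype)
	')

	optional_policy(`
		ssh_rw_stream_sockets($1_usertype)
		ssh_rw_dgram_sockets($1_usertype)
		ssh_delete_tmp($1_t)
		ssh_signal($1_t)
	')
	dnl
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_base_user_template'($*)) dnl
')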

#######################################
##
## Allow a home directory for which the
## role has read-only access.
##
## This does not allow execute access.
##
## Parameters:
##   $1: The user role
##   $2: The user domain
#
define(`userdom_ro_home_role',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_ro_home_role'($*)) dnl
	gen_require(`
		type user_home_t, user_home_dir_t;
	')

	role $1 types { user_home_t user_home_dir_t };

	##############################
	#
	# Domain access to home dir
	#

	# Polyinstantiated home directory member selection.
	type_member $2 user_home_dir_t:dir user_home_dir_t;

	# read-only home directory
	allow $2 user_home_dir_t:dir list_dir_perms;
	allow $2 user_home_t:dir list_dir_perms;
	# entrypoint does not let $2 execute home files; it makes a
	# user_home_t file a valid entry point INTO $2, so any domain
	# that has a transition rule on user_home_t could enter $2 by
	# executing a file in a home directory. Keep that in mind when
	# reviewing which domains may transition to $2.
	allow $2 user_home_t:file entrypoint;
	read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
	files_list_home($2)

	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_ro_home_role'($*)) dnl
')

#######################################
##
## Allow a home directory for which the
## role has full access.
##
## This does not allow execute access.
##
## Security note: $2 receives relabelfrom/relabelto across every
## type carrying user_home_type. Per-application home content
## types therefore separate applications from each other, but not
## from the user domain itself, which can relabel between them.
##
## Parameters:
##   $1: The user role
##   $2: The user domain
#
define(`userdom_manage_home_role',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_manage_home_role'($*)) dnl
	gen_require(`
		type user_home_t, user_home_dir_t;
		attribute user_home_type;
	')

	role $1 types { user_home_type user_home_dir_t };

	##############################
	#
	# Domain access to home dir
	#

	# Polyinstantiated home directory member selection.
	type_member $2 user_home_dir_t:dir user_home_dir_t;

	# full control of the home directory
	allow $2 user_home_t:dir mounton;
	# See userdom_ro_home_role(): this is an entry point into $2,
	# not execute access for $2.
	allow $2 user_home_t:file entrypoint;
	# Relabel in both directions across all home content types.
	allow $2 user_home_type:dir_file_class_set { relabelto relabelfrom };
	allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
	manage_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	manage_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_dirs_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_lnk_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_sock_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	relabel_fifo_files_pattern($2, { user_home_dir_t user_home_type }, user_home_type)
	userdom_filetrans_home_content($2)
	files_list_home($2)

	# cjp: this should probably be removed:
	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };

	# With the respective boolean on, the same full control extends
	# to home directories served over NFS / CIFS, including mounting.
	tunable_policy(`use_nfs_home_dirs',`
		fs_mount_nfs($2)
		fs_mounton_nfs($2)
		fs_manage_nfs_dirs($2)
		fs_manage_nfs_files($2)
		fs_manage_nfs_symlinks($2)
		fs_manage_nfs_named_sockets($2)
		fs_manage_nfs_named_pipes($2)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_mount_cifs($2)
		fs_mounton_cifs($2)
		fs_manage_cifs_dirs($2)
		fs_manage_cifs_files($2)
		fs_manage_cifs_symlinks($2)
		fs_manage_cifs_named_sockets($2)
		fs_manage_cifs_named_pipes($2)
	')

	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_manage_home_role'($*)) dnl
')

#######################################
##
## Manage user temporary files
##
## Parameters:
##   $1: Domain allowed access.
#
define(`userdom_manage_tmp_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_manage_tmp_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	# Create/read/write/delete/rename of user_tmp_t files in
	# user_tmp_t directories; no execute.
	manage_files_pattern($1, user_tmp_t, user_tmp_t)

	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_manage_tmp_files'($*)) dnl
')

#######################################
##
## Watch user temporary directories
##
## Parameters:
##   $1: Domain allowed access.
#
define(`userdom_watch_tmp_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_watch_tmp_dirs'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	# inotify/fanotify style watch permission only.
	watch_dirs_pattern($1, user_tmp_t, user_tmp_t)

	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_watch_tmp_dirs'($*)) dnl
')

#######################################
##
## Watch_mount user temporary directories
##
## Parameters:
##   $1: Domain allowed access.
#
define(`userdom_watch_mount_tmp_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_watch_mount_tmp_dirs'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	watch_mount_dirs_pattern($1, user_tmp_t, user_tmp_t)

	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_watch_mount_tmp_dirs'($*)) dnl
')
## ## # define(`userdom_watch_with_perm_tmp_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `userdom_watch_with_perm_tmp_dirs'($*)) dnl gen_require(` type user_tmp_t; ') watch_with_perm_dirs_pattern($1, user_tmp_t, user_tmp_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `userdom_watch_with_perm_tmp_dirs'($*)) dnl ') ####################################### ## ## Mmap user temporary files ## ## ## ## Domain allowed access. ## ## ## # define(`userdom_map_tmp_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `userdom_map_tmp_files'($*)) dnl gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `userdom_map_tmp_files'($*)) dnl ') ####################################### ## ## Manage user temporary sockets ## ## ## ## Domain allowed access. ## ## ## # define(`userdom_manage_tmp_sockets',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `userdom_manage_tmp_sockets'($*)) dnl gen_require(` type user_tmp_t; ') manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `userdom_manage_tmp_sockets'($*)) dnl ') ####################################### ## ## Manage user temporary directories ## ## ## ## Domain allowed access. ## ## ## # define(`userdom_manage_tmp_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `userdom_manage_tmp_dirs'($*)) dnl gen_require(` type user_tmp_t; ') manage_dirs_pattern($1, user_tmp_t, user_tmp_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `userdom_manage_tmp_dirs'($*)) dnl ') ####################################### ## ## Manage user temporary directories ## ## ## ## Domain allowed access. 
## ## ## # define(`userdom_mounton_tmp_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `userdom_mounton_tmp_dirs'($*)) dnl gen_require(` type user_tmp_t; ') allow $1 user_tmp_t:dir mounton; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `userdom_mounton_tmp_dirs'($*)) dnl ') ####################################### ## ## Manage user temporary files ## ## ## ## Role allowed access. ## ## ## ## ## Domain allowed access. ## ## ## # define(`userdom_manage_tmp_role',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `userdom_manage_tmp_role'($*)) dnl gen_require(` attribute user_tmp_type; type user_tmp_t; ') role $1 types user_tmp_t; files_poly_member_tmp($2, user_tmp_t) allow $2 user_tmp_type:dir mounton; manage_dirs_pattern($2, user_tmp_type, user_tmp_type) manage_files_pattern($2, user_tmp_type, user_tmp_type) manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type) manage_sock_files_pattern($2, user_tmp_type, user_tmp_type) manage_fifo_files_pattern($2, user_tmp_type, user_tmp_type) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) fs_tmpfs_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) relabel_dirs_pattern($2, user_tmp_type, user_tmp_type) relabel_files_pattern($2, user_tmp_type, user_tmp_type) relabel_lnk_files_pattern($2, user_tmp_type, user_tmp_type) relabel_sock_files_pattern($2, user_tmp_type, user_tmp_type) relabel_fifo_files_pattern($2, user_tmp_type, user_tmp_type) allow $2 user_tmp_type:file map; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `userdom_manage_tmp_role'($*)) dnl ') ####################################### ## ## Dontaudit search of user bin dirs. ## ## ## ## Domain to not audit. 
## ## # define(`userdom_dontaudit_search_user_bin_dirs',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_search_user_bin_dirs'($*)) dnl gen_require(` type home_bin_t; ') dontaudit $1 home_bin_t:dir search_dir_perms; popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `userdom_dontaudit_search_user_bin_dirs'($*)) dnl ') ####################################### ## ## Execute user bin files. ## ## ## ## Domain allowed access. ## ## # define(`userdom_exec_user_bin_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `userdom_exec_user_bin_files'($*)) dnl gen_require(` attribute user_home_type; type home_bin_t, user_home_dir_t; ') exec_files_pattern($1, { user_home_dir_t user_home_type }, home_bin_t) files_search_home($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `userdom_exec_user_bin_files'($*)) dnl ') ####################################### ## ## The execute access user temporary files. ## ## ## ## Domain allowed access. ## ## ## # define(`userdom_exec_user_tmp_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `userdom_exec_user_tmp_files'($*)) dnl gen_require(` type user_tmp_t; ') exec_files_pattern($1, user_tmp_t, user_tmp_t) dontaudit $1 user_tmp_t:sock_file execute; files_search_tmp($1) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `userdom_exec_user_tmp_files'($*)) dnl ') ####################################### ## ## Manage user temporary file system files ## ## ## ## Domain allowed access. 
## ## ## # define(`userdom_manage_tmpfs_files',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `userdom_manage_tmpfs_files'($*)) dnl gen_require(` type user_tmpfs_t; ') manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t) popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `userdom_manage_tmpfs_files'($*)) dnl ') ####################################### ## ## Role access for the user tmpfs type ## that the user has full access. ## ## ##

#######################################
##
## Role access for the user tmpfs type
## that the user has full access.
##
## This does not allow execute access.
##
## Deprecated: forwards to userdom_manage_tmp_role(), so callers
## get the full user_tmp_type access described there, not just
## tmpfs access.
##
## Parameters:
##   $1: Role allowed access.
##   $2: Domain allowed access.
#
define(`userdom_manage_tmpfs_role',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_manage_tmpfs_role'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use userdom_manage_tmp_role() instead.')
	userdom_manage_tmp_role($1,$2)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_manage_tmpfs_role'($*)) dnl
')

#######################################
##
## The interface allowing the user basic
## network permissions
##
## Security note: "basic" is generous. The domain may open outbound
## TCP connections to every port (corenet_tcp_connect_all_ports)
## and send/receive on all ports over the generic interfaces and
## nodes. Binding is not granted here. Restrict with a wrapper if
## the user domain should not reach arbitrary services.
##
## Parameters:
##   $1: The user domain
#
define(`userdom_basic_networking',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_basic_networking'($*)) dnl
	allow $1 self:tcp_socket create_stream_socket_perms;
	allow $1 self:udp_socket create_socket_perms;

	corenet_tcp_sendrecv_generic_if($1)
	corenet_udp_sendrecv_generic_if($1)
	corenet_tcp_sendrecv_generic_node($1)
	corenet_udp_sendrecv_generic_node($1)
	corenet_tcp_sendrecv_all_ports($1)
	corenet_udp_sendrecv_all_ports($1)
	# Outbound TCP to any port.
	corenet_tcp_connect_all_ports($1)
	corenet_sendrecv_all_client_packets($1)

	optional_policy(`
		init_tcp_recvfrom_all_daemons($1)
		init_udp_recvfrom_all_daemons($1)
	')

	optional_policy(`
		ipsec_match_default_spd($1)
	')

	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_basic_networking'($*)) dnl
')
## ## ## # define(`userdom_xwindows_client_template',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `userdom_xwindows_client_template'($*)) dnl refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.') gen_require(` type $1_t, user_tmpfs_t; ') dev_rw_xserver_misc($1_t) dev_rw_power_management($1_t) dev_read_input($1_t) dev_read_misc($1_t) dev_write_misc($1_t) # open office is looking for the following dev_getattr_agp_dev($1_t) dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) dev_rw_generic_usb_dev($1_t) xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) xserver_dontaudit_write_log($1_t) xserver_stream_connect_xdm($1_t) # certain apps want to read xdm.pid file xserver_read_xdm_pid($1_t) # gnome-session creates socket under /tmp/.ICE-unix/ xserver_create_xdm_tmp_sockets($1_t) # Needed for escd, remove if we get escd policy xserver_manage_xdm_tmp_files($1_t) dnl popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `userdom_xwindows_client_template'($*)) dnl ') ####################################### ## ## The template for allowing the user to change passwords. ## NOTE! This template also allows the user to change shell. ## If you want to only allow changing passwords, you should ## use usermanage_run_passwd() instead. ## ## ## ## The prefix of the user domain (e.g., user ## is the prefix for user_t). 
## ## ## # define(`userdom_change_password_template',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl policy_m4_comment(policy_call_depth,begin `userdom_change_password_template'($*)) dnl gen_require(` type $1_t; role $1_r; ') optional_policy(` usermanage_run_chfn($1_t,$1_r) usermanage_run_passwd($1_t,$1_r) ') dnl popdef(`policy_call_depth') dnl policy_m4_comment(policy_call_depth,end `userdom_change_password_template'($*)) dnl ') ####################################### ## ## The template containing rules common to unprivileged ## users and administrative users. ## ## ##

#######################################
##
## The template containing rules common to unprivileged
## users and administrative users.
##
## This template creates a user domain, types, and
## rules for the user's tty, pty, tmp, and tmpfs files.
##
## Security notes worth re-checking for any concrete $1:
##  - kernel_request_load_module lets the user domain trigger
##    kernel module autoloading;
##  - mta_manage_queue gives every $1_usertype domain management
##    of the MTA queue, which is broader than sending mail;
##  - the dbus block chats with firewalld, NetworkManager, polkit,
##    ModemManager and others; DAC and each service's own policy are
##    the only remaining checks on those requests;
##  - fs_rw_cgroup_files grants write access to cgroup control files.
##
## Parameters:
##   $1: The prefix of the user domain (e.g., user is the prefix
##       for user_t).
#
define(`userdom_common_user_template',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_common_user_template'($*)) dnl
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Outbound TCP to all ports, see userdom_basic_networking().
	userdom_basic_networking($1_usertype)
	corenet_all_recvfrom_netlabel($1_t)

	##############################
	#
	# User domain Local policy
	#

	# Packet sockets still need CAP_NET_RAW, which this template
	# does not grant; the rule only matters where the caller does.
	allow $1_t self:packet_socket create_socket_perms;

	# evolution and gnome-session try to create a netlink socket
	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
	allow $1_t self:netlink_selinux_socket create_socket_perms;
	allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
	allow $1_t self:socket create_socket_perms;

	allow $1_usertype unpriv_userdomain:fd use;

	kernel_read_system_state($1_t)
	kernel_read_network_state($1_usertype)
	kernel_read_software_raid_state($1_usertype)
	kernel_read_net_sysctls($1_usertype)
	kernel_read_afs_state($1_usertype)
	# Very permissive allowing every domain to see every type:
	kernel_get_sysvipc_info($1_usertype)
	# Find CDROM devices:
	kernel_read_device_sysctls($1_usertype)
	# The user domain may cause the kernel to autoload modules
	# (e.g. by protocol family); this widens the kernel attack surface.
	kernel_request_load_module($1_usertype)

	corenet_udp_bind_generic_node($1_usertype)
	corenet_udp_bind_generic_port($1_usertype)

	dev_read_rand($1_usertype)
	dev_write_sound($1_usertype)
	dev_read_sound($1_usertype)
	dev_read_sound_mixer($1_usertype)
	dev_write_sound_mixer($1_usertype)
	dev_rw_inherited_input_dev($1_usertype)

	files_exec_etc_files($1_usertype)
	files_search_locks($1_usertype)
	# Check to see if cdrom is mounted
	files_search_mnt($1_usertype)
	# cjp: perhaps should cut back on file reads:
	files_read_var_files($1_usertype)
	files_read_var_symlinks($1_usertype)
	files_read_generic_spool($1_usertype)
	files_read_var_lib_files($1_usertype)
	# Stat lost+found.
	files_getattr_lost_found_dirs($1_usertype)
	files_read_config_files($1_usertype)

	fs_read_noxattr_fs_files($1_usertype)
	fs_read_noxattr_fs_symlinks($1_usertype)
	# Read AND write cgroup control files.
	fs_rw_cgroup_files($1_usertype)

	application_getattr_socket($1_usertype)

	ifdef(`enable_mls',`
		init_rw_tcp_sockets($1_t)
	')

	logging_send_syslog_msg($1_t)

	selinux_get_enforce_mode($1_t)
	# cjp: some of this probably can be removed
	# (these are read-only queries of the loaded policy via selinuxfs)
	selinux_get_fs_mount($1_t)
	selinux_validate_context($1_t)
	selinux_compute_access_vector($1_t)
	selinux_compute_create_context($1_t)
	selinux_compute_relabel_context($1_t)
	selinux_compute_user_contexts($1_t)

	# for eject
	storage_getattr_fixed_disk_dev($1_usertype)

	auth_read_login_records($1_usertype)
	# pam_timestamp and utempter run in their own domains via a
	# transition; newrole likewise below.
	auth_run_pam_timestamp($1_t,$1_r)
	auth_run_utempter($1_t,$1_r)
	auth_filetrans_admin_home_content($1_t)

	init_read_utmp($1_usertype)

	seutil_read_file_contexts($1_usertype)
	seutil_read_default_contexts($1_usertype)
	seutil_run_newrole($1_t,$1_r)
	seutil_exec_checkpolicy($1_t)
	# setfiles runs IN the user domain here (exec, no transition),
	# so it can only relabel what $1_usertype may relabel anyway.
	seutil_exec_setfiles($1_usertype)
	# for when the network connection is killed
	# this is needed when a login role can change
	# to this one.
	seutil_dontaudit_signal_newrole($1_t)

	term_getattr_all_ttys($1_t)

	optional_policy(`
		afs_read_config($1_t)
	')

	optional_policy(`
		# Allow graphical boot to check battery lifespan
		apm_stream_connect($1_usertype)
	')

	optional_policy(`
		chrome_role($1_r, $1_usertype)
	')

	optional_policy(`
		canna_stream_connect($1_usertype)
	')

	optional_policy(`
		colord_read_lib_files($1_usertype)
	')

	optional_policy(`
		dbus_system_bus_client($1_usertype)

		allow $1_usertype $1_usertype:dbus send_msg;

		optional_policy(`
			avahi_dbus_chat($1_usertype)
		')

		optional_policy(`
			bluetooth_dbus_chat($1_usertype)
		')

		optional_policy(`
			consolekit_dbus_chat($1_usertype)
			consolekit_read_log($1_usertype)
		')

		optional_policy(`
			devicekit_dbus_chat($1_usertype)
			devicekit_dbus_chat_power($1_usertype)
			devicekit_dbus_chat_disk($1_usertype)
		')

		optional_policy(`
			evolution_dbus_chat($1_usertype)
			evolution_alarm_dbus_chat($1_usertype)
		')

		optional_policy(`
			# Firewall reconfiguration requests reach firewalld from
			# the user domain; polkit/DAC must gate them.
			firewalld_dbus_chat($1_usertype)
		')

		optional_policy(`
			geoclue_dbus_chat($1_usertype)
		')

		optional_policy(`
			gnome_dbus_chat_gconfdefault($1_usertype)
		')

		optional_policy(`
			hwloc_exec_dhwd($1_t)
			hwloc_read_runtime_files($1_t)
		')

		optional_policy(`
			memcached_stream_connect($1_usertype)
		')

		optional_policy(`
			modemmanager_dbus_chat($1_usertype)
		')

		optional_policy(`
			networkmanager_dbus_chat($1_usertype)
			networkmanager_read_lib_files($1_usertype)
		')

		optional_policy(`
			policykit_dbus_chat($1_usertype)
		')

		optional_policy(`
			vpn_dbus_chat($1_usertype)
		')
	')

	optional_policy(`
		git_role($1_r, $1_t)
	')

	optional_policy(`
		inetd_use_fds($1_usertype)
		inetd_rw_tcp_sockets($1_usertype)
	')

	optional_policy(`
		inn_read_config($1_usertype)
		inn_read_news_lib($1_usertype)
		inn_read_news_spool($1_usertype)
	')

	optional_policy(`
		lircd_stream_connect($1_usertype)
	')

	optional_policy(`
		locate_read_lib_files($1_t)
	')

	optional_policy(`
		mpd_manage_user_data_content($1_t)
		mpd_relabel_user_data_content($1_t)
		mpd_stream_connect($1_t)
	')

	# for running depmod as part of the kernel packaging process
	optional_policy(`
		modutils_read_module_config($1_usertype)
	')

	optional_policy(`
		mta_rw_spool($1_usertype)
		# Full management of the mail queue, not only submission.
		mta_manage_queue($1_usertype)
	')

	optional_policy(`
		tunable_policy(`selinuxuser_mysql_connect_enabled',`
			mysql_stream_connect($1_t)
		')
	')

	optional_policy(`
		oident_manage_user_content($1_t)
		oident_relabel_user_content($1_t)
		oident_home_filetrans_oidentd_home($1_t, file, ".oidentd.conf")
	')

	optional_policy(`
		# to allow monitoring of pcmcia status
		pcmcia_read_pid($1_usertype)
	')

	optional_policy(`
		pcscd_read_pid_files($1_t)
		pcscd_stream_connect($1_t)
	')

	optional_policy(`
		tunable_policy(`selinuxuser_postgresql_connect_enabled',`
			postgresql_stream_connect($1_usertype)
			postgresql_tcp_connect($1_usertype)
		')
	')

	optional_policy(`
		ppp_manage_home_files($1_t)
		ppp_relabel_home_files($1_t)
		ppp_home_filetrans_ppp_home($1_t, file, ".ppprc")
	')

	optional_policy(`
		resmgr_stream_connect($1_usertype)
	')

	optional_policy(`
		rpc_dontaudit_getattr_exports($1_usertype)
	')

	optional_policy(`
		rpcbind_stream_connect($1_usertype)
	')

	optional_policy(`
		samba_stream_connect_winbind($1_usertype)
	')

	optional_policy(`
		sandbox_transition($1_usertype, $1_r)
	')

	optional_policy(`
		seunshare_role_template($1, $1_r, $1_t)
	')

	optional_policy(`
		slrnpull_search_spool($1_usertype)
	')

	optional_policy(`
		thumb_role($1_r, $1_usertype)
	')
	dnl
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_common_user_template'($*)) dnl
')

## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
##
## Parameter $1: the prefix of the user domain (e.g., user
## is the prefix for user_t).
##
#
define(`userdom_login_user_template',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_login_user_template'($*))dnl
	gen_require(`
		class context contains;
		attribute login_userdomain;
	')

	# Build on the base user domain and mark it as a login domain.
	userdom_base_user_template($1)
	typeattribute $1_t login_userdomain;

	userdom_manage_home_role($1_r, $1_t)
	userdom_manage_tmp_role($1_r, $1_usertype)

	# Every login user except unconfined gets its own $1_exec_content
	# boolean (default on) that gates execution of files in the user
	# home and tmp locations, including NFS and CIFS homes when the
	# matching home-directory booleans are also on.
	ifelse(`$1',`unconfined',`',`
		gen_tunable(`$1_exec_content', true)

		tunable_policy(`$1_exec_content',`
			userdom_exec_user_tmp_files($1_usertype)
			userdom_exec_user_home_content_files($1_usertype)
		')

		tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
			fs_exec_nfs_files($1_usertype)
		')

		tunable_policy(`$1_exec_content && use_samba_home_dirs',`
			fs_exec_cifs_files($1_usertype)
		')
	')

	# NOTE! This template also allows user to change shell.
	userdom_change_password_template($1)

	##############################
	#
	# User domain Local policy
	#

	dontaudit $1_t self:capability { sys_nice fsetid };
	# Every process permission on self except ptrace and the
	# executable-memory ones (execmem, execstack, execheap).
	allow $1_t self:process ~{ ptrace execmem execstack execheap };

	# setuid, setgid and sys_chroot are only granted while the
	# selinuxuser_use_ssh_chroot boolean is on.
	tunable_policy(`selinuxuser_use_ssh_chroot',`
		allow $1_t self:capability { setuid setgid sys_chroot };
	')

	dontaudit $1_t self:process setrlimit;
	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };

	# NOTE(review): by name this makes $1_t a dynamic-transition type, and
	# the context contains rule on self goes with it - confirm both are
	# still needed by the login path before widening either.
	domain_dyntrans_type($1_t)
	allow $1_t self:context contains;

	kernel_dontaudit_read_system_state($1_usertype)
	kernel_dontaudit_list_all_proc($1_usertype)

	dev_read_sysfs($1_usertype)
	dev_read_rand($1_usertype)
	dev_read_urand($1_usertype)

	domain_use_interactive_fds($1_usertype)
	# Command completion can fire hundreds of denials
	domain_dontaudit_exec_all_entry_files($1_usertype)

	files_dontaudit_list_default($1_usertype)
	files_dontaudit_read_default_files($1_usertype)
	# Stat lost+found.
	files_getattr_lost_found_dirs($1_usertype)

	fs_get_all_fs_quotas($1_usertype)
	fs_getattr_all_fs($1_usertype)
	fs_search_all($1_usertype)

	auth_read_passwd($1_t)
	auth_role($1_r, $1_t)
	auth_create_cache($1_t)
	auth_rw_cache($1_t)
	auth_search_pam_console_data($1_t)
	auth_dontaudit_read_login_records($1_t)
	auth_dontaudit_write_login_records($1_t)

	application_exec_all($1_t)

	# Allow login user type to run systemd user session
	init_signal($1_usertype)
	# The library functions always try to open read-write first,
	# then fall back to read-only if it fails.
	init_dontaudit_rw_utmp($1_t)
	# Stop warnings about access to /dev/console
	init_dontaudit_use_fds($1_usertype)
	init_dontaudit_use_script_fds($1_usertype)
	# Needed by pam_selinux.so calling in systemd-users
	# (granted to the whole login_userdomain attribute, not only $1_t)
	init_entrypoint_exec(login_userdomain)

	libs_exec_lib_files($1_usertype)

	logging_dontaudit_getattr_all_logs($1_usertype)

	# for running TeX programs
	miscfiles_read_tetex_data($1_usertype)
	miscfiles_exec_tetex_data($1_usertype)

	seutil_read_config($1_usertype)
	seutil_read_file_contexts($1_usertype)
	seutil_read_default_contexts($1_usertype)
	seutil_exec_setfiles($1_usertype)

	optional_policy(`
		cups_read_config($1_usertype)
		cups_stream_connect($1_usertype)
		cups_stream_connect_ptal($1_usertype)
	')

	optional_policy(`
		kerberos_use($1_usertype)
		init_write_key($1_usertype)
	')

	optional_policy(`
		mysql_filetrans_named_content($1_usertype)
	')

	optional_policy(`
		mta_dontaudit_read_spool_symlinks($1_usertype)
	')

	optional_policy(`
		quota_dontaudit_getattr_db($1_usertype)
	')

	optional_policy(`
		rpm_read_db($1_usertype)
		rpm_dontaudit_manage_db($1_usertype)
		rpm_read_cache($1_usertype)
	')

	optional_policy(`
		oddjob_run_mkhomedir($1_t, $1_r)
		oddjob_run($1_t, $1_r)
	')

	optional_policy(`
		chronyd_run_chronyc($1_t, $1_r)
	')

	optional_policy(`
		ipa_run_helper($1_t, $1_r)
	')

	optional_policy(`
		wine_filetrans_named_content($1_usertype)
	')

	optional_policy(`
		sssd_stream_connect($1_t)
	')
dnl
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_login_user_template'($*))dnl
')

#######################################
##
## The template for creating an unprivileged login user.
##

## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
##
## Parameter $1: the prefix of the user domain (e.g., user
## is the prefix for user_t).
##
#
define(`userdom_restricted_user_template',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_restricted_user_template'($*))dnl
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Layer on the login user template and tag the domain as unprivileged.
	userdom_login_user_template($1)
	typeattribute $1_t unpriv_userdomain;
	domain_interactive_fd($1_t)

	allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms;
	# Audit netlink sockets are denied silently rather than allowed.
	dontaudit $1_usertype self:netlink_audit_socket create_socket_perms;

	seutil_read_file_contexts($1_t)
	seutil_read_default_contexts($1_t)

	##############################
	#
	# Local policy
	#

	optional_policy(`
		loadkeys_run($1_t, $1_r)
	')
dnl
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_restricted_user_template'($*))dnl
')

#######################################
##
## The template for creating an unprivileged xwindows login user.
##

## The template for creating an unprivileged xwindows login user.
##
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
##
## Parameter $1: the prefix of the user domain (e.g., user
## is the prefix for user_t).
##
#
define(`userdom_restricted_xwindows_user_template',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_restricted_xwindows_user_template'($*))dnl
	userdom_restricted_user_template($1)

	##############################
	#
	# Local policy
	#

	# NOTE(review): cap_userns covers capability checks made inside a user
	# namespace; sys_admin and sys_chroot are allowed there, sys_ptrace is
	# only dontaudited. This is a broad grant for a restricted desktop
	# user - confirm the desktop stack still needs it.
	allow $1_usertype self:cap_userns { sys_admin sys_chroot };
	dontaudit $1_usertype self:cap_userns sys_ptrace;
	allow $1_usertype self:dir { add_name write };

	kernel_stream_connect($1_usertype)

	fs_associate_proc($1_usertype)

	dev_read_sound($1_usertype)
	dev_write_sound($1_usertype)
	# gnome keyring wants to read this.
	dev_dontaudit_read_rand($1_usertype)
	# temporarily allow since openoffice requires this
	dev_read_rand($1_usertype)
	dev_read_video_dev($1_usertype)
	dev_write_video_dev($1_usertype)
	dev_rw_wireless($1_usertype)

	libs_dontaudit_setattr_lib_files($1_usertype)

	init_read_state($1_usertype)
	init_signal($1_usertype)

	# Raw access to removable media and write access to noxattr and DOS
	# filesystems is gated on the selinuxuser_rw_noexattrfile boolean.
	tunable_policy(`selinuxuser_rw_noexattrfile',`
		dev_rw_usbfs($1_t)
		dev_rw_generic_usb_dev($1_usertype)
		fs_manage_noxattr_fs_files($1_usertype)
		fs_manage_noxattr_fs_dirs($1_usertype)
		fs_manage_dos_dirs($1_usertype)
		fs_manage_dos_files($1_usertype)
		storage_raw_read_removable_device($1_usertype)
		storage_raw_write_removable_device($1_usertype)
	')

	logging_send_syslog_msg($1_t)
	logging_dontaudit_send_audit_msgs($1_t)

	# Need to do this just so screensaver will work.
	# Should be moved to screensaver domain
	selinux_get_enforce_mode($1_t)

	seutil_exec_restorecond($1_t)
	seutil_read_file_contexts($1_t)
	seutil_read_default_contexts($1_t)

	xserver_restricted_role($1_r, $1_t)

	optional_policy(`
		alsa_read_rw_config($1_usertype)
	')

	# cjp: needed by KDE apps
	# bug: #682499
	optional_policy(`
		gnome_read_usr_config($1_usertype)
		# cjp: telepathy F15 bugs
		telepathy_role($1_r, $1_t, $1)
	')

	optional_policy(`
		obex_role($1_r, $1_t, $1)
	')

	optional_policy(`
		dbus_role_template($1, $1_r, $1_usertype)
		dbus_system_bus_client($1_usertype)
		allow $1_usertype $1_usertype:dbus send_msg;

		optional_policy(`
			abrt_dbus_chat($1_usertype)
			abrt_run_helper($1_usertype, $1_r)
		')

		optional_policy(`
			accountsd_dbus_chat($1_usertype)
		')

		optional_policy(`
			consolekit_dontaudit_read_log($1_usertype)
			consolekit_dbus_chat($1_usertype)
		')

		optional_policy(`
			cups_dbus_chat($1_usertype)
			cups_dbus_chat_config($1_usertype)
		')

		optional_policy(`
			devicekit_dbus_chat($1_usertype)
			devicekit_dbus_chat_disk($1_usertype)
			devicekit_dbus_chat_power($1_usertype)
		')

		optional_policy(`
			fprintd_dbus_chat($1_t)
		')

		optional_policy(`
			realmd_dbus_chat($1_t)
		')

		optional_policy(`
			gnome_role_template($1, $1_r, $1_t)
		')

		optional_policy(`
			wm_role_template($1, $1_r, $1_t)
		')
	')

	optional_policy(`
		policykit_role($1_r, $1_usertype)
	')

	optional_policy(`
		pulseaudio_role($1_r, $1_usertype)
		pulseaudio_filetrans_home_content($1_usertype)
	')

	optional_policy(`
		rtkit_scheduled($1_usertype)
	')

	optional_policy(`
		systemd_filetrans_home_content($1_usertype)
	')

	optional_policy(`
		setroubleshoot_dontaudit_stream_connect($1_t)
	')

	optional_policy(`
		udev_read_db($1_usertype)
	')

	optional_policy(`
		xserver_xdm_ioctl_log($1_t)
	')
dnl
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_restricted_xwindows_user_template'($*))dnl
')

#######################################
##
## The template for creating an unprivileged user roughly
## equivalent to a regular linux user.
##

## The template for creating an unprivileged user roughly
## equivalent to a regular linux user.
##
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
##
## Parameter $1: the prefix of the user domain (e.g., user
## is the prefix for user_t).
##
#
define(`userdom_unpriv_user_template',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_unpriv_user_template'($*))dnl

	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	userdom_restricted_xwindows_user_template($1)
	userdom_common_user_template($1)

	##############################
	#
	# Local policy
	#

	allow $1_t self:capability { setgid chown fowner };
	allow $1_t self:alg_socket create_socket_perms;
	allow $1_t self:dccp_socket create_socket_perms;
	allow $1_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
	dontaudit $1_t self:capability { setuid };
	dontaudit $1_t self:netlink_selinux_socket create_socket_perms;
	# NOTE(review): prog_load and prog_run let this unprivileged domain load
	# and run BPF programs and create/read/write maps - confirm this breadth
	# is still required rather than only map access.
	allow $1_t self:bpf { map_create map_read map_write prog_load prog_run };
	# NOTE(review): every system-class permission on self; presumably for
	# the systemd user instance - confirm against the caller.
	allow $1_t $1_t:system all_system_perms;

	# Bluetooth sockets are allowed unless deny_bluetooth is set.
	tunable_policy(`deny_bluetooth',`',`
		allow $1_t self:bluetooth_socket create_socket_perms;
	')

	auth_use_nsswitch($1_t)

	corecmd_exec_chroot($1_t)

	# port access is audited even if dac would not have allowed it, so dontaudit it here
	# corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
	# Need the following rule to allow users to run vpnc
	corenet_tcp_bind_xserver_port($1_t)
	corenet_tcp_bind_generic_node($1_usertype)

	init_domtrans($1_t)
	init_rw_stream_sockets($1_t)

	storage_rw_fuse($1_t)

	files_exec_usr_files($1_t)
	# cjp: why?
	files_read_kernel_symbol_table($1_t)

	# Outside MLS builds the user may execute files on filesystems without
	# xattr support. Full write access there and raw write to removable
	# media sit behind selinuxuser_rw_noexattrfile; raw read of removable
	# media is granted either way.
	ifndef(`enable_mls',`
		fs_exec_noxattr($1_t)

		tunable_policy(`selinuxuser_rw_noexattrfile',`
			fs_manage_noxattr_fs_files($1_t)
			fs_manage_noxattr_fs_dirs($1_t)
			# Write floppies
			storage_raw_read_removable_device($1_t)
			storage_raw_write_removable_device($1_t)
		',`
			storage_raw_read_removable_device($1_t)
		')
	')

	miscfiles_read_hwdata($1_usertype)

	fs_manage_cgroup_dirs($1_t)
	fs_mounton_fusefs($1_usertype)

	# Allow users to run TCP servers (bind to ports and accept connection from
	# the same domain and outside users) disabling this forces FTP passive mode
	# and may change other protocols
	tunable_policy(`selinuxuser_share_music',`
		corenet_tcp_bind_daap_port($1_usertype)
	')

	tunable_policy(`selinuxuser_tcp_server',`
		corenet_tcp_bind_all_unreserved_ports($1_usertype)
	')

	tunable_policy(`selinuxuser_udp_server',`
		corenet_udp_bind_all_unreserved_ports($1_usertype)
	')

	optional_policy(`
		cdrecord_role($1_r, $1_t)
	')

	optional_policy(`
		cron_role($1_r, $1)
	')

	optional_policy(`
		games_manage_data_files($1_usertype)
	')

	optional_policy(`
		gpg_role($1_r, $1_usertype)
	')

	optional_policy(`
		systemd_dbus_chat_timedated($1_t)
		systemd_dbus_chat_hostnamed($1_t)
		systemd_dbus_chat_localed($1_t)
		systemd_config_all_services($1_t)
	')

	optional_policy(`
		gpm_stream_connect($1_usertype)
	')

	optional_policy(`
		mount_run_fusermount($1_t, $1_r)
		mount_read_pid_files($1_t)
	')

	optional_policy(`
		wine_role_template($1, $1_r, $1_t)
	')

	optional_policy(`
		postfix_run_postdrop($1_t, $1_r)
		postfix_search_spool($1_t)
	')

	# Run pppd in pppd_t by default for user
	optional_policy(`
		ppp_run_cond($1_t, $1_r)
	')

	optional_policy(`
		vdagent_getattr_log($1_t)
		vdagent_getattr_exec_files($1_t)
		vdagent_stream_connect($1_t)
	')
dnl
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_unpriv_user_template'($*))dnl
')

#######################################
##
## The template for creating an administrative user.
##

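## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
##
## The privileges given to administrative users are:
##   - Raw disk access
##   - Set all sysctls
##   - All kernel ring buffer controls
##   - Create, read, write, and delete all files but shadow
##   - Manage source and binary format SELinux policy
##   - Run insmod
##
## Parameter $1: the prefix of the user domain (e.g., sysadm
## is the prefix for sysadm_t).
##
#
define(`userdom_admin_user_template',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_admin_user_template'($*))dnl
	gen_require(`
		attribute admindomain;
		attribute confined_admindomain;
		class passwd { passwd chfn chsh rootok crontab };
	')

	##############################
	#
	# Declarations
	#

	# Inherit rules for ordinary users.
	userdom_login_user_template($1)
	userdom_common_user_template($1)

	domain_obj_id_change_exemption($1_t)
	role system_r types $1_t;
	typeattribute $1_t admindomain;
	typeattribute $1_t confined_admindomain;

	ifdef(`direct_sysadm_daemon',`
		domain_system_change_exemption($1_t)
	')

	##############################
	#
	# $1_t local policy
	#

	# Manipulate other users crontab.
	allow $1_t self:passwd crontab;

	allow $1_t self:bpf { map_create map_read map_write prog_load prog_run };
	allow $1_t self:alg_socket create_stream_socket_perms;
	allow $1_t self:dccp_socket create_stream_socket_perms;
	allow $1_t self:cap_userns sys_ptrace;

	tunable_policy(`deny_bluetooth',`',`
		allow $1_t self:bluetooth_socket create_stream_socket_perms;
	')

	auth_use_nsswitch($1_t)

	kernel_read_software_raid_state($1_t)
	kernel_getattr_core_if($1_t)
	kernel_getattr_message_if($1_t)
	kernel_change_ring_buffer_level($1_t)
	kernel_clear_ring_buffer($1_t)
	kernel_read_ring_buffer($1_t)
	kernel_read_afs_state($1_t)
	kernel_get_sysvipc_info($1_t)
	kernel_rw_all_sysctls($1_t)
	# signal unlabeled processes:
	kernel_kill_unlabeled($1_t)
	kernel_signal_unlabeled($1_t)
	kernel_sigstop_unlabeled($1_t)
	kernel_signull_unlabeled($1_t)
	kernel_sigchld_unlabeled($1_t)
	kernel_signal($1_t)
	kernel_stream_connect($1_t)

	corenet_tcp_bind_generic_port($1_t)
	# allow setting up tunnels
	corenet_rw_tun_tap_dev($1_t)

	dev_getattr_generic_blk_files($1_t)
	dev_getattr_generic_chr_files($1_t)
	# for lsof
	dev_getattr_mtrr_dev($1_t)
	# Allow MAKEDEV to work
	dev_create_all_blk_files($1_t)
	dev_create_all_chr_files($1_t)
	dev_delete_all_blk_files($1_t)
	dev_delete_all_chr_files($1_t)
	dev_rename_all_blk_files($1_t)
	dev_rename_all_chr_files($1_t)
	dev_create_generic_symlinks($1_t)
	dev_rw_generic_usb_dev($1_t)
	dev_rw_usbfs($1_t)
	dev_read_kmsg($1_t)
	dev_read_cpuid($1_t)

	domain_setpriority_all_domains($1_t)
	domain_read_all_domains_state($1_t)
	domain_getattr_all_domains($1_t)
	domain_getcap_all_domains($1_t)
	domain_dontaudit_ptrace_all_domains($1_t)
	# signal all domains (the sigstop call was previously listed twice):
	domain_kill_all_domains($1_t)
	domain_signal_all_domains($1_t)
	domain_signull_all_domains($1_t)
	domain_sigstop_all_domains($1_t)
	domain_sigchld_all_domains($1_t)
	# for lsof
	domain_getattr_all_sockets($1_t)
	domain_dontaudit_getattr_all_sockets($1_t)

	files_exec_usr_src_files($1_t)

	fs_getattr_all_fs($1_t)
	fs_getattr_all_files($1_t)
	fs_list_all($1_t)
	fs_set_all_quotas($1_t)
	fs_exec_noxattr($1_t)

	# NOTE(review): only removable media get raw read/write here and raw
	# reads of fixed disks are merely dontaudited, so the Raw disk access
	# bullet in the header is not fully backed by this template; it may
	# come from the calling module - confirm.
	storage_raw_read_removable_device($1_t)
	storage_raw_write_removable_device($1_t)
	storage_dontaudit_read_fixed_disk($1_t)

	term_use_all_inherited_terms($1_t)
	term_use_unallocated_ttys($1_t)

	auth_getattr_shadow($1_t)

	# Manage almost all files
	files_manage_non_security_dirs($1_t)
	files_manage_non_security_files($1_t)
	# Map almost all files
	files_map_non_security_files($1_t)
	# Relabel almost all files
	files_relabel_non_security_files($1_t)
	files_mounton_rootfs($1_t)

	init_telinit($1_t)

	logging_send_syslog_msg($1_t)

	optional_policy(`
		modutils_domtrans_kmod($1_t)
	')

	# The following rule is temporary until such time that a complete
	# policy management infrastructure is in place so that an administrator
	# cannot directly manipulate policy files with arbitrary programs.
	seutil_manage_src_policy($1_t)
	# Violates the goal of limiting write access to checkpolicy.
	# But presently necessary for installing the file_contexts file.
	seutil_manage_bin_policy($1_t)

	systemd_config_all_services($1_t)

	userdom_manage_user_home_content_dirs($1_t)
	userdom_manage_user_home_content_files($1_t)
	userdom_manage_user_home_content_symlinks($1_t)
	userdom_manage_user_home_content_pipes($1_t)
	userdom_manage_user_home_content_sockets($1_t)
	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })

	tunable_policy(`selinuxuser_rw_noexattrfile',`
		fs_manage_noxattr_fs_files($1_t)
		fs_manage_noxattr_fs_dirs($1_t)
	',`
		fs_read_noxattr_fs_files($1_t)
	')

	tunable_policy(`selinuxuser_tcp_server',`
		corenet_tcp_bind_all_unreserved_ports($1_t)
	')

	tunable_policy(`selinuxuser_udp_server',`
		corenet_udp_bind_all_unreserved_ports($1_t)
	')

	optional_policy(`
		afs_read_config($1_t)
	')

	optional_policy(`
		abrt_dbus_chat($1_t)
		abrt_run_helper($1_t, $1_r)
	')

	optional_policy(`
		postgresql_unconfined($1_t)
	')

	optional_policy(`
		userhelper_exec($1_t)
	')

	optional_policy(`
		vdagent_getattr_log($1_t)
		vdagent_getattr_exec_files($1_t)
		vdagent_stream_connect($1_t)
	')
dnl
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_admin_user_template'($*))dnl
')

########################################
##
## Allow user to run as a secadm
##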

## Grant the domain the privileges of a security administrator:
## control of the SELinux enforcing mode, booleans and parameters,
## management of the binary policy and its configuration, relabeling
## of all files and device nodes (shadow included), and read access
## to the audit log and audit configuration. The policy management
## tools (checkpolicy, load_policy, semanage, setsebool, setfiles)
## are run through transitions from the given role.
##
## Parameter $1: Domain allowed access.
##
## Parameter $2: The role of the domain, used for the run
## transitions to the policy management tools.
##
#
define(`userdom_security_admin',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_security_admin'($*))dnl
	# CAP_AUDIT_CONTROL (audit configuration) and CAP_DAC_READ_SEARCH
	# (bypass DAC read and search checks), plus audit netlink writes.
	allow $1 self:capability { audit_control dac_read_search };
	allow $1 self:netlink_audit_socket { nlmsg_write create_netlink_socket_perms };

	corecmd_exec_shell($1)

	domain_obj_id_change_exemption($1)

	dev_relabel_all_dev_nodes($1)

	files_create_boot_flag($1)
	files_create_default_dir($1)
	files_root_filetrans_default($1, dir)
	# Necessary for managing /boot/efi
	fs_manage_dos_files($1)

	mls_process_read_up($1)
	mls_file_read_all_levels($1)
	mls_file_upgrade($1)
	mls_file_downgrade($1)

	# By name these are the defining secadm powers: switching enforcing
	# mode, setting every boolean and changing policy parameters.
	selinux_set_enforce_mode($1)
	selinux_set_all_booleans($1)
	selinux_set_parameters($1)
	selinux_read_policy($1)

	files_relabel_all_files($1)

	auth_relabel_shadow($1)

	init_exec($1)

	logging_send_syslog_msg($1)
	logging_read_audit_log($1)
	logging_read_generic_logs($1)
	logging_read_audit_config($1)

	seutil_manage_bin_policy($1)
	seutil_manage_default_contexts($1)
	seutil_manage_file_contexts($1)
	seutil_manage_module_store($1)
	seutil_manage_config($1)
	seutil_manage_login_config($1)
	seutil_run_checkpolicy($1,$2)
	seutil_run_loadpolicy($1,$2)
	seutil_run_semanage($1,$2)
	seutil_run_setsebool($1,$2)
	seutil_run_setfiles($1, $2)

	optional_policy(`
		aide_run($1,$2)
	')

	optional_policy(`
		consoletype_exec($1)
	')

	optional_policy(`
		ipsec_run_setkey($1,$2)
	')

	optional_policy(`
		netlabel_run_mgmt($1,$2)
	')

	optional_policy(`
		samhain_run($1, $2)
	')
dnl
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_security_admin'($*))dnl
')

########################################
##
## Make the specified type usable as
## a user application domain type.
##
## Parameter $1: Type to be used as a user application domain.
##
#
define(`userdom_user_application_type',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_application_type'($*))dnl
	# A user application type is an application type that is also
	# subject to user-based access control (ubac) constraints.
	application_type($1)
	ubac_constrained($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_user_application_type'($*))dnl
')

########################################
##
## Make the specified type usable as
## a user application domain.
##
## Parameter $1: Type to be used as a user application domain.
##
## Parameter $2: Type to be used as the domain entry point.
##
#
define(`userdom_user_application_domain',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_application_domain'($*))dnl
	# As userdom_user_application_type, but built on application_domain
	# so that $2 becomes the entry point of the new domain.
	application_domain($1, $2)
	ubac_constrained($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_user_application_domain'($*))dnl
')

########################################
##
## Make the specified type usable in a
## user home directory.
##
## Parameter $1: Type to be used as a file in the
## user home directory.
##
#
define(`userdom_user_home_content',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_home_content'($*))dnl
	gen_require(`
		attribute user_home_content_type;
		type user_home_t;
		attribute user_home_type;
	')

	typeattribute $1 user_home_content_type;
	# Objects of this type may be associated with a user_home_t filesystem.
	allow $1 user_home_t:filesystem associate;
	files_type($1)
	ubac_constrained($1)
	files_poly_member($1)
	typeattribute $1 user_home_type;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_user_home_content'($*))dnl
')

########################################
##
## Make the specified type usable as a
## user temporary file.
##
## Parameter $1: Type to be used as a file in the
## temporary directories.
##
#
define(`userdom_user_tmp_file',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_tmp_file'($*))dnl
	# A tmp file type that is also ubac constrained.
	files_tmp_file($1)
	ubac_constrained($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_user_tmp_file'($*))dnl
')

########################################
##
## Make the specified type usable as a
## user tmpfs file.
##
## Deprecated: use userdom_user_tmp_file() instead.
##
## Parameter $1: Type to be used as a file in
## tmpfs directories.
##
#
define(`userdom_user_tmpfs_file',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_tmpfs_file'($*))dnl
	# Deprecated alias: warns at build time and forwards to the replacement.
	refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_file() instead.')
	userdom_user_tmp_file($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_user_tmpfs_file'($*))dnl
')

########################################
##
## Make the specified type usable as
## user temporary content.
##
## Parameter $1: Type to be used as a file in the
## generic temporary directory.
##
#
define(`userdom_user_tmp_content',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_tmp_content'($*))dnl
	gen_require(`
		attribute user_tmp_type;
	')

	# Unlike userdom_user_tmp_file this also adds the type to the
	# user_tmp_type attribute.
	typeattribute $1 user_tmp_type;
	files_tmp_file($1)
	ubac_constrained($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_user_tmp_content'($*))dnl
')

########################################
##
## Make the specified type usable in a
## generic tmpfs_t directory.
##
## Parameter $1: Type to be used as a file in the
## generic temporary directory.
##
#
define(`userdom_user_tmpfs_content',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_tmpfs_content'($*))dnl
	# Deprecated alias: warns at build time and forwards to the replacement.
	refpolicywarn(`$0($*) has been deprecated, use userdom_user_tmp_content() instead.')
	userdom_user_tmp_content($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_user_tmpfs_content'($*))dnl
')

########################################
##
## Allow domain to attach to TUN devices created by administrative users.
##
## Parameter $1: Domain allowed access.
##
#
define(`userdom_attach_admin_tun_iface',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_attach_admin_tun_iface'($*))dnl
	gen_require(`
		attribute admindomain;
	')

	# Attaching moves the tun_socket label from any admindomain type to
	# the label of the caller: relabelfrom on the admin side, relabelto on self.
	allow $1 admindomain:tun_socket relabelfrom;
	allow $1 self:tun_socket relabelto;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_attach_admin_tun_iface'($*))dnl
')

########################################
##
## Set the attributes of a user pty.
##
## Parameter $1: Domain allowed access.
##
#
define(`userdom_setattr_user_ptys',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_setattr_user_ptys'($*))dnl
	gen_require(`
		type user_devpts_t;
	')

	allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_setattr_user_ptys'($*))dnl
')

########################################
##
## Create a user pty.
##
## Parameter $1: Domain allowed access.
##
#
define(`userdom_create_user_pty',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_create_user_pty'($*))dnl
	gen_require(`
		type user_devpts_t;
	')

	term_create_pty($1, user_devpts_t)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_create_user_pty'($*))dnl
')

########################################
##
## Get the attributes of user home directories.
##
## Parameter $1: Domain allowed access.
##
#
define(`userdom_getattr_user_home_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_getattr_user_home_dirs'($*))dnl
	gen_require(`
		type user_home_dir_t;
	')

	allow $1 user_home_dir_t:dir getattr_dir_perms;
	# Reaching a home directory also needs search on the home root.
	files_search_home($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_getattr_user_home_dirs'($*))dnl
')

########################################
##
## Do not audit attempts to get the attributes of user home directories.
##
## Parameter $1: Domain to not audit.
##
#
define(`userdom_dontaudit_getattr_user_home_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_getattr_user_home_dirs'($*))dnl
	gen_require(`
		type user_home_dir_t;
	')

	dontaudit $1 user_home_dir_t:dir getattr_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_getattr_user_home_dirs'($*))dnl
')

########################################
##
## Search user home directories.
##
## Parameter $1: Domain allowed access.
##
#
define(`userdom_search_user_home_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_search_user_home_dirs'($*))dnl
	gen_require(`
		type user_home_dir_t;
	')

	allow $1 user_home_dir_t:dir search_dir_perms;
	# Home directories may be reached through symlinks carrying the same type.
	allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
	files_search_home($1)
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_search_user_home_dirs'($*))dnl
')

########################################
##
## Search user tmp directories.
##
## Parameter $1: Domain allowed access.
##
#
define(`userdom_search_user_tmp_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_search_user_tmp_dirs'($*))dnl
	gen_require(`
		type user_tmp_t;
	')

	files_search_tmp($1)
	allow $1 user_tmp_t:dir search_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_search_user_tmp_dirs'($*))dnl
')

########################################
##
## Do not audit attempts to search user home directories.
##

## Do not audit attempts to search user home directories.
## This will suppress SELinux denial messages when the specified
## domain is denied the permission to search these directories.
##
## Parameter $1: Domain to not audit.
##
#
define(`userdom_dontaudit_search_user_home_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_search_user_home_dirs'($*))dnl
	gen_require(`
		type user_home_dir_t;
	')

	dontaudit $1 user_home_dir_t:dir search_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_search_user_home_dirs'($*))dnl
')

########################################
##
## List user home directories.
##
## Parameter $1: Domain allowed access.
##
#
define(`userdom_list_user_home_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_list_user_home_dirs'($*))dnl
	gen_require(`
		type user_home_dir_t;
	')

	allow $1 user_home_dir_t:dir list_dir_perms;
	files_search_home($1)

	# Listing must also work when home directories live on NFS or CIFS,
	# which the use_nfs_home_dirs and use_samba_home_dirs booleans select.
	tunable_policy(`use_nfs_home_dirs',`
		fs_list_nfs($1)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_list_cifs($1)
	')
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_list_user_home_dirs'($*))dnl
')

########################################
##
## Do not audit attempts to list user home subdirectories.
##
## Parameter $1: Domain to not audit.
##
#
define(`userdom_dontaudit_list_user_home_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_list_user_home_dirs'($*))dnl
	gen_require(`
		type user_home_dir_t;
		type user_home_t;
	')

	# Covers the home directory itself and content directories below it.
	dontaudit $1 user_home_dir_t:dir list_dir_perms;
	dontaudit $1 user_home_t:dir list_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_list_user_home_dirs'($*))dnl
')

########################################
##
## Create user home directories.
##
## Parameter $1: Domain allowed access.
##
#
define(`userdom_create_user_home_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_create_user_home_dirs'($*))dnl
	gen_require(`
		type user_home_dir_t;
	')

	allow $1 user_home_dir_t:dir create_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_create_user_home_dirs'($*))dnl
')

########################################
##
## Create, read, write, and delete user home directories.
##
## Parameter $1: Domain allowed access.
##
#
define(`userdom_manage_user_home_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_dirs'($*))dnl
	gen_require(`
		type user_home_dir_t;
	')

	allow $1 user_home_dir_t:dir manage_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_dirs'($*))dnl
')

########################################
##
## Do not audit attempts to create, read, write,
## and delete user home directories.
##
## Parameter $1: Domain to not audit.
##
#
define(`userdom_dontaudit_manage_user_home_dirs',`dnl
pushdef(`policy_call_depth',incr(policy_call_depth))dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_manage_user_home_dirs'($*))dnl
	gen_require(`
		type user_home_dir_t;
	')

	dontaudit $1 user_home_dir_t:dir manage_dir_perms;
popdef(`policy_call_depth')dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_manage_user_home_dirs'($*))dnl
')

########################################
##
## Relabel to user home directories.
##
## Parameter $1: Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_relabelto_user_home_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_relabelto_user_home_dirs'($*)) dnl
	gen_require(`
		type user_home_dir_t;
	')

	# Only the destination side of a relabel; relabelfrom on the
	# source type has to be granted separately.
	allow $1 user_home_dir_t:dir relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_relabelto_user_home_dirs'($*)) dnl
')

########################################
## <summary>
##	Relabel to user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_relabelto_user_home_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_relabelto_user_home_files'($*)) dnl
	gen_require(`
		type user_home_t;
	')

	# Destination side only, see userdom_relabelto_user_home_dirs.
	allow $1 user_home_t:file relabelto;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_relabelto_user_home_files'($*)) dnl
')

########################################
## <summary>
##	Relabel user home files.
## </summary>
## <desc>
##	<p>
##	Grants both relabelfrom and relabelto on user_home_t files,
##	so the domain can move files out of and into the user home
##	content label.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_relabel_user_home_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_relabel_user_home_files'($*)) dnl
	gen_require(`
		type user_home_t;
	')

	allow $1 user_home_t:file relabel_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_relabel_user_home_files'($*)) dnl
')

########################################
## <summary>
##	Relabel user home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
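##	</summary>
## </param>
#
define(`userdom_relabel_user_home_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_relabel_user_home_dirs'($*)) dnl
	gen_require(`
		type user_home_dir_t;
	')

	# Target the home directory root type named by this interface and
	# by the require block above. The rule previously targeted
	# user_home_t, which was neither required nor what callers asked for.
	allow $1 user_home_dir_t:dir relabel_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_relabel_user_home_dirs'($*)) dnl
')

########################################
## <summary>
##	Create directories in the home dir root with
##	the user home directory type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`userdom_home_filetrans_user_home_dir',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_home_filetrans_user_home_dir'($*)) dnl
	gen_require(`
		type user_home_dir_t;
	')

	files_home_filetrans($1, user_home_dir_t, dir, $2)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_home_filetrans_user_home_dir'($*)) dnl
')

########################################
## <summary>
##	Do a domain transition to the specified
##	domain when executing a program in the
##	user home directory.
## </summary>
## <desc>
##	<p>
##	Do a domain transition to the specified
##	domain when executing a program in the
##	user home directory.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
##	<p>
##	Security note: the entry point type is user_home_t, which is
##	content the user can write. Whoever can write user_home_t
##	files therefore controls the code that runs in the target
##	domain whenever the source domain executes such a file.
##	Only use this for target domains that are meant to run
##	user-supplied code.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="target_domain">
##	<summary>
##	Domain to transition to.
##	</summary>
## </param>
#
define(`userdom_user_home_domtrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_user_home_domtrans'($*)) dnl
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	# Automatic transition on execute of user-writable content.
	domain_auto_trans($1, user_home_t, $2)

	files_search_home($1)
	allow $1 user_home_dir_t:dir search_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_user_home_domtrans'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to search user home content directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_search_user_home_content',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_search_user_home_content'($*)) dnl
	gen_require(`
		attribute user_home_type;
	')

	# Covers every type carrying the user_home_type attribute, plus
	# NFS and CIFS listing denials so network homes stay quiet too.
	dontaudit $1 user_home_type:dir search_dir_perms;

	fs_dontaudit_list_nfs($1)
	fs_dontaudit_list_cifs($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_dontaudit_search_user_home_content'($*)) dnl
')

########################################
## <summary>
##	List all users home content directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_list_all_user_home_content',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_list_all_user_home_content'($*)) dnl
	gen_require(`
		attribute user_home_content_type;
	')

	userdom_search_user_home_dirs($1)
	allow $1 user_home_content_type:dir list_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_list_all_user_home_content'($*)) dnl
')

########################################
## <summary>
##	List contents of users home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.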
##	</summary>
## </param>
#
define(`userdom_list_user_home_content',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_list_user_home_content'($*)) dnl
	gen_require(`
		type user_home_dir_t;
		attribute user_home_type;
	')

	files_list_home($1)
	# Home root plus every user_home_type labelled directory.
	allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_list_user_home_content'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete directories
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_manage_user_home_content_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content_dirs'($*)) dnl
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	# New directories may be created directly under the home root
	# or under existing user_home_t directories.
	manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content_dirs'($*)) dnl
')

########################################
## <summary>
##	Delete directories in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_delete_user_home_content_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_delete_user_home_content_dirs'($*)) dnl
	gen_require(`
		type user_home_t;
	')

	allow $1 user_home_t:dir delete_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_delete_user_home_content_dirs'($*)) dnl
')

########################################
## <summary>
##	Delete files in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_delete_user_home_content_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_delete_user_home_content_files'($*)) dnl
	gen_require(`
		type user_home_t;
	')

	allow $1 user_home_t:file delete_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_delete_user_home_content_files'($*)) dnl
')

########################################
## <summary>
##	Delete all directories in a user home subdirectory.
## </summary>
## <desc>
##	<p>
##	Applies to every type with the user_home_type attribute,
##	not just user_home_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_delete_all_user_home_content_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_delete_all_user_home_content_dirs'($*)) dnl
	gen_require(`
		attribute user_home_type;
	')

	allow $1 user_home_type:dir delete_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_delete_all_user_home_content_dirs'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`userdom_setattr_user_home_content_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_setattr_user_home_content_files'($*)) dnl
	gen_require(`
		type user_home_t;
	')

	# Bare setattr (no getattr), as in the original rule.
	allow $1 user_home_t:file setattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_setattr_user_home_content_files'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of user tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
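##	</summary>
## </param>
## <rolecap/>
#
define(`userdom_setattr_user_tmp_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_setattr_user_tmp_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	allow $1 user_tmp_t:file setattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_setattr_user_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Create user tmp sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_create_user_tmp_sockets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_create_user_tmp_sockets'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	files_search_tmp($1)
	allow $1 user_tmp_t:dir list_dir_perms;
	create_sock_files_pattern($1, user_tmp_t, user_tmp_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_create_user_tmp_sockets'($*)) dnl
')

########################################
## <summary>
##	Dontaudit getattr on user tmp sockets (deprecated, misspelled name).
## </summary>
## <desc>
##	<p>
##	Compatibility shim for the misspelled usedom_ name. Note that
##	it does not dontaudit anything: it forwards to
##	userdom_getattr_user_tmp_files(), which grants getattr on
##	user tmp files. Callers that only want to silence denials
##	should use userdom_dontaudit_user_getattr_tmp_sockets() instead
##	rather than picking up this allow rule.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`usedom_dontaudit_user_getattr_tmp_sockets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `usedom_dontaudit_user_getattr_tmp_sockets'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')

	# Behaviour kept for existing callers: this is an allow, not a dontaudit.
	userdom_getattr_user_tmp_files($1)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `usedom_dontaudit_user_getattr_tmp_sockets'($*)) dnl
')

########################################
## <summary>
##	Dontaudit getattr on user tmp sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.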
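##	</summary>
## </param>
#
define(`userdom_dontaudit_user_getattr_tmp_sockets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_user_getattr_tmp_sockets'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	dontaudit $1 user_tmp_t:sock_file getattr_sock_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_dontaudit_user_getattr_tmp_sockets'($*)) dnl
')

########################################
## <summary>
##	Relabel user tmp files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`userdom_relabel_user_tmp_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_relabel_user_tmp_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	allow $1 user_tmp_t:file relabel_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_relabel_user_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Relabel user tmp directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`userdom_relabel_user_tmp_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_relabel_user_tmp_dirs'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	allow $1 user_tmp_t:dir relabel_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_relabel_user_tmp_dirs'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to set the
##	attributes of user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.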
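##	</summary>
## </param>
#
define(`userdom_dontaudit_setattr_user_home_content_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_setattr_user_home_content_files'($*)) dnl
	gen_require(`
		type user_home_t;
	')

	dontaudit $1 user_home_t:file setattr_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_dontaudit_setattr_user_home_content_files'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of all user home directories.
## </summary>
## <desc>
##	<p>
##	Applies to every type with the user_home_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`userdom_setattr_all_user_home_content_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_setattr_all_user_home_content_dirs'($*)) dnl
	gen_require(`
		attribute user_home_type;
	')

	allow $1 user_home_type:dir setattr_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_setattr_all_user_home_content_dirs'($*)) dnl
')

########################################
## <summary>
##	Mmap user home files.
## </summary>
## <desc>
##	<p>
##	Grants the map permission on user_home_t files and search of
##	the home root. It is the same map rule as
##	userdom_map_user_home_files() with files_search_home() added.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_mmap_user_home_content_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_mmap_user_home_content_files'($*)) dnl
	gen_require(`
		type user_home_t;
	')

	files_search_home($1)
	allow $1 user_home_t:file map;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_mmap_user_home_content_files'($*)) dnl
')

########################################
## <summary>
##	Map user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.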
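##	</summary>
## </param>
#
define(`userdom_map_user_home_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_map_user_home_files'($*)) dnl
	gen_require(`
		type user_home_t;
	')

	allow $1 user_home_t:file map;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_map_user_home_files'($*)) dnl
')

########################################
## <summary>
##	Read user home files.
## </summary>
## <desc>
##	<p>
##	Broad read access: lists the home root and every
##	user_home_type directory, reads every user_home_type file and
##	follows symlinks in the home root. Prefer a narrower interface
##	when the domain only needs one content type.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_read_user_home_content_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_read_user_home_content_files'($*)) dnl
	gen_require(`
		type user_home_dir_t;
		attribute user_home_type;
	')

	# user_home_t was previously required here but never referenced.
	files_search_home($1)
	allow $1 user_home_dir_t:lnk_file read_lnk_file_perms;
	list_dirs_pattern($1, { user_home_dir_t user_home_type }, { user_home_dir_t user_home_type })
	read_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_read_user_home_content_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of user home directories and files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_getattr_user_home_content',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_getattr_user_home_content'($*)) dnl
	gen_require(`
		attribute user_home_type;
	')

	dontaudit $1 user_home_type:{ dir file } getattr;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_dontaudit_getattr_user_home_content'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.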
##	</summary>
## </param>
#
define(`userdom_dontaudit_read_user_home_content_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_user_home_content_files'($*)) dnl
	gen_require(`
		type user_home_dir_t;
		attribute user_home_type;
	')

	# Mirror of userdom_read_user_home_content_files, as dontaudit.
	dontaudit $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
	dontaudit $1 user_home_type:file read_file_perms;
	dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_user_home_content_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to mmap user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_mmap_user_home_content_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_mmap_user_home_content_files'($*)) dnl
	gen_require(`
		attribute user_home_type;
	')

	dontaudit $1 user_home_type:file map;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_dontaudit_mmap_user_home_content_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to append user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_append_user_home_content_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_append_user_home_content_files'($*)) dnl
	gen_require(`
		type user_home_t;
	')

	dontaudit $1 user_home_t:file append_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_dontaudit_append_user_home_content_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_write_user_home_content_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_write_user_home_content_files'($*)) dnl
	gen_require(`
		type user_home_t;
	')

	dontaudit $1 user_home_t:file write_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_dontaudit_write_user_home_content_files'($*)) dnl
')

########################################
## <summary>
##	Delete all files in a user home subdirectory.
## </summary>
## <desc>
##	<p>
##	Applies to every type with the user_home_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_delete_all_user_home_content_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_delete_all_user_home_content_files'($*)) dnl
	gen_require(`
		attribute user_home_type;
	')

	allow $1 user_home_type:file delete_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_delete_all_user_home_content_files'($*)) dnl
')

########################################
## <summary>
##	Delete sock files in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_delete_user_home_content_sock_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_delete_user_home_content_sock_files'($*)) dnl
	gen_require(`
		type user_home_t;
	')

	allow $1 user_home_t:sock_file delete_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_delete_user_home_content_sock_files'($*)) dnl
')

########################################
## <summary>
##	Delete all sock files in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
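##	</summary>
## </param>
#
define(`userdom_delete_all_user_home_content_sock_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_delete_all_user_home_content_sock_files'($*)) dnl
	gen_require(`
		attribute user_home_type;
	')

	allow $1 user_home_type:sock_file delete_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_delete_all_user_home_content_sock_files'($*)) dnl
')

########################################
## <summary>
##	Delete all user home content of any file class.
## </summary>
## <desc>
##	<p>
##	Grants delete_file_perms on every class in dir_file_class_set
##	for every user_home_type labelled object. Note that
##	delete_file_perms is the file-style set; it is distinct from
##	delete_dir_perms used by
##	userdom_delete_all_user_home_content_dirs(), so a caller that
##	must also remove directories should call that interface too
##	(TODO confirm against the permission set definitions).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_delete_all_user_home_content',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_delete_all_user_home_content'($*)) dnl
	gen_require(`
		attribute user_home_type;
	')

	allow $1 user_home_type:dir_file_class_set delete_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_delete_all_user_home_content'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to relabel user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_relabel_user_home_content_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_relabel_user_home_content_files'($*)) dnl
	gen_require(`
		type user_home_t;
	')

	dontaudit $1 user_home_t:file relabel_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_dontaudit_relabel_user_home_content_files'($*)) dnl
')

########################################
## <summary>
##	Read user home subdirectory symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.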
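##	</summary>
## </param>
#
define(`userdom_read_user_home_content_symlinks',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_read_user_home_content_symlinks'($*)) dnl
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_read_user_home_content_symlinks'($*)) dnl
')

########################################
## <summary>
##	Execute user home files.
## </summary>
## <desc>
##	<p>
##	Security note: this allows the domain to execute, without a
##	domain transition, any file labelled with a user_home_type
##	type, i.e. content the user can write. The executed code runs
##	with the full privileges of the calling domain, so only grant
##	this to domains that are expected to run user-supplied programs.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
define(`userdom_exec_user_home_content_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_exec_user_home_content_files'($*)) dnl
	gen_require(`
		type user_home_dir_t;
		attribute user_home_type;
	')

	files_search_home($1)
	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)

	# Sockets are never executable; keep the noise out of the audit log.
	dontaudit $1 user_home_type:sock_file execute;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_exec_user_home_content_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to execute user home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_exec_user_home_content_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_exec_user_home_content_files'($*)) dnl
	gen_require(`
		type user_home_t;
	')

	dontaudit $1 user_home_t:file exec_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_dontaudit_exec_user_home_content_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete files
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.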
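##	</summary>
## </param>
#
define(`userdom_manage_user_home_content_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content_files'($*)) dnl
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	allow $1 user_home_dir_t:dir search_dir_perms;
	manage_files_pattern($1, user_home_t, user_home_t)
	# Also grants map, so writable mappings of home content are possible.
	allow $1 user_home_t:file map;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to create, read, write, and delete directories
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_manage_user_home_content_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_manage_user_home_content_dirs'($*)) dnl
	gen_require(`
		type user_home_t;
	')

	# user_home_dir_t was previously required here but never referenced.
	dontaudit $1 user_home_t:dir manage_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_dontaudit_manage_user_home_content_dirs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete symbolic links
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_manage_user_home_content_symlinks',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content_symlinks'($*)) dnl
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	allow $1 user_home_dir_t:dir search_dir_perms;
	manage_lnk_files_pattern($1, user_home_t, user_home_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content_symlinks'($*)) dnl
')

########################################
## <summary>
##	Delete symbolic links in a user home directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.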
##	</summary>
## </param>
#
define(`userdom_delete_user_home_content_symlinks',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_delete_user_home_content_symlinks'($*)) dnl
	gen_require(`
		type user_home_t;
	')

	allow $1 user_home_t:lnk_file delete_lnk_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_delete_user_home_content_symlinks'($*)) dnl
')

########################################
## <summary>
##	Delete all symbolic links in a user home directory.
## </summary>
## <desc>
##	<p>
##	Applies to every type with the user_home_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_delete_all_user_home_content_symlinks',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_delete_all_user_home_content_symlinks'($*)) dnl
	gen_require(`
		attribute user_home_type;
	')

	allow $1 user_home_type:lnk_file delete_lnk_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_delete_all_user_home_content_symlinks'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete named pipes
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_manage_user_home_content_pipes',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content_pipes'($*)) dnl
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	allow $1 user_home_dir_t:dir search_dir_perms;
	manage_fifo_files_pattern($1, user_home_t, user_home_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content_pipes'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete named sockets
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
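##	</summary>
## </param>
#
define(`userdom_manage_user_home_content_sockets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content_sockets'($*)) dnl
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	allow $1 user_home_dir_t:dir search_dir_perms;
	manage_sock_files_pattern($1, user_home_t, user_home_t)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content_sockets'($*)) dnl
')

########################################
## <summary>
##	Create objects in a user home directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <desc>
##	<p>
##	The transition fires for objects created directly in the
##	home root (user_home_dir_t). The private type and class are
##	supplied by the caller, so the caller is responsible for the
##	type being appropriate for user-reachable locations.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`userdom_user_home_dir_filetrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_user_home_dir_filetrans'($*)) dnl
	gen_require(`
		type user_home_dir_t;
	')

	files_search_home($1)
	filetrans_pattern($1, user_home_dir_t, $2, $3, $4)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_user_home_dir_filetrans'($*)) dnl
')

########################################
## <summary>
##	Create objects in user home content directories
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <desc>
##	<p>
##	Unlike userdom_user_home_dir_filetrans(), the transition
##	fires for objects created inside user_home_t directories,
##	not in the home root.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.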
##	</summary>
## </param>
#
define(`userdom_user_home_content_filetrans',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_user_home_content_filetrans'($*)) dnl
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	allow $1 user_home_dir_t:dir search_dir_perms;
	filetrans_pattern($1, user_home_t, $2, $3, $4)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_user_home_content_filetrans'($*)) dnl
')

########################################
## <summary>
##	Create objects in a user home directory
##	with an automatic type transition to
##	the user home file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`userdom_user_home_dir_filetrans_user_home_content',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_user_home_dir_filetrans_user_home_content'($*)) dnl
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	files_search_home($1)
	# Fixed target type: new objects in the home root become user_home_t.
	filetrans_pattern($1, user_home_dir_t, user_home_t, $2, $3)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_user_home_dir_filetrans_user_home_content'($*)) dnl
')

########################################
## <summary>
##	Write to user temporary named sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_write_user_tmp_sockets',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_write_user_tmp_sockets'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	files_search_tmp($1)
	allow $1 user_tmp_t:sock_file write_sock_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_write_user_tmp_sockets'($*)) dnl
')

########################################
## <summary>
##	List user temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
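##	</summary>
## </param>
#
define(`userdom_list_user_tmp',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_list_user_tmp'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	files_search_tmp($1)
	allow $1 user_tmp_t:dir list_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_list_user_tmp'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to list user
##	temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_list_user_tmp',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_list_user_tmp'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	dontaudit $1 user_tmp_t:dir list_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_dontaudit_list_user_tmp'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to manage users
##	temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_manage_user_tmp_dirs',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_manage_user_tmp_dirs'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	dontaudit $1 user_tmp_t:dir manage_dir_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_dontaudit_manage_user_tmp_dirs'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of user temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.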
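##	</summary>
## </param>
#
define(`userdom_getattr_user_tmp_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_getattr_user_tmp_files'($*)) dnl
	gen_require(`
		attribute user_tmp_type;
	')

	# Covers every type with the user_tmp_type attribute, not just user_tmp_t.
	files_search_tmp($1)
	getattr_files_pattern($1, user_tmp_type, user_tmp_type)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_getattr_user_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Read user temporary files.
## </summary>
## <desc>
##	<p>
##	Covers every type with the user_tmp_type attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_read_user_tmp_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_read_user_tmp_files'($*)) dnl
	gen_require(`
		attribute user_tmp_type;
	')

	files_search_tmp($1)
	allow $1 user_tmp_type:dir list_dir_perms;
	read_files_pattern($1, user_tmp_type, user_tmp_type)
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_read_user_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Append to inherited user temporary files.
## </summary>
## <desc>
##	<p>
##	Only the inherited permission set is granted: the domain can
##	append to an already open user_tmp_t file descriptor but
##	cannot open user_tmp_t files itself.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_append_user_tmp_files',` dnl
	pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
	policy_m4_comment(policy_call_depth,begin `userdom_append_user_tmp_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	allow $1 user_tmp_t:file append_inherited_file_perms;
	popdef(`policy_call_depth') dnl
	policy_m4_comment(policy_call_depth,end `userdom_append_user_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read users
##	temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.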
##	</summary>
## </param>
#
define(`userdom_dontaudit_read_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_user_tmp_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	dontaudit $1 user_tmp_t:file read_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_user_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to append users
##	temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_append_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_append_user_tmp_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	# silences the full append set (including open), unlike the
	# inherited-only set used by the read variant above
	dontaudit $1 user_tmp_t:file append_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_append_user_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Read and write user temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_rw_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_user_tmp_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	allow $1 user_tmp_t:dir list_dir_perms;
	rw_files_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_user_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Read and write inherited user temporary
##	named sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_rw_user_tmp_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_user_tmp_sock_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	allow $1 user_tmp_t:dir list_dir_perms;
	# inherited sock_file perms only; directory listing and search are
	# still granted so the caller can locate the socket path
	allow $1 user_tmp_t:sock_file rw_inherited_sock_file_perms;
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_user_tmp_sock_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to manage users
##	temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_manage_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_manage_user_tmp_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	dontaudit $1 user_tmp_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_manage_user_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Read user temporary symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_read_user_tmp_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_user_tmp_symlinks'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
	allow $1 user_tmp_t:dir list_dir_perms;
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_user_tmp_symlinks'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete user
##	temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_manage_user_tmp_dirs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_dirs'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_dirs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete user
##	temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_manage_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	manage_files_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Create the "hsperfdata_root" directory in the
##	temporary directory with an automatic type
##	transition to the user temporary type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): the original summary ("Create, read, write, and delete user
# temporary files") did not match the rule below, which only adds a named
# file transition for one directory; no manage permissions are granted here.
define(`userdom_filetrans_named_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_filetrans_named_user_tmp_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_filetrans_named_user_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete user
##	temporary symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_manage_user_tmp_symlinks',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_symlinks'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_symlinks'($*)) dnl
')

########################################
## <summary>
##	Read and write inherited user temporary
##	named pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): the original summary claimed create/delete access; the rule
# only grants the inherited read/write set on fifo_file.
define(`userdom_rw_inherited_user_tmp_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_inherited_user_tmp_pipes'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	allow $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_inherited_user_tmp_pipes'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete user
##	temporary named pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_manage_user_tmp_pipes',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_pipes'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_pipes'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete user
##	temporary named sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_manage_user_tmp_sockets',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_sockets'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_sockets'($*)) dnl
')

########################################
## <summary>
##	Create objects in a user temporary directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`userdom_user_tmp_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_tmp_filetrans'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	# $4 (name) may be empty; filetrans_pattern then emits an unnamed transition
	filetrans_pattern($1, user_tmp_t, $2, $3, $4)
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_user_tmp_filetrans'($*)) dnl
')

########################################
## <summary>
##	Create objects in the temporary directory
##	with an automatic type transition to
##	the user temporary type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`userdom_tmp_filetrans_user_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_tmp_filetrans_user_tmp'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	# files_tmp_filetrans() presumably covers the /tmp search itself,
	# which is why no files_search_tmp() call appears here — confirm
	files_tmp_filetrans($1, user_tmp_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_tmp_filetrans_user_tmp'($*)) dnl
')

########################################
## <summary>
##	Getattr user tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Deprecated alias; forwards to the user_tmp variant.
# NOTE(review): the warning helper is spelled refpolicywarn here, while the
# support-macro summary at the top of this file lists refpolwarn/refpolerr.
# Confirm the name is defined — an undefined m4 macro passes through
# literally into the generated policy instead of printing a warning.
define(`userdom_getattr_user_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_getattr_user_tmpfs_files'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')
	userdom_getattr_user_tmp_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_getattr_user_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Read user tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Deprecated alias; forwards to the user_tmp variant.
define(`userdom_read_user_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_user_tmpfs_files'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use userdom_read_user_tmp_files() instead.')
	userdom_read_user_tmp_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_user_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Read/Write user tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Deprecated alias; forwards to the user_tmp variant.
define(`userdom_rw_user_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_user_tmpfs_files'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use userdom_rw_user_tmp_files() instead.')
	userdom_rw_user_tmp_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_user_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Manage user tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Deprecated alias; forwards to the user_tmp variant.
define(`userdom_manage_user_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmpfs_files'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use userdom_manage_user_tmp_files() instead.')
	userdom_manage_user_tmp_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Read/Write inherited user tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Deprecated alias; forwards to userdom_rw_inherited_user_tmp_files, which
# is not defined in this part of the file — confirm it exists elsewhere.
define(`userdom_rw_inherited_user_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_inherited_user_tmpfs_files'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use userdom_rw_inherited_user_tmp_files instead.')
	userdom_rw_inherited_user_tmp_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_inherited_user_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Execute user tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Deprecated alias; forwards to the user_tmp variant.
define(`userdom_execute_user_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_execute_user_tmpfs_files'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use userdom_execute_user_tmp_files instead.')
	userdom_execute_user_tmp_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_execute_user_tmpfs_files'($*)) dnl
')

########################################
## <summary>
##	Execute user temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): this grants execute on files labelled user_tmp_t, i.e. code
# loaded from a user-writable temporary location. Callers should need this
# deliberately; it should not be pulled in through a broader helper.
# Only the execute permission is granted — no read/open, and no
# files_search_tmp(), so a caller normally pairs it with a read interface.
define(`userdom_execute_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_execute_user_tmp_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	allow $1 user_tmp_t:file execute;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_execute_user_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_getattr_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_getattr_user_ttys'($*)) dnl
	gen_require(`
		type user_tty_device_t;
	')

	allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_getattr_user_ttys'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to get the attributes of a user domain tty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_getattr_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_getattr_user_ttys'($*)) dnl
	gen_require(`
		type user_tty_device_t;
	')

	dontaudit $1 user_tty_device_t:chr_file getattr_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_getattr_user_ttys'($*)) dnl
')

########################################
## <summary>
##	Set the attributes of a user domain tty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_setattr_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_setattr_user_ttys'($*)) dnl
	gen_require(`
		type user_tty_device_t;
	')

	allow $1 user_tty_device_t:chr_file setattr_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_setattr_user_ttys'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to set the attributes of a user domain tty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_setattr_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_setattr_user_ttys'($*)) dnl
	gen_require(`
		type user_tty_device_t;
	')

	dontaudit $1 user_tty_device_t:chr_file setattr_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_setattr_user_ttys'($*)) dnl
')

########################################
## <summary>
##	Read and write a user domain tty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Full terminal set (rw_term_perms), which unlike the inherited variant
# below presumably includes opening the device — confirm against the
# perm-set definitions.
define(`userdom_use_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_user_ttys'($*)) dnl
	gen_require(`
		type user_tty_device_t;
	')

	allow $1 user_tty_device_t:chr_file rw_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_user_ttys'($*)) dnl
')

########################################
## <summary>
##	Read and write an inherited user domain tty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_use_inherited_user_ttys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_inherited_user_ttys'($*)) dnl
	gen_require(`
		type user_tty_device_t;
	')

	allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_inherited_user_ttys'($*)) dnl
')

########################################
## <summary>
##	Read and write a user domain pty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_use_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_user_ptys'($*)) dnl
	gen_require(`
		type user_devpts_t;
	')

	allow $1 user_devpts_t:chr_file rw_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_user_ptys'($*)) dnl
')

########################################
## <summary>
##	Read and write an inherited user domain pty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_use_inherited_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_inherited_user_ptys'($*)) dnl
	gen_require(`
		type user_devpts_t;
	')

	allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_inherited_user_ptys'($*)) dnl
')

########################################
## <summary>
##	Read and write inherited user TTYs and PTYs.
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to read and write inherited user
##	TTYs and PTYs. This will allow the domain to
##	interact with the user via the terminal. Typically
##	all interactive applications will require this
##	access.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
# Combines userdom_use_inherited_user_ttys and userdom_use_inherited_user_ptys.
define(`userdom_use_inherited_user_terminals',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_inherited_user_terminals'($*)) dnl
	gen_require(`
		type user_tty_device_t, user_devpts_t;
	')

	allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
	allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_inherited_user_terminals'($*)) dnl
')

########################################
## <summary>
##	Read and write a user domain tty and pty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): the parameter was documented as "Domain to not audit", which
# is the dontaudit wording; this interface grants access (allow rules).
# Combines userdom_use_user_ttys and userdom_use_user_ptys (full rw_term_perms).
define(`userdom_use_user_terminals',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_user_terminals'($*)) dnl
	gen_require(`
		type user_tty_device_t, user_devpts_t;
	')

	allow $1 user_tty_device_t:chr_file rw_term_perms;
	allow $1 user_devpts_t:chr_file rw_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_user_terminals'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	a user domain tty and pty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Silences only the inherited set (rw_inherited_term_perms); denials of
# the wider rw_term_perms granted by userdom_use_user_terminals are
# still audited.
define(`userdom_dontaudit_use_user_terminals',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_user_terminals'($*)) dnl
	gen_require(`
		type user_tty_device_t, user_devpts_t;
	')

	dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms;
	dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_user_terminals'($*)) dnl
')

########################################
## <summary>
##	Get attributes of user domain tty and pty.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_getattr_user_terminals',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_getattr_user_terminals'($*)) dnl
	gen_require(`
		type user_tty_device_t, user_devpts_t;
	')

	allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_getattr_user_terminals'($*)) dnl
')

########################################
## <summary>
##	Execute a shell in all user domains. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
# NOTE(review): userdomain is the attribute for every user domain, so this
# presumably also reaches administrative domains that carry it; the
# unpriv_userdomain variant later in this file is the narrower choice when
# the caller only needs to start unprivileged sessions — confirm which
# domains carry the attribute.
# The three allow rules let the entered user domain use the caller's fds,
# its pipes, and signal it on exit (the usual parent/child fd-passing set).
define(`userdom_spec_domtrans_all_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_spec_domtrans_all_users'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	corecmd_shell_spec_domtrans($1, userdomain)
	allow userdomain $1:fd use;
	allow userdomain $1:fifo_file rw_file_perms;
	allow userdomain $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_spec_domtrans_all_users'($*)) dnl
')

########################################
## <summary>
##	Execute an Xserver session in all user domains. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
# NOTE(review): the original summary said "unprivileged user domains" but the
# rules use the userdomain attribute (all user domains); the summary above
# now matches the rules. See userdom_xsession_spec_domtrans_unpriv_users
# for the unprivileged-only variant.
define(`userdom_xsession_spec_domtrans_all_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_xsession_spec_domtrans_all_users'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	xserver_xsession_spec_domtrans($1, userdomain)
	allow userdomain $1:fd use;
	allow userdomain $1:fifo_file rw_file_perms;
	allow userdomain $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_xsession_spec_domtrans_all_users'($*)) dnl
')

########################################
## <summary>
##	Execute a shell in all unprivileged user domains. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`userdom_spec_domtrans_unpriv_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_spec_domtrans_unpriv_users'($*)) dnl
	gen_require(`
		attribute unpriv_userdomain;
	')

	corecmd_shell_spec_domtrans($1, unpriv_userdomain)
	allow unpriv_userdomain $1:fd use;
	allow unpriv_userdomain $1:fifo_file rw_file_perms;
	allow unpriv_userdomain $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_spec_domtrans_unpriv_users'($*)) dnl
')

########################################
## <summary>
##	Allow domain dyntrans to unpriv userdomain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): dyntransition changes the domain of a running process
# without an exec, so none of the entrypoint checks of a normal domain
# transition apply and the process keeps its open state. Keep the set of
# callers of this interface small and reviewed.
define(`userdom_dyntransition_unpriv_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dyntransition_unpriv_users'($*)) dnl
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:process dyntransition;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dyntransition_unpriv_users'($*)) dnl
')

########################################
## <summary>
##	Allow domain dyntrans to admin userdomain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): same caveat as userdom_dyntransition_unpriv_users, with the
# target being administrative domains — this is a privilege-raising path
# with no entrypoint check, so callers warrant explicit review.
define(`userdom_dyntransition_admin_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dyntransition_admin_users'($*)) dnl
	gen_require(`
		attribute admindomain;
	')

	allow $1 admindomain:process dyntransition;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dyntransition_admin_users'($*)) dnl
')

########################################
## <summary>
##	Execute an Xserver session in all unprivileged user domains. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`userdom_xsession_spec_domtrans_unpriv_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_xsession_spec_domtrans_unpriv_users'($*)) dnl
	gen_require(`
		attribute unpriv_userdomain;
	')

	xserver_xsession_spec_domtrans($1, unpriv_userdomain)
	allow unpriv_userdomain $1:fd use;
	allow unpriv_userdomain $1:fifo_file rw_file_perms;
	allow unpriv_userdomain $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_xsession_spec_domtrans_unpriv_users'($*)) dnl
')

########################################
## <summary>
##	Manage unprivileged user SysV semaphores.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_manage_unpriv_user_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_unpriv_user_semaphores'($*)) dnl
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:sem create_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_unpriv_user_semaphores'($*)) dnl
')

########################################
## <summary>
##	Manage unprivileged user SysV shared
##	memory segments.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_manage_unpriv_user_shared_mem',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_unpriv_user_shared_mem'($*)) dnl
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:shm create_shm_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_unpriv_user_shared_mem'($*)) dnl
')

########################################
## <summary>
##	Destroy unprivileged user SysV shared
##	memory segments.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Destroy only; intended for cleanup agents that reap another user's
# segments without needing read or write access to them.
define(`userdom_destroy_unpriv_user_shared_mem',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_destroy_unpriv_user_shared_mem'($*)) dnl
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:shm destroy;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_destroy_unpriv_user_shared_mem'($*)) dnl
')

########################################
## <summary>
##	Destroy unprivileged user's message queue entries.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_destroy_unpriv_user_msgq',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_destroy_unpriv_user_msgq'($*)) dnl
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:msgq destroy;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_destroy_unpriv_user_msgq'($*)) dnl
')

########################################
## <summary>
##	Execute bin_t in the unprivileged user domains. This
##	is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
define(`userdom_bin_spec_domtrans_unpriv_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_bin_spec_domtrans_unpriv_users'($*)) dnl
	gen_require(`
		attribute unpriv_userdomain;
	')

	corecmd_bin_spec_domtrans($1, unpriv_userdomain)
	allow unpriv_userdomain $1:fd use;
	allow unpriv_userdomain $1:fifo_file rw_file_perms;
	allow unpriv_userdomain $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_bin_spec_domtrans_unpriv_users'($*)) dnl
')

########################################
## <summary>
##	Execute all entrypoint files in unprivileged user
##	domains. This is an explicit transition, requiring the
##	caller to use setexeccon().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE(review): this variant uses rw_fifo_file_perms for the pipe rule,
# whereas the sibling *_spec_domtrans_* interfaces in this file use
# rw_file_perms on fifo_file. The two sets are probably not identical;
# confirm which one is intended and align the siblings.
# Widest of the spec_domtrans family: any entrypoint file of an
# unprivileged user domain, not just shells or bin_t.
define(`userdom_entry_spec_domtrans_unpriv_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_entry_spec_domtrans_unpriv_users'($*)) dnl
	gen_require(`
		attribute unpriv_userdomain;
	')

	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
	allow unpriv_userdomain $1:fd use;
	allow unpriv_userdomain $1:fifo_file rw_fifo_file_perms;
	allow unpriv_userdomain $1:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_entry_spec_domtrans_unpriv_users'($*)) dnl
')

########################################
## <summary>
##	Search users home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Search (not list) across the home directory type and every type carrying
# user_home_type, plus reading symlinks so paths through the home tree resolve.
define(`userdom_search_user_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_search_user_home_content'($*)) dnl
	gen_require(`
		type user_home_dir_t;
		attribute user_home_type;
	')

	files_list_home($1)
	allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
	allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_search_user_home_content'($*)) dnl
')

########################################
## <summary>
##	Send general signals to unprivileged user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_signal_unpriv_users',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_signal_unpriv_users'($*)) dnl
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_signal_unpriv_users'($*)) dnl
')

########################################
## <summary>
##	Inherit the file descriptors from unprivileged user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_use_unpriv_users_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_unpriv_users_fds'($*)) dnl
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_unpriv_users_fds'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to inherit the file descriptors
##	from unprivileged user domains.
## </summary>
## <desc>
##	<p>
##	Do not audit attempts to inherit the file descriptors
##	from unprivileged user domains. This will suppress
##	SELinux denial messages when the specified domain is denied
##	the permission to inherit these file descriptors.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
## <infoflow type="none"/>
#
define(`userdom_dontaudit_use_unpriv_user_fds',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_unpriv_user_fds'($*)) dnl
	gen_require(`
		attribute unpriv_userdomain;
	')

	dontaudit $1 unpriv_userdomain:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_unpriv_user_fds'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to use user ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# NOTE(review): this uses rw_inherited_file_perms on a chr_file, while the
# allow-side interfaces for the same type use rw_inherited_term_perms.
# If the term set carries permissions the file set lacks (e.g. ioctl),
# those denials would still be audited — confirm against the perm-set
# definitions and align with userdom_dontaudit_use_user_terminals.
define(`userdom_dontaudit_use_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_user_ptys'($*)) dnl
	gen_require(`
		type user_devpts_t;
	')

	dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_user_ptys'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to open user ptys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_open_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_open_user_ptys'($*)) dnl
	gen_require(`
		type user_devpts_t;
	')

	dontaudit $1 user_devpts_t:chr_file open;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_open_user_ptys'($*)) dnl
')

########################################
## <summary>
##	Relabel files to unprivileged user pty types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# relabelto only; the matching relabelfrom on the source type must come
# from elsewhere, so this alone cannot move a device into user_devpts_t.
define(`userdom_relabelto_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_relabelto_user_ptys'($*)) dnl
	gen_require(`
		type user_devpts_t;
	')

	allow $1 user_devpts_t:chr_file relabelto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_relabelto_user_ptys'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to relabel files from
##	user pty types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_relabelfrom_user_ptys',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_relabelfrom_user_ptys'($*)) dnl
	gen_require(`
		type user_devpts_t;
	')

	dontaudit $1 user_devpts_t:chr_file relabelfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_relabelfrom_user_ptys'($*)) dnl
')

########################################
## <summary>
##	Write all users files in /tmp
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Unlike the read/rw/manage siblings, no files_search_tmp() is granted here;
# the caller presumably already has the /tmp search right — confirm.
define(`userdom_write_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_write_user_tmp_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	write_files_pattern($1, user_tmp_t, user_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_write_user_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to write users
##	temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_write_user_tmp_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_write_user_tmp_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	dontaudit $1 user_tmp_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_write_user_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to delete users
##	temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_delete_user_tmp_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_delete_user_tmp_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	# Only the file-class side is silenced; the containing dir's
	# remove_name denial (if any) is still audited.
	dontaudit $1 user_tmp_t:file delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_delete_user_tmp_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read/write users
##	temporary fifo files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_rw_user_tmp_pipes',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_rw_user_tmp_pipes'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_rw_user_tmp_pipes'($*)) dnl
')

########################################
## <summary>
##	Allow domain to read/write inherited users
##	fifo files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_rw_inherited_user_pipes',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_inherited_user_pipes'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	# Covers unnamed pipes labelled with ANY user domain (userdomain
	# attribute), not only unprivileged ones.
	allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_inherited_user_pipes'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to use user ttys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_use_user_ttys',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_user_ttys'($*)) dnl
	gen_require(`
		type user_tty_device_t;
	')

	dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_user_ttys'($*)) dnl
')

########################################
## <summary>
##	Read the process state of all user domains.
## </summary>
## <desc>
##	<p>
##	Grants read of files and symlinks labelled with a user
##	domain type, i.e. that domain's /proc/&lt;pid&gt; entries
##	(cmdline, environ, maps, ...), plus search of /proc. This
##	is an information-disclosure surface; reserve it for
##	process-inspection tools.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_read_all_users_state',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_all_users_state'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	read_files_pattern($1, userdomain, userdomain)
	read_lnk_files_pattern($1,userdomain,userdomain)
	kernel_search_proc($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_all_users_state'($*)) dnl
')

########################################
## <summary>
##	Get the attributes of all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_getattr_all_users',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_getattr_all_users'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:process getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_getattr_all_users'($*)) dnl
')

########################################
## <summary>
##	Inherit the file descriptors from all user domains
## </summary>
## <desc>
##	<p>
##	fd:use alone does not grant I/O on the object behind the
##	descriptor; the caller still needs the matching file/socket
##	permissions on the target type.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_use_all_users_fds',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_use_all_users_fds'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_use_all_users_fds'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to inherit the file
##	descriptors from any user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_use_all_users_fds',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_use_all_users_fds'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	dontaudit $1 userdomain:fd use;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_use_all_users_fds'($*)) dnl
')

########################################
## <summary>
##	Send general signals to all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# The four signal interfaces below each grant exactly one of the process
# signal permissions (signal / signull / sigkill / sigchld); use the
# narrowest one the caller needs.
define(`userdom_signal_all_users',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_signal_all_users'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:process signal;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_signal_all_users'($*)) dnl
')

#######################################
## <summary>
##	Send signull to all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_signull_all_users',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_signull_all_users'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	# signull = kill(pid, 0): existence check only, no signal delivered.
	allow $1 userdomain:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_signull_all_users'($*)) dnl
')

########################################
## <summary>
##	Send kill signals to all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_kill_all_users',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_kill_all_users'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:process sigkill;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_kill_all_users'($*)) dnl
')

########################################
## <summary>
##	Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_sigchld_all_users',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_sigchld_all_users'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_sigchld_all_users'($*)) dnl
')

########################################
## <summary>
##	Read keys for all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Kernel keyring (class key) access to keys owned by any user domain.
define(`userdom_read_all_users_keys',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_all_users_keys'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:key read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_all_users_keys'($*)) dnl
')

########################################
## <summary>
##	Write keys for all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_write_all_users_keys',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_write_all_users_keys'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:key write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_write_all_users_keys'($*)) dnl
')

########################################
## <summary>
##	Read and write keys for all user domains.
## </summary>
## <desc>
##	<p>
##	Unlike the single-permission read/write interfaces above,
##	this also grants key:view (key attribute/description lookup).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_rw_all_users_keys',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_all_users_keys'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:key { read view write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_all_users_keys'($*)) dnl
')

########################################
## <summary>
##	Create keys for all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_create_all_users_keys',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_create_all_users_keys'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:key create;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_create_all_users_keys'($*)) dnl
')

########################################
## <summary>
##	Send a dbus message to all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Review note: besides dbus send_msg this interface also calls
# ps_process_pattern($1, userdomain), i.e. it grants read access to every
# user domain's process state. Callers that only need to talk over the bus
# get more than the name suggests.
define(`userdom_dbus_send_all_users',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dbus_send_all_users'($*)) dnl
	gen_require(`
		attribute userdomain;
		class dbus send_msg;
	')

	allow $1 userdomain:dbus send_msg;
	ps_process_pattern($1, userdomain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dbus_send_all_users'($*)) dnl
')

########################################
## <summary>
##	Allow user domains to inherit resource limits
##	from this domain (process rlimitinh).
## </summary>
## <desc>
##	<p>
##	The rule is source=$1, target=userdomain, permission
##	rlimitinh; it does not let $1 modify user domains'
##	limits. (Interface name keeps its historical spelling for
##	caller compatibility.)
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_set_rlimitnh',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_set_rlimitnh'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:process rlimitinh;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_set_rlimitnh'($*)) dnl
')

########################################
## <summary>
##	Define this type as an unprivileged user domain type:
##	add it to the $1_usertype, unpriv_userdomain and
##	userdomain attributes, give it nsswitch access and
##	make it UBAC-constrained.
## </summary>
## <param name="userdomain_prefix">
##	<summary>
##	The prefix of the user domain (e.g., user
##	is the prefix for user_t).
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_unpriv_usertype',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_unpriv_usertype'($*)) dnl
	gen_require(`
		attribute unpriv_userdomain, userdomain;
		attribute $1_usertype;
	')

	typeattribute $2 $1_usertype;
	typeattribute $2 unpriv_userdomain;
	typeattribute $2 userdomain;

	auth_use_nsswitch($2)

	ubac_constrained($2) dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_unpriv_usertype'($*)) dnl
')

#######################################
## <summary>
##	Define this type as a user domain: add it to the
##	userdomain attribute, give it nsswitch access and
##	make it UBAC-constrained. Unlike
##	userdom_unpriv_usertype it does NOT add the
##	unpriv_userdomain attribute.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_unpriv_type',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_unpriv_type'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	typeattribute $1 userdomain;

	auth_use_nsswitch($1)

	ubac_constrained($1) dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_unpriv_type'($*)) dnl
')

########################################
## <summary>
##	Connect to users over a unix stream socket
##	(socket file in user_tmp_t, peer in any userdomain).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_stream_connect',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_stream_connect'($*)) dnl
	gen_require(`
		type user_tmp_t;
		attribute userdomain;
	')

	stream_connect_pattern($1, user_tmp_t, user_tmp_t, userdomain)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_stream_connect'($*)) dnl
')

########################################
## <summary>
##	Ptrace user domains.
## </summary>
## <desc>
##	<p>
##	The allow rule is only emitted when the deny_ptrace
##	tunable is off; with deny_ptrace enabled this interface
##	grants nothing. ptrace of a user domain gives full control
##	of that process (memory, registers, credentials), so keep
##	callers to debuggers and similar tooling.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_ptrace_all_users',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_ptrace_all_users'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	tunable_policy(`deny_ptrace',`',`
		allow $1 userdomain:process ptrace;
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_ptrace_all_users'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to search /root.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_search_admin_dir',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_search_admin_dir'($*)) dnl
	gen_require(`
		type admin_home_t;
	')

	dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
	dontaudit $1 admin_home_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_search_admin_dir'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to list /root.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_list_admin_dir',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_list_admin_dir'($*)) dnl
	gen_require(`
		type admin_home_t;
	')

	dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
	dontaudit $1 admin_home_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_list_admin_dir'($*)) dnl
')

########################################
## <summary>
##	Allow domain to list /root
##	(directory listing plus symlink following; no file reads).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_list_admin_dir',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_list_admin_dir'($*)) dnl
	gen_require(`
		type admin_home_t;
	')

	allow $1 admin_home_t:lnk_file read_lnk_file_perms;
	allow $1 admin_home_t:dir list_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_list_admin_dir'($*)) dnl
')

########################################
## <summary>
##	Allow search of /root.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_search_admin_dir',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_search_admin_dir'($*)) dnl
	gen_require(`
		type admin_home_t;
	')

	allow $1 admin_home_t:lnk_file read_lnk_file_perms;
	allow $1 admin_home_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_search_admin_dir'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to create directories in /root.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_create_admin_dir',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_create_admin_dir'($*)) dnl
	gen_require(`
		type admin_home_t;
	')

	dontaudit $1 admin_home_t:dir create_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_create_admin_dir'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete directories in /root.
## </summary>
## <desc>
##	<p>
##	This is an allow rule on the root user's home directory;
##	the parameter was previously mis-documented as
##	"Domain to not audit". Grant sparingly.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_manage_admin_dirs',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_admin_dirs'($*)) dnl
	gen_require(`
		type admin_home_t;
	')

	allow $1 admin_home_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_admin_dirs'($*)) dnl
')

########################################
## <summary>
##	Create, read, write, and delete files in /root.
##	(Allow rule, not a dontaudit.)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Security note: write access to files under /root includes the root
# user's shell rc files and ~/.ssh; treat callers as root-equivalent.
define(`userdom_manage_admin_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_admin_files'($*)) dnl
	gen_require(`
		type admin_home_t;
	')

	allow $1 admin_home_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_admin_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to manage directories in /root.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_manage_admin_dir',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_manage_admin_dir'($*)) dnl
	gen_require(`
		type admin_home_t;
	')

	dontaudit $1 admin_home_t:dir manage_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_manage_admin_dir'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to manage files in /root.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_manage_admin_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_manage_admin_files'($*)) dnl
	gen_require(`
		type admin_home_t;
	')

	dontaudit $1 admin_home_t:file manage_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_manage_admin_files'($*)) dnl
')

########################################
## <summary>
##	Read and write unprivileged user SysV semaphores.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_rw_semaphores',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_semaphores'($*)) dnl
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:sem rw_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_semaphores'($*)) dnl
')

########################################
## <summary>
##	Send a message to unpriv users over a unix domain
##	datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_dgram_send',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dgram_send'($*)) dnl
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:unix_dgram_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dgram_send'($*)) dnl
')

######################################
## <summary>
##	Send a message to users over a unix domain
##	datagram socket (all user domains, privileged
##	ones included; see userdom_dgram_send for the
##	unprivileged-only variant).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_users_dgram_send',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_users_dgram_send'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:unix_dgram_socket sendto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_users_dgram_send'($*)) dnl
')

#######################################
## <summary>
##	Allow execmod on files in the home directory.
## </summary>
## <desc>
##	<p>
##	execmod permits mapping a user-writable home file
##	executable after it has been modified (text relocations,
##	runtime-patched libraries). It weakens the W^X guarantee
##	for everything labelled with a user_home_type; prefer
##	fixing the binary over granting this.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_execmod_user_home_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_execmod_user_home_files'($*)) dnl
	gen_require(`
		attribute user_home_type;
	')

	allow $1 user_home_type:file execmod;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_execmod_user_home_files'($*)) dnl
')

########################################
## <summary>
##	Read admin home files.
## </summary>
## <desc>
##	<p>
##	/root may hold credentials (~/.ssh, shell history, .netrc);
##	grant only to domains that must read the root user's data.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_read_admin_home_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_admin_home_files'($*)) dnl
	gen_require(`
		type admin_home_t;
	')

	allow $1 admin_home_t:lnk_file read_lnk_file_perms;
	read_files_pattern($1, admin_home_t, admin_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_admin_home_files'($*)) dnl
')

########################################
## <summary>
##	Delete admin home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_delete_admin_home_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_delete_admin_home_files'($*)) dnl
	gen_require(`
		type admin_home_t;
	')

	allow $1 admin_home_t:lnk_file read_lnk_file_perms;
	# file-class side only; the caller also needs dir remove_name on
	# admin_home_t (e.g. via userdom_manage_admin_dirs) to unlink.
	allow $1 admin_home_t:file delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_delete_admin_home_files'($*)) dnl
')

########################################
## <summary>
##	Execute admin home files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Security note: executes content under /root in the caller's own domain
# (exec_files_pattern, no domain transition), so a writable /root file
# becomes code running as $1.
define(`userdom_exec_admin_home_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_exec_admin_home_files'($*)) dnl
	gen_require(`
		type admin_home_t;
	')

	allow $1 admin_home_t:lnk_file read_lnk_file_perms;
	exec_files_pattern($1, admin_home_t, admin_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_exec_admin_home_files'($*)) dnl
')

########################################
## <summary>
##	Append files inherited
##	in the /root directory.
## </summary>
## <desc>
##	<p>
##	No open permission: only descriptors handed over from
##	another domain can be appended to.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_inherit_append_admin_home_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_inherit_append_admin_home_files'($*)) dnl
	gen_require(`
		type admin_home_t;
	')

	allow $1 admin_home_t:file { getattr append };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_inherit_append_admin_home_files'($*)) dnl
')

#######################################
## <summary>
##	Manage all files/directories in the homedir
##	(every user_home_type, under both user_home_dir_t and
##	any user_home_type container), with new objects
##	created directly in the home directory transitioning
##	to user_home_t.
## </summary>
## <param name="domain">
##	<summary>
##	The user domain
##	</summary>
## </param>
#
define(`userdom_manage_user_home_content',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_home_content'($*)) dnl
	gen_require(`
		type user_home_dir_t, user_home_t;
		attribute user_home_type;
	')

	files_list_home($1)
	manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_sock_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_fifo_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	filetrans_pattern($1, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_home_content'($*)) dnl
')

######################################
## <summary>
##	Manage all dirs in the homedir
##	(all user_home_type directories; no type transition).
## </summary>
## <param name="domain">
##	<summary>
##	The user domain
##	</summary>
## </param>
#
define(`userdom_manage_all_user_home_type_dirs',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_all_user_home_type_dirs'($*)) dnl
	gen_require(`
		type user_home_dir_t, user_home_t;
		attribute user_home_type;
	')

	files_list_home($1)
	manage_dirs_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_all_user_home_type_dirs'($*)) dnl
')

######################################
## <summary>
##	Manage all files in the homedir
##	(regular files and symlinks of every user_home_type;
##	no type transition).
## </summary>
## <param name="domain">
##	<summary>
##	The user domain
##	</summary>
## </param>
#
define(`userdom_manage_all_user_home_type_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_all_user_home_type_files'($*)) dnl
	gen_require(`
		type user_home_dir_t, user_home_t;
		attribute user_home_type;
	')

	files_list_home($1)
	manage_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
	manage_lnk_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_all_user_home_type_files'($*)) dnl
')

########################################
## <summary>
##	Create objects in a user home directory
##	with an automatic type transition to
##	the user home file type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
#
# Only the type_transition is emitted; the caller must separately hold
# the create permissions on user_home_dir_t / user_home_t.
define(`userdom_user_home_dir_filetrans_pattern',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_user_home_dir_filetrans_pattern'($*)) dnl
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	type_transition $1 user_home_dir_t:$2 user_home_t;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_user_home_dir_filetrans_pattern'($*)) dnl
')

########################################
## <summary>
##	Create objects in the /root directory
##	with an automatic type transition to
##	a specified private type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private_type">
##	<summary>
##	The type of the object to create.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	The class of the object to be created.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
define(`userdom_admin_home_dir_filetrans',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_admin_home_dir_filetrans'($*)) dnl
	gen_require(`
		type admin_home_t;
	')

	allow $1 admin_home_t:lnk_file read_lnk_file_perms;
	filetrans_pattern($1, admin_home_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_admin_home_dir_filetrans'($*)) dnl
')

########################################
## <summary>
##	Send signull to unprivileged user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_signull_unpriv_users',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_signull_unpriv_users'($*)) dnl
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:process signull;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_signull_unpriv_users'($*)) dnl
')

########################################
## <summary>
##	List and read/write user temporary directories
##	and write user temporary files in /tmp.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_write_user_tmp_dirs',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_write_user_tmp_dirs'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	list_dirs_pattern($1, user_tmp_t, user_tmp_t)
	rw_dirs_pattern($1, user_tmp_t, user_tmp_t)
	write_files_pattern($1, user_tmp_t, user_tmp_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_write_user_tmp_dirs'($*)) dnl
')

########################################
## <summary>
##	Manage keys for all user domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_manage_all_users_keys',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_all_users_keys'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:key manage_key_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_all_users_keys'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	userdomain unix stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_rw_stream',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_rw_stream'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_rw_stream'($*)) dnl
')

########################################
## <summary>
##	Read and write userdomain unix stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_rw_stream',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_stream'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:unix_stream_socket rw_socket_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_stream'($*)) dnl
')

########################################
## <summary>
##	Connect to userdomain unix stream sockets
##	(connectto only; no read/write and no socket-file
##	access is granted here).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_connectto_stream',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_connectto_stream'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:unix_stream_socket connectto;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_connectto_stream'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	userdomain unix datagram sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_rw_dgram_socket',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_rw_dgram_socket'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	dontaudit $1 userdomain:unix_dgram_socket { read write };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_rw_dgram_socket'($*)) dnl
')

########################################
## <summary>
##	Append files
##	in a user home subdirectory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_append_user_home_content_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_append_user_home_content_files'($*)) dnl
	gen_require(`
		type user_home_dir_t, user_home_t;
	')

	append_files_pattern($1, user_home_t, user_home_t)
	# path traversal: /home (files_search_home) -> ~ (user_home_dir_t)
	allow $1 user_home_dir_t:dir search_dir_perms;
	files_search_home($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_append_user_home_content_files'($*)) dnl
')

########################################
## <summary>
##	Read files inherited
##	in a user home subdirectory.
## </summary>
## <desc>
##	<p>
##	Grants getattr and read but not open on every
##	user_home_type file: the domain can only consume
##	descriptors it inherited or was passed.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_read_inherited_user_home_content_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_inherited_user_home_content_files'($*)) dnl
	gen_require(`
		attribute user_home_type;
	')

	allow $1 user_home_type:file { getattr read };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_inherited_user_home_content_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to read files inherited
##	from the admin home dir.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_read_inherited_admin_home_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_inherited_admin_home_files'($*)) dnl
	gen_require(`
		type admin_home_t;
	')

	dontaudit $1 admin_home_t:file read_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_inherited_admin_home_files'($*)) dnl
')

########################################
## <summary>
##	Do not audit attempts to append to files
##	inherited from the admin home dir.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
define(`userdom_dontaudit_append_inherited_admin_home_file',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_append_inherited_admin_home_file'($*)) dnl
	gen_require(`
		type admin_home_t;
	')

	dontaudit $1 admin_home_t:file append_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_append_inherited_admin_home_file'($*)) dnl
')

########################################
## <summary>
##	Read/Write files inherited
##	in a user home subdirectory
##	(all user_home_type files; no open).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_rw_inherited_user_home_content_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_inherited_user_home_content_files'($*)) dnl
	gen_require(`
		attribute user_home_type;
	')

	allow $1 user_home_type:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_inherited_user_home_content_files'($*)) dnl
')

########################################
## <summary>
##	Append files inherited
##	in a user home subdirectory
##	(user_home_t only, unlike the user_home_type
##	variants above; no open).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
define(`userdom_inherit_append_user_home_content_files',`
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_inherit_append_user_home_content_files'($*)) dnl
	gen_require(`
		type user_home_t;
	')

	allow $1 user_home_t:file { getattr append };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_inherit_append_user_home_content_files'($*)) dnl
')

########################################
## <summary>
##	Append to inherited user temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##
#
define(`userdom_inherit_append_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_inherit_append_user_tmp_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	# getattr and append only; no open, so the descriptor must be inherited.
	allow $1 user_tmp_t:file { getattr append };
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_inherit_append_user_tmp_files'($*)) dnl
')

########################################
##
## Read audio files (audio_home_t) in the user home directory.
##
## Read-only: directories may be listed and files and symlinks read;
## nothing under audio_home_t can be created or modified.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_read_home_audio_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_home_audio_files'($*)) dnl
	gen_require(`
		type audio_home_t;
	')

	# Search of the home directory itself is needed to reach the audio dir.
	userdom_search_user_home_dirs($1)
	allow $1 audio_home_t:dir list_dir_perms;
	read_files_pattern($1, audio_home_t, audio_home_t)
	read_lnk_files_pattern($1, audio_home_t, audio_home_t)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_home_audio_files'($*)) dnl
')

########################################
##
## Manage texlive content (texlive_home_t) in the user home directory.
##
## Parameters:
##   domain - Domain allowed access.
##
##
#
define(`userdom_manage_home_texlive',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_home_texlive'($*)) dnl
	gen_require(`
		type texlive_home_t;
	')

	userdom_search_user_home_dirs($1)

	# Name-based transitions are literal: only these three directory
	# names get the texlive_home_t label.  A newer .texliveNNNN directory
	# created by the caller will receive the default home label instead.
	userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2012")
	userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2013")
	userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2014")

	manage_dirs_pattern($1, texlive_home_t, texlive_home_t)
	manage_files_pattern($1, texlive_home_t, texlive_home_t)
	manage_lnk_files_pattern($1, texlive_home_t, texlive_home_t)

	# relabelfrom only: the caller may relabel files away from
	# texlive_home_t, but no relabelto is granted here.
	allow $1 texlive_home_t:file relabelfrom;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_home_texlive'($*)) dnl
')

########################################
##
## Do not audit attempts to write all user home content files.
##
## Covers every type with the user_home_type attribute.  Only the
## denial is silenced; no write access is granted.
##
## Parameters:
##   domain - Domain to not audit.
##
#
define(`userdom_dontaudit_write_all_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_write_all_user_home_content_files'($*)) dnl
	gen_require(`
		attribute user_home_type;
	')

	dontaudit $1 user_home_type:file write_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_write_all_user_home_content_files'($*)) dnl
')

########################################
##
## Do not audit attempts to write all user tmp content files.
##
## Parameters:
##   domain - Domain to not audit.
##
#
define(`userdom_dontaudit_write_all_user_tmp_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_write_all_user_tmp_content_files'($*)) dnl
	gen_require(`
		attribute user_tmp_type;
	')

	# Silence only, across every type carrying user_tmp_type.
	dontaudit $1 user_tmp_type:file write_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_write_all_user_tmp_content_files'($*)) dnl
')

########################################
##
## Manage all user temporary content.
##
## Full create/read/write/delete on directories, files, symlinks,
## sockets and FIFOs of every type carrying the user_tmp_type
## attribute.  This is a broad grant: a domain given it can tamper
## with the temporary files of every user domain, so it belongs on
## system services that must clean or administer /tmp, not on
## ordinary applications.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_manage_all_user_tmp_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_all_user_tmp_content'($*)) dnl
	gen_require(`
		attribute user_tmp_type;
	')

	manage_dirs_pattern($1, user_tmp_type, user_tmp_type)
	manage_files_pattern($1, user_tmp_type, user_tmp_type)
	manage_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
	manage_sock_files_pattern($1, user_tmp_type, user_tmp_type)
	manage_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
	# Only /tmp is searched here; the list and delete variants below
	# also search /var (for /var/tmp).
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_all_user_tmp_content'($*)) dnl
')

########################################
##
## List all user temporary content.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_list_all_user_tmp_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_list_all_user_tmp_content'($*)) dnl
	gen_require(`
		attribute user_tmp_type;
	')

	# Directory listing plus getattr on the entries; file contents are
	# not readable (only symlink targets are).
	list_dirs_pattern($1, user_tmp_type, user_tmp_type)
	getattr_files_pattern($1, user_tmp_type, user_tmp_type)
	read_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
	getattr_sock_files_pattern($1, user_tmp_type, user_tmp_type)
	getattr_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
	# /var/tmp as well as /tmp
	files_search_var($1)
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_list_all_user_tmp_content'($*)) dnl
')

########################################
##
## Manage all user tmpfs content.
##
## Deprecated: emits a build-time warning and forwards to
## userdom_manage_all_user_tmp_content(), so it grants exactly
## the same (broad) access.  Do not use in new policy.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_manage_all_user_tmpfs_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_all_user_tmpfs_content'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use userdom_manage_all_user_tmp_content instead.')
	userdom_manage_all_user_tmp_content($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_all_user_tmpfs_content'($*)) dnl
')

########################################
##
## Delete all user temporary content.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_delete_all_user_tmp_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_delete_all_user_tmp_content'($*)) dnl
	gen_require(`
		attribute user_tmp_type;
	')

	# Delete-only across every type carrying user_tmp_type (all users).
	# Intended for tmp cleaners; it is not a read or write grant.
	delete_dirs_pattern($1, user_tmp_type, user_tmp_type)
	delete_files_pattern($1, user_tmp_type, user_tmp_type)
	delete_lnk_files_pattern($1, user_tmp_type, user_tmp_type)
	delete_sock_files_pattern($1, user_tmp_type, user_tmp_type)
	delete_fifo_files_pattern($1, user_tmp_type, user_tmp_type)
	# /var/tmp
	files_search_var($1)
	files_delete_tmp_dir_entry($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_delete_all_user_tmp_content'($*)) dnl
')

########################################
##
## Read SSL certificates (home_cert_t) in the user home directory.
##
## Implemented by attaching the userdom_home_reader_certs_type
## attribute; the actual allow rules live wherever that attribute
## is granted access, not in this interface.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_read_home_certs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_home_certs'($*)) dnl
	gen_require(`
		attribute userdom_home_reader_certs_type;
	')

	typeattribute $1 userdom_home_reader_certs_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_home_certs'($*)) dnl
')

########################################
##
## mmap SSL certificates (home_cert_t) in the user home directory.
##
## Grants only the map permission.  Read/open access is separate
## (see userdom_read_home_certs); without it map alone is not usable.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_map_home_certs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_map_home_certs'($*)) dnl
	gen_require(`
		type home_cert_t;
	')

	allow $1 home_cert_t:file map;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_map_home_certs'($*)) dnl
')

########################################
##
## Manage SSL certificates (home_cert_t) in the user home directory.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_manage_home_certs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_home_certs'($*)) dnl
	gen_require(`
		type home_cert_t;
	')

	allow $1 home_cert_t:dir list_dir_perms;
	manage_dirs_pattern($1, home_cert_t, home_cert_t)
	manage_files_pattern($1, home_cert_t, home_cert_t)
	manage_lnk_files_pattern($1, home_cert_t, home_cert_t)

	# .cert and .pki created in a user home dir, and also in the admin
	# (/root) home dir, are labeled home_cert_t.  Note this therefore
	# lets the caller create certificate stores under /root as well.
	userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
	userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
	userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".pki")
	userdom_admin_home_dir_filetrans($1, home_cert_t, dir, ".cert")
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_home_certs'($*)) dnl
')

########################################
##
## Do not audit attempts to write SSL certificates
## (home_cert_t) in the user home directory.
##
## Parameters:
##   domain - Domain to not audit.
##
#
define(`userdom_dontaudit_write_home_certs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_write_home_certs'($*)) dnl
	gen_require(`
		type home_cert_t;
	')

	# Silence only; write is not granted.
	dontaudit $1 home_cert_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_write_home_certs'($*)) dnl
')

########################################
##
## Do not audit attempts to getattr files in the admin (/root) home directory.
##
## Parameters:
##   domain - Domain to not audit.
##
#
define(`userdom_dontaudit_getattr_admin_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_getattr_admin_home_files'($*)) dnl
	gen_require(`
		type admin_home_t;
	')

	dontaudit $1 admin_home_t:file getattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_getattr_admin_home_files'($*)) dnl
')

########################################
##
## Do not audit attempts to read symlinks in the admin (/root) home directory.
##
## Parameters:
##   domain - Domain to not audit.
##
#
define(`userdom_dontaudit_read_admin_home_lnk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_admin_home_lnk_files'($*)) dnl
	gen_require(`
		type admin_home_t;
	')

	dontaudit $1 admin_home_t:lnk_file read;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_admin_home_lnk_files'($*)) dnl
')

########################################
##
## Do not audit attempts to read files and symlinks
## in the admin (/root) home directory.
##
## Parameters:
##   domain - Domain to not audit.
##
#
define(`userdom_dontaudit_read_admin_home_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_admin_home_files'($*)) dnl
	gen_require(`
		type admin_home_t;
	')

	# Covers both symlinks and regular files, unlike the lnk-only variant.
	dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
	dontaudit $1 admin_home_t:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_admin_home_files'($*)) dnl
')

########################################
##
## Create, read, write, and delete user temporary
## character device nodes (user_tmp_t chr_file).
##
## Device nodes under /tmp are unusual and dangerous: a node for any
## device the domain may otherwise create gives a user-writable path
## to that device.  The mknod capability is not granted here and is
## checked separately.  Grant only to domains that demonstrably need
## it (e.g. building a chroot), never to general user domains.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_manage_user_tmp_chr_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_chr_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_chr_files'($*)) dnl
')

########################################
##
## Create, read, write, and delete user temporary
## block device nodes (user_tmp_t blk_file).
##
## Same caution as for character device nodes: grant sparingly.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_manage_user_tmp_blk_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_manage_user_tmp_blk_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	# Block device nodes under /tmp; the mknod capability is not granted here.
	manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
	files_search_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_manage_user_tmp_blk_files'($*)) dnl
')

########################################
##
## Do not audit attempts to set attributes on user temporary directories.
##
## Parameters:
##   domain - Domain to not audit.
##
#
define(`userdom_dontaudit_setattr_user_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_setattr_user_tmp'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	dontaudit $1 user_tmp_t:dir setattr;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_setattr_user_tmp'($*)) dnl
')

########################################
##
## Do not audit attempts to set attributes on user tmpfs directories.
##
## Deprecated: warns at build time and forwards to
## userdom_dontaudit_setattr_user_tmp().  Do not use in new policy.
##
## Parameters:
##   domain - Domain to not audit.
##
#
define(`userdom_dontaudit_setattr_user_tmpfs',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_setattr_user_tmpfs'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use userdom_dontaudit_setattr_user_tmp() instead.')
	userdom_dontaudit_setattr_user_tmp($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_setattr_user_tmpfs'($*)) dnl
')

########################################
##
## Read all inherited user files in /tmp (user_tmp_t).
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_read_inherited_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_read_inherited_user_tmp_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	# Inherited-descriptor read only; no directory search is granted,
	# so the caller cannot open user_tmp_t files by path through this.
	allow $1 user_tmp_t:file read_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_read_inherited_user_tmp_files'($*)) dnl
')

########################################
##
## Read, write and mmap all inherited user files in /tmp (user_tmp_t).
##
## The map permission lets the file be mapped into the address space;
## with a writable mapping this is effectively shared memory with
## whoever else holds the file, so treat it as IPC, not just file I/O.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_mmap_rw_inherited_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_mmap_rw_inherited_user_tmp_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	allow $1 user_tmp_t:file mmap_rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_mmap_rw_inherited_user_tmp_files'($*)) dnl
')

########################################
##
## Read and write all inherited user files in /tmp (user_tmp_t).
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_rw_inherited_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_inherited_user_tmp_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	allow $1 user_tmp_t:file rw_inherited_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_inherited_user_tmp_files'($*)) dnl
')

########################################
##
## Write all inherited user files in /tmp (user_tmp_t).
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_write_inherited_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_write_inherited_user_tmp_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	# Bare write: no getattr, no open, no append.
	allow $1 user_tmp_t:file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_write_inherited_user_tmp_files'($*)) dnl
')

########################################
##
## Write to inherited user home socket files.
##
## NOTE(review): despite the rw in its name, this interface grants
## only the write permission, and only on the sock_file class (not
## regular files) of every type carrying user_home_type.  The
## previous summary (write all inherited users home files) was
## misleading; callers needing read or regular-file access must use
## another interface.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_rw_inherited_user_home_sock_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_inherited_user_home_sock_files'($*)) dnl
	gen_require(`
		attribute user_home_type;
	')

	# sock_file write only; read is not granted here.
	allow $1 user_home_type:sock_file write;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_inherited_user_home_sock_files'($*)) dnl
')

########################################
##
## Delete user files in /tmp (user_tmp_t).
##
## Grants delete_file_perms on the files only; no directory search or
## write on the containing directory is included, so the caller must
## obtain those elsewhere for unlink to succeed.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_delete_user_tmp_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_delete_user_tmp_files'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	allow $1 user_tmp_t:file delete_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_delete_user_tmp_files'($*)) dnl
')

########################################
##
## Delete user tmpfs files.
##
## Parameters:
##   domain - Domain allowed access.
##
#
# Deprecated: warns at build time and forwards to
# userdom_delete_user_tmp_files().  Do not use in new policy.
define(`userdom_delete_user_tmpfs_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_delete_user_tmpfs_files'($*)) dnl
	refpolicywarn(`$0($*) has been deprecated, use userdom_delete_user_tmp_files instead.')
	userdom_delete_user_tmp_files($1)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_delete_user_tmpfs_files'($*)) dnl
')

########################################
##
## Read and write unprivileged user SysV shared memory segments.
##
## Applies to the shm of every domain carrying unpriv_userdomain.
## Shared memory is a direct channel into and out of those processes;
## a domain holding this can read and modify data of any unprivileged
## user session, so grant it only to trusted infrastructure.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_rw_unpriv_user_shared_mem',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_unpriv_user_shared_mem'($*)) dnl
	gen_require(`
		attribute unpriv_userdomain;
	')

	allow $1 unpriv_userdomain:shm rw_shm_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_unpriv_user_shared_mem'($*)) dnl
')

########################################
##
## Do not audit attempts to search user temporary directories.
##
## Parameters:
##   domain - Domain to not audit.
##
#
define(`userdom_dontaudit_search_user_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_search_user_tmp'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	dontaudit $1 user_tmp_t:dir search_dir_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_search_user_tmp'($*)) dnl
')

########################################
##
## Execute a file in a user home directory
## in the specified domain.
##
##

## Execute a file in a user home directory ## in the specified domain. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##
##
## Parameters:
##   domain        - Domain allowed access.
##   target_domain - The type of the new process.
##
## Security note: the executable lives in user-writable home content
## (user_home_t), so the code that runs in target_domain is chosen by
## whoever can write the home directory.  target_domain must be a
## domain whose policy tolerates attacker-chosen code, and the caller
## should treat this as equivalent to letting the user run arbitrary
## programs in that domain.
##
## NOTE(review): unlike userdom_domtrans_user_tmp (which calls
## files_search_tmp), no search of the home directory hierarchy is
## granted here; the caller is expected to reach user_home_t files
## already.  Confirm this is intentional before relying on it.
##
#
define(`userdom_domtrans_user_home',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_domtrans_user_home'($*)) dnl
	gen_require(`
		type user_home_t;
	')

	# Symlinks may be followed to the executable.
	read_lnk_files_pattern($1, user_home_t, user_home_t)
	# Execute user_home_t and transition to target_domain on exec.
	domain_transition_pattern($1, user_home_t, $2)
	type_transition $1 user_home_t:process $2;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_domtrans_user_home'($*)) dnl
')

########################################
##
## Execute a file in a user tmp directory
## in the specified domain.
##
##

## Execute a file in a user tmp directory ## in the specified domain. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##
##
## Parameters:
##   domain        - Domain allowed access.
##   target_domain - The type of the new process.
##
## Security note: user_tmp_t is user-writable, so the program that
## ends up running in target_domain is chosen by the user.  Only use a
## target_domain that is designed to run untrusted code.
##
#
define(`userdom_domtrans_user_tmp',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_domtrans_user_tmp'($*)) dnl
	gen_require(`
		type user_tmp_t;
	')

	files_search_tmp($1)
	read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
	domain_transition_pattern($1, user_tmp_t, $2)
	type_transition $1 user_tmp_t:process $2;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_domtrans_user_tmp'($*)) dnl
')

########################################
##
## Do not audit attempts to read all user home content files.
##
## Covers every type carrying user_home_type.  Silence only.
##
## Parameters:
##   domain - Domain to not audit.
##
#
define(`userdom_dontaudit_read_all_user_home_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_all_user_home_content_files'($*)) dnl
	gen_require(`
		attribute user_home_type;
	')

	dontaudit $1 user_home_type:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_all_user_home_content_files'($*)) dnl
')

########################################
##
## Do not audit attempts to read all user tmp content files.
##
## Covers every type carrying user_tmp_type.  Silence only.
##
## Parameters:
##   domain - Domain to not audit.
##
#
define(`userdom_dontaudit_read_all_user_tmp_content_files',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_read_all_user_tmp_content_files'($*)) dnl
	gen_require(`
		attribute user_tmp_type;
	')

	dontaudit $1 user_tmp_type:file read_file_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_read_all_user_tmp_content_files'($*)) dnl
')

########################################
##
## Read and write unprivileged user SysV semaphores.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_rw_unpriv_user_semaphores',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_rw_unpriv_user_semaphores'($*)) dnl
	gen_require(`
		attribute unpriv_userdomain;
	')

	# Semaphores of every unprivileged user domain; a cross-user IPC grant.
	allow $1 unpriv_userdomain:sem rw_sem_perms;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_rw_unpriv_user_semaphores'($*)) dnl
')

########################################
##
## Transition to userdom named content.
##
## Attaches the userdom_filetrans_type attribute; the file name
## transitions themselves are declared wherever that attribute is
## used, not here.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_filetrans_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_filetrans_home_content'($*)) dnl
	gen_require(`
		attribute userdom_filetrans_type;
	')

	typeattribute $1 userdom_filetrans_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_filetrans_home_content'($*)) dnl
')

########################################
##
## Make the specified type able to read content in user home dirs.
##
## Attribute-based: the read rules are granted to
## userdom_home_reader_type elsewhere in the policy.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_home_reader',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_home_reader'($*)) dnl
	gen_require(`
		attribute userdom_home_reader_type;
	')

	typeattribute $1 userdom_home_reader_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_home_reader'($*)) dnl
')

########################################
##
## Make the specified type able to manage content in user home dirs.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_home_manager',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_home_manager'($*)) dnl
	gen_require(`
		attribute userdom_home_manager_type;
	')

	# Attribute-based; the manage rules live where the attribute is used.
	typeattribute $1 userdom_home_manager_type;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_home_manager'($*)) dnl
')

########################################
##
## Create objects in the temporary filesystem directory
## with an automatic type transition to the user
## temporary filesystem type (user_tmpfs_t).
##
## Parameters:
##   domain      - Domain allowed access.
##   object      - The class of the object to be created.
##   name        - The name of the object being created.
##
#
define(`userdom_tmpfs_filetrans',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_tmpfs_filetrans'($*)) dnl
	gen_require(`
		type user_tmpfs_t;
	')

	fs_tmpfs_filetrans($1, user_tmpfs_t, $2, $3)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_tmpfs_filetrans'($*)) dnl
')

########################################
##
## Create objects in a user tmpfs directory (user_tmpfs_t)
## with an automatic type transition to a specified type.
##
## The second argument is the type the new object receives, not
## an object class: it is passed as the newtype argument of
## filetrans_pattern(domain, dirtype, newtype, class, [filename]).
## The earlier parameter list for this interface was wrong.
##
## Parameters:
##   domain       - Domain allowed access.
##   private_type - The type of the object to create.
##   object       - The class of the object to be created.
##   name         - The name of the object being created.
##
#
define(`userdom_tmpfs_filetrans_to',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_tmpfs_filetrans_to'($*)) dnl
	gen_require(`
		type user_tmpfs_t;
	')

	# user_tmpfs_t is the containing directory type; the new object gets the second argument.
	filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_tmpfs_filetrans_to'($*)) dnl
')

########################################
##
## File name transitions for generic home content.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_filetrans_generic_home_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_filetrans_generic_home_content'($*)) dnl
	gen_require(`
		type home_bin_t;
		type audio_home_t;
		type home_cert_t;
		type user_tmp_t;
	')

	# Name-based labeling for well-known directories created directly in
	# a user home dir.  Only these literal names are matched.
	userdom_user_home_dir_filetrans($1, home_bin_t, dir, "bin")
	userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Audio")
	userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Music")
	userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
	userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
	userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
	userdom_user_home_dir_filetrans($1, user_tmp_t, dir, "tmp")
	userdom_user_home_dir_filetrans($1, user_tmp_t, dir, ".tmp")

	optional_policy(`
		gnome_data_filetrans($1, home_cert_t, dir, "certificates")
	')
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_filetrans_generic_home_content'($*)) dnl
')

########################################
##
## Allow the caller to transition to any user domain.
##
## Broad: the target is the whole userdomain attribute, which
## includes privileged and administrative user domains.  Prefer
## userdom_transition_login_userdomain() when only login user
## domains are needed.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_transition',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_transition'($*)) dnl
	gen_require(`
		attribute userdomain;
	')

	allow $1 userdomain:process transition;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_transition'($*)) dnl
')

########################################
##
## Allow the caller to nnp_transition to a login user domain.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_nnp_transition_login_userdomain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_nnp_transition_login_userdomain'($*)) dnl
	gen_require(`
		attribute login_userdomain;
	')

	# nnp_transition permits a domain transition even when the process
	# runs with no_new_privs set, which normally blocks transitions.
	# The target domain must therefore be no more privileged than the
	# caller expects under no_new_privs.
	allow $1 login_userdomain:process2 nnp_transition;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_nnp_transition_login_userdomain'($*)) dnl
')

########################################
##
## Allow the caller to transition to a login user domain.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_transition_login_userdomain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_transition_login_userdomain'($*)) dnl
	gen_require(`
		attribute login_userdomain;
	')

	allow $1 login_userdomain:process transition;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_transition_login_userdomain'($*)) dnl
')

########################################
##
## Allow the caller the noatsecure permission towards login user domains.
##
## Security note: noatsecure means the transition into the login user
## domain is not treated as a secure exec (AT_SECURE is not set), so
## the dynamic loader honours environment such as LD_PRELOAD and
## LD_LIBRARY_PATH supplied by the caller.  Grant this only to trusted
## login programs whose environment is already controlled; for any
## domain that handles untrusted environment it reintroduces the
## library-injection risk AT_SECURE exists to prevent.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_noatsecure_login_userdomain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_noatsecure_login_userdomain'($*)) dnl
	gen_require(`
		attribute login_userdomain;
	')

	allow $1 login_userdomain:process noatsecure ;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_noatsecure_login_userdomain'($*)) dnl
')

########################################
##
## Allow the caller to send SIGCHLD to login user domains.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_sigchld_login_userdomain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_sigchld_login_userdomain'($*)) dnl
	gen_require(`
		attribute login_userdomain;
	')

	allow $1 login_userdomain:process sigchld;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_sigchld_login_userdomain'($*)) dnl
')

########################################
##
## Add the login_userdomain attribute to the caller.
##
## Any rule elsewhere whose target is login_userdomain (transition,
## nnp_transition, noatsecure, sigchld above) then applies to this
## domain as well, so only real login user domains should carry it.
##
## Parameters:
##   domain - Domain allowed access.
##
#
define(`userdom_login_userdomain',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_login_userdomain'($*)) dnl
	gen_require(`
		attribute login_userdomain;
	')

	typeattribute $1 login_userdomain;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_login_userdomain'($*)) dnl
')

########################################
##
## Do not audit access(2)-style checks on user home content.
##
## Silences audit_access on all directory/file classes of every
## type carrying user_home_type.  Only the audit record is
## suppressed; the permission check itself still fails.
##
## Parameters:
##   domain - Domain to not audit.
##
#
define(`userdom_dontaudit_access_check_user_content',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_dontaudit_access_check_user_content'($*)) dnl
	gen_require(`
		attribute user_home_type;
	')

	dontaudit $1 user_home_type:dir_file_class_set audit_access;
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_dontaudit_access_check_user_content'($*)) dnl
')

#######################################
##
## The template containing the most basic rules common to a confined admin domain.
##
##

## The template containing the most basic rules common to a confined administrator domain. ##

##

## This template creates the admin domain type and role, marks it as a confined admin and user domain, ## and adds a tunable allowing it to execute user-owned content. The tty and pty device types are only ## required by the template; no tty/pty rules are added in its body. ##

##
##
## Parameters:
##   userdomain_prefix - The prefix of the user domain (e.g., user
##                       is the prefix for user_t).
##
## Security note: the generated tunable PREFIX_exec_content defaults
## to true, so by default the admin domain may execute files from
## user tmp and user home content (and from NFS/CIFS homes when the
## corresponding use_*_home_dirs tunables are also on).  Sites that
## want an admin domain which cannot run user-writable code must
## turn the tunable off.
##
#
define(`userdom_confined_admin_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_confined_admin_template'($*)) dnl
	gen_require(`
		attribute confined_admindomain;
		attribute userdomain;
		type user_devpts_t, user_tty_device_t;
		class context contains;
	')

	# Domain and role for the administrator.
	type $1_t, userdomain, confined_admindomain;
	role $1_r;
	role $1_r types $1_t;

	domain_type($1_t)
	domain_user_exemption_target($1_t)
	ubac_constrained($1_t)
	auth_use_nsswitch($1_t)

	# The unconfined prefix gets no exec_content tunable at all.
	ifelse(`$1',`unconfined',`',`
		gen_tunable(`$1_exec_content', true)

		tunable_policy(`$1_exec_content',`
			userdom_exec_user_tmp_files($1_t)
			userdom_exec_user_home_content_files($1_t)
		')

		tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
			fs_exec_nfs_files($1_t)
		')

		tunable_policy(`$1_exec_content && use_samba_home_dirs',`
			fs_exec_cifs_files($1_t)
		')
	') dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_confined_admin_template'($*)) dnl
')

########################################
##
## Allow a user domain to act as a security administrator (secadm).
##
##

## Grant a domain the rules of a security administrator: SELinux policy, boolean and ## enforcing-mode management, relabeling of all files including the shadow file, audit ## log and configuration access, and MLS read-up/upgrade/downgrade. ##

##

## This is a templated interface, and should only ## be called from a per-userdomain template. ##

##
##
## Parameters:
##   domain - Domain allowed access.
##   role   - The role of the administrator; passed to the
##            seutil_run_*, aide_run, ipsec_run_setkey,
##            netlabel_run_mgmt and samhain_run interfaces.
##
## Security note: this template makes the domain a full trust anchor
## for the policy.  It can switch the system to permissive mode
## (selinux_set_enforce_mode), load and edit policy and booleans,
## relabel every file including /etc/shadow, and move files across
## MLS levels in both directions.  Anything running in such a domain
## can disable or rewrite the access control that confines everything
## else, so it must only be reached through authenticated, audited
## administrative logins.
##
#
define(`userdom_security_admin_template',` dnl
pushdef(`policy_call_depth',incr(policy_call_depth)) dnl
policy_m4_comment(policy_call_depth,begin `userdom_security_admin_template'($*)) dnl
	# audit_control: reconfigure the kernel audit subsystem;
	# dac_read_search: read any file regardless of DAC mode bits.
	allow $1 self:capability { audit_control dac_read_search };
	allow $1 self:netlink_audit_socket { nlmsg_write create_netlink_socket_perms };

	corecmd_exec_shell($1)

	domain_obj_id_change_exemption($1)

	dev_relabel_all_dev_nodes($1)

	files_create_boot_flag($1)
	files_create_default_dir($1)
	files_root_filetrans_default($1, dir)

	# Necessary for managing /boot/efi
	fs_manage_dos_files($1)

	# MLS overrides: read above own level, and relabel files up and down.
	mls_process_read_up($1)
	mls_file_read_all_levels($1)
	mls_file_upgrade($1)
	mls_file_downgrade($1)

	# Policy control, including the ability to drop to permissive mode.
	selinux_set_enforce_mode($1)
	selinux_set_all_booleans($1)
	selinux_set_parameters($1)
	selinux_read_policy($1)

	# Relabel of all files, explicitly including the shadow password file.
	files_relabel_all_files($1)
	auth_relabel_shadow($1)

	init_exec($1)

	logging_send_syslog_msg($1)
	logging_read_audit_log($1)
	logging_read_generic_logs($1)
	logging_read_audit_config($1)

	seutil_manage_bin_policy($1)
	seutil_manage_default_contexts($1)
	seutil_manage_file_contexts($1)
	seutil_manage_module_store($1)
	seutil_manage_config($1)
	seutil_manage_login_config($1)
	seutil_run_checkpolicy($1,$2)
	seutil_run_loadpolicy($1,$2)
	seutil_run_semanage($1,$2)
	seutil_run_setsebool($1,$2)
	seutil_run_setfiles($1, $2)

	optional_policy(`
		aide_run($1,$2)
	')

	optional_policy(`
		consoletype_exec($1)
	')

	optional_policy(`
		ipsec_run_setkey($1,$2)
	')

	optional_policy(`
		netlabel_run_mgmt($1,$2)
	')

	optional_policy(`
		samhain_run($1, $2)
	')
') dnl
popdef(`policy_call_depth') dnl
policy_m4_comment(policy_call_depth,end `userdom_security_admin_template'($*)) dnl
')
##
divert